From rforno at infowarrior.org Mon May 1 08:10:18 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 01 May 2006 08:10:18 -0400
Subject: [Infowarrior] - Politics: Colbert's WHCA Parody of Bush and "Current Events"
Message-ID:

IMV, Colbert was hysterical. From what I've heard and read, this was one of the 'darker' comic bits at the WHCA dinner in recent years (and more slanted towards the 'spoof-the-President' instead of also 'spoof-the-press-corps'). Some reports say that the criticism-adverse President was NOT pleased when Colbert was done....but then again, he could just have been grumpy since the dinner let out way past his bedtime. That said, I am still having nightmares of being stalked by Helen Thomas, so I guess that's my penance for enjoying the gig so much. :)

Transcript: http://dailykos.com/storyonly/2006/4/30/1441/59811
Part I: http://video.freevideoblog.com/video/AAC7FA18-2DDC-4D3E-B1BB-9D6CBD83E27F.htm
Part II: http://video.freevideoblog.com/video/C91DDBB4-28AD-4E6F-BD52-822BC77DF696.htm

...and no, I'm not rubbing anyone's face in anything -- I also enjoyed the skewerings of Bill Clinton during the 90s as well.

-rf

From rforno at infowarrior.org Mon May 1 09:44:24 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 01 May 2006 09:44:24 -0400
Subject: [Infowarrior] - Can Techie Oust Orrin Hatch?
Message-ID:

Can Techie Oust Orrin Hatch?
http://www.wired.com/news/columns/1,70761-0.html
By Eliot Van Buskirk
02:00 AM May, 01, 2006

Technology policy rarely makes for compelling campaign theater -- and rarer still moves the body politic -- but I can't help rooting for Pete Ashdown. In a political mismatch of almost biblical proportions, the tech-savvy Democrat is running for the U.S. Senate seat currently held by Utah Republican Orrin Hatch. Hatch is a popular incumbent who has polled over 62 percent in past elections.
Apparently, Utahans couldn't care less about the Republican senator's slavish endorsement of entertainment industry-backed bills that would, without understatement, create the equivalent of a copyright police state.

Hatch has terrorized techies from his Washington perch by sponsoring the much-loathed DMCA. He's on record saying it'd be a good idea to let entertainment companies remotely destroy the computers of those they suspect of copyright infringement. And he's a co-sponsor of the Induce Act, a moribund bill that aimed to hold tech companies responsible for creating devices that could be used to pirate digital content.

Ashdown is a political novice with impeccable tech credentials. He founded the first independent ISP in Utah, used to DJ raves, and uses a collaborative wiki for his campaign.

This has all the makings of a classic Old West showdown between Hatch -- seemingly beholden to the entertainment companies who contribute to his campaigns -- and Ashdown, who hopes to fight anti-tech policies and help Congress understand the internet from the point of view of someone who has been there. Guess which one I chose to interview.

Wired News: You mentioned that you'd been to the Wired offices before. How did that come about?

Pete Ashdown: I have a friendship with Brian Behlendorf, who helped set up Wired's first venture on the internet, Hot Wired (now Wired News). He was also in charge of Organic and continues to be a member of the Apache Foundation -- a founding member of the Apache Foundation for that matter. And I initially knew him (from) the internet rave scene, because a lot of the early rave scene was connected through e-mail lists and the All Rave newsgroup, and of course there was a big concentration of that in San Francisco. So I came out to San Francisco frequently during that time.

WN: When I asked you if you had time for an interview, you referred me to your online calendar.
I was thinking that this openness is admirable, when so many public figures seem to want to be anything but public, and I also saw that you have a MySpace page. What would you say the upsides and downsides of your open approach to this campaign have been?

Ashdown: Well I feel transparency is a big part of my campaign. That is needed in Washington. And what I see in Washington is certainly we have a lot of scandal (in which) the Democrats try and blame on the Republicans, but I view it as a larger scandal of money and politics. And what I see in Washington is the Democrats stomping around, and they stand up and sign these ethics declarations for the television cameras, and then they say, "We need more restrictions on lobbyists," but they really don't lead by example. And it's a really simple thing to make your office transparent. And when somebody takes on the mantle of public service, they lose the privacy that is in regards to that job. Now certainly their personal privacy should still be respected, but when they are doing something in relation to making legislation, or meeting with individuals, that should be open and transparent. And it's easy to do. I mean, what I've done is elaborate in comparison to what Google calendar allows you to do. And so for these people to make the excuse that they can't do it, I don't believe it. I believe that they want to preserve the status quo. They want to keep the American people in the dark. And you know, there's also concern about safety. If people know where I'm gonna be next Friday, a sniper could come and kill me. Well, publish the calendar retroactively. I think people would still appreciate knowing what's going on and who you're meeting with.

In regards to the broader question of how MySpace and being open and transparent ha(ve) benefited me in this campaign, people are finding it refreshing.
People are finding it remarkable that a candidate is taking this kind of approach and advocating this in government because it's so rarely seen. On the drawbacks, I really haven't seen a lot. You know, they may come later when the opposition tries to attack me, but I really feel that in my own business being transparent has been my policy and providing internet service in that we document the good along with the bad. And we put that out for all of our customers to see, and even our non-customers can go to the XMission website and see what the history of XMission is in regards to success and failure. And my competition looks at that and says, "How in the world can you do that? Because it makes you look terrible." Conversely, my customers look at that and they say, "Thank you so much for keeping me informed about what's going on, because I know the cause of the problem when it happens."

WN: My column mainly focuses on digital music, so I have to ask, what do you see as the right balance between consumers' and corporations' rights when it comes to digital music, in terms of fair use and what should be allowed? How do you think that line should be drawn?

Ashdown: Well it's interesting you say individual and corporation, because there's a third party here, it's the artist. And I think the artist's rights should be held over the corporation rights. I believe that the internet presents a great opportunity for artists to make more on their work than what they were formerly doing with the corporate distribution system. And I think the writing is on the wall for that corporate distribution system, and that's the kind of backlash we're seeing from them in regards to lawsuits and restrictive legislation. So I absolutely believe the artists need to be rewarded for their work, should be rewarded for their work, and that the internet presents them an opportunity to do that in a more direct fashion. So I support their rights, but I also support the rights of the consumer.
I support the rights of the consumer when it's in regards to fair use. If I buy some media I should be able to do whatever I wish with that media inside the domain of my own home, outside of sharing it with somebody else commercially. That is, if I play it in the car for somebody else should I have to charge them a use fee? I don't think so. But if I'm out selling their music and the artist is getting no benefit from that, then that's an obvious violation. I'm against the idea of DRM because it restricts the individual. It punishes the individual, (restricts) the innocent from being able to do what they wish with the property they've purchased. And if people say, "Well, the pricing for this is so low that we can only sell it to a certain kind of use," well, raise the price! You know, that's what the market's all about. If you want to raise the price so I have no DRM on my music, I may pay an extra 25 cents, or whatever you decide to do to get that music without the DRM encumberment.

WN: Have you seen evidence as more and more people go online and buy iPods, that Utahans might be realizing that Orrin Hatch may not represent their best interests as citizens or consumers? I mean, there are all these stories everywhere, everybody's getting online... Do you think that's something that people are going to vote with?

Ashdown: I don't think it's a primary issue in Utah, although we have a very strong technology base and that receives a lot of support, at least verbal support from the technology base in Utah. I don't think most people are concerned about fair use as a primary issue. They're more concerned about the energy policy in this country, and how it affects them at the pump, and how it affects their security worldwide. They're concerned about health care, and they're concerned about jobs. They're concerned about the future of this country economically. So I think that is low on the list.
But I have been making an appeal to not only people in Utah, but people nationwide in regards to technology, that it is important that we have representation in Congress that understands technology beyond where the power button is on the computer, because these laws that are being made by a senator in Utah or a senator somewhere else affect everybody nationwide. We all have an interest in getting people into Congress that understand these things robustly. I get a lot of e-mail from people outside of Utah saying, "Man, you're, you're a great candidate. I wish I could live in Utah to vote for you," or "I wish you were a candidate in my state." Well there is a way you can vote for me, and that's sending financial support.

WN: So speaking of people in Congress and how much they understand about the internet, where do you stand on the whole "net neutrality" issue? What do you make of that? Do you think that the internet is fragile, like Larry Lessig says, and (that) it only exists because of careful planning, or is it kind of a naturally occurring thing that will just survive no matter what the rules are?

Ashdown: I tend to take more of the latter viewpoint. I've been doing XMission since 1993, which makes it one of the oldest internet companies in the country. And what I have seen is, you know, back in 1993 the internet was controlled by the National Science Foundation. And when they turned it over to private enterprise there was this idea that they would set up neutral peering points for entities to come together and exchange traffic. Now I'm in some of those peering points, and what I have seen, they're far from neutral, (and) that this idea of net neutrality has been long lost, in that if I try and exchange traffic with, say, a carrier on the level of MCI, they're going to put down all sorts of crazy requirements that there's no way a small provider of my size can meet. So I am forced to go another route to get into their network.
Now the thing is that the bureaucrats and the executives of these big telcos don't seem to realize is that they have as much need to reach my network as I have a need to reach theirs, even more so when you have an entity like Google. You have this guy just stomping around from SBC, I forget his name, but he's saying, "Google should be paying me money to traverse my network." Well, he receives as much benefit from having the connectivity to Google as Google receives and vice versa, in return. So if he decides to lower Google's traffic because they're not paying his extortion fee, his customers are going to react to that. "Why can't I get to Google? Why is it slow?" And so I think that this kind of balances out in the end. I tend more to take an anti-regulation standpoint on the internet, and (though) it is very easy to say, "We don't want the government censoring the internet," it becomes a much more complex issue when we're talking about net neutrality. "Well we should have the government confirm that neutrality, and guarantee it." But does that mean that I can't prioritize video traffic and voice traffic in my own network, (which) is obviously needed, that has to be more of a real-time situation? You know, for a long time I prioritized gaming traffic, because that's what my customers desire. So I tend to think that the government getting involved with more regulation on the internet is a bad thing. And so some of these calls for enforced net neutrality I don't support, because I believe that these situations will work themselves out in the end with the market that we have. Now you have the other question of, well, if you're a smaller player, if you're not a Google, if you're a mom and pop shop and you're on the rise, is your traffic going to be discounted in the face of these other entities that are able to pay for good traffic, say an eBay. 
And I argue again that there is enough customer draw on these major networks to say, "Hey, I can't get to this small entity; what's wrong with your network? What is breaking with your network?" that the customers of these large telcos are forced into net neutrality on their own.

WN: So the availability of alternate ISPs, especially smaller or independent ISPs, is going to act as a pressure valve on this whole situation then?

Ashdown: I believe so. But also independent entities, like some of the free wireless groups that are springing up. There's a great democracy that comes through the technology of the internet that really anyone can provide it. If you wanted to buy a connection from somebody and then send wireless out to your entire neighborhood, that's in the realm of possibility for individuals to do. It's not the same case when you're talking about satellite TV or broadcast TV. So this is a very unique medium that enables democracy and supports democracy and spreads by democracy.

WN: I have one more, very easy question: What software and hardware do you personally use to listen to digital music?

Ashdown: Well, on my desktop I'm a big fan of Ubuntu, not only in my campaign office -- I use Ubuntu exclusively, Ubuntu/Linux. I use Ubuntu throughout my office at X Mission. We do have a need for a few Windows desktops for running some of the accounting software we need, but that's for the secretary. We try and put Ubuntu/Linux on everything, and of course our servers (run Linux). When it comes to music hardware, I have an iPod, 40-gig iPod, and I rip all my own music. I prefer when I buy music to go out and buy the CD, bring it home, rip the contents off it, archive the CD. Having been a DJ in the past, I just recently completed ripping my entire collection of CDs, which was over 2,000 CDs.

WN: Well, thank you so much for your time, and I can tell you if I were in Utah, I'd be voting for you.
From rforno at infowarrior.org Mon May 1 19:22:56 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 01 May 2006 19:22:56 -0400
Subject: [Infowarrior] - Spies Among Us
Message-ID:

Spies Among Us
Despite a troubled history, police across the nation are keeping tabs on ordinary Americans
By David E. Kaplan
5/8/06

In the Atlanta suburbs of DeKalb County, local officials wasted no time after the 9/11 attacks. The second-most-populous county in Georgia, the area is home to the Centers for Disease Control and Prevention, the FBI's regional headquarters, and other potential terrorist targets. Within weeks of the attacks, officials there boasted that they had set up the nation's first local department of homeland security. Dozens of other communities followed, and, like them, DeKalb County put in for--and got--a series of generous federal counterterrorism grants. The county received nearly $12 million from Washington, using it to set up, among other things, a police intelligence unit.

The outfit stumbled in 2002, when two of its agents were assigned to follow around the county executive. Their job: to determine whether he was being tailed--not by al Qaeda but by a district attorney investigator looking into alleged misspending. A year later, one of its plainclothes agents was seen photographing a handful of vegan activists handing out antimeat leaflets in front of a HoneyBaked Ham store. Police arrested two of the vegans and demanded that they turn over notes, on which they'd written the license-plate number of an undercover car, according to the American Civil Liberties Union, which is now suing the county. An Atlanta Journal-Constitution editorial neatly summed up the incident: "So now we know: Glazed hams are safe in DeKalb County."

Glazed hams aren't the only items that America's local cops are protecting from dubious threats. U.S.
News has identified nearly a dozen cases in which city and county police, in the name of homeland security, have surveilled or harassed animal-rights and antiwar protesters, union activists, and even library patrons surfing the Web. Unlike with Washington's warrantless domestic surveillance program, little attention has been focused on the role of state and local authorities in the war on terrorism. A U.S. News inquiry found that federal officials have funneled hundreds of millions of dollars into once discredited state and local police intelligence operations. Millions more have gone into building up regional law enforcement databases to unprecedented levels. In dozens of interviews, officials across the nation have stressed that the enhanced intelligence work is vital to the nation's security, but even its biggest boosters worry about a lack of training and standards. "This is going to be the challenge," says Los Angeles Police Chief William Bratton, "to ensure that while getting bin Laden we don't transgress over the law. We've been burned so badly in the past--we can't do that again."

< snip >

http://www.usnews.com/usnews/news/articles/060508/8homeland.htm

From rforno at infowarrior.org Mon May 1 19:25:48 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 01 May 2006 19:25:48 -0400
Subject: [Infowarrior] - Stats on FBI use of NSL powers for 2005
Message-ID:

More Spying Statistics
http://wiredblogs.tripod.com/27BStroke6/index.blog?entry_id=1470696

A bit of intrepid reporting (a Google search and a phone call) got me a copy of the FBI report to Congress on the use of National Security Letters mentioned earlier. Turns out that there's other good stats in there for those of you who keep their own scorecard for the National Privacy League.
The Justice Department's other stats for 2005 are pretty impressive:

Foreign Intelligence Surveillance Act (FISA) wiretaps/searches:

* Submitted 2,074 applications in 2005 to the Foreign Intelligence Surveillance Court for wiretapping and searches of spies and terrorists. (1,758 in 2004)
* 2 of those were withdrawn before the court ruled. (One was modified and resubmitted and approved by the court.) (3 withdrawn, 1 re-submitted 2004)
* 2,072 were approved by the secret FISA court, but 61 were substantially modified. (1,754 approved, 94 modified in 2004)

(The math is odd here, since it seems that 2,073 were actually filed, but the extra one could have been resubmitted in 2006)

Batting Average: 100%
Slugging Percentage: 97%

These are good numbers for the Administration, which submitted 18% more applications without reducing its batting average and improving on its slugging percentage.

Section 215 Orders for Business Records

* Submitted 155 applications for business records (and maybe tangible things, like that guy's iPod)
* None withdrawn by government
* FISA court approved all 155 but modified 2 substantially

Batting Average: 100%
Slugging Percentage: 98.7%

These are also solid numbers, but this is the first year the Department has released them so there's no benchmarks.

From rforno at infowarrior.org Mon May 1 19:37:49 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 01 May 2006 19:37:49 -0400
Subject: [Infowarrior] - Apple renews iTunes flat-rate contracts
Message-ID:

Apple renews iTunes flat-rate contracts
http://www.macnn.com/articles/06/05/01/itunes.flat.rate.contracts/

Apple on Monday said it had renewed contracts with the four largest record companies to sell songs through its iTunes for 99 cents each, according to The Financial Times. The agreements were signed with Universal, Warner Music, EMI and Sony BMG, following months of public jockeying on song pricing.
The music labels wanted to implement variable pricing to charge more for more popular songs, while Steve Jobs, calling the labels "greedy," wanted to keep the flat price structure. The agreement is seen largely as a defeat for music labels, as they struggle to regain control of the online music industry, which is dominated by Apple's iTunes but continues to grow rapidly. The report says that online music sales surged 194 per cent last year to 352 million songs, according to Nielsen Soundscan. Overall album sales fell 3.9 percent. Rival Napster has begun to offer free songs via the Web in an effort to break Apple's stranglehold on digital music, which accounts for about 5 percent of overall album sales.

From rforno at infowarrior.org Mon May 1 19:54:56 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 01 May 2006 19:54:56 -0400
Subject: [Infowarrior] - USG has 56 different "sensitive but unclassified" ratings
Message-ID:

http://www.gao.gov/htext/d06385.html

GAO-06-385
The Federal Government Needs to Establish Policies and Processes for Sharing Terrorism-Related and Sensitive but Unclassified Information
March 2006

Federal agencies report that they are using a total of 56 different designations for information they determined is sensitive but unclassified, and agencies that account for a large percentage of the homeland security budget reported using most of these designations. There are no governmentwide policies or procedures that describe the basis on which agencies should designate, mark, and handle this information. In this absence, the agency determines what designations to apply to its sensitive but unclassified information. Such inconsistency can lead to challenges in information sharing. In fact, more than half of the agencies reported encountering challenges in sharing sensitive but unclassified information.
Furthermore, most agencies do not determine who and how many employees can make such designations, provide them training on how to do so, or perform periodic reviews of how well their practices are working, nor are there governmentwide policies that require such internal control practices. By not providing guidance and monitoring, there is a probability that the designation will be misapplied, potentially restricting material unnecessarily or resulting in dissemination of information that should be restricted.

< snip >

Table 2: Sensitive but Unclassified Designations in Use at Selected Federal Agencies
(number. designation: agencies using the designation; asterisks as in the GAO report)

1. Applied Technology: *Department of Energy (DOE)
2. Attorney-Client Privilege: Department of Commerce (Commerce), *DOE
3. Business Confidential: *DOE
4. Budgetary Information: Environmental Protection Agency (EPA)
5. Census Confidential: Commerce
6. Confidential Information Protection and Statistical Efficiency Act Information (CIPSEA): Social Security Administration (SSA)
7. Computer Security Act Sensitive Information (CSASI): Department of Health and Human Services (HHS)
8. Confidential: Department of Labor
9. Confidential Business Information (CBI): Commerce, EPA
10. Contractor Access Restricted Information (CARI): HHS
11. Copyrighted Information: *DOE
12. Critical Energy Infrastructure Information (CEII): Federal Energy Regulatory Commission (FERC)
13. Critical Infrastructure Information: Office of Personnel Management (OPM)
14. DEA Sensitive: Department of Justice (DOJ)
15. DOD Unclassified Controlled Nuclear Information: Department of Defense (DOD)
16. Draft: EPA
17. Export Controlled Information: *DOE
18. For Official Use Only (FOUO): Commerce, DOD, Department of Education, EPA, General Services Administration, HHS, DHS, Department of Housing and Urban Development (HUD), DOJ, Labor, OPM, SSA, and the Department of Transportation (DOT)
19. For Official Use Only - Law Enforcement Sensitive: DOD
20. Freedom of Information Act (FOIA): EPA
21. Government Confidential Commercial Information: *DOE
22. High-Temperature Superconductivity Pilot Center Information: *DOE
23. In Confidence: *DOE
24. Intellectual Property: *DOE
25. Law Enforcement Sensitive: Commerce, EPA, DHS, DOJ, HHS, Labor, OPM
26. Law Enforcement Sensitive/Sensitive: DOJ
27. Limited Distribution Information: DOD
28. Limited Official Use (LOU): DHS, DOJ, Department of Treasury
29. Medical records: EPA
30. Non-Public Information: FERC
31. Not Available National Technical Information Service: Commerce
32. Official Use Only (OUO): DOE, SSA, Treasury
33. Operations Security Protected Information (OSPI): HHS
34. Patent Sensitive Information: *DOE
35. Predecisional Draft: *DOE
36. Privacy Act Information: *DOE, EPA
37. Privacy Act Protected Information (PAPI): HHS
38. Proprietary Information: *DOE, DOJ
39. Protected Battery Information: *DOE
40. Protected Critical Infrastructure Information (PCII): DHS
41. Safeguards Information: Nuclear Regulatory Commission (NRC)
42. Select Agent Sensitive Information (SASI): HHS
43. Sensitive But Unclassified (SBU): Commerce, HHS, NASA, National Science Foundation (NSF), Department of State, U.S. Agency for International Development (USAID)
44. Sensitive Drinking Water Related Information (SDWRI): EPA
45. Sensitive Information: DOD, U.S. Postal Service (USPS)
46. Sensitive Instruction: SSA
47. Sensitive Internal Use: *DOE
48. Sensitive Unclassified Non-Safeguards Information: NRC
49. Sensitive Nuclear Technology: *DOE
50. Sensitive Security Information (SSI): DHS, DOT, U.S. Department of Agriculture (USDA)
51. Sensitive Water Vulnerability Assessment Information: EPA
52. Small Business Innovative Research Information: *DOE
53. Technical Information: DOD
54. Trade Sensitive Information: Commerce
55. Unclassified Controlled Nuclear Information (UCNI): DOE
56. Unclassified National Security-Related: *DOE

From rforno at infowarrior.org Tue May 2 07:53:46 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 02 May 2006 07:53:46 -0400
Subject: [Infowarrior] - The Broadcast Flag:Returns (again)
Message-ID:

I'm going to start calling the Broadcast Flag "Digital Herpes" given that it never seems to fully go away........frankly I'm surprised Sen Stevens didn't also include ANWAR drilling in this bill, too......rf

Broadcast Flag Returns on Draft Senate Telecom Bill
Posted by Alex Curtis May 1, 2006 - 2:44pm
http://www.publicknowledge.org/blog/2

The Chairman of the Senate Commerce Committee, Senator Ted Stevens, has released a draft of this Telecom bill (link to bill coming soon!). Weighing in at 135 pages, I guess we could say it's a "hulk" of a bill. Unfortunately, part of the bill includes language to authorize the FCC to instate the broadcast flag, but with some interesting exceptions that Public Knowledge has said, at a minimum, would have to be part of such a tech mandate. They include:

* the transmission of short excerpts of broadcast digital television over the Internet;
* the transmission to a limited number of devices over a home or otherwise localized network
* over the Internet for distance learning purposes
* redistributing news and public affairs (except for sports)

This proposition is a step forward from previous attempts, in that it actually contemplates limitations on flag technology. However, PK still thinks these kinds of tech mandates are anti-competitive and harm consumers and innovators.
At first glance, one problem that comes up immediately is that under the redistributing news and public affairs provision, it's for programming "in which the primary commercial value depends on timeliness as determined by the broadcaster or broadcasting network." If the broadcaster is given the gatekeeper decision of what's "timeliness," does anyone think they're going to say the news is timely? For reasons of news and commentary under copyright law, no authorization from the copyright owner is necessary. This isn't copyright law, but that's why we asked for the exception. Even though the bill gives broadcasters a complaint process at the FCC on abuse of this kind of use of their timely news, there's a concern that fair use protections might not be extended as the FCC is not equipped to make that kind of determination.

Of course, all of this might be irrelevant because the content industry has said numerous times that they would accept no broadcast flag carve-outs. So, if they don't like it, this part of the bill won't see the light of day, or at least the exceptions won't.

Here's the full text of that section of the bill, take a look for yourself:

Subtitle C - Video and Audio Flag

SEC. 451. SHORT TITLE.
This subtitle may be cited as the "Digital Content Protection Act of 2006".

SEC. 452. DIGITAL VIDEO BROADCASTING.
Part I of title III (47 U.S.C. 301 et seq.) is amended by adding at the end the following:

"SEC. 342. PROTECTION OF DIGITAL VIDEO BROADCASTING CONTENT.
"(a) IN GENERAL.--Within 30 days after the date of enactment of the Digital Content Protection Act of 2006, the Commission shall initiate, and within 6 months after that date conclude, a proceeding--
"(1) to implement its Report and Order in the matter of Digital Broadcast Content Protection, FCC 03-273 and its Report and Order in the matter of Digital Output Protection Technology and Recording Method Certifications, FCC 04-193; and
"(2) to modify, if necessary, such Reports and Orders to meet the requirements of subsection (b) of this section.
"(b) REQUIREMENTS.--In the regulations promulgated under this section, the Commission shall permit transmission of--
"(1) short excerpts of broadcast digital television content over the Internet; and
"(2) broadcast digital television content over a home network or other localized network accessible to a limited number of devices connected to such network; or
"(C) broadcast digital television content over the Internet for distance learning purposes;
"(2) permit government bodies or accredited nonprofit educational institutions to use copyrighted work in distance education courses pursuant to the Technology, Education, and Copyright Harmonization Act of 2002 and the amendments made by that Act;
"(3) permit the redistribution of news and public affairs programming (not including sports) in which the primary commercial value depends on timeliness as determined by the broadcaster or broadcasting network; and
"(4) require that any authorized redistribution control technology and any authorized recording method technology approved by the Commission under this Section that is publicly offered to licensees, be licensed on reasonable and nondiscriminatory terms and conditions.
"(c) REVIEW OF DETERMINATIONS.--The Commission may review any such determination described in subsection (b)(3) by a broadcaster or broadcasting network if the Commission receives a bona fide complaint alleging, or otherwise has reason to believe, that the determination is inconsistent with the requirements of that subsection or the regulations promulgated thereunder.
"(d) EFFECTIVE DATE OF REGULATIONS.--Regulations promulgated under this section shall take effect months after the date on which the Commission issues a final rule under this section.".

From rforno at infowarrior.org Tue May 2 10:02:50 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 02 May 2006 10:02:50 -0400
Subject: [Infowarrior] - Resource: How the GWOT affects access to Information and the Public's Right to Know
Message-ID:

How the War on Terrorism Affects Access to Information and the Public's Right to Know
Prepared by The Reporters Committee for Freedom of the Press
http://www.rcfp.org/homefrontconfidential/index.html

From rforno at infowarrior.org Tue May 2 10:07:43 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 02 May 2006 10:07:43 -0400
Subject: [Infowarrior] - Schneier on Microsoft's BitLocker
Message-ID:

Schneier on Security
http://www.schneier.com/blog/archives/2006/05/bitlocker.html
May 02, 2006

Microsoft's BitLocker

BitLocker Drive Encryption is a new security feature in Windows Vista, designed to work with the Trusted Platform Module (TPM). Basically, it encrypts the C drive with a computer-generated key. In its basic mode, an attacker can still access the data on the drive by guessing the user's password, but would not be able to get at the drive by booting the disk up using another operating system, or removing the drive and attaching it to another computer.

There are several modes for BitLocker. In the simplest mode, the TPM stores the key and the whole thing happens completely invisibly. The user does nothing differently, and notices nothing different. The BitLocker key can also be stored on a USB drive. Here, the user has to insert the USB drive into the computer during boot. Then there's a mode that uses a key stored in the TPM and a key stored on a USB drive. And finally, there's a mode that uses a key stored in the TPM and a four-digit PIN that the user types into the computer.
This happens early in the boot process, when there's still ASCII text on the screen. Note that if you configure BitLocker with a USB key or a PIN, password guessing doesn't work. BitLocker doesn't even let you get to a password screen to try.

For most people, basic mode is the best. People will keep their USB key in their computer bag with their laptop, so it won't add much security. But if you can force users to attach it to their keychains -- remember that you only need the key to boot the computer, not to operate the computer -- and convince them to go through the trouble of sticking it in their computer every time they boot, then you'll get a higher level of security.

There is a recovery key: optional but strongly encouraged. It is automatically generated by BitLocker, and it can be sent to some administrator or printed out and stored in some secure location. There are ways for an administrator to set group policy settings mandating this key. There aren't any back doors for the police, though.

You can get BitLocker to work in systems without a TPM, but it's kludgy. You can only configure it for a USB key. And it only will work on some hardware: because BitLocker starts running before any device drivers are loaded, the BIOS must recognize USB drives in order for BitLocker to work.

Encryption particulars: The default data encryption algorithm is AES-128-CBC with an additional diffuser. The diffuser is designed to protect against ciphertext-manipulation attacks, and is independently keyed from AES-CBC so that it cannot damage the security you get from AES-CBC. Administrators can select the disk encryption algorithm through group policy. Choices are 128-bit AES-CBC plus the diffuser, 256-bit AES-CBC plus the diffuser, 128-bit AES-CBC, and 256-bit AES-CBC. (My advice: stick with the default.) The key management system uses 256-bit keys wherever possible.

The only place where a 128-bit key limit is hard-coded is the recovery key, which is 48 digits (including checksums). It's shorter because it has to be typed in manually; typing in 96 digits will piss off a lot of people -- even if it is only for data recovery.

So, does this destroy dual-boot systems? Not really. If you have Vista running, then set up a dual boot system, BitLocker will consider this sort of change to be an attack and refuse to run. But then you can use the recovery key to boot into Windows, then tell BitLocker to take the current configuration -- with the dual boot code -- as correct. After that, your dual boot system will work just fine, or so I've been told. You still won't be able to share any files on your C drive between operating systems, but you will be able to share files on any other drive. The problem is that it's impossible to distinguish between a legitimate dual boot system and an attacker trying to use another OS -- whether Linux or another instance of Vista -- to get at the volume.

BitLocker is not a panacea. But it does mitigate a specific but significant risk: the risk of attackers getting at data on drives directly. It allows people to throw away or sell old drives without worry. It allows people to stop worrying about their drives getting lost or stolen. It stops a particular attack against data.

Right now BitLocker is only in the Ultimate and Enterprise editions of Vista. It's a feature that is turned off by default. It is also Microsoft's first TPM application. Presumably it will be enhanced in the future: allowing the encryption of other drives would be a good next step, for example.
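The post's numbers (a 128-bit recovery key, 48 typed digits including checksums, 96 digits if it were 256 bits) hang together once you see how a key is spread over decimal groups with a per-group check. The Python below is an added example, not code from Schneier's post or from Microsoft: it encodes a 128-bit value as eight six-digit groups, each a 16-bit word multiplied by 11, and decodes with validation so that any single mistyped digit is rejected. The grouping and the factor-11 check follow the publicly documented BitLocker recovery-password layout as I understand it, and the little-endian word order is my assumption; neither comes from the post, and the real product derives the actual volume key from the decoded value by further steps the post does not describe, which this example does not model.

```python
import math
import secrets

# Layout assumed for this example (not taken from the post): a 128-bit key is
# split into eight 16-bit words, and each word is written as a six-digit
# decimal group equal to word * 11. The factor 11 is the per-group checksum:
# the largest word, 65535, gives 720885, which still fits in six digits.
GROUPS = 8
GROUP_BITS = 16
KEY_BYTES = GROUPS * GROUP_BITS // 8      # 16 bytes = 128 bits
CHECK_MULTIPLIER = 11
GROUP_DIGITS = 6


def encode_recovery_key(key: bytes) -> str:
    """Turn a 128-bit key into a 48-digit, dash-separated recovery string."""
    if len(key) != KEY_BYTES:
        raise ValueError(f"recovery key must be {KEY_BYTES} bytes")
    groups = []
    for i in range(GROUPS):
        # Little-endian word order is an assumption of this example.
        word = int.from_bytes(key[2 * i:2 * i + 2], "little")
        groups.append(f"{word * CHECK_MULTIPLIER:0{GROUP_DIGITS}d}")
    return "-".join(groups)


def decode_recovery_key(text: str) -> bytes:
    """Parse and validate a recovery string; raises ValueError on any defect."""
    groups = text.replace(" ", "").split("-")
    if len(groups) != GROUPS:
        raise ValueError(f"expected {GROUPS} groups, got {len(groups)}")
    key = bytearray()
    for index, group in enumerate(groups):
        if len(group) != GROUP_DIGITS or not group.isdigit():
            raise ValueError(f"group {index + 1} is not {GROUP_DIGITS} digits")
        value = int(group)
        # 10 is congruent to -1 mod 11, so changing any one digit shifts the
        # value by a non-multiple of 11 and the group no longer divides evenly.
        if value % CHECK_MULTIPLIER != 0:
            raise ValueError(f"group {index + 1} fails its checksum")
        word = value // CHECK_MULTIPLIER
        if word >= 1 << GROUP_BITS:
            raise ValueError(f"group {index + 1} is out of range")
        key += word.to_bytes(2, "little")
    return bytes(key)


def is_valid_recovery_key(text: str) -> bool:
    """True if the string decodes cleanly, False on any format or checksum error."""
    try:
        decode_recovery_key(text)
        return True
    except ValueError:
        return False


def new_recovery_key() -> str:
    """Generate a fresh random 128-bit recovery key in typed form."""
    return encode_recovery_key(secrets.token_bytes(KEY_BYTES))


def digits_needed(bits: int) -> int:
    """Minimum decimal digits to write a bits-wide value with no checksum at all."""
    return math.ceil(bits * math.log10(2))


def typed_digits(bits: int) -> int:
    """Digits the user actually types under this layout, checksums included."""
    return (bits // GROUP_BITS) * GROUP_DIGITS


if __name__ == "__main__":
    sample = bytes(range(KEY_BYTES))          # constructed sample key, not a real one
    typed = encode_recovery_key(sample)
    print("recovery key:", typed)
    print("round trip ok:", decode_recovery_key(typed) == sample)
    print("digits for 128/256 bits without checks:", digits_needed(128), digits_needed(256))
    print("digits typed for 128/256 bits with checks:", typed_digits(128), typed_digits(256))
    corrupted = "1" + typed[1:]               # one mistyped digit
    print("corrupted key accepted:", is_valid_recovery_key(corrupted))
```

Running it shows why the post's arithmetic works out: 128 bits need 39 bare decimal digits, and padding each 16-bit word to six digits with the factor-11 check brings that to 48; the same layout for 256 bits is 96. The check also catches any transposition of two adjacent digits (the difference is 9 times a power of ten times the digit gap, never a multiple of 11), so a user who mistypes gets an immediate error instead of a silent wrong key.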
From rforno at infowarrior.org Tue May 2 11:44:17 2006 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 02 May 2006 11:44:17 -0400 Subject: [Infowarrior] - WIPO: Broadcasting/ Webcasting Treaty Hits the Fast Track Message-ID:

Blogging WIPO: The Broadcasting/ Webcasting Treaty Hits the Fast Track - SCCR 14, Day 1 May 02, 2006 http://www.eff.org/deeplinks/archives/004619.php

The U.N. World Intellectual Property Organization's Standing Committee on Copyright and Related Rights Committee meets this week to discuss the latest redraft of the contentious new Broadcasting Treaty. The treaty would give broadcasters, cablecasters, and potentially webcasters, broad new 50 year rights to control transmissions over the Internet, irrespective of the copyright status of the transmitted material. It also requires countries to provide legal protection for broadcaster technological protection measures that will require Broadcast Flag-like technology mandates. As we've noted elsewhere, EFF believes that these new rights will stifle innovation, create a new layer of liability for Internet intermediaries, impair consumers' existing rights, restrict the public's access to knowledge and culture, and change the nature of the Internet as a communication medium. Many of these concerns could be addressed by limiting the scope of the treaty to its intended purpose -- signal theft. Unfortunately the new draft doesn't remove any of our concerns, but only deepens them. Webcasting is now back in the treaty, after spending last year in a separate "working paper" because the majority of countries opposed its inclusion in 2004. Despite many countries' opposition again in 2005, it's been included in the treaty as a non-mandatory Appendix. Countries that sign the treaty have the option -- at any time -- to grant webcasters the same exclusive rights given to broadcasters and cablecasters by depositing a notice with WIPO.
At the same time, some of the key proposals to balance the impact of the new treaty have been removed from the new draft treaty text (the Draft Basic Proposal) and relegated to a new separate "Working Paper". For instance, the alternative that the treaty not include the contentious Technological Protection Measure obligations is not in the Draft Basic Proposal, but has been sidelined to the Draft Working Paper. Brazil and Chile's exceptions proposals (including exceptions for national competition regulation and temporary reproductions of broadcast works that are crucial for digital technology innovation) have also been cast off to the Draft Working Paper. The WIPO Committee Chair's decision to create two separate documents, rather than a consolidated draft proposal including all views, has been highly controversial. As expected, many countries were not pleased with the implied sleight of hand involved in categorizing countries' proposals as "core" (in the Draft Basic Proposal) or "alternatives" (in the Draft Working Paper). It's particularly troubling that some items, such as webcasting, that have been consistently rejected by the majority of Member States, have made it into the Draft Basic Proposal -- so selection for the Draft Basic Proposal was clearly not based on majority support. Many Member States voiced concerns about transparency when they took the floor. India, South Africa, Brazil, Iran, and Uruguay stated that their views had not been taken into account in the draft treaty. And there's also little consensus on substantive issues. Many Member States clearly disagree with including webcasting in the treaty. Several Member States, including Thailand (on behalf of the Asia Group), Argentina, Jamaica, Nigeria, Colombia and Peru, also expressed concern about the potential for broadcaster technological protection measures to impair exceptions and limitations and restrict access to public domain materials. The draft treaty is now officially on the fast track. 
The draft that emerges from this meeting will form the basis for convening a 2007 intergovernmental Diplomatic Conference when the WIPO General Assembly votes in September. That means this week is the last chance for WIPO member countries to act to protect Internet innovation and the public's access to knowledge. As usual, we'll be blogging developments from Geneva. The NGO Coalition's notes of Day 1 are after the jump. http://www.eff.org/deeplinks/archives/004619.php

From rforno at infowarrior.org Tue May 2 22:14:55 2006 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 02 May 2006 22:14:55 -0400 Subject: [Infowarrior] - Young Americans geographically illiterate: survey Message-ID:

Young Americans geographically illiterate: survey May 02 3:41 PM US/Eastern http://www.breitbart.com/news/2006/05/02/060502194146.rasscash.html

Young Americans know little about world geography, with the majority unable to locate Iraq on a map and three quarters unable to find Indonesia, according to a study. The Roper poll conducted on behalf of National Geographic found that most of the young adults questioned between the ages of 18 and 24 also had little knowledge about their own country, with half or fewer unable to identify the states of New York or Ohio on a map. Moreover, the study said, many of those questioned were not bothered by their lack of geographic knowledge. "Half think it is 'important but not absolutely necessary' either to know where countries in the news are located (50%) or to be able to speak a foreign language (47%)," a report on the survey said. The report said that despite nearly constant news coverage since the US invasion of Iraq in March 2003, 63 percent of respondents could not find Iraq on a map and 75 percent could not find Israel or Iran. It added that nine in ten also could not find Afghanistan on a map of Asia and 70 percent could not find North Korea.
When questioned about natural disasters, only a third (33%) correctly chose Pakistan from four possible choices as the country hit by a huge earthquake in October 2005. China fared better than most countries, with seven in ten (69%) respondents able to find it on a map. Still, the study found, young Americans have a number of misconceptions about China. Nearly 75 percent believe English is the most widely spoken native language, rather than Mandarin Chinese, and half think that China is the biggest exporter of goods and services rather than the United States. The survey was conducted between December 2005 and January 2006 and involved 510 interviews. National Geographic released the survey in launching a five-year campaign to improve geographic literacy among young people in the United States. "Geographic illiteracy impacts our economic well-being, our relationships with other nations and the environment, and isolates us from our world," said John Fahey, National Geographic Society president. "Without geography, our young people are not ready to face the challenges of the increasingly interconnected and competitive world of the 21st century." From rforno at infowarrior.org Wed May 3 06:59:46 2006 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 03 May 2006 06:59:46 -0400 Subject: [Infowarrior] - FW: [attrition] Dangers of L33t 5p3ak In-Reply-To: Message-ID: So what else is new? Parents have ALWAYS had a hard time understanding their kids.....rf ------ Forwarded Message From: security curmudgeon From: Small Grey Beware, parents: Online Language Leaves Parents in the Dark Reported by Heather Pick Leet Speak is part of a complicated and potentially dangerous code designed to keep parents in the dark when children are chatting on the Internet. [...] "It gives criminals, kids, whomever, another way to communicate covertly with one another without maybe parents catching on to what the kids are saying," Westerville Police Department Scott Dollison explained. 
[...] =-=-= Wh4t dumb5h|t5. m~ -- M|cr0s0f+ W0rd h4s |n5p|r3d m3 +o r4g3 f4r b3y0nd 4ny+h|ng +h3s3 r0b0t5 3ng3nd3r. --R0g3r 3b3r+, r3v|ew|ng "|, R0b0t"

From rforno at infowarrior.org Wed May 3 07:03:48 2006 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 03 May 2006 07:03:48 -0400 Subject: [Infowarrior] - Administration Conducting Research Into Laser Weapon Message-ID:

Administration Conducting Research Into Laser Weapon By WILLIAM J. BROAD http://www.nytimes.com/2006/05/03/washington/03laser.html?ei=5094&en=d7c1adf7a14592f1&hp=&ex=1146715200&partner=homepage&pagewanted=print

The Bush administration is seeking to develop a powerful ground-based laser weapon that would use beams of concentrated light to destroy enemy satellites in orbit. The largely secret project, parts of which have been made public through Air Force budget documents submitted to Congress in February, is part of a wide-ranging effort to develop space weapons, both defensive and offensive. No treaty or law forbids such work. The laser research was described by federal officials who would speak only on the condition of anonymity because of the topic's political sensitivity. The White House has recently sought to play down the issue of space arms, fearing it could become an election-year liability. Indeed, last week Republicans and Democrats on a House Armed Services subcommittee moved unanimously to cut research money for the project in the administration's budget for the 2007 fiscal year. While Republicans on the panel would not discuss their reasons for the action, Congressional aides said it reflected a bipartisan consensus for moving cautiously on space weaponry, a potentially controversial issue that has yet to be much debated. The full committee is expected to take up the budget issue today. The laser research is far more ambitious than a previous effort by the Clinton administration nearly a decade ago to test an antisatellite laser.
It would take advantage of an optical technique that uses sensors, computers and flexible mirrors to counteract the atmospheric turbulence that seems to make stars twinkle. The weapon would essentially reverse that process, shooting focused beams of light upward with great clarity and force. Though futuristic and technically challenging, the laser work is relatively inexpensive by government standards -- about $20 million in 2006, with planned increases to some $30 million by 2011 -- partly because no weapons are as yet being built and partly because the work is being done at an existing base, an unclassified government observatory called Starfire in the New Mexico desert. In interviews, military officials defended the laser research as prudent, given the potential need for space arms to defend American satellites against attack in the years and decades ahead. "The White House wants us to do space defense," said a senior Pentagon official who oversees many space programs, including the laser effort. "We need that ability to protect our assets" in orbit. But some Congressional Democrats and other experts fault the research as potential fuel for an antisatellite arms race that could ultimately hurt this nation more than others because the United States relies so heavily on military satellites, which aid navigation, reconnaissance and attack warning. In a statement, Representative Loretta Sanchez, a California Democrat on the subcommittee who opposes the laser's development, thanked her Republican colleagues for agreeing to curb a program "with the potential to weaponize space." Theresa Hitchens, director of the Center for Defense Information, a private group in Washington that tracks military programs, said the subcommittee's action last week was a significant break with the administration. "It's really the first time you've seen the Republican-led Congress acknowledge that these issues require public scrutiny," she said.
In a statement, the House panel, the Armed Services Subcommittee on Strategic Forces, made no reference to such policy disagreements but simply said that "none of the funds authorized for this program shall be used for the development of laser space technologies with antisatellite purposes." It is unclear whether the Republican-controlled Congress will sustain the subcommittee's proposed cut to the administration's request, even if the full House Armed Services Committee backs the reduction. The Air Force has pursued the secret research for several years but discussed it in new detail in its February budget request. The documents stated that for the 2007 fiscal year, starting in October, the research will seek to "demonstrate fully compensated laser propagation to low earth orbit satellites." The documents listed several potential uses of the laser research, the first being "antisatellite weapons." The overall goal of the research, the documents said, is to assess unique technologies for "high-energy laser weapons," in what engineers call a proof of concept. Previously, the laser work resided in a budget category that paid for a wide variety of space efforts, the documents said. But for the new fiscal year, it has moved under the heading "Advanced Weapons Technology." In interviews, Pentagon officials said the policy rationale for the arms research dated from a 1996 presidential directive in the Clinton administration that allows "countering, if necessary, space systems and services used for hostile purposes." In 1997, the American military fired a ground-based laser in New Mexico at an American spacecraft, calling it a test of satellite vulnerability. Federal experts said recently that the laser had had no capability to do atmospheric compensation and that the test had failed to do any damage. Little else happened until January 2001, when a commission led by Donald H. 
Rumsfeld, then the newly nominated defense secretary, warned that the American military faced a potential "Pearl Harbor" in space and called for a defensive arsenal of space weapons. The Starfire research is part of that effort. Federal officials and private experts said the antisatellite work drew on a body of unclassified advances that have made the Starfire researchers world-famous among astronomers. Their most important unclassified work centers on using small lasers to create artificial stars that act as beacons to guide the process of atmospheric compensation. When astronomers use the method, they aim a small laser at a point in the sky close to a target star or galaxy, and the concentrated light excites molecules of air (or, at higher altitudes, sodium atoms in the upper atmosphere) to glow brightly. Distortions in the image of the artificial star as it returns to Earth are measured continuously and used to deform the telescope's flexible mirror and rapidly correct for atmospheric turbulence. That sharpens images of both the artificial star and the astronomical target. Unclassified pictures of Starfire in action show a pencil-thin laser beam shooting up from its hilltop observatory into the night sky. The Starfire researchers are now investigating how to use guide stars and flexible mirrors in conjunction with powerful lasers that could flash their beams into space to knock out enemy satellites, according to federal officials and Air Force budget documents. "These are really smart folks who are optimistic about their technology," said the senior Pentagon official. "We want those kind of people on our team." But potential weapon applications, he added, if one day approved, "are out there years and years and years into the future." The research centers on Starfire's largest telescope, which Air Force budget documents call a "weapon-class beam director." 
Its main mirror, 11.5 feet in diameter, can gather in faint starlight or, working in the opposite direction, direct powerful beams of laser light skyward. Federal officials said Starfire's antisatellite work had grown out of one of the site's other military responsibilities: observing foreign satellites and assessing their potential threat to the United States. In 2000, the Air Force Research Laboratory, which runs Starfire, said the observatory's large telescope, by using adaptive optics, could distinguish objects in orbit the size of a basketball at a distance of 1,000 miles. Another backdrop to the antisatellite work is Starfire's use of telescopes, adaptive optics and weak lasers to track and illuminate satellites. It is considered a baby step toward developing a laser powerful enough to cripple spacecraft. Col. Gregory Vansuch, who oversees Starfire research for the Air Force Research Laboratory, said in an interview that the facility used weak lasers and the process of atmospheric compensation to illuminate satellites "all the time." Such tests, Colonel Vansuch emphasized, are always done with the written permission of the satellite's owner. He said that about once a month, Starfire conducted weeklong experiments that illuminate satellites up to 20 times. Though the House subcommittee recommended eliminating all financing next year for antisatellite laser research, it retained money for other laser development. Congressional aides said the proposed cut to the Air Force's $21.4 million budget request for such work would eliminate two of three areas of development, for a total reduction of $6.5 million. At least one public-interest group has seized on the issue. Last week, the Global Network Against Weapons and Nuclear Power in Space, based in Brunswick, Me., said that if Congress approved the antisatellite money, "the barrier to weapons in space will have been destroyed." 
From rforno at infowarrior.org Wed May 3 07:13:35 2006 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 03 May 2006 07:13:35 -0400 Subject: [Infowarrior] - Louis Rukeyser, Television Host, Dies at 73 In-Reply-To: Message-ID:

Louis Rukeyser, Television Host, Dies at 73 BY JAMES GRANT http://www.nytimes.com/2006/05/03/business/media/03rukeyser.html?_r=1&oref=slogin&pagewanted=print

Louis Rukeyser, the exquisitely tailored and pun-loving television host who helped millions of Americans believe that they could get rich in the stock market, or at least begin to understand it, died yesterday at his home in Greenwich, Conn. He was 73. He died of multiple myeloma, said his brother Bud Rukeyser. When "Wall Street Week" was broadcast for the first time on Nov. 20, 1970, probably nobody, not even the always self-assured Mr. Rukeyser, dreamed that the show would run for 32 years while attracting the biggest audience on public television and making its host a celebrity in the improbable field of light-hearted, free-market-oriented financial commentary. The Dow Jones Industrial Average was then languishing, and the population of American mutual funds numbered a scant 323. And though the Dow continued to languish (not until 1982 did it push above 1,000, a mark it had first set in 1966), "Wall Street Week" prospered. "I invented the job of economic commentary on television," Mr. Rukeyser said in 1980. He was already well along in inventing the medium of investment broadcasting. "Fridays at 8:30 find me -- amply fed, digestive organs ruminating contentedly to the rhythmic sloshing of martini juice -- sitting in my Louis Quinze armchair awaiting another installment of 'Wall Street Week,' " wrote Russell Baker in The New York Times at the beginning of the show's second decade. "By 8:33 my mind is reeling so wildly with gyrations of the Dow Jones average and the pinwheeling of money funds, Treasury bills and gold markets that I often require a calming infusion of brandy."
The show attained its biggest audience, some six million viewers, in the mid-1980's. Mr. Rukeyser, though he prodded the financial gurus who appeared on the program to forecast the stock market (the rosier the outlook, the better he liked it, as a rule), usually kept his own predictive counsel. But when, in 1980, he uncharacteristically ventured part way out on a limb -- "I think we have entered the decade of the common stock," he said -- he proved only partly correct. In fact, the market had embarked on a nearly two-decade up-cycle, and Mr. Rukeyser was started on his own professional bull market. "Wall Street Week" had as its point of origin not the beating heart of American finance in Lower Manhattan but the leafy Baltimore suburb of Owings Mills, Md. The show was the brainchild of Anne Truax Darlington, a producer with Maryland Public Broadcasting, and the original corps of panelists was recruited from the Baltimore financial community, not previously noted for its telegenic possibilities. Mr. Rukeyser's supporting cast members (later augmented by experts from outside Baltimore) became little celebrities in their own right. "I get recognized in bus lines," one long-serving panelist, Monte Gordon, remarked in 1990. "I get recognized when I'm eating in restaurants. There's a lot of psychic satisfaction to being on the show." There was money at stake, too. The value of an appearance on "Wall Street Week" to each week's "special guest" -- mutual-fund portfolio manager, bank trust officer, economist -- climbed as the bull stock market went higher and higher. "So how badly do people want to get on?" The Times asked a New York publicist, Len Kessler, in 1990. "It's spelled k-i-l-l," said Mr. Kessler. Louis Richard Rukeyser was second of four sons of the financial journalist Merryle S. Rukeyser, who wrote a syndicated column in the Hearst newspapers. Louis Rukeyser graduated from the Woodrow Wilson School of Princeton University in 1954.
He took a reporting job at The Baltimore Sun and, within five years, was made London bureau chief, an unusually swift rise through the newsroom ranks. He joined ABC News in 1965 as a correspondent and commentator. Not until 1973 did he judge it safe to quit his day job for a still-unproven "Wall Street Week." It was a decision that he never regretted. After 20 years on the air, Mr. Rukeyser was earning $300,000 a year from the show and $1 million or more in annual speaking income, each speech bearing the same title, "What's Ahead for the Economy" -- the echo of the title of a book he wrote for Simon & Schuster in 1983. He produced, in addition, a thrice-weekly newspaper column and a book on investing ("How to Make Money in Wall Street," Doubleday, 1974). Later he added a pair of newsletters, Louis Rukeyser's Wall Street and Louis Rukeyser's Mutual Funds. He flew first class, loved to gamble, slept in the best and gaudiest suites in the finest hotels and dressed every inch the sybarite he was. In 1991, The Fashion Foundation of America pronounced him the "best-dressed man in finance." The host of "Wall Street Week" ("with Louis Rukeyser," he never failed to add to the show's title) and self-described champion of the "little guy" could be openly contemptuous of professional investors, a sentiment many of them warmly reciprocated. Mr. Rukeyser reserved his most withering scorn for the "gloomy Guses" and "Wrong-Way Corrigans" who warned of financial troubles that, during the prosperous 1990's, never transpired. An eternal bull on the stock market, the more bullish, and less tolerant of dissenting bears he became, the higher the averages climbed. On the program of Nov. 5, 1999, Mr. Rukeyser announced the firing of the veteran panelist Gail Dudak for her 156 consecutive weeks of bearishly errant forecasting. Ms. Dudak heard the news from her neighbors the next morning. The stock market peaked four months later.
Though "Wall Street Week" never fell from the top of the heap of TV financial programs (a pile that owed much of its impressive height to Mr. Rukeyser's success), viewership slipped as stock prices fell and as competition from other financial media increased. In March 2002, Maryland Public TV announced that the snowy-haired Mr. Rukeyser would be eased out to make room for a youth movement led by the staff of Fortune Magazine. Mr. Rukeyser would have none of it. "I want you to rise up out of your chairs," he summoned his viewers from the set of "Wall Street Week" the next Friday evening, "not to shout, 'I'm mad as hell and not going to take it anymore!' but," he added, to "write or e-mail your local PBS station saying you heard Louis Rukeyser is still going to have a program and that you'd like to see it." Mr. Rukeyser was fired. But he quickly re-established the show at CNBC. He took pride in his new success and glee in the spectacle of Maryland Public Broadcasting suffering a forced retrenchment as his sponsors decamped from public television with him. (The Fortune version of "Wall Street Week" was canceled in 2005.) Failing health forced Mr. Rukeyser off the air in 2003. He was presented with the Gerald Loeb Lifetime Achievement Emmy for Business and Financial Reporting in 2004. Besides his brother Bud, of West Palm Beach, Fla., he is survived by his wife, Alexandra; three daughters, Beverley Bellisio of Middletown, Conn., Susan Rukeyser of Amarillo, Tex., and Stacy Rukeyser of West Hollywood, Calif.; two grandchildren; and two other brothers, William S., of Knoxville, Tenn., and Robert, of Greenwich. One cost of celebrity for Mr. Rukeyser was the jibes he would have to bear while indulging his fondness for casino gambling. No sooner had he settled into a blackjack game, he once recalled, than someone would ask him if the odds at the table were really better than those on Wall Street.
James Grant was a panelist on "Wall Street Week" for 10 years, beginning in 1988.

From rforno at infowarrior.org Wed May 3 07:17:14 2006 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 03 May 2006 07:17:14 -0400 Subject: [Infowarrior] - FrontRow Enabler is back! (Get it while you can) Message-ID:

(c/o R.L.) One developer, whose Front Row Enabler software (along with instructions) allows any Mac to use Apple's Front Row multimedia software, has reposted the software after questioning the validity of the 'Cease and Desist' from Apple's legal team. http://www.andrewescobar.com/frontrow

From rforno at infowarrior.org Wed May 3 07:26:28 2006 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 03 May 2006 07:26:28 -0400 Subject: [Infowarrior] - Interesting Time factoid today Message-ID:

http://www.caballe.cat/2006/05/03.html#a7227 Tonight, shortly after 1 AM, our clocks will show a really funny time and date combination: 01:02:03 04.05.06. This will not happen again until next millennium ....except in the US and elsewhere, who view that date as April 5 and not May 5. :) Who says time isn't open for interpretation? :) -rf

From rforno at infowarrior.org Wed May 3 15:44:12 2006 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 03 May 2006 15:44:12 -0400 Subject: [Infowarrior] - FCC approves Net-wiretapping taxes Message-ID:

FCC approves Net-wiretapping taxes By Declan McCullagh http://news.com.com/FCC+approves+Net-wiretapping+taxes/2100-1028_3-6067971.html Story last modified Wed May 03 11:41:46 PDT 2006

WASHINGTON--Broadband providers and Internet phone companies will have to pick up the tab for the cost of building in mandatory wiretap access for police surveillance, federal regulators ruled Wednesday.
The Federal Communications Commission voted unanimously to levy what likely will amount to wiretapping taxes on companies, municipalities and universities, saying it would create an incentive for them to keep costs down and that it was necessary to fight the war on terror. Universities have estimated their cost to be about $7 billion. "The first obligation is...the safety of the people," said FCC Commissioner Michael Copps, a Democrat. "This commission supports efforts to protect the public safety and homeland security of the United States and its people." Federal police agencies have spent years lobbying for mandatory backdoors for easy surveillance, saying "criminals, terrorists and spies" could cloak their Internet communications with impunity unless centralized wiretapping hubs become mandatory. Last year, the FCC set a deadline of May 14, 2007, for compliance. But universities, libraries and some technology companies have filed suit against the agency, and arguments before a federal court are scheduled for Friday. "We're going to have a lot of fights over cost reimbursement," Al Gidari, a partner at the law firm of Perkins Coie, who is co-counsel in the lawsuit, said in an interview after the vote. "It continues the lunacy of their prior order and confirms they've learned nothing from what's been filed" in the lawsuit, he said. The original 1994 law, called the Communications Assistance for Law Enforcement Act, or CALEA, authorized $500 million to pay telecommunications carriers for the cost of upgrading their networks to facilitate wiretapping. Some broadband and voice over Internet Protocol (VoIP) providers had hoped that they'd be reimbursed as well. Jonathan Askin, general counsel of Pulver.com, likened Wednesday's vote to earlier FCC rules extending 911 regulations to VoIP. "It essentially imposed a mandate on the industry without giving the industry the necessary support to abide by the rules--and the same thing seems to be happening here," Askin said. 
Even without the CALEA regulations, police have the legal authority to conduct Internet wiretaps--that's precisely what the FBI's Carnivore system was designed to do. Still, the FBI has argued, the need for "standardized broadband intercept capabilities is especially urgent in light of today's heightened threats to homeland security and the ongoing tendency of criminals to use the most clandestine modes of communication." The American Council on Education, which represents 1,800 colleges and universities, estimates that the costs of CALEA compliance could total roughly $7 billion for the entire higher-education community, or a tuition hike of $450 for every student in the nation. Documents filed in the lawsuit challenging the FCC's rules put the cost at hundreds of dollars per student. But during Wednesday's vote, commissioners dismissed those concerns as unfounded. "I am not persuaded merely by largely speculative allegations that the financial burden on the higher-education community could total billions of dollars," said FCC Commissioner Deborah Taylor Tate, a Republican. From rforno at infowarrior.org Wed May 3 19:56:46 2006 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 03 May 2006 19:56:46 -0400 Subject: [Infowarrior] - Backer of ISP snooping slams industry Message-ID: ...while a noble goal that I support -- protecting children and jailing those who prey on them in any environment -- does anyone else think "online predators" and "child pornography" is becoming the justification rationale for lawmakers to do whatever they want on the Internet? IIRC in recent months, the MPAA/RIAA was saying P2P was responsible for kiddie porn in their latest attempt to control the net, too. Calling Mrs. Lovejoy.... 
-rf Backer of ISP snooping slams industry By Declan McCullagh http://news.com.com/Backer+of+ISP+snooping+slams+industry/2100-1028_3-6068339.html Story last modified Wed May 03 16:27:38 PDT 2006 WASHINGTON--Congress' leading proponent of forcing Internet service providers to retain records about their users' activities lashed out at the industry on Wednesday, saying such a federal law will be a "very minor burden" to bear. Rep. Diana DeGette, a Colorado Democrat, said at a House of Representatives hearing that new laws were necessary to thwart child pornographers and other Internet predators. Investigations into illicit behavior have been hampered because data may be routinely deleted in the normal course of business, DeGette and other data retention proponents claim. "This created havoc among the Internet service provider community," DeGette said, referring to her proposed legislation announced last week. "I am horrified that the provider community is not working with us on this because it seems to me to be a very simple piece of legislation and I'm going to continue to fight for it." < ... > From rforno at infowarrior.org Wed May 3 20:01:35 2006 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 03 May 2006 20:01:35 -0400 Subject: [Infowarrior] - Cyberattack knocks millions of blogs offline Message-ID: Cyberattack knocks millions of blogs offline By Joris Evers http://news.com.com/Cyberattack+knocks+millions+of+blogs+offline/2100-7349_3-6068344.html Story last modified Wed May 03 16:50:15 PDT 2006 About 10 million LiveJournal and TypePad blogs were offline or barely reachable for several hours on Tuesday as the result of a massive denial-of-service attack. The attack started at about 4 p.m. PDT, targeting the popular blogging services and the corporate Web site of their provider Six Apart, company vice president Anil Dash said in an interview Wednesday. Service was back to normal at midnight, according to Six Apart's Web site.
"Any large service tends to have a pretty constant level of attacks, but this was on a scale that I don't think anybody could have anticipated," Dash said. "I think it is of a scale that would have impacted any large site on the Web." In a distributed denial-of-service, or DDoS, attack the target is overloaded with requests for information. The requests come from a large number of hosts, typically compromised computers. As a result, legitimate users can no longer access the site. Six Apart intends to report the attack to the authorities, such as the FBI, but hasn't done so yet, Dash said. "We have not yet had the time to think about the next steps yet," he said. The San Francisco company has some theories on the origin and motivation of the attack, but Dash declined to speculate. Unlike large online businesses, Six Apart isn't typically the object of large-scale onslaughts, Dash said. If it does face an attack, often the problem is related to the content posted on one of the blogs it hosts, he said. Six Apart's main hosting facility is in a large data center located at 365 Main in San Francisco. The attack morphed as the blog company tried to respond, making it more challenging to deal with. "They were changing pretty rapidly," Dash said. "We have learned enough that if it does happen again, we know what to do." Six Apart plans to make amends to its customers, but has not yet decided how. Late last year, when it had some performance issues, it let its users decide how they wanted to be compensated, Dash said. "We will definitely do whatever makes things right for them," he said.
From rforno at infowarrior.org Thu May 4 09:07:15 2006 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 04 May 2006 09:07:15 -0400 Subject: [Infowarrior] - FW: Fake Television News - Trend Micro In-Reply-To: Message-ID: (c/o WK) http://www.prwatch.org/fakenews/execsummary Over a ten-month period, the Center for Media and Democracy (CMD) documented television newsrooms' use of 36 video news releases (VNRs) -- a small sample of the thousands produced each year. CMD identified 77 television stations, from those in the largest to the smallest markets, that aired these VNRs or related satellite media tours (SMTs) in 98 separate instances, without disclosure to viewers. One of the curious examples was for none other than Trend Micro http://www.prwatch.org/fakenews/vnr4 A Fake News Report About Fake E-Mail Software company VNR is nationally syndicated through the Tribune network On November 3, 2005, KOKH-25 (Oklahoma City, OK) ran a two-minute story on "phishing" scams: fraudulent e-mails designed by identity thieves to trick people into divulging personal financial information. The news report featured testimony from Jessica Sweedler, a Bay Area phishing victim; Mikael Niehoff, a technology crime unit detective; and David Perry, a computer security expert from Trend Micro Software. In no uncertain terms, the report recommended PC-Cilin, a $50 Internet security program from Trend Micro, as "a first line of defense" against phishing scams. What viewers couldn't have possibly known is that the KOKH-25 story was a scam in itself. The report was actually a video news release (VNR) created by D S Simon Productions and funded by Trend Micro. Without a hint of attribution, KOKH-25 dropped the complete and uncut VNR into their 9:00 PM newscast.
To help disguise the promotional video as their own journalism, editors at KOKH-25 inserted station-branded text overlays and anchor Andrew Speno introduced the VNR's narrating publicist, Jim Lawrence, as if he were a local reporter. Along with KOKH-25, the VNR was picked up by Kurt Knutsson, a KTLA-5 (Los Angeles, CA) technology reporter whose "CyberGuy" segments are syndicated through the Tribune Broadcasting Network on newscasts in over 150 markets. From rforno at infowarrior.org Thu May 4 09:12:20 2006 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 04 May 2006 09:12:20 -0400 Subject: [Infowarrior] - OT: "Original" unaltered Star Wars coming to DVD ! Message-ID: (I consider this as partial compensation for Jake Lloyd, Jar Jar, and horrible love scenes! -rf) This September: Original Unaltered Trilogy on DVD May 03, 2006 http://www.starwars.com/episode-iv/release/video/news20060503.html Fans can look forward to a September filled with classic Star Wars nostalgia, led by the premiere of LEGO Star Wars II: The Original Trilogy video game and the long-awaited DVD release of the original theatrical incarnations of the classic Star Wars trilogy. In response to overwhelming demand, Lucasfilm Ltd. and Twentieth Century Fox Home Entertainment will release attractively priced individual two-disc releases of Star Wars, The Empire Strikes Back and Return of the Jedi. Each release includes the 2004 digitally remastered version of the movie and, as bonus material, the theatrical edition of the film. That means you'll be able to enjoy Star Wars as it first appeared in 1977, Empire in 1980, and Jedi in 1983. This release will only be available for a limited time: from September 12th to December 31st. International release will follow on or about the same day. Each original theatrical version will feature Dolby 2.0 Surround sound, close-captioning, and subtitles in English, French and Spanish for their U.S. release.
International sound and subtitling vary by territory. "Over the years, a truly countless number of fans have told us that they would love to see and own the original version that they remember experiencing in theaters," said Jim Ward, President of LucasArts and Senior Vice President of Lucasfilm Ltd. "We returned to the Lucasfilm Archives to search exhaustively for source material that could be presented on DVD. This is something that we're very excited to be able to give to fans in response to their continuing enthusiasm for Star Wars. Topping it off with a new interactive adventure makes September 12 a red-letter day for Star Wars fans." From rforno at infowarrior.org Thu May 4 09:17:54 2006 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 04 May 2006 09:17:54 -0400 Subject: [Infowarrior] - Schneier: Everyone Wants to 'Own' Your PC Message-ID: Everyone Wants to 'Own' Your PC http://www.wired.com/news/columns/1,70802-0.html By Bruce Schneier 02:00 AM May, 04, 2006 When technology serves its owners, it is liberating. When it is designed to serve others, over the owner's objection, it is oppressive. There's a battle raging on your computer right now -- one that pits you against worms and viruses, Trojans, spyware, automatic update features and digital rights management technologies. It's the battle to determine who owns your computer. You own your computer, of course. You bought it. You paid for it. But how much control do you really have over what happens on your machine? Technically you might have bought the hardware and software, but you have less control over what it's doing behind the scenes. Using the hacker sense of the term, your computer is "owned" by other people. It used to be that only malicious hackers were trying to own your computers. Whether through worms, viruses, Trojans or other means, they would try to install some kind of remote-control program onto your system. 
Then they'd use your computers to sniff passwords, make fraudulent bank transactions, send spam, initiate phishing attacks and so on. Estimates are that somewhere between hundreds of thousands and millions of computers are members of remotely controlled "bot" networks. Owned. Now, things are not so simple. There are all sorts of interests vying for control of your computer. There are media companies that want to control what you can do with the music and videos they sell you. There are companies that use software as a conduit to collect marketing information, deliver advertising or do whatever it is their real owners require. And there are software companies that are trying to make money by pleasing not only their customers, but other companies they ally themselves with. All these companies want to own your computer. Some examples: * Entertainment software: In October 2005, it emerged that Sony had distributed a rootkit with several music CDs -- the same kind of software that crackers use to own people's computers. This rootkit secretly installed itself when the music CD was played on a computer. Its purpose was to prevent people from doing things with the music that Sony didn't approve of: It was a DRM system. If the exact same piece of software had been installed secretly by a hacker, this would have been an illegal act. But Sony believed that it had legitimate reasons for wanting to own its customers' machines. * Antivirus: You might have expected your antivirus software to detect Sony's rootkit. After all, that's why you bought it. But initially, the security programs sold by Symantec and others did not detect it, because Sony had asked them not to. You might have thought that the software you bought was working for you, but you would have been wrong. * Internet services: Hotmail allows you to blacklist certain e-mail addresses, so that mail from them automatically goes into your spam trap.
Have you ever tried blocking all that incessant marketing e-mail from Microsoft? You can't. * Application software: Internet Explorer users might have expected the program to incorporate easy-to-use cookie handling and pop-up blockers. After all, other browsers do, and users have found them useful in defending against internet annoyances. But Microsoft isn't just selling software to you; it sells internet advertising as well. It isn't in the company's best interest to offer users features that would adversely affect its business partners. * Spyware: Spyware is nothing but someone else trying to own your computer. These programs eavesdrop on your behavior and report back to their real owners -- sometimes without your knowledge or consent -- about your behavior. * Internet security: It recently came out that the firewall in Microsoft Vista will ship with half its protections turned off. Microsoft claims that large enterprise users demanded this default configuration, but that makes no sense. It's far more likely that Microsoft just doesn't want adware -- and DRM spyware -- blocked by default. * Update: Automatic update features are another way software companies try to own your computer. While they can be useful for improving security, they also require you to trust your software vendor not to disable your computer for nonpayment, breach of contract or other presumed infractions. Adware, software-as-a-service and Google Desktop search are all examples of some other company trying to own your computer. And Trusted Computing will only make the problem worse. There is an inherent insecurity to technologies that try to own people's computers: They allow individuals other than the computers' legitimate owners to enforce policy on those machines. These systems invite attackers to assume the role of the third party and turn a user's device against him. 
Remember the Sony story: The most insecure feature in that DRM system was a cloaking mechanism that gave the rootkit control over whether you could see it executing or spot its files on your hard disk. By taking ownership away from you, it reduced your security. If left to grow, these external control systems will fundamentally change your relationship with your computer. They will make your computer much less useful by letting corporations limit what you can do with it. They will make your computer much less reliable because you will no longer have control of what is running on your machine, what it does, and how the various software components interact. At the extreme, they will transform your computer into a glorified boob tube. You can fight back against this trend by only using software that respects your boundaries. Boycott companies that don't honestly serve their customers, that don't disclose their alliances, that treat users like marketing assets. Use open-source software -- software created and owned by users, with no hidden agendas, no secret alliances and no back-room marketing deals. Just because computers were a liberating force in the past doesn't mean they will be in the future. There is enormous political and economic power behind the idea that you shouldn't truly own your computer or your software, despite having paid for it. - - - Bruce Schneier is the CTO of Counterpane Internet Security and the author of Beyond Fear: Thinking Sensibly About Security in an Uncertain World. You can contact him through his website. From rforno at infowarrior.org Thu May 4 09:19:17 2006 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 04 May 2006 09:19:17 -0400 Subject: [Infowarrior] - Feds' Watch List Eats Its Own Message-ID: Feds' Watch List Eats Its Own By Ryan Singel| 02:00 AM May, 04, 2006 http://www.wired.com/news/technology/1,70783-0.html What do you say about an airline screening system that tends to mistake government employees and U.S. 
servicemen for foreign terrorists? Newly released government documents show that even having a high-level security clearance won't keep you off the Transportation Security Administration's Kafkaesque terrorist watch list, where you'll suffer missed flights and bureaucratic nightmares. According to logs from the TSA's call center from late 2004 -- which black out the names of individuals to protect their privacy -- the watch list has snagged: * A State Department diplomat who protested that "I fly 100,00 miles a year and am tired of getting hassled at Dulles airport -- and airports worldwide -- because my name apparently closely resembles that of a terrorist suspect." * A person with an Energy Department security clearance. * An 82-year-old veteran who says he's never even had a traffic ticket. * A technical director at a science and technology company who has been working with the Pentagon on chemical and biological weapons defense. * A U.S. Navy officer who has been enlisted since 1984. * A high-ranking government employee with a better-than-top-secret clearance who is also a U.S. Army Reserve major. * A federal employee traveling on government business who says the watch list matching "has resulted in ridiculous delays at the airports, despite my travel order, federal ID and even my federal passport." * A high-level civil servant at the Federal Deposit Insurance Corporation. * An active-duty Army officer who had served four combat tours (including one in Afghanistan) and who holds a top-secret clearance. * A retired U.S. Army officer and antiterrorism/force-protection officer with expertise on weapons of mass destruction who was snared when he was put back on active-duty status while flying on a ticket paid for by the Army. * A former Pentagon employee and current security-cleared U.S. Postal Service contractor. 
Also held up was a Continental Airlines flight-crew member traveling as a passenger, who complained to TSA, "If I am safe enough to work on a plane then I should be fine to be a passenger sleeping." The outcomes of these complaints are not recorded in the documents. Attorney Marcia Hoffman with the Electronic Privacy Information Center, who obtained the documents under the Freedom of Information Act, emphasizes that "an effective redress process to clear your name from the list is critical." Currently, individuals who want to clear their names have to submit several notarized copies of their identification. Then, if they're lucky, TSA might check their information against details in the classified database, add them to a cleared list and provide them with a letter attesting to their status. More than 28,000 individuals had filed the paperwork by October 2005, the latest figures available, according to TSA spokeswoman Amy Kudwa. She says the system works. "We work rigorously to resolve delays caused by misidentifications," Kudwa says. Citing national security, Kudwa declined to state how many of those 28,000 were ultimately placed on the cleared list, nor would she say how many names are on the no-fly and "selectee" lists or what the selection criteria for those lists are. Those on the no-fly list are banned from air travel and are likely to be arrested at the airport if they attempt to fly, while those on the selectee list face additional scrutiny at the airport. The watch list is still not very accurate, according to 31-year-old Massachusetts resident Bethan Brome Lilja. Two weeks ago, Lilja finally grew tired of her and her son's continual selection for extra screening and contacted the TSA call center. An employee named Eva told Lilja that the FBI was looking for someone with her name, and advised her to watch what she was saying since the call was recorded and "some guys might come knocking on your door," Lilja told Wired News. 
"I interpreted that as a threat," says Lilja, a full-time mother and entrepreneur. "When I call a government agency to ask for help and they tell me someone might come knock on my door, you have to take it seriously." Lilja thinks her full name is too distinctive for it to match someone else's, and notes that her husband Jonathan does not get pulled aside for extra screening. The TSA's lists are only a subset of the larger, unified terrorist watch list, which consists of 250,000 people associated with terrorists, and an additional database of 150,000 less-detailed records, according to a recent media briefing by Terrorist Screening Center director Donna Bucella. The unified list is used by border officials, embassies issuing visas and state and local law enforcement agents during traffic stops. That larger list and its increasingly wide usage concerns Lilja, who wonders, for example, what will happen when she visits Canada this summer and attempts to return to the states. "If I get pulled over for speeding by some small-town cop from western Massachusetts, who sees I'm a terrorist suspect from Boston, it's hard to know if someone is going to overreact," Lilja said. Lilja has since contacted her congressman, sought legal advice and launched an online campaign called Americans for Terror Watchlist Reform. Lilja isn't the only one interested in reforming how watch lists are used or how citizens can contest false matches or false inclusions. Currently, airlines check their own passengers' names against the lists provided to them by the TSA, but each airline chooses how it will match variations of names such as Ted, Teddy and Theodore. For the past three years, the TSA has been trying to replace the current system, known as CAPPS, with the so-called Secure Flight program that would require airlines to forward passenger lists to the government, a process the TSA hopes will reduce the number of false name matches by standardizing the process. 
Some notable homeland security experts suggest, however, that more transparency and responsiveness are needed. A paper published last year by the conservative Heritage Foundation suggested the government should establish a centralized watch-list-dispute-resolution clearinghouse that would handle complaints about all terrorism watch lists and report publicly on its work. That paper, which also advocated for the right to take watch list disputes to court, was co-authored in 2005 by technologist Jeff Jonas -- best known for his work catching casino cheats in Las Vegas and then adapting that software to enable data sharing within the federal government -- and Paul Rosenzweig, a former Heritage Foundation research fellow who recently joined the Department of Homeland Security's policy office. Rosenzweig's faith in transparency seems not to have filtered down to the TSA's Freedom of Information Office. The Electronic Privacy Information Center filed an identical request for the 2005 complaint logs last month, but the TSA denied the organization's arguments that the records are in the public interest, and wants to charge the group nearly $70,000 to search for the database records. EPIC is appealing that decision. From rforno at infowarrior.org Thu May 4 15:41:32 2006 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 04 May 2006 15:41:32 -0400 Subject: [Infowarrior] - Interesting use of 'phantom rings' in advertising Message-ID: May 4, 2006 I Hear Ringing and There's No One There. I Wonder Why. By BRENDA GOODMAN http://www.nytimes.com/2006/05/04/fashion/thursdaystyles/04phan.html?ei=5090&en=98d2a4d5b5a61cd4&ex=1304395200&partner=rssuserland&emc=rss&pagewanted=print SIX minutes 39 seconds into the Richard Thompson song "Calvary Cross," Mike Pelusi, a music reviewer in Philadelphia, will almost invariably check his cellphone.
Minka Wiltz, an actress in Atlanta, has tried to answer her phone to the thrrrrup, thrrrrup, thrrrrup of a truck bouncing down a pothole-pocked street. Others say they thought they heard phones ring while taking a shower, using a blow-dryer or watching commercials. What they are hearing is a barely discernible sound -- perhaps chimes, a faint trill or an electronic bleat -- that they mistake for the ringtone of their cellphone, which isn't ringing. This audio illusion -- called phantom phone rings or, more whimsically, ringxiety or fauxcellarm -- has emerged recently as an Internet discussion topic and has become a new reason for people to either bemoan the techno-saturation of modern life or question their sanity. Some sound experts believe that because cellphones have become a fifth limb for many, people now live in a constant state of phone vigilance, and hearing sounds that seem like a telephone's ring can send an expectant brain into action. "My experience has been hearing just a few notes that are similar to my phone's ring, my brain will fill in the rest," said David Laramie, a doctoral student at the Los Angeles campus of the California School of Professional Psychology, who is writing his dissertation about the effect of cellphones on behavior. He plans to send questionnaires this summer to learn when and how often phantom rings happen and who is most likely to experience them. A few notes in the background of a television commercial can fool him, he said. Other times the culprit will be the sound effects in a song on the radio. "Another place I hear it is running water, so I sometimes hear it while I'm shaving," Mr. Laramie said. Phantom rings are a "psycho-acoustic phenomenon" related to the way the human brain interprets sound, said Rob Nokes, president of Sound Dogs, a sound effects company in California. The ear gives unequal weights to certain frequencies, making it particularly sensitive to sounds in the range of 1,000 to 6,000 hertz, scientists say.
Babies cry in this range, for example, and the familiar "brrring, brrring" ringtone hits this sweet spot, too. (Simple ringtones are more likely to produce phantom rings than popular music used as a ringtone.) "Your brain is conditioned to respond to a phone ring just as it is to a baby crying," Mr. Nokes said. Why people seem to be hearing phantom rings more often now is another question. The answers range from the paranoid to the vast exposure to cellphones in people's lives -- there were 207 million wireless subscribers nationwide at the end of 2005, a nearly sevenfold increase in just a decade, according to the Cellular Telecommunications and Internet Association. On blogs, some cellphone users wonder if an ominous agenda is at work when a phantom ring is triggered by a television or radio broadcast. A writer posting as Koan on forumgarden.com said that at first, songs played on the radio triggered a phantom ring. "Thing is, the high-pitched sounds, although a lot fainter, are still present during announcements now," Koan wrote. "What is this? Is it subliminal advertising ... or something else?" Peter Arnell, the chief creative officer of the Arnell Group in New York and a major force in the marketing business, said that theory might not be far off the mark. While he said he has never been asked by a client to include sounds in an advertisement that would mimic a ringing cellphone, he thinks the increasing use of high-pitched, electronic tones is very much by design. "People are using a sound trigger to control emotions," Mr. Arnell said. "The most controlling device in our life right now is a cellphone." He suggested that a sound trick that sent confused listeners hunting for their cellphones might be especially effective for ads ending with a call to action. (An example is a directive to "Call this toll-free number now!") "Hollywood has always known how to use sound to control emotions, right?" Mr. Arnell continued. "But this is newer to advertising.
Sound effects have become the big deal on Madison Avenue." Michael Sweet, the creative director of Audio Brain, a sonic branding company in New York that has done work for NBC and Verizon, also said that he had never been asked to use a sound for the purpose of generating a phantom ring. But he also said he believes that the ear-brain trick isn't a mistake. "I think it's definitely intentional," Mr. Sweet said. "Do ad agencies know they're getting your attention? Sure. Do they know it's because you're trying to answer your phone to the TV? Not necessarily." Allen Henderson, who runs the blog AwfulCommericals.com, was bothered by a Toyota ad showing a man dragging a rusted heap of a car uphill as if it were a ball and chain. The chain eventually snaps and the man is free to drive a Toyota. Mr. Henderson lamented what he called the spot's overblown premise, but that wasn't the only thing. "Most of all," Mr. Henderson wrote on his blog, "I hate this commercial for making me check my phone every time it came on the air." Steve R. Chavez, creative director for Saatchi & Saatchi, the Los Angeles agency that created the spot, "Ball and Chain," seemed tickled when told of Mr. Henderson's phantom ring experience. "You know, it only took us 20 years to develop that," Mr. Chavez said impishly. "I'm soooo kidding. "I think, as an industry, we're often accused of manipulation. It's simply not true." And after this reporter was taunted by phantom rings from "Homage," a television spot for Marriott Hotels, the ad agency that created it, McGarry Bowen in New York, said any confusion was purely unintentional. "Everyone here is kind of baffled," said Rob Kaplan, the director of music production at McGarry Bowen. "No one meant to put anything that sounded like a cellphone ringtone in the spot." 
In "Homage," which was conceived as a tribute to business travelers, a series of twinkling chimes punctuate shots of hotel rooms, a traveler falling back on a bed, and shoes kicked off on the floor. Mr. Kaplan said the spot was created before he was hired but that the sound design wasn't meant to fool the ear. "I've worked on a lot of spots that have used a lot of modern, atonal sounds," Mr. Kaplan said. "It is kind of cutting edge and complements visuals really well." Intentional or not, audio experts say fooling the ear into hearing a ringing phone isn't hard. As long as it's a more traditional trill, a telephone ring is a simple tone that can be reproduced relatively easily, said Adam Jenkins, a sound effects mixer who has worked on movies like "Crash" and "Apollo 13." "It's a 1,000 hertz tone that can be generated by just about anything," Mr. Jenkins said. And because most sounds are the result of two or more tones put together -- human speech is multitonal, for example -- simple tones really stand out. Tones that are generated around 1,000 hertz have another special characteristic that helps them hoodwink those within range. It is tough to tell where they are coming from. Because humans have ears on each side of their head, they are able to localize most sounds. The direction of high-frequency sounds is pinpointed based on their volume level in each ear, and low frequency sounds based on their arrival time in each ear. But Guy Moore, an assistant professor of physics at McGill University in Montreal, said human ears do not do a good job finding the source of sounds around 1,000 hertz using either method, so that a noise in that range seems just as likely to be coming from the television to the right as a purse sitting to the left. "That's also why it's so hard to tell where an ambulance siren is coming from in traffic," Mr. Moore said.
So, primed as busy people are to respond to a ring, the phone usually is the first response to the question, "Where is that coming from?"

Jonathan Wolff, a retired sound designer in Lexington, Ky., who created the theme songs for "Will & Grace" and "Seinfeld," said he has unintentionally created sound mixes that generate phantom phone rings. "But I take it out if I think it's going to be annoying," he said.

While phantom rings may generate reactions from curiosity to irritation, at least explanations for the phenomenon exist. More mysterious are phantom phone vibrations, a cellphone side effect that many people said they also have experienced. It seems that having a phone set to vibrate can cause a particularly physical kind of false alarm.

Charles Maniaci, a special education teacher from Atlanta, said he used to feel phantom vibrations almost constantly. Then about a year ago he developed a lump on his thigh underneath the pocket where he kept his cellphone. "Nobody could tell me what it was," he said. For a while, he moved his phone to a belt clip. But the vibrations eventually stopped, and he moved the phone back to his pocket.

"I've thought that maybe the nerves got so irritated from the phone vibrating that this tissue grew around them," he said. "That's what the body does, it grows tissue around things to protect them. But it's exactly where I used to keep the phone."

From rforno at infowarrior.org Thu May 4 16:46:50 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 04 May 2006 16:46:50 -0400
Subject: [Infowarrior] - Tucows under DDOS attack
Message-ID:

(from Anonymous, noting that they've not seen this discussed in the MSM yet.)

*******

Begin forwarded message:

From:
Date: May 4, 2006 2:42:18 PM EDT
To:
Subject: Update [Service Performance]-04/05/2006

Greetings,

Yesterday, beginning at approximately 1600 UTC, a distributed denial of service (DDOS) attack using recursive name servers was launched against Tucows DNS system.
The target of the attack was a single domain using Tucows DNS but registered through another registrar. As a result of this attack, Managed DNS was offline until approximately 0800 UTC today.

Because the attack was unusually aggressive, two of Tucows' upstream providers experienced intermittent network outages. Therefore the following services had degraded performance until approximately 0300 UTC today:

* Domain Name Registration and Management
* Tucows Email and Email Defense
* Blogware
* Website Building Tools

Tucows Hosted Email solution was unaffected.

During the DDOS, Tucows took the following steps:

* Tucows DNS was renumbered.
* Tucows contacted the domain's registrar and requested that DNS be moved away from our servers. Due to the registrar's hours of operation there was a delay in contacting them to request the change.

Our operations staff noted an immediate improvement in service performance as soon as these two actions were completed.

Service providers and their customers may experience delays in service performance until DNS changes have propagated worldwide. We are contacting major ISPs to speed this process.

This outage occurred while we are in the final stages of planned bandwidth and hardware upgrades to our data centers later this month. This work continues with renewed urgency.

Malicious attacks are a common concern to all reputable providers within the Internet community. This attack was unique in terms of its aggressiveness and widespread impact.

We would like to thank everyone who contacted us for their understanding and offers of assistance. Times like this remind us that our customers are extraordinary.
Sincerely,

Judy Fields
VP, Operations
Tucows Inc

******** From 3 May 2006 ********

Subject: - DDOS Attack 05/03/2006
Date: May 4, 2006 2:02:57 AM EDT
To:

To all:

Beginning at approximately noon Wednesday May 3rd the Tucows network has been under a severe DDOS (Distributed Denial Of Service) attack whose impact has been amplified by the attack's use of recursive name servers.

The extent of the DDOS attack was enough to knock out two of the three upstream providers to our colocation facility. Because of this, for the first four and a half hours of the attack, it was assumed by all involved that this was a network outage. It was only when the upstream providers were able to recover from the initial blow that we were able to determine that it was in fact a DDOS attack.

The attack, while apparently directed at a single website, had an impact beyond its target making large portions of our network inaccessible for periods of time throughout the day. While the site under attack used our Managed DNS Service, Tucows is not the domain's registrar and as such our options for resolving without impact have been limited.

Our operations staff, along with those of both our colocation provider and their upstream providers have been working diligently to return service to normal. Our operations staff will be working through the night to make this situation as painless as possible.

I can only tell you all that I am sorry and we will continue to do everything in our power to make this better.
Regards,

Elliot Noss

From rforno at infowarrior.org Fri May 5 09:52:05 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 05 May 2006 09:52:05 -0400
Subject: [Infowarrior] - IBM demos RFID tag with privacy-protecting features
Message-ID:

http://www.networkworld.com/news/2006/050106-ibm-rfid-privacy.html

IBM demos RFID tag with privacy-protecting features

By Ann Bednarz, Network World, 05/01/06

As use of radio frequency identification technology in supply chain settings progresses, industry experts have been devising ways to address consumer privacy concerns related to item-level RFID tagging.

The latest to tackle the issue is IBM, which this week is expected to demonstrate its design for an RFID tag with a disabling feature that limits - but doesn't kill - a wireless chip's ability to broadcast item information.

The Clipped Tag gives consumers the option to disable RFID tags on items they purchase without eliminating the possibility that the tags could be used later to expedite product returns or recalls, says Paul Moskowitz, a research staff member at IBM's Watson Research Center in Hawthorne, N.Y.

The design calls for a product label with perforations "like a sheet of postage stamps," he says. After purchasing a tagged item, a consumer can tear the Clipped Tag label along the perforations to remove a portion of the tag's antenna, reducing its transmission capability.

"When you do that, you do not kill the tag completely. The chip is still there, and it has some of the antenna left. But you've just taken a tag that may have had a 30-foot range and reduced the range to just a few inches."

Once it's torn, the tag can't be read unless it's presented directly to a reader. "The tag becomes a close proximity tag rather than a long-distance tag," Moskowitz says.

By preserving the tag's functionality, retailers can still read the information stored on the chip if necessary. Typically, an item-level RFID tag stores a single Electronic Product Code (EPC).
An EPC is a 96-bit identification number that indicates a manufacturer's code and product code, along with a serial number unique to the item. Retailers and consumer goods manufacturers can link an EPC number with other supply chain data to determine information such as where an item was shipped from, how long it sat on store shelves and price history.

An EPC code isn't readily associated with a consumer's personal information, such as who bought the item or the buyer's credit card number. But privacy advocates say the association with particular items purchased is enough to compromise privacy. For example, since RFID tags don't require direct contact with a reader and can be read simultaneously, a wireless reader could potentially reveal the contents of a shopper's bag by determining the manufacturers' codes and product codes. Just as barcodes aren't encrypted, neither are EPC codes typically encrypted, according to Moskowitz.

So far, in the supply chain world, most RFID implementations involve labeling shipping cases and pallets. But before long, individual retail items will sport RFID labels, Moskowitz says. "This is where privacy becomes a concern, because RFID tags can be read at a distance and they can be read by wireless means," he says.

To address the issue, standards body EPCglobal built a kill command into the new Gen2 communications protocol for UHF tags. Retailers can execute the kill command at the point of sale - but it deactivates tags permanently. This means tags can't be revived and used to help facilitate a product return or product recall, Moskowitz says.

Another disadvantage of the kill command is that it will require retailers to manage passwords for every item, Moskowitz says. "If you have a kill command and it's not password-protected, you open yourself to vandalism. Somebody could just kill all the tags." Yet password management for item-level tags would be very difficult given the millions of items each retailer handles, he says.
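The article says a 96-bit EPC carries a manufacturer code, a product code and a per-item serial number, and that it is normally sent in the clear. The following is an added example, written for this list and not taken from the Network World article or from IBM, that makes the privacy point concrete: it packs and unpacks the EPCglobal SGTIN-96 layout (8-bit header 0x30, 3-bit filter, 3-bit partition, a 44-bit company prefix plus item reference split according to the partition table, and a 38-bit serial) and then summarises what any reader in range learns from a bag of tags. The tag values below are constructed for the example, not real products.

```python
"""Decode and encode SGTIN-96 EPCs, the 96-bit item-level tag format.

Added example for the Infowarrior list; not code from IBM or the article.
Assumes the EPCglobal SGTIN-96 bit layout; sample tag values are constructed.
"""
from collections import Counter

SGTIN96_HEADER = 0x30  # 8-bit header that identifies the SGTIN-96 scheme

# Partition value -> (company prefix bits, company prefix digits,
#                     item reference bits, item reference digits).
# Company prefix + item reference always total 44 bits and 13 digits.
PARTITIONS = {
    0: (40, 12, 4, 1),
    1: (37, 11, 7, 2),
    2: (34, 10, 10, 3),
    3: (30, 9, 14, 4),
    4: (27, 8, 17, 5),
    5: (24, 7, 20, 6),
    6: (20, 6, 24, 7),
}


def encode_sgtin96(filter_value, partition, company_prefix, item_ref, serial):
    """Pack the fields into a 96-bit integer, header in the most significant byte."""
    cp_bits, cp_digits, ir_bits, ir_digits = PARTITIONS[partition]
    if not 0 <= filter_value < 8:
        raise ValueError("filter value must fit in 3 bits")
    if company_prefix >= 10 ** cp_digits or item_ref >= 10 ** ir_digits:
        raise ValueError("company prefix or item reference too long for partition")
    if not 0 <= serial < (1 << 38):
        raise ValueError("serial must fit in 38 bits")
    value = SGTIN96_HEADER
    value = (value << 3) | filter_value
    value = (value << 3) | partition
    value = (value << cp_bits) | company_prefix
    value = (value << ir_bits) | item_ref
    value = (value << 38) | serial
    return value


def to_hex(value):
    """Render a 96-bit EPC as the 24-hex-digit string readers usually report."""
    return f"{value:024X}"


def decode_sgtin96(epc_hex):
    """Return the fields a reader recovers from a plain (unencrypted) SGTIN-96 tag."""
    value = int(epc_hex, 16)
    if value >> 88 != SGTIN96_HEADER:
        raise ValueError("not an SGTIN-96 EPC")
    filter_value = (value >> 85) & 0x7
    partition = (value >> 82) & 0x7
    cp_bits, cp_digits, ir_bits, ir_digits = PARTITIONS[partition]
    company_prefix = (value >> (38 + ir_bits)) & ((1 << cp_bits) - 1)
    item_ref = (value >> 38) & ((1 << ir_bits) - 1)
    serial = value & ((1 << 38) - 1)
    return {
        "filter": filter_value,
        "company_prefix": str(company_prefix).zfill(cp_digits),  # GS1 digits
        "item_reference": str(item_ref).zfill(ir_digits),
        "serial": serial,
    }


def bag_contents(tag_hexes):
    """What a reader in range learns: a count of (manufacturer, product) pairs.

    The serial is dropped on purpose; the article's privacy concern is that the
    manufacturer and product codes alone already reveal what is in the bag.
    """
    counts = Counter()
    for tag in tag_hexes:
        fields = decode_sgtin96(tag)
        counts[(fields["company_prefix"], fields["item_reference"])] += 1
    return counts


# Constructed sample tags (hypothetical company prefix 0614141, partition 5).
SAMPLE_TAG = to_hex(encode_sgtin96(3, 5, 614141, 812345, 6789))
SAMPLE_BAG = [
    SAMPLE_TAG,
    to_hex(encode_sgtin96(3, 5, 614141, 812345, 6790)),  # same product, next serial
    to_hex(encode_sgtin96(3, 5, 614141, 100001, 42)),    # a different product
]

if __name__ == "__main__":
    print(SAMPLE_TAG, decode_sgtin96(SAMPLE_TAG))
    for (company, item), n in bag_contents(SAMPLE_BAG).items():
        print(f"company {company} item {item}: {n} unit(s)")
```

Everything `decode_sgtin96` returns is available to any reader that can reach the tag, which is the whole reason IBM's design shortens the read range rather than trying to hide the code. Note also that the kill password the article mentions is a separate Gen2 feature and is not part of the EPC itself.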
IBM - which makes RFID middleware - developed the Clipped Tag with partners Marlen RFID and Printronix. Label manufacturer Marlen RFID has produced versions of the Clipped Tag that can be fed into standard RFID printers, such as those from Printronix.

Moskowitz, who holds 67 U.S. patents, has been working with RFID technology for 13 years. This week he's at the RFID Journal Live conference in Las Vegas demonstrating the Clipped Tag.

IBM has filed a patent application for the Clipped Tag. So far it hasn't made any decisions about how it might license the technology, Moskowitz says.

All contents copyright 1995-2005 Network World, Inc. http://www.networkworld.com

From rforno at infowarrior.org Fri May 5 22:44:10 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 05 May 2006 22:44:10 -0400
Subject: [Infowarrior] - CNN hits a new all-time low (for me)
Message-ID:

While I tend to not place much cable news in high regard these days, I am floored that CNN's Anderson Cooper has spent the past 43 minutes discussing exclusively the Rep Kennedy driving incident, drugs, and practically explained the pharmacology of Ambien...yet only mentioned the resignation of CIA Director Porter Goss (something a bit more important to the country, IMHO) as a teaser going into a commercial break.

Talk about a warped sense of priorities in the CNN newsroom.....

-rf

From rforno at infowarrior.org Sat May 6 10:55:52 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 06 May 2006 10:55:52 -0400
Subject: [Infowarrior] - Mandate for ID Meets Resistance From States
Message-ID:

Mandate for ID Meets Resistance From States

By PAM BELLUCK
http://www.nytimes.com/2006/05/06/us/06id.html?ei=5094&en=567da5a5237d1520&hp=&ex=1146974400&partner=homepage&pagewanted=print

Reacting to the Sept. 11 attacks, Congress passed the Real ID law last year, intending to make it tougher for terrorists to obtain driver's licenses and for people without proper identification to board planes or enter federal buildings.

But with the deadline for setting up the law two years away, states are frustrated. They say the law, which requires states to use sources like birth certificates and national immigration databases to verify that people applying for or renewing driver's licenses are American citizens or legal residents, will be too expensive and difficult to put in place by the May 2008 deadline. Another issue is the privacy impact of the requirement that states share, through databases, the personal information needed for a driver's license.

Concerns are so great that last week, the National Governors Association, the National Conference of State Legislatures and the American Association of Motor Vehicle Administrators issued a report saying that the states have not been given the time or money to comply with the law and that they need at least another eight years. Two states have considered resolutions calling for the law to be repealed, the New York City Council passed a resolution opposing it and New Hampshire is considering opting out entirely.

"It's absolutely absurd," said Gov. Mike Huckabee of Arkansas, chairman of the National Governors Association, which takes a stand on issues only when it has a broad consensus. "The time frame is unrealistic; the lack of funding is inexcusable."

Another concern, Mr. Huckabee, a Republican, said, is "whether this is a role that you really want to turn over to an entry-level, front-line, desk person at the D.M.V."

"If we're at a point that we need a national ID card, then let's do that," Mr. Huckabee said. "But let's not act like we're addressing this at a federal level and then blame the states if they mess it up. There's not a governor in America that wants that responsibility."
Some of the law's defenders, noting that some of the Sept. 11 hijackers had driver's licenses, say the states' complaints are unfounded.

"We passed a very workable, reasonable, common-sense piece of legislation," said Jeff Lungren, a spokesman for the law's main sponsor, Representative F. James Sensenbrenner Jr., the Wisconsin Republican who heads the House Judiciary Committee. "The American people will not stand for and should not have to allow for some state bureaucracies that do not want to try and address this gaping security hole we have."

But critics among state lawmakers say problems with the law outweigh its value against terrorists and illegal immigrants.

Grumbling has been loud in New Hampshire, where the House overwhelmingly passed a bill to opt out of Real ID, and the Senate voted Thursday to form a commission to study it. The chambers will reconcile their bills in coming weeks. Gov. John Lynch, a Democrat, supports rejecting Real ID.

"There are unanswered concerns about privacy," said Pamela Walsh, a spokeswoman for Mr. Lynch. "There are a lot of questions about cost to states for implementing this, and there are the potential unintended consequences of turning our Department of Motor Vehicle workers into agents for the Department of Homeland Security."

Many states raised objections before the law was enacted, and some say there was too little debate about the law, which was attached to a large Iraq spending bill.

The National Conference of State Legislatures says that no state is currently in complete compliance with the law because the Department of Homeland Security will not issue rules for putting it in place until later this year. A few states have introduced preliminary legislation to achieve compliance, but most are waiting for the rules to be issued.

Governor Lynch and others hope New Hampshire's action, along with complaints from other states, will encourage Congress to "look at how to revise" the law, Ms. Walsh said.
Resolutions were introduced in Kentucky and Washington State urging repeal of the law. Neither made it to a full vote, but the sponsors want to try again. "We'll be back," said Representative Toby Nixon, a Republican who sponsored the Washington resolution.

Mr. Nixon said that the law would cost his state $50 million a year and that linking data from each state would create "effectively a national citizenship database." "I can just hear the black helicopters arriving now," he said.

The sponsor of Kentucky's resolution, Representative Kathy W. Stein, a Democrat, said: "New Hampshire: is their state slogan 'Live Free or Die'? We're more of a guns, God, gays and gynecology state. But this is one of those issues where the extreme left, which I'm always characterized as, and the extreme right meet."

Indeed, in New Hampshire, those testifying in favor of rejecting Real ID included the Cato Institute and the American Civil Liberties Union.

In Virginia, a governor's commission said that "Congress must further act" to strengthen Real ID's privacy protections, limit paperwork and increase financing. It said Virginia's start-up costs could be up to $169 million, with annual costs of up to $63 million.

That compares with $40 million in federal money allocated for all states combined, said Jarrod Agen, a spokesman for the Department of Homeland Security. Mr. Agen said his department was considering states' concerns in writing the rules. But financing, timing and other major issues could be changed only by Congress.

The law's Congressional supporters say that is unlikely.

"The bill will not be opened up," said Representative Dana Rohrabacher, Republican of California, adding that if a state rejects Real ID, its residents will need passports to take domestic flights. "Any state that's opting out is opting out in doing their part in solving these national challenges, and I don't have any sympathy for them."

Mr. Lungren, the aide to Mr. Sensenbrenner, said complaints that Real ID could imperil privacy or lead to a national identification card were "not even worth responding to," because states would share information through electronic queries to one another, not a central database.

Mr. Lungren, citing a Congressional Budget Office estimate of a $100 million total cost, said states' estimates were "baseless" and "pie in the sky." And he called states' concerns about the 2008 deadline "completely ridiculous."

Real ID has defenders at the state level, even in New Hampshire. The Senate president, Theodore L. Gatsas, a Republican, supports Real ID, saying the state already adheres to many of its requirements, is slated for a $3 million federal grant to set it up, and "I'd hate to see the people from New Hampshire heading to Florida in the week of vacation and not be able to get on the plane."

The state's two congressmen, both Republicans, support Real ID, as does Senator Judd Gregg, a Republican. Senator John E. Sununu, also a Republican, opposes it.

It has clearly touched a nerve in a state where independence is so valued that New Hampshire's Constitution includes a "right of revolution."

Supporters of New Hampshire's bill include Senator Margaret Wood Hassan, a Democrat, who said that she worried that Real ID could lead to a national ID card and that "the more you centralize data, the easier it is for someone to break into it."

Representative Neal M. Kurk, a Republican who quoted Patrick Henry in a speech that helped sway the House, and who is so privacy-conscious he refused to disclose his occupation or age in an interview, said that Real ID would not demonstrably improve security because terrorists would find ways to get the cards, and that the law would mean too many compromises.

"If you say you can't board a plane without a Real ID driver's license, it's not that far of a stretch to say you can't do other things unless you have this type of identification," like get a job, he said.
"It reminds us all of '1984' and more importantly, 'Papers, please,' in the Nazi era."

Supporters of New Hampshire's bill staged a rally with Nazi regalia and fake checkpoints. The cause has also been embraced by some evangelical Christians, who say Real ID sets the stage for a number for each citizen, which, according to the Book of Revelation, presages the Apocalypse.

Some New Hampshire residents showed sympathy for the uprising. "I'm really against the federal government getting any more information from me," said Jeffrey Rabinowitz, 41, of Franklin.

But Rachel Waterman, 25, called Real ID "a good idea," adding, "I don't see the big deal."

Most people sounded like Betsey Andrews Parker, 33, of Dover. "So I'll use a passport," Ms. Parker said. "Real ID is a back door to national ID."

From rforno at infowarrior.org Sun May 7 09:32:51 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 07 May 2006 09:32:51 -0400
Subject: [Infowarrior] - Problems plague World of Warcraft
Message-ID:

Problems plague World of Warcraft

By Mark Ward
Technology Correspondent, BBC News website

Players are being left frustrated and angry by ongoing problems with online game World of Warcraft.

Some are suffering long delays to get into the game, others report countless small hold-ups during play and the disappearance of the interactive parts of the Warcraft world.

Intermittent server crashes have thrown players out of the game at key moments.

To answer criticisms, Warcraft maker Blizzard has posted a long explanation of how it is tackling the glitches.

Game over

Since it launched in November 2004, World of Warcraft has proved hugely popular and now boasts more than six million regular players around the globe.

The game lets players control different sorts of characters, including warriors, warlocks, wizards, druids and rogues and take them adventuring in the fantasy world of Azeroth.
However, some fear that this growth has come at a high price and the playability of the game is suffering as Blizzard, the company behind WoW, struggles to support those millions of players.

Greg Lastowka, a regular WoW player and an assistant professor of law at Rutgers University in New Jersey, said in the most extreme cases huge queues had formed to get into the Warcraft game world.

In one example, some members of the same guild as Mr Lastowka were attending a conference together and arranged to play WoW via computers and a 50-inch plasma screen at a local research lab.

"It sounds great, but the person with the plasma set got the pleasure of staring at the log-in screen for an hour, waiting for the server to authenticate," he said. "It's extremely, extremely frustrating."

The login delays can be particularly bad for players that control high level characters trying to complete some of the big dungeon areas in WoW. These feature tough monsters, valuable treasure and take hours to play through.

Gathering enough players together to sack these dungeons takes huge amounts of organisation - the biggest areas demand contributions from up to 40 people.

Mr Lastowka said his guild scheduled dungeon raids a week in advance but all the planning often came to naught because of the stability problems.

One player contacted by the BBC News website said these delays were particularly bad at battlegrounds where players take each other on in huge brawls.

The delays meant people often waited hours to be in the game for only a few minutes, said the player who uses the nickname Naunet in WoW.

Population boom

Jeff Woleslagle, a keen WoW player and editor at online game news site Ten Ton Hammer, said the over-loading could cause all kinds of strange errors when players got in the game.

Often, he said, loot grabbed from dead monsters took seconds to transfer from the corpse to the backpack carried by characters.
Others have complained of "layer peeling" in which players find themselves in an empty world as delays strip out the interactive elements of the game - such as monsters, computer-controlled characters and gatherable resources - which are not refreshed as characters explore.

These tiny delays often occurred at the most inconvenient times, said Mr Woleslagle. For instance, he said, they could mean that healing spells were not cast in time and player-controlled characters got overwhelmed by foes.

"It's no secret that Blizzard's a victim of its own success," he said adding that the game maker was "tight-lipped to the point of creepy" about the problems.

Mr Woleslagle said some of the problems were caused by poor management of the numbers of players on each server - each one of which is a copy of the Warcraft world.

To answer the ongoing complaints, Shane Dabiri, lead producer on the World of Warcraft development team, posted a lengthy document to the game's official forums on 3 May.

In it he said Blizzard was "not happy" with the performance of the game's 336 realms in the US and Europe. Each realm is a copy of the Warcraft game world.

He said Blizzard was adding 22 realms in North America and 30 in Europe to help manage growth. Also ongoing were upgrades to hardware and software to support existing copies of the world.

Blizzard also planned to start a migration scheme which would let players, for a fee, move to a server so they can adventure with their friends.

Finally, he said, Blizzard was moving to improve the log-in system to reduce delays. He said a new authentication system was being rolled out that should be in place in the US and Europe by the end of May.

Mr Dabiri wrote: "We feel it's unacceptable when even one player can't enter the game, gets unexpectedly disconnected at a key moment, or experiences any other interruptions while playing."

Story from BBC NEWS:
http://news.bbc.co.uk/go/pr/fr/-/1/hi/technology/4974456.stm

Published: 2006/05/05 09:59:17 GMT

© BBC MMVI

From rforno at infowarrior.org Tue May 9 07:53:35 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 09 May 2006 07:53:35 -0400
Subject: [Infowarrior] - Expert: McAfee Mac Security Report Is 'Scaremongering'
Message-ID:

(c/o D)

NewsFactor Network

Expert: McAfee Mac Security Report Is 'Scaremongering'

By Walaika K. Haskins
May 8, 2006 9:15AM

Andrew Jaquith, an analyst at the Yankee Group, called the McAfee report "sloppily written and sloppy in its use of statistics." It is, he said, "a speculative house of cards resting on a foundation of shaky statistics and questionable assumptions."

< snip >

From rforno at infowarrior.org Tue May 9 08:01:50 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 09 May 2006 08:01:50 -0400
Subject: [Infowarrior] - Change in Microsoft Vista security system promises Windows migration headaches
In-Reply-To:
Message-ID:

This story appeared on Network World at
http://www.networkworld.com/news/2006/050806-microsoft-vista.html

Change in Microsoft Vista security system promises Windows migration headaches

By John Fontana, Network World, 05/08/06

Corporate users with third-party, Windows-based authentication systems such as VPNs could face a difficult transition to Microsoft's Vista because of an overhaul of the core Windows logon architecture, according to independent software vendors and analysts.

The good news for users is that those same observers say Vista, which is being touted for its security features, will eventually deliver a more secure and flexible authentication architecture than exists today in Windows.

But ISVs say rewriting their code for the new architecture will produce headaches that will extend to their customers that have deployed strong authentication such as biometrics or tokens, enterprise single sign-on and a number of other systems integrated with the Windows authentication architecture.
"Not only the vendors, but the customers that have [authentication systems] already deployed are going to go through a lot of pain," says one ISV who asked not to be named. "We knew there were going to be changes, but we didn't know there would be wholesale changes."

Users will have to go through testing periods after vendors deliver new interfaces for their products. During migrations, users will have key security infrastructures that straddle two different authentication environments, one for Vista and one for earlier versions of Windows, until migrations are complete. They also will have to support different client-side code and separate interfaces that will present retraining issues, experts say.

In addition, users with any homegrown authentication mechanisms linked to Windows will have to rewrite their code from the ground up.

ISVs also have to completely rewrite and certify the custom code they write to interface with Winlogon, the Windows process that manages logon and logoff. That task will be painful in part because ISVs say Vista's new authentication architecture is incomplete in the beta released in February. The new architecture, called Winlogon Re-Architecture, includes a model for building modules called Credential Provider.

The February CTP also was the first time Microsoft included in the release notes the fact that the GINA architecture had been abandoned even though the company had started talking about it at its Professional Developers Conference last September.

The previous model, called Graphical Identification and Authentication (GINA), is used by ISVs such as Check Point, Cisco, Citrix, Nortel, Novell, RSA Security and Symantec to link their authentication technology into the Windows authentication architecture.

"There are things built into GINA that are not in the existing Winlogon module you get with the Vista beta," says the ISV who requested anonymity. "Other pieces must be coming in later betas.
If not, this makes the strategy of waiting for the first Vista service pack even more valid." Historically, many corporate users have waited for Service Pack 1 of a new operating system before adopting it.

The ISV says customers with multiple products that hook into GINA will have the most difficult support and migration issues.

"There will be a relatively significant migration challenge to go from a GINA-dependent architecture to the new Vista authentication interfaces," says the ISV, adding that a systems integrator told him he "anticipates a big business in helping customers migrate."

Another systems integrator says users always have faced this danger with custom code added to Windows.

"No doubt there is going to be an impact on the industry; every time you change Windows code there is an impact on the industry," says Nelson Ruest, a consultant and systems integrator with Resolutions Enterprises in Victoria, British Columbia. "We often recommend to our customers to be very careful about custom modifications to the Windows environment. Vendors' GINA integrations are 100% custom code," he says.

Ruest says Vista will replace a GINA architecture - which dates back to Windows NT - that has problems of its own.

The issue over the Vista authentication architecture began to emerge last week when RSA CEO Art Coviello lamented in a press interview the fact that Vista is not providing native support initially for RSA's SecurID for Windows. RSA refused to comment further, but the company will have to rewrite its GINA code using the Credential Provider model.

Microsoft also refused comment on Coviello's remarks. A company spokesman says the strategic direction now is Smart Cards, which Microsoft is supporting natively in Vista.

The GINA model is a Dynamic Link Library file that displays in Windows the "Press Ctrl+Alt+Del to log on" screen and accepts a username and password.
The Credential Provider model is based on .Net, Component Object Model and Windows Shell Extensions, and supports the creation of modules that plug into Winlogon. The GINA model is based on Win32, but Windows can run only one copy of it. A complex method called chaining is required to support the use of multiple GINA models.

Vendors can modify GINA to include their interface on the logon screen or write their own GINA to replace the logon interface completely. With Credential Provider, vendors will not be able to replace the logon user interface.

"To extend authentication we need to move away from GINA," says Austin Wilson, director of product management for Windows client at Microsoft. He said GINA replacements are difficult to write and often present problems when service packs and security fixes are applied to the operating system. Those issues are solved in the Credential Provider model, Wilson says.

He said all the tools needed to write Credential Providers are in the Vista beta today, but he did acknowledge that there would not be any backward compatibility for GINA.

"ISVs have to write [Credential Providers], and customers have to move to them, but in the long run it should provide more flexibility, stability and a more consistent experience," Wilson says.

Some analysts say given the inevitability of change, the next move is up to vendors and users.

"This is a wake-up call for the vendors," says Phil Schacter, vice president and group services director for the Burton Group. "For users the question is, do I roll out a GINA architecture in parallel at the same time I bet on Vista and its different architecture?"
From rforno at infowarrior.org Tue May 9 20:46:27 2006 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 09 May 2006 20:46:27 -0400 Subject: [Infowarrior] - Music industry in UK: "it's okay to legally copy music" Message-ID: Legalise personal music copying, says BPI By Andrew Murray-Watson (Filed: 07/05/2006) http://www.telegraph.co.uk/money/main.jhtml?xml=/money/2006/05/07/cnbpi07.xml&menuId=242&sSheet=/money/2006/05/07/ixcitytop.html The British music industry is to recommend to the Government that consumers be allowed to legally copy music without fear of prosecution. The BPI, the body that represents British record companies, believes copyright on CDs and records should be changed to allow consumers to copy music if it is for personal use. Currently, it is technically illegal for anyone to copy a CD onto their computer for the purposes of downloading music onto their own portable music player. In its submission to the Gowers Review - the independent review body set up by the Treasury to examine the UK's intellectual property framework - the BPI has asked for the issue of this area of music copyright to be addressed. It is believed the organisation, which represents the likes of EMI and Sanctuary, prefers the option of altering copyright protections on music without the requirement for a change in legislation. The BPI has vigorously prosecuted consumers who share music illegally over the internet using peer-to-peer (P2P) websites. It wants the current legislative protections to remain in place for these music "pirates", but believes allowances should be made for individuals who simply want to copy music for their own use. "This is about the UK music industry responding effectively to the changing way music is consumed," said a senior industry figure yesterday. If Gowers endorses the BPI's preferred solution to the issue of copying music, it will lead to one of the most significant changes in UK copyright law in decades. 
Some of the UK's existing music copyright laws date back nearly 100 years, to the days when the gramophone was cutting-edge technology. The Gowers Review, led by Andrew Gowers, the former editor of the Financial Times, will look to update a raft of antiquated laws and address the contentious issue of artists losing copyright protection on recorded music after 50 years. From rforno at infowarrior.org Wed May 10 10:20:06 2006 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 10 May 2006 10:20:06 -0400 Subject: [Infowarrior] - USG: Computers' Loyalty Questioned Message-ID: Computers' Loyalty Questioned Speaking of how just about everything -- and not just low-tech stuff -- is made in China these days, it seems the State Department has decided to buy 16,000 computers from Lenovo, a Chinese-owned company. This set off the security sensors at the U.S.-China Economic and Security Review Commission, especially over 900 of the computers that are to be part of a classified network that would carry Pentagon as well as secret State Department information. That, in turn, set off the sensors in the office of Rep. Frank R. Wolf (R-Va.). Wolf last week wrote the secretary of state to say he was "distressed to learn that your department may be jeopardizing this [$4.2 billion] investment in a secure [information technology] infrastructure." "These computers should not be used in the classified network," Wolf wrote. 
< snip > http://www.washingtonpost.com/wp-dyn/content/article/2006/05/09/AR2006050901593_pf.html From rforno at infowarrior.org Wed May 10 10:25:25 2006 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 10 May 2006 10:25:25 -0400 Subject: [Infowarrior] - Spot a Bug, Go to Jail Message-ID: Spot a Bug, Go to Jail http://www.wired.com/news/columns/circuitcourt/1,70857-0.html By Jennifer Granick| Also by this reporter 02:00 AM May, 10, 2006 A new federal prosecution again raises the issue of whether computer security experts must fear prison time for investigating and reporting vulnerabilities. On April 28, 2006, Eric McCarty was arraigned in U.S. District Court in Los Angeles. McCarty is a professional computer security consultant who noticed that there was a problem with the way the University of Southern California had constructed its web page for online applications. A database programming error allowed outsiders to obtain applicants' personal information, including Social Security numbers. For proof, the man copied seven applicants' personal records and anonymously sent them to a reporter for SecurityFocus. The journalist notified the school, the school fixed the problem, and the reporter wrote an article about it. The incident might have ended there, but didn't. The school went through its server logs and easily traced the activity back to McCarty, who had made no attempt to hide his tracks. The FBI interviewed McCarty, who explained everything to the agents. Then the U.S. Attorney's Office in Los Angeles charged the security expert with violating 18 U.S.C. 1030, the federal computer crime law. Will they ever learn? In 2002, the U.S. Attorney in Texas charged Stefan Puffer with violating section 1030 after Puffer demonstrated to the Harris County District Court clerk that the court's wireless network was readily accessible to attackers. The prosecution claimed that Puffer, a security consultant, unlawfully accessed the system. 
Puffer argued that he was trying to help the county. A jury acquitted Puffer in about 15 minutes. In 2004, Bret McDanel was convicted of violating section 1030 when he e-mailed truthful information about a security problem to the customers of his former employer. The prosecution argued that McDanel had accessed the company e-mail server by sending the messages, and that the access was unauthorized within the meaning of the law because the company didn't want this information distributed. They even claimed the integrity of the system was impaired because a lot more people (customers) now knew that the system was insecure. Notwithstanding the First Amendment's free speech guarantees, the trial judge convicted and sentenced McDanel to 16 months in prison. I represented him on appeal, and argued that reporting on security flaws doesn't impair the integrity of computer systems. In an extremely unusual turn of events, the prosecution did not defend its actions, but voluntarily moved to vacate the conviction. The McCarty prosecution, brought by the same office that so egregiously mishandled the McDanel incident, is in the same vein. As with Puffer and McDanel, the government will have to prove not only that McCarty accessed the school system without authorization, but also that he had some kind of criminal intent. Likely, they will point to the fact that McCarty copied some applicant records. "It wasn't that he could access the database and showed that it could be bypassed," Michael Zweiback, an assistant attorney for the Department of Justice's cybercrime and intellectual property crimes section, told the SecurityFocus reporter. "He went beyond that and gained additional information regarding the personal records of the applicant." But if he wanted to reveal USC's security gaffe, it's not clear what else he could have done. He had to get a sampling of the exposed records to prove that his claims were true. 
SecurityFocus reported that USC administrators initially claimed that only two database records were exposed, and only acknowledged that the entire database was threatened after additional records were shown to them. In any event, McCarty had arguably already done enough to get himself prosecuted by this Justice Department. The federal statute and copycat state laws prohibit accessing computers or a computer system without authorization, or in excess of authorization, and thereby obtaining information or causing damage. What does it mean to access a networked computer? Any communication with that computer -- even if it's simply one system asking another "are you there?" -- transmits data to the other machine. The cases say that e-mail, web surfing and port scanning all access computers. One court has even held that when I send an e-mail, not only am I accessing your e-mail server and your computer, but I'm also "accessing" every computer in between that helps transmit my message. That means the law frequently rests on the definition of "authorization." Many cases suggest that if the owner doesn't want you to use the system, for whatever reason, your use is unauthorized. In one case I took on appeal, the trial court had held that searching for airline fares on a publicly available, unprotected website was unauthorized access because the airline had asked the searcher to stop. One Western District of Washington case, Shurgard Storage Ctrs., Inc. v. Safeguard Self Storage, Inc., says that when a company employee knows he is going to leave his position to go work for a competitor, but continues to use his computer account and copy information there for the purposes of aiding his new bosses, his access is unauthorized. A federal court in Maryland went the other way in a case with similar facts: In International Association of Machinists and Aerospace Workers v. 
Werner-Matsuda, a union employee who accessed her computer account for the purposes of helping a rival union recruit members did not violate the law. The statute proscribes unauthorized access, not authorized access for unwanted purposes, said the court. What this means for McCarty is that there are ample legal reasons for the prosecution to drop the charges against him. Yet, there are also ample legal reasons why a security professional, upon finding a database flaw, might worry that the find would bring criminal charges rather than thanks. This situation must change. People need to be able to exercise a little bit of self-help before plugging their data into web forms, and security professionals who happen upon vulnerabilities shouldn't have to choose between leaving the system wide open to attack and prosecution. One solution might be to focus more heavily on whether the user has criminal intent when accessing the system. Another might be to criminalize specific activities on the computer, but not access to a public system itself. A third might be to define unlawful access as the circumvention of some kind of security measure. As we have more cases like McCarty's, McDanel's and Puffer's, perhaps security professionals will pressure state legislatures and Congress to improve the computer crime laws. - - - Jennifer Granick is executive director of the Stanford Law School Center for Internet and Society, and teaches the Cyberlaw Clinic. From rforno at infowarrior.org Wed May 10 13:14:37 2006 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 10 May 2006 13:14:37 -0400 Subject: [Infowarrior] - DHS reinventing the wheel? Message-ID: From this Fed Register entry pertaining to the upcoming DHS Data Privacy and Integrity Advisory Committee Public Meeting: "The Committee is researching effective means to receive public comments during their public meetings." 
Is it just me expecting too much that DHS look to other similar federal advisory committees or the Library of Congress to see how they've handled receiving public comments in the past? Or must DHS let a million-plus-dollar contract to a Beltway Bandit to determine the best way to reinvent the wheel? Talk about the Not-Invented-Here Syndrome! Full Fed Register entry http://cryptome.org/dhs051006.htm -rick Infowarrior.org From rforno at infowarrior.org Wed May 10 19:48:29 2006 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 10 May 2006 19:48:29 -0400 Subject: [Infowarrior] - An end to the software police? Message-ID: An end to the software police? By Colin Barker http://news.com.com/An+end+to+the+software+police/2100-1013_3-6070951.html Story last modified Wed May 10 16:41:11 PDT 2006 After months of delay, the ISO has finally published a standard for software asset management that may protect companies from legal and financial threats over licensing issues. The International Standards Organization finally published its standard for software asset management on Monday. In the last few years, software asset management (SAM) has become a key issue for companies trying to keep track of what tools they are using, how much they are paying in software licensing costs and, crucially, what they could save by better use of those assets. The issue has been brought into sharper focus through the activities of the Business Software Alliance (BSA), the U.K.-based Federation Against Software Theft (FAST) and companies such as Microsoft that have made clear the penalties for companies that use improperly licensed software. The new standard, called ISO/IEC 17990-1, is published jointly by the ISO and the International Electrotechnical Commission. It had been due for arrival this March, after missing its original 2005 release date. Investors in Software is one of the organizations involved in the development of the standard, which it has been working on for four years. 
The group said in a statement on its Web site: "The underlying justification for SAM is the need to apply good governance to software assets--without it, organizations could be subjected to significant risks, including legal and financial exposure." Shawn Frohlich of IIS is delighted the standard has been finally accepted. "Until Monday night, companies had no way of establishing that they were properly managing their assets. They had no way of proving it. Now they do," Frohlich said. "There is a standard to work towards." However, ISO has only published Part 1, which covers processes. The second part of the standard, covering tools, is expected later this year. Part 1 is divided into risk management, cost control and competitive advantage. For Frohlich, risk management is a key area. "You couldn't demonstrate a clean bill of health before," he said. Risk management covers issues that could arise from improper licensing, such as interruption or deterioration of IT services, legal and regulatory exposure and damage to public image. It is the latter two areas that have focused CIOs and IT managers on software asset management. Businesses that have been caught infringing on software licenses have suffered high-profile, and often very expensive, humiliation at the hands of Fast and the BSA. Frohlich believes both interest groups will welcome the new standard: "The BSA has already welcomed it, and I believe Fast is preparing something as well." Neil MacBride, BSA's vice president of legal affairs, said in a statement that the organization is "delighted that the ISO has launched this standard, and we congratulate all those in the standards and software asset management community around the world who have worked so hard to bring this to fruition." 
MacBride said it was a milestone in the global development of software management best practices and would help organizations of all sizes to ensure that they are fully software compliant and making best use of their software assets. According to the ISO, the standard will "enable an organization to prove that it is performing SAM to a standard sufficient to satisfy corporate governance requirements and ensure effective support for IT service management overall." Colin Barker reported for ZDNet UK in London. From rforno at infowarrior.org Wed May 10 19:51:31 2006 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 10 May 2006 19:51:31 -0400 Subject: [Infowarrior] - US-VISIT: We May Get Worms, But Our PR is Stellar Message-ID: US-VISIT: We May Get Worms, But Our PR is Stellar http://blog.wired.com/27BStroke6/index.blog?entry_id=1477236 Homeland Security employees are likely tasking themselves with action items following Kevin's piece on his Freedom of Information Act battle that led to the revelation that the Zotob worm took down the nation's system for registering and identifying visitors to the country, a system known as US-VISIT. At least, one should hope they are, given that the Department of Homeland Security is paying PR giant Fleishman Hillard some $13 million a year to scan the news for coverage of US-VISIT, ghost-write editorials, and educate Americans and foreigners about the benefits of the program. In all, US-VISIT may spend more than $70 million dollars over five years for the services of Fleishman Hillard flacks. According to the task order: As part of the overall plan, the contractor will provided daily media scans of the coverage on US-VISIT and related DHS programs, analyze the coverage for issues and actions, provide rapid-response counsel, draft press related materials such as releases, letters-to-the-editor, opinion pieces, etc.[?] The public education plan must continue to be targeted to reach both domestic and international audiences. 
The contract (.pdf), also obtained through a Freedom of Information Request, covers 2005-2006, with the option to extend the work order for four more years. From April 1, 2005 to March 31, 2006, US-VISIT was obligated to pay $10,429,241 for 30,000 hours of PR services. That works out to $347 per hour of 'outreach services.' That's a lot of money for PR for a system that only records exits from the country at 12 airports and 2 seaports, is somehow vulnerable to internet worms despite ostensibly being a closed network and which still doesn't inter-operate with the FBI's fingerprint DB. Just last week, Sen. Judd Gregg and Sen. Robert Byrd attached an amendment to next year's Homeland Security funding bill that would, among other things, provide $60 million to upgrade US-VISIT's fingerprint scanners. Seems that the current ones only take two fingerprints, while criminal databases contain 10. That means that trying to check a visitor's prints against criminal records works about as well as a state police officer sending the FBI close-ups of a suspect's left and right eye and asking the agency to find a match against the mugshot book. That $60 million might not make it through Congress since the administration has threatened to veto the spending bill if it comes in higher than $94.5 billion and the current version clocks in at nearly $109 billion, according to Christian Beckner at Homeland Security Watch. While the task order doesn't specifically task Fleishman Hillard with responding to blog entries, the comments are open, even to messages crafted by PR reps pulling down taxpayer dollars at the rate of $347 per hour. 
From rforno at infowarrior.org Wed May 10 20:04:01 2006 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 10 May 2006 20:04:01 -0400 Subject: [Infowarrior] - MS Strongarm Sales Tactics Message-ID: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=111186 May 08, 2006 (Computerworld) -- It's bad enough when Microsoft strong-arms other software vendors into submission as a means of thwarting competition. But when it engages in underhanded tactics to intimidate users in order to land a software deal, we have a very disturbing situation on our hands. And someone needs to have the guts to speak out about it. Fortunately, someone has. Last week, Dale Frantz, CIO at Auto Warehousing Co., brought to my attention an alarming business practice that shows Microsoft at its shoddy and arrogant worst. AWC was contacted several weeks ago by Janet Lawless, a software asset management engagement manager at Microsoft, who claimed that "a preliminary review of [AWC's software licensing] information indicates that your company may not be licensed properly." Lawless urged AWC to "understand that the potential inconsistency in licensing is an urgent matter and needs immediate attention." She wanted to send a consultant to AWC to conduct an inventory of its installed software. Frantz was stunned. He says he always errs on the side of caution with respect to software licenses. He does regular audits and maintains extensive records of purchases, license keys and registration codes. Frantz had no doubt that he was 100% compliant. When he told Lawless that, she ratcheted up the threatening tone of her e-mail correspondence. "Simply commenting on your licensing environment does not address our concerns in a tangible, proven manner," she wrote. "We continue to believe that Auto Warehousing may not be licensed properly. 
Since this is a compliance issue, I am obligated to notify an officer of Auto Warehousing of the situation and the significant risk your organization may be subject to by not resolving this situation in a timely manner." At that point, Frantz got his corporate attorney involved. The attorney suggested that an olive branch be proffered to avoid legal action, so Frantz offered to send Lawless detailed records of all purchases of Microsoft software in the past five years. But Lawless blew that off as well. She seemed determined to get a consultant into the IT bowels of AWC. "Thank you for your offer to send your purchase records to me," she wrote, "however our Software Asset Management (SAM) program is the only unbiased way to create an accurate baseline and resolve this matter." That did it. Frantz informed Lawless that he wasn't going to waste any more time with her, and he left the matter with his attorney. The attorney, suspecting that Lawless' actions were part of an elaborate sales effort, basically told her to back off. Indeed, according to Microsoft's Web site, the responsibility of someone with Lawless' title of "engagement manager" is to "perform as an integrated member of the account team, drive business development and closing of new services engagements in targeted accounts." So why was someone in a sales position leaning so hard on AWC about a supposed licensing compliance concern? When I phoned Lawless to find out, she referred me to Microsoft's PR machine. The responses I got through that channel stressed that Microsoft's aim is to help customers navigate the complexities of software licensing and that one of the roles of engagement managers is to assist in that effort by informing customers of a potential licensing risk. I was told to attribute the responses to Lawless. The fact is, if Microsoft really has reason to believe that a company is using unlicensed copies of its software, it sics the Business Software Alliance on the company. 
It doesn't turn the matter over to one of its sales managers. The folks at Microsoft should have done their homework. They would have realized that trying to intimidate Dale Frantz would be a fruitless effort. And what a rotten fruitless effort it was. Don Tennant Don Tennant is editor in chief of Computerworld. Contact him at don_tennant at computerworld.com. From rforno at infowarrior.org Wed May 10 21:37:59 2006 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 10 May 2006 21:37:59 -0400 Subject: [Infowarrior] - Congress targets social network sites Message-ID: Congress targets social network sites By Declan McCullagh http://news.com.com/Congress+targets+social+network+sites/2100-1028_3-6071040.html Story last modified Wed May 10 18:10:01 PDT 2006 MySpace.com has recently found itself pummeled by critical media reports describing how teens are divulging personal information without much thought to the consequences. A Newsweek article in January was titled "Predator's Playground?" A Dateline NBC report last month warned that teens using MySpace--now part of Rupert Murdoch's News Corp. and boasting some 80 million users--are not as safe "as they think." Now MySpace and other social networking sites like LiveJournal.com and Facebook are facing a new threat: A proposed federal law that would effectively require most schools and libraries to render those Web sites inaccessible to minors, an age group that includes some of the category's most ardent users. "When children leave the home and go to school or the public library and have access to social networking sites, we have reason to be concerned," Rep. Mike Fitzpatrick, a Pennsylvania Republican, told CNET News.com in an interview. 
Fitzpatrick and fellow Republicans, including House Speaker Dennis Hastert, on Wednesday endorsed new legislation that would cordon off access to commercial Web sites that let users create public "Web pages or profiles" and also offer a discussion board, chat room, or e-mail service. That's a broad category that covers far more than social networking sites such as Friendster and Google's Orkut.com. It would also sweep in a wide range of interactive Web sites and services including Blogger.com, AOL and Yahoo's instant messaging features, and Microsoft's Xbox 360, which permits in-game chat. Fitzpatrick's bill, called the Deleting Online Predators Act, is part of a new, poll-driven effort by Republicans to address topics that they view as important to suburban voters. Republican pollster John McLaughlin polled 22 suburban districts and presented his research at a retreat earlier this year. Rep. Mark Kirk, an Illinois Republican, is cosponsoring the measure. The group, which is calling itself the "Suburban Caucus," convened a press conference on Wednesday to announce new legislation it hopes will rally conservative supporters--and prevent the Democrats from retaking the House of Representatives during the November mid-term election. For its part, MySpace has taken steps in recent weeks to assuage concerns among parents and politicians (Massachusetts Attorney General Tom Reilly also took aim at MySpace this week). It has assigned about 100 employees, about one-third of its workforce, to deal with security and customer care, and hired Hemanshu (Hemu) Nigam, a former Justice Department prosecutor as chief security officer last month. "We have been working collaboratively on security and safety issues with an array of government agencies, law enforcement and educational groups, nonprofits and leading child safety organizations," said Rick Lane, vice president for government affairs at MySpace owner News Corp. 
"We've also met with several state and federal legislators and are working with them to address their concerns. We hope this healthy dialogue will continue." Fitzpatrick, who represents a suburban district outside Philadelphia, acknowledged that MySpace "is working" on this. Still, he said, children are "unattended on the Internet through the course of the day" when they're at libraries and schools. "My bill is both timely and needed and will be very well accepted, certainly by the constituents I represent," Fitzpatrick said. Backers of the proposal argue, however, that it's necessary to protect children. Hastert said on Wednesday that it "would put filters in schools and libraries so that kids can be protected... We've all heard stories of children on some of these social websites meeting up with dangerous predators. This legislation adds another layer of protection." To curb teenage access to interactive Web sites, Republicans chose to target libraries and schools by expanding a federal law called the Children's Internet Protection Act. That law, signed by President Clinton in December 2000, requires schools and libraries that receive federal funding to block access to off-color materials. Librarians challenged it in federal court on First Amendment grounds, and the U.S. Supreme Court upheld the law by a 6-3 vote in June 2003. The Deleting Online Predators Act, or DOPA, would add an additional requirement. 
It says that libraries, elementary and secondary schools must prohibit "access to a commercial social networking Web site or chat room through which minors" may access sexual material or be "subject to" sexual advances. Those may be made available to an adult or a minor with adult supervision "for educational purposes." Lynne Bradley, director of the American Library Association's office of government relations, said she was still reviewing the legislation. She added that: "We're as protective of kids as any other protection in this whole field, but we do know there are legitimate uses (of social networking sites)." "ALA is always in favor of having quality and detailed education on how best to use the Internet and these other digital tools and the best user is an informed user that knows the risks, how to avoid them, and knows how to keep him or herself safe," Bradley said. According to the Federal Communications Commission, there have been 25,707 agreements to provide federal funding to school districts or individual schools, and 3,902 agreements to libraries or library systems. The ALA estimates that as many as two-thirds of libraries receive federal funding and would be affected by DOPA. DOPA would also require the Federal Trade Commission to set up a Web site about the "potential dangers posed by the use of the Internet by children" and order the Federal Communications Commission to create a committee and publish a list of Web sites "that have been known to allow sexual predators" access to minors' personal information. Rosa Aronson, director of advocacy for the National Association of Secondary School Principals also said her organization did not currently have a position on DOPA. "We are grappling with the tension between promoting our normal policy, which is to promote local control for schools, and on the other end of the spectrum, there is the issue of protection of students," Aronson said. 
Adam Thierer, a senior fellow at the free-market Progress & Freedom Foundation, was not as reticent. "This is the next major battlefield in the ongoing Internet censorship wars: social networking Web sites," he said. "Many in government will want to play the role of cyber traffic cop here, just as they have for other types of speech on the Internet," Thierer said, adding that it will "chill legitimate forms of speech or expression online." Laws restricting Web sites tend to be challenged in the courts. The ALA, for instance, sued to overturn the Communications Decency Act in 1996 and the library-filtering requirement a few years later. But DOPA seems to have been written to benefit from the high court's 2003 ruling that library filtering was permissible. Bob Corn-Revere, a partner at the law firm of Davis Wright Tremaine who has argued before the Supreme Court, said the eventual fate of DOPA may depend on whether it's implemented narrowly or broadly. Even so, Corn-Revere said, "treating MySpace sites like poison seems like an extreme overreaction." CNET News.com's Anne Broache contributed to this report. Copyright © 1995-2006 CNET Networks, Inc. All rights reserved. From rforno at infowarrior.org Wed May 10 21:40:13 2006 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 10 May 2006 21:40:13 -0400 Subject: [Infowarrior] - Hacker fears Guantanamo Bay as judge urges his extradition Message-ID: Hacker fears wrath of US court as judge urges his extradition By Fran Yeoman http://www.timesonline.co.uk/article/0,,2-2174677,00.html Gary McKinnon leaves Bow Street Magistrates' Court yesterday after a judge recommended that he be extradited to the US (DAVID BEBBER) A BRITISH man accused of the biggest military hacking operation yet faces trial in the US after a judge recommended him for extradition yesterday. Gary McKinnon believes that he could be sent to Guantanamo Bay and tried by a military tribunal if his extradition goes ahead. 
He said that he was "practically already hung and quartered" if US government claims that he would face a federal court in Virginia proved correct. Mr McKinnon, 40, is alleged to have caused $700,000 (£375,000) of damage in 2001-02 by hacking into US military computers, including army, navy, Pentagon and Nasa systems, using software available on the internet. At Bow Street Magistrates' Court in London yesterday, District Judge Nicholas Evans said that Mr McKinnon, of Wood Green, North London, should be recommended for extradition. The case is expected to be passed to John Reid, the Home Secretary, for a final decision. The US Government said it had given assurances that it would not make Mr McKinnon subject to "Military Order No 1", which allows President Bush to detain suspects indefinitely. But outside court, Mr McKinnon said that he remained fearful. "As one person has said to me, most people in Guantanamo have not been proved to be terrorists but allegedly I directly attacked the military. And Virginia is famously conservative. I'm practically already hung and quartered over there," he said. Speaking after being released on conditional bail, he said that he had expected yesterday's ruling and was now preparing to appeal. In a direct appeal to Mr Reid, he added: "Do right by your subjects." Mr McKinnon is alleged to have stolen 950 passwords and deleted system files from computers at the Earle US Naval Weapons Station in New Jersey, shutting down the entire base for a week immediately after September 11. Although he said yesterday that he regretted his actions, he denied that he had ever intended to disrupt security. "The fact that I logged on there and there were no passwords means that there was no security. "I was amazed at the lack of security and the reason I left not just one note but multiple notes on multiple desktops was to say, 'Look, this is ridiculous'." 
When asked why he had hacked into US defence systems, Mr McKinnon, whose hacking name was Solo, said that he had been looking for evidence of UFOs. In a lengthy judgment delivered a month after April's extradition hearing, Judge Evans said that the risk of Mr McKinnon being sent to Guantanamo was "fanciful" given the assurances made on behalf of the American Government. "I have no difficulty in concluding that anyone facing extradition to the United States who faced a real risk of being charged under Military Order No 1 should not be extradited. For over 150 years we have had extradition arrangements with the United States. Many hundreds of extraditions have taken place over the years in both directions . . . It is inconceivable, given the unequivocal assurances, and all that history and extradition experience, that the Government would risk damaging, perhaps irretrievably damaging, our extradition arrangements by not honouring the assurances." The judge rejected claims under Article 8 of the European Convention on Human Rights that Mr McKinnon's right to private and family life should prevent his extradition. He told the court: "I readily accept, if convicted in the United States, the probable sentence is likely to be appreciably harsher than, in comparable circumstances, it would be in the United Kingdom. It must be obvious to any defendant that if you choose to commit a crime in a foreign country, you run the risk of being prosecuted in that country." Mr McKinnon faces seven charges of "computer fraud and related activity" in Virginia, according to the US Department of Justice website. Each charge carries a maximum sentence of ten years' imprisonment and a $250,000 fine.
From rforno at infowarrior.org Thu May 11 06:58:55 2006 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 11 May 2006 06:58:55 -0400 Subject: [Infowarrior] - NSA has massive database of Americans' phone calls Message-ID: NSA has massive database of Americans' phone calls Updated 5/11/2006 12:30 AM ET By Leslie Cauley, USA TODAY http://www.usatoday.com/news/washington/2006-05-10-nsa_x.htm The National Security Agency has been secretly collecting the phone call records of tens of millions of Americans, using data provided by AT&T, Verizon and BellSouth, people with direct knowledge of the arrangement told USA TODAY. The NSA program reaches into homes and businesses across the nation by amassing information about the calls of ordinary Americans -- most of whom aren't suspected of any crime. This program does not involve the NSA listening to or recording conversations. But the spy agency is using the data to analyze calling patterns in an effort to detect terrorist activity, sources said in separate interviews. "It's the largest database ever assembled in the world," said one person, who, like the others who agreed to talk about the NSA's activities, declined to be identified by name or affiliation. The agency's goal is "to create a database of every call ever made" within the nation's borders, this person added. For the customers of these companies, it means that the government has detailed records of calls they made -- across town or across the country -- to family members, co-workers, business contacts and others. The three telecommunications companies are working under contract with the NSA, which launched the program in 2001 shortly after the Sept. 11 terrorist attacks, the sources said. The program is aimed at identifying and tracking suspected terrorists, they said. The sources would talk only under a guarantee of anonymity because the NSA program is secret. Air Force Gen.
Michael Hayden, nominated Monday by President Bush to become the director of the CIA, headed the NSA from March 1999 to April 2005. In that post, Hayden would have overseen the agency's domestic call-tracking program. Hayden declined to comment about the program. The NSA's domestic program, as described by sources, is far more expansive than what the White House has acknowledged. Last year, Bush said he had authorized the NSA to eavesdrop -- without warrants -- on international calls and international e-mails of people suspected of having links to terrorists when one party to the communication is in the USA. Warrants have also not been used in the NSA's efforts to create a national call database. In defending the previously disclosed program, Bush insisted that the NSA was focused exclusively on international calls. "In other words," Bush explained, "one end of the communication must be outside the United States." As a result, domestic call records -- those of calls that originate and terminate within U.S. borders -- were believed to be private. Sources, however, say that is not the case. With access to records of billions of domestic calls, the NSA has gained a secret window into the communications habits of millions of Americans. Customers' names, street addresses and other personal information are not being handed over as part of NSA's domestic program, the sources said. But the phone numbers the NSA collects can easily be cross-checked with other databases to obtain that information. Don Weber, a senior spokesman for the NSA, declined to discuss the agency's operations. "Given the nature of the work we do, it would be irresponsible to comment on actual or alleged operational issues; therefore, we have no information to provide," he said. "However, it is important to note that NSA takes its legal responsibilities seriously and operates within the law." The White House would not discuss the domestic call-tracking program.
"There is no domestic surveillance without court approval," said Dana Perino, deputy press secretary, referring to actual eavesdropping. She added that all national intelligence activities undertaken by the federal government "are lawful, necessary and required for the pursuit of al-Qaeda and affiliated terrorists." All government-sponsored intelligence activities "are carefully reviewed and monitored," Perino said. She also noted that "all appropriate members of Congress have been briefed on the intelligence efforts of the United States." The government is collecting "external" data on domestic phone calls but is not intercepting "internals," a term for the actual content of the communication, according to a U.S. intelligence official familiar with the program. This kind of data collection from phone companies is not uncommon; it's been done before, though never on this large a scale, the official said. The data are used for "social network analysis," the official said, meaning to study how terrorist networks contact each other and how they are tied together.

Carriers uniquely positioned

AT&T recently merged with SBC and kept the AT&T name. Verizon, BellSouth and AT&T are the nation's three biggest telecommunications companies; they provide local and wireless phone service to more than 200 million customers. The three carriers control vast networks with the latest communications technologies. They provide an array of services: local and long-distance calling, wireless and high-speed broadband, including video. Their direct access to millions of homes and businesses has them uniquely positioned to help the government keep tabs on the calling habits of Americans. Among the big telecommunications companies, only Qwest has refused to help the NSA, the sources said. According to multiple sources, Qwest declined to participate because it was uneasy about the legal implications of handing over customer information to the government without warrants.
Qwest's refusal to participate has left the NSA with a hole in its database. Based in Denver, Qwest provides local phone service to 14 million customers in 14 states in the West and Northwest. But AT&T and Verizon also provide some services -- primarily long-distance and wireless -- to people who live in Qwest's region. Therefore, they can provide the NSA with at least some access in that area. Created by President Truman in 1952, during the Korean War, the NSA is charged with protecting the United States from foreign security threats. The agency was considered so secret that for years the government refused to even confirm its existence. Government insiders used to joke that NSA stood for "No Such Agency." In 1975, a congressional investigation revealed that the NSA had been intercepting, without warrants, international communications for more than 20 years at the behest of the CIA and other agencies. The spy campaign, code-named "Shamrock," led to the Foreign Intelligence Surveillance Act (FISA), which was designed to protect Americans from illegal eavesdropping. Enacted in 1978, FISA lays out procedures that the U.S. government must follow to conduct electronic surveillance and physical searches of people believed to be engaged in espionage or international terrorism against the United States. A special court, which has 11 members, is responsible for adjudicating requests under FISA. Over the years, NSA code-cracking techniques have continued to improve along with technology. The agency today is considered expert in the practice of "data mining" -- sifting through reams of information in search of patterns. Data mining is just one of many tools NSA analysts and mathematicians use to crack codes and track international communications. Paul Butler, a former U.S. prosecutor who specialized in terrorism crimes, said FISA approval generally isn't necessary for government data-mining operations.
"FISA does not prohibit the government from doing data mining," said Butler, now a partner with the law firm Akin Gump Strauss Hauer & Feld in Washington, D.C. The caveat, he said, is that "personal identifiers" -- such as names, Social Security numbers and street addresses -- can't be included as part of the search. "That requires an additional level of probable cause," he said. The usefulness of the NSA's domestic phone-call database as a counterterrorism tool is unclear. Also unclear is whether the database has been used for other purposes. The NSA's domestic program raises legal questions. Historically, AT&T and the regional phone companies have required law enforcement agencies to present a court order before they would even consider turning over a customer's calling data. Part of that owed to the personality of the old Bell Telephone System, out of which those companies grew. Ma Bell's bedrock principle -- protection of the customer -- guided the company for decades, said Gene Kimmelman, senior public policy director of Consumers Union. "No court order, no customer information -- period. That's how it was for decades," he said. The concern for the customer was also based on law: Under Section 222 of the Communications Act, first passed in 1934, telephone companies are prohibited from giving out information regarding their customers' calling habits: whom a person calls, how often and what routes those calls take to reach their final destination. Inbound calls, as well as wireless calls, also are covered. The financial penalties for violating Section 222, one of many privacy reinforcements that have been added to the law over the years, can be stiff. The Federal Communications Commission, the nation's top telecommunications regulatory agency, can levy fines of up to $130,000 per day per violation, with a cap of $1.325 million per violation. The FCC has no hard definition of "violation."
In practice, that means a single "violation" could cover one customer or 1 million. In the case of the NSA's international call-tracking program, Bush signed an executive order allowing the NSA to engage in eavesdropping without a warrant. The president and his representatives have since argued that an executive order was sufficient for the agency to proceed. Some civil liberties groups, including the American Civil Liberties Union, disagree.

Companies approached

The NSA's domestic program began soon after the Sept. 11 attacks, according to the sources. Right around that time, they said, NSA representatives approached the nation's biggest telecommunications companies. The agency made an urgent pitch: National security is at risk, and we need your help to protect the country from attacks. The agency told the companies that it wanted them to turn over their "call-detail records," a complete listing of the calling histories of their millions of customers. In addition, the NSA wanted the carriers to provide updates, which would enable the agency to keep tabs on the nation's calling habits. The sources said the NSA made clear that it was willing to pay for the cooperation. AT&T, which at the time was headed by C. Michael Armstrong, agreed to help the NSA. So did BellSouth, headed by F. Duane Ackerman; SBC, headed by Ed Whitacre; and Verizon, headed by Ivan Seidenberg. With that, the NSA's domestic program began in earnest. AT&T, when asked about the program, replied with a comment prepared for USA TODAY: "We do not comment on matters of national security, except to say that we only assist law enforcement and government agencies charged with protecting national security in strict accordance with the law." In another prepared comment, BellSouth said: "BellSouth does not provide any confidential customer information to the NSA or any governmental agency without proper legal authority." Verizon, the USA's No.
2 telecommunications company behind AT&T, gave this statement: "We do not comment on national security matters, we act in full compliance with the law and we are committed to safeguarding our customers' privacy." Qwest spokesman Robert Charlton said: "We can't talk about this. It's a classified situation." In December, The New York Times revealed that Bush had authorized the NSA to wiretap, without warrants, international phone calls and e-mails that travel to or from the USA. The following month, the Electronic Frontier Foundation, a civil liberties group, filed a class-action lawsuit against AT&T. The lawsuit accuses the company of helping the NSA spy on U.S. phone customers. Last month, U.S. Attorney General Alberto Gonzales alluded to that possibility. Appearing at a House Judiciary Committee hearing, Gonzales was asked whether he thought the White House has the legal authority to monitor domestic traffic without a warrant. Gonzales' reply: "I wouldn't rule it out." His comment marked the first time a Bush appointee publicly asserted that the White House might have that authority.

Similarities in programs

The domestic and international call-tracking programs have things in common, according to the sources. Both are being conducted without warrants and without the approval of the FISA court. The Bush administration has argued that FISA's procedures are too slow in some cases. Officials, including Gonzales, also make the case that the USA Patriot Act gives them broad authority to protect the safety of the nation's citizens. The chairman of the Senate Intelligence Committee, Sen. Pat Roberts, R-Kan., would not confirm the existence of the program. In a statement, he said, "I can say generally, however, that our subcommittee has been fully briefed on all aspects of the Terrorist Surveillance Program. ... I remain convinced that the program authorized by the president is lawful and absolutely necessary to protect this nation from future attacks."
The chairman of the House Intelligence Committee, Rep. Pete Hoekstra, R-Mich., declined to comment.

One company differs

One major telecommunications company declined to participate in the program: Qwest. According to sources familiar with the events, Qwest's CEO at the time, Joe Nacchio, was deeply troubled by the NSA's assertion that Qwest didn't need a court order -- or approval under FISA -- to proceed. Adding to the tension, Qwest was unclear about who, exactly, would have access to its customers' information and how that information might be used. Financial implications were also a concern, the sources said. Carriers that illegally divulge calling information can be subjected to heavy fines. The NSA was asking Qwest to turn over millions of records. The fines, in the aggregate, could have been substantial. The NSA told Qwest that other government agencies, including the FBI, CIA and DEA, also might have access to the database, the sources said. As a matter of practice, the NSA regularly shares its information -- known as "product" in intelligence circles -- with other intelligence groups. Even so, Qwest's lawyers were troubled by the expansiveness of the NSA request, the sources said. The NSA, which needed Qwest's participation to completely cover the country, pushed back hard. Trying to put pressure on Qwest, NSA representatives pointedly told Qwest that it was the lone holdout among the big telecommunications companies. It also tried appealing to Qwest's patriotic side: In one meeting, an NSA representative suggested that Qwest's refusal to contribute to the database could compromise national security, one person recalled. In addition, the agency suggested that Qwest's foot-dragging might affect its ability to get future classified work with the government. Like other big telecommunications companies, Qwest already had classified contracts and hoped to get more.
Unable to get comfortable with what NSA was proposing, Qwest's lawyers asked NSA to take its proposal to the FISA court. According to the sources, the agency refused. The NSA's explanation did little to satisfy Qwest's lawyers. "They told (Qwest) they didn't want to do that because FISA might not agree with them," one person recalled. For similar reasons, this person said, NSA rejected Qwest's suggestion of getting a letter of authorization from the U.S. attorney general's office. A second person confirmed this version of events. In June 2002, Nacchio resigned amid allegations that he had misled investors about Qwest's financial health. But Qwest's legal questions about the NSA request remained. Unable to reach agreement, Nacchio's successor, Richard Notebaert, finally pulled the plug on the NSA talks in late 2004, the sources said. Contributing: John Diamond

From rforno at infowarrior.org Thu May 11 07:00:03 2006 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 11 May 2006 07:00:03 -0400 Subject: [Infowarrior] - Fractured phone system consolidating once again Message-ID: Fractured phone system consolidating once again Updated 5/11/2006 12:30 AM ET By Leslie Cauley, USA TODAY http://www.usatoday.com/news/washington/2006-05-10-phone-history_x.htm AT&T's relationship with the federal government has been a century in the making. The company was founded in 1885 and over the next century became the nation's de facto phone monopoly. At its peak in the early 1980s, it employed 1 million people. In 1984, the Bell Telephone System was broken up by a court decree. AT&T's local operating companies -- there were 22 in all -- were grouped into seven "regional Bells" and spun off as separate companies. Each had monopoly control over local phone service in a specific region of the country. The parent company, AT&T -- originally called the American Telephone & Telegraph Co. -- was also spun off. Its business was exclusively long-distance service.
Since then, Ma Bell has been largely reconstituted. Today's AT&T is an amalgam of three Bells: Ameritech, Southwestern Bell and Pacific Telesis, plus AT&T, which is essentially the long-distance arm of the company. The carrier recently announced plans to buy BellSouth, another of the original seven regional Bells, for $67 billion. Once the BellSouth deal closes, AT&T will cement its position as the nation's biggest communications company. It will also assume control of Cingular, the nation's biggest cellphone carrier with more than 45 million customers. Verizon isn't far behind. The carrier, based in New York, is the result of mergers of two Bells -- Nynex and Bell Atlantic -- plus GTE and MCI. Verizon also controls the No. 2 wireless carrier, Verizon Wireless. BellSouth is the smallest of the lot. But its local phone territory covers the sprawling Southeast -- nine states in one of the fastest-growing regions in the USA today. That leaves Qwest. The carrier, based in Denver, is the product of a merger between one of the seven regional Bells, US West, plus Qwest, a long-distance carrier. Qwest provides service in a 14-state region in the West and Northwest.

From rforno at infowarrior.org Thu May 11 07:23:30 2006 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 11 May 2006 07:23:30 -0400 Subject: [Infowarrior] - Blizzard sued for WoW player's suicide in China Message-ID: Parents sue game firm in China after son's suicide http://www.washingtonpost.com/wp-dyn/content/article/2006/05/11/AR2006051100350_pf.html Reuters Thursday, May 11, 2006; 7:14 AM BEIJING (Reuters) - The parents of a 13-year-old boy who killed himself after playing a computer game for 36 hours are suing the game's licensed Chinese distributor for 100,000 yuan ($12,500), a Chinese newspaper reported on Thursday. In 2004, Zhang Xiaoyi, from the northern Chinese city of Tianjin, jumped out of a window of his family's 24th floor apartment after playing Warcraft at an internet cafe.
His parents said in a legal writ that China Cyber Port Co. Ltd.'s failure to clearly warn of the inherent "dangers" of Warcraft -- a game produced by American company Blizzard Entertainment -- was responsible for their son's death, the Beijing Times reported. "In America, Warcraft has a 'T' rating, where it's only suitable for children over 13... but we weren't aware," the paper quoted the parents as saying. The parents said that China Cyber Port clearly knew that the "violent" and "bloody" content of Warcraft was unsuitable for minors. They should have warned people about the risks of addiction and "taken measures to prevent players from over-indulging themselves," they said. Apart from seeking damages, the parents demanded that packaging and materials for all Warcraft games distributed in China refer to the game's "level of violence" and have clear, written health warnings. "This is a public interest case," said Zhang Chunliang, an online addiction activist, in support of the parents. "We are appealing to the country to build a healthy and complete game regulation system." Computer and online gaming has exploded in China in recent years, with an estimated 13.8 million people taking part. Amid growing concern that more and more young people are becoming hooked, China has issued a raft of regulations aimed at curbing excessive game playing at internet cafes and heavily fining owners that admit minors. ($1=8.003 Yuan) ©
2006 Reuters

From rforno at infowarrior.org Thu May 11 10:33:22 2006 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 11 May 2006 10:33:22 -0400 Subject: [Infowarrior] - Security Issue Kills Domestic Spying Probe In-Reply-To: Message-ID: (via IP) Security Issue Kills Domestic Spying Probe By DEVLIN BARRETT, Associated Press Writer 2 hours, 22 minutes ago WASHINGTON - The government has abruptly ended an inquiry into the warrantless eavesdropping program because the National Security Agency refused to grant Justice Department lawyers the necessary security clearance to probe the matter. The Justice Department's Office of Professional Responsibility, or OPR, sent a fax to Rep. Maurice Hinchey, D-N.Y., on Wednesday saying they were closing their inquiry because without clearance their lawyers cannot examine Justice lawyers' role in the program. "We have been unable to make any meaningful progress in our investigation because OPR has been denied security clearances for access to information about the NSA program," OPR counsel H. Marshall Jarrett wrote to Hinchey. Hinchey's office shared the letter with The Associated Press. Jarrett wrote that beginning in January, his office has made a series of requests for the necessary clearances. Those requests were denied Tuesday. "Without these clearances, we cannot investigate this matter and therefore have closed our investigation," wrote Jarrett. Justice Department spokesman Brian Roehrkasse said the terrorist surveillance program "has been subject to extensive oversight both in the executive branch and in Congress from the time of its inception." Roehrkasse noted the OPR's mission is not to investigate possible wrongdoing in other agencies, but to determine if Justice Department lawyers violated any ethical rules. He declined to comment when asked if the end of the inquiry meant the agency believed its lawyers had handled the wiretapping matter ethically.
Hinchey is one of many House Democrats who have been highly critical of the domestic eavesdropping program first revealed in December. He said lawmakers would push to find out who at the NSA denied the Justice Department lawyers security clearance. "This administration thinks they can just violate any law they want, and they've created a culture of fear to try to get away with that. It's up to us to stand up to them," said Hinchey. In February, the OPR announced it would examine the conduct of its own agency's lawyers in the program, though they were not authorized to investigate NSA activities. Bush's decision to authorize the largest U.S. spy agency to monitor people inside the United States, without warrants, generated a host of questions about the program's legal justification. The administration has vehemently defended the eavesdropping, saying the NSA's activities were narrowly targeted to intercept international calls and e-mails of Americans and others inside the U.S. with suspected ties to the al-Qaida terror network. Separately, the Justice Department sought last month to dismiss a federal lawsuit accusing the telephone company AT&T of colluding with the Bush administration's warrantless wiretapping program. The lawsuit, brought by an Internet privacy group, does not name the government as a defendant, but the Department of Justice has sought to quash the lawsuit, saying it threatens to expose government and military secrets. 
http://news.yahoo.com/s/ap/20060510/ap_on_go_ca_st_pe/domestic_spying

From rforno at infowarrior.org Thu May 11 11:13:55 2006 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 11 May 2006 11:13:55 -0400 Subject: [Infowarrior] - ICANN chokes off .xxx porn registry Message-ID: Original URL: http://www.theregister.co.uk/2006/05/11/icann_kills_xxx/ ICANN chokes off .xxx porn registry By Kieren McCarthy Published Thursday 11th May 2006 11:49 GMT Plans for an area of the internet dedicated to pornography were killed last night in a vote by overseeing organisation ICANN. In a split 9-5 board decision (http://www.icann.org/announcements/announcement-10may06.htm), the organisation acted ruthlessly, against its own previous position, in order to put an end to an increasingly difficult and controversial issue - the approval of a .xxx top-level domain. The .xxx registry application has been the focus of enormous political pressure on ICANN for the past six months and was used at one point as a political football in a wider tussle for power within the internet. Despite everything that has been written and will continue to be written about the application however, two simple facts need to be recognised:

* 1. The US government, despite its constant denials, has been the driving force in preventing the .xxx registry from being approved thanks to a campaign of right-wing Christians with close links to the current administration.

* 2. The company behind .xxx, ICM Registry, has done all that has been asked of it in order to answer people's concerns, but has had its efforts ignored or misrepresented by those opposed to the registry.

The history of the .xxx domain has been long and incredibly complex, with its approval constantly delayed or stymied for increasingly untenable reasons. It has also exposed ICANN's flawed decision-making processes and revealed the hidden hand behind what is supposed to be an autonomous organisation overseeing the internet.
ICANN has had to decide against its own recommendations, and has been caught in a web of conflicting statements. A huge campaign against .xxx has seen ICANN's public comment board for the registry flooded (http://forum.icann.org/lists/xxx-tld-agreement/index.html) in recent days by hundreds of posters with little or no understanding of the .xxx bid, but all stating their opposition to its approval. The same campaign has been raging for months, with one ICANN Board member sent threatening letters due to an assumed bias for the registry. What happened behind the scenes was that the US administration told ICANN chairman Vint Cerf and head Paul Twomey that it did not approve of the domain, but due to the difficult political position that it would put both ICANN and the US government in were it to be seen to be directing internet policy (against its publicly stated "hands off" policy), there has been a carefully co-ordinated effort to kill the registry through delay. The final crunch came in a series of letters last week, and only just released, between the Government Advisory Committee (GAC) constituency of ICANN and ICANN head Paul Twomey. Effectively, the GAC made it clear it would continue to delay introduction of .xxx for as long as it deemed necessary and ratcheted up the pressure by asking ICANN to send it a written explanation of its decision with regard to .xxx. ICANN top brass decided the hot potato had started to burn and so decided to vote the whole application down in a board meeting. The split in the board vote, however, represents an ongoing, if slow, revolution at the heart of ICANN. A majority of the board can be relied upon to vote with chairman Vint Cerf without asking questions, but a new breed of board member has tired of the secretive approach the organisation continues to take and is fighting against its rubber-stamping image. 
It is no mistake that the 9-5 split is the same as the ICANN board's approval of a new contract which handed VeriSign control of the .com registry in perpetuity and handed it huge money-raising powers - a decision that was greeted with dismay and fury by internet observers across the world. In an effort to control the outbreak of rebellion within its own board, ICANN has repeated its constraints following the dotcom contract approval and put a gagging order on all board members for 48 hours. Supposedly, this action allows the non-English speaking board members to prepare their statements, but in reality it prevents what will no doubt be strong criticism of the .xxx decision and ICANN processes by ICANN's own board members from hitting the media at the same time as the announcement. Most furious today, though, will be the owner of ICM Registry Stuart Lawley who had spent years and millions of pounds pushing the .xxx domain. Only last month, when the .xxx issue was again delayed at ICANN's meeting in New Zealand, he told us he would continue to answer everyone's concerns. But his sense of injustice was clear: "ICANN have gone well outside their previous procedures for the other sTLDs on this one," he told us. "Given the political posturing I guess it is understandable, yet extremely frustrating. The contract was reviewed by the board during their 18 April call and by inference they must be happy with the terms as they did not ask for any amendments." The reality is that ICANN has again been compromised by political pressures - pressures that both sides claim not to exist. ®
From rforno at infowarrior.org Thu May 11 11:58:57 2006 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 11 May 2006 11:58:57 -0400 Subject: [Infowarrior] - Bush to Address Reports About NSA Activity Message-ID: Bush to Address Reports About NSA Activity May 11 11:45 AM US/Eastern http://www.breitbart.com/news/2006/05/11/D8HHLOF00.html By LAURIE KELLMAN Associated Press Writer WASHINGTON Congressional Republicans and Democrats demanded answers from the Bush administration Thursday about a report that the government secretly collected records of ordinary Americans' phone calls to build a database of every call made within the country. The White House said President Bush would speak to the issue. Bush was to comment before leaving for a commencement address at Mississippi Gulf Coast Community College in Biloxi. The top-ranking Democrat on the Senate Judiciary Committee said he was shocked by the revelation. "It is our government, it's not one party's government. It's America's government. Those entrusted with great power have a duty to answer to Americans what they are doing," said Sen. Patrick Leahy of Vermont. AT&T Corp., Verizon Communications Inc., and BellSouth Corp. telephone companies began turning over records of tens of millions of their customers' phone calls to the National Security Agency program shortly after the Sept. 11, 2001, terrorist attacks, said USA Today, citing anonymous sources it said had direct knowledge of the arrangement. The Republican chairman of the Senate Judiciary Committee, Sen. Arlen Specter of Pennsylvania, said he would call the phone companies to appear before the panel "to find out exactly what is going on." The companies said Thursday that they are protecting customers' privacy but have an obligation to assist law enforcement and government agencies in ensuring the nation's security. "We prize the trust our customers place in us.
If and when AT&T is asked to help, we do so strictly within the law and under the most stringent conditions," the company said in a statement, echoed by the others. The White House defended its overall eavesdropping program and said no domestic surveillance is conducted without court approval. "The intelligence activities undertaken by the United States government are lawful, necessary and required to protect Americans from terrorist attacks," said Dana Perino, the deputy White House press secretary, who added that appropriate members of Congress have been briefed on intelligence activities. On Capitol Hill, several lawmakers expressed incredulity about the program, with some Republicans questioning the rationale and legal underpinning and several Democrats railing about the lack of congressional oversight. "I don't know enough about the details except that I am willing to find out because I'm not sure why it would be necessary to keep and have that kind of information," said House Majority Leader John Boehner, R-Ohio. Republican Sen. Lindsey Graham, R-S.C., told Fox News Channel: "The idea of collecting millions or thousands of phone numbers, how does that fit into following the enemy?" Sen. Dick Durbin, D-Ill., said bringing the telephone companies before the Judiciary Committee is an important step. "We need more. We need to take this seriously, more seriously than some other matters that might come before the committee because our privacy as American citizens is at stake," Durbin said. Sen. Jeff Sessions, R-Ala., argued that the program "is not a warrantless wiretapping of the American people. I don't think this action is nearly as troublesome as being made out here, because they are not tapping our phones." The program does not involve listening to or taping the calls. Instead it documents who talks to whom in personal and business calls, whether local or long distance, by tracking which numbers are called, the newspaper said. 
The NSA and the Office of National Intelligence Director did not immediately respond to requests for comment. NSA is the same spy agency that conducts the controversial domestic eavesdropping program that has been acknowledged by President Bush. The president said last year that he authorized the NSA to listen, without warrants, to international phone calls involving Americans suspected of terrorist links. The report came as the former NSA director, Gen. Michael Hayden, Bush's choice to take over leadership of the CIA, had been scheduled to visit lawmakers on Capitol Hill Thursday. However, the meetings with Republican Sens. Rick Santorum of Pennsylvania and Lisa Murkowski of Alaska were postponed at the request of the White House, said congressional aides in the two Senate offices. The White House offered no reason for the postponement to the lawmakers. Other meetings with lawmakers were still planned. Hayden already faced criticism because of the NSA's secret domestic eavesdropping program. As head of the NSA from March 1999 to April Hayden also would have overseen the call-tracking program. Sen. Dianne Feinstein, D-Calif., who has spoken favorably of the nomination, said the latest revelation "is also going to present a growing impediment to the confirmation of Gen. Hayden." The NSA wants the database of domestic call records to look for any patterns that might suggest terrorist activity, USA Today said. Don Weber, a senior spokesman for the NSA, told the paper that the agency operates within the law, but would not comment further on its operations. One big telecommunications company, Qwest, has refused to turn over records to the program, the newspaper said, because of privacy and legal concerns. ___ Associated Press Writers Katherine Shrader and Elizabeth White in Washington and AP Business Writer Barbara Ortutay in New York contributed to this report. 
From rforno at infowarrior.org Thu May 11 12:44:18 2006 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 11 May 2006 12:44:18 -0400 Subject: [Infowarrior] - Text: Bush Statement on USA Today NSA story Message-ID: President Bush's Statement Published: May 11, 2006 http://www.nytimes.com/2006/05/11/washington/11text-bush.html The following is the transcript of President Bush's statement regarding domestic spying, as provided by Federal News Service. After September the 11th, I vowed to the American people that our government would do everything within the law to protect them against another terrorist attack. As part of this effort, I authorized the National Security Agency to intercept the international communications of people with known links to al Qaeda and related terrorist organizations. In other words, if al Qaeda or their associates are making calls into the United States or out of the United States, we want to know what they're saying. Today there are new claims about other ways we are tracking down al Qaeda to prevent attacks on America. I want to make some important points about what the government is doing and what the government is not doing. First, our intelligence activities strictly target al Qaeda and their known affiliates. Al Qaeda is our enemy and we want to know their plans. Second, the government does not listen to domestic phone calls without court approval. Third, the intelligence activities I authorized are lawful and have been briefed to appropriate members of Congress, both Republican and Democrat. Fourth, the privacy of ordinary Americans is fiercely protected in all our activities. We're not mining or trolling through the personal lives of millions of innocent Americans. Our efforts are focused on links to al Qaeda and their known affiliates. So far, we've been very successful in preventing another attack on our soil. As a general matter, every time sensitive intelligence is leaked, it hurts our ability to defeat this enemy. 
Our most important job is to protect the American people from another attack, and we will do so within the laws of our country. Thank you. Q Sir, how is collecting phone calls not an intrusion on privacy? (No response from the president.) .... END From rforno at infowarrior.org Thu May 11 12:56:00 2006 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 11 May 2006 12:56:00 -0400 Subject: [Infowarrior] - New data security proposal surfaces in Congress Message-ID: New data security proposal surfaces in Congress By Anne Broache http://news.com.com/New+data+security+proposal+surfaces+in+Congress/2100-734 8_3-6071216.html Story last modified Thu May 11 09:45:04 PDT 2006 WASHINGTON--A new proposal in Congress would force anyone who possesses electronic personal data to report "major" security breaches to federal authorities before alerting consumers--or face hefty fines and even imprisonment. The 11-page House of Representatives bill aims to deter identity thieves and dismantle cybercrime operations, such as phishing scams, that swipe personal information. It was introduced this week by House Judiciary Committee Chairman James Sensenbrenner and backed by three Republicans and one Democrat. Because of inadequate enforcement tools, "the scope and frequency of cybercrime is growing rapidly and now includes many intentional criminal syndicates and is threatening our economy, safety and prosperity," said Rep. Howard Coble, the North Carolina Republican who presided over Thursday's hearing. This measure, called the Cybersecurity Enhancement and Consumer Data Protection Act, is part of a constellation of proposals in Congress that seek to respond to a slew of high-profile data breaches that became public during the last year or two. Proposed solutions range from notification of data breaches to restricting some uses of Social Security numbers. 
The Republican-backed bill would require "whoever owns or possesses data in electronic form" that contains personally identifiable information--such as a person's name, Social Security number, or date of birth--to inform the U.S. Secret Service or the Federal Bureau of Investigation within two weeks of discovering a "major breach." Those law enforcement officials could then decide to delay notification to consumers by as much as 30 days if they determine that disclosure would harm criminal investigations or national security. The bill defines "major breach" as any incident that involves personal information of 10,000 or more individuals, databases owned by the federal government, or personal data about federal employees or contractors involved in "national security matters or law enforcement." Refusing to comply with the rules could result in up to five years in prison or fines of $50,000 for each day that the intrusion is not reported--an idea endorsed by the Justice Department. Balking at penalties Critics have raised the question of whether criminal penalties are appropriate. In a letter to Coble, Ken Wasch, president of the Software and Information Industry Association, questioned whether the establishment of a new crime for failure to notify when a breach has occurred is "an appropriate response to combating the pernicious effects of identity theft." Such a tactic inappropriately places the burden on companies and individuals hoping to safeguard data, not the criminals looking to exploit it, Wasch said. The bill differs from data security bills pending in other House committees in that it does not specifically require consumers to be notified directly of breaches. Susanna Montezemolo, a policy analyst for Consumers Union, urged politicians to "tread carefully" on the latest proposal. 
"The legislation does not address some of the broader consumer protection issues," such as requiring direct notification to consumers whose data has been compromised and letting them review and update their personal information periodically for accuracy, she said. Those omissions also prompted a lukewarm response to the bill from Rep. Robert "Bobby" Scott, the senior Virginia Democrat on the Judiciary panel. "Some tweaking of the bill is desirable to clarify intent and application of some of its provisions," he said. Other data security bills already approved by House committees do contain more consumer-oriented requirements, and the Judiciary Committee's version appears likely to be combined with one or more of those proposals. But some of those other bills, particularly one voted out of the House Financial Services Committee in March, have also encountered criticism from consumer groups. They've said they're concerned that bill's approval would water down identity-theft protection by trumping arguably stronger laws already passed at the state level, particularly California. The Judiciary proposal focuses more on the law enforcement angle of cybercrime. In addition to the notification requirements, it would also expand the legal definition of current computer fraud laws to penalize those who unlawfully obtain personally identifiable information. It also attempts to outlaw illicit use of "botnets," defined in the bill as "the capability to gain access to or remotely control without authorization" computers belonging to financial institutions or involved in commerce. For offenders of those crimes, the bill proposes beefing up penalties to as many as 30 years in prison--rather than the existing maximum of 10- to 20-year sentences. That move received the Justice Department's endorsement but drew skepticism from Rep. Dan Lungren, the California Republican who heads a cybersecurity panel in the House Homeland Security committee. 
Lungren said he's concerned the bill focuses too heavily on prosecuting crimes that have already been committed and not enough on the consumer side of combating the problem. "What I'm concerned about is the lack of knowledge among consumers of what they can do to protect themselves...and I am one of those consumers," he said. The House hearing comes one day after President Bush met with identity theft victims at the White House and announced the creation of an identity theft "task force" chaired by the Attorney General and the chairman of the Federal Trade Commission. The FTC also launched its own identity theft education campaign in which it planned to dispatch videos and literature to "victim advocate" organizations for distribution to the public.

From rforno at infowarrior.org Thu May 11 13:01:31 2006 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 11 May 2006 13:01:31 -0400 Subject: [Infowarrior] - NJ measure calls for picture security Message-ID: Measure calls for picture security Thursday, May 11, 2006 By PETE McCARTHY Staff Writer http://www.nj.com/news/sunbeam/index.ssf?/base/news-1/1147335696312460.xml&c oll=9 TRENTON -- Right now, any person can photograph or videotape a "high-risk" facility in the state and police are limited in how they can react. Take for example the Valero refinery in Paulsboro, in neighboring Gloucester County, where officials there allege suspicious activity is reported at least six times each year. "Some of it is pretty scary with some of the things that have happened," said Robert Lee, regional security manager for Valero. "Surveillance is one of the ways these terrorist units conduct their planning. These things have to be investigated." 
The state Senate Law and Public Safety Committee is expected to discuss a bill today which would make it a crime -- punishable by up to 18 months in jail -- to photograph, videotape or otherwise record for an extended period of time a power generation, waste treatment, public sewage, water treatment, public water, nuclear or flammable liquid storage facility, as well as any airport in the state. At the very least, it will allow law enforcement officials across the state to detain the individual or confiscate any recorded materials to further their investigation, according to state Sen. Fred Madden, D-4 of Turnersville, who is the bill's sponsor. Opponents of the bill said it "makes no sense" and is "awful." "If you have someone who lives in Gloucester County who looks at a plant and notices there are toxic fumes emanating from the plant, it's in the public's interest for that individual to get out a video camera and document it and give that to the (Department of Environmental Protection)," said Rick Engler, director of New Jersey Work Environment Council. "This bill will stop individuals from protecting the environment and will do nothing to thwart terrorism." Engler's non-profit group is made up of 70 labor, environmental and community organizations, which look to create safe jobs and a healthy environment. "We think (the proposed legislation) does violate the constitution," Engler said. Another key point of interest in the region would be Salem and Hope Creek Nuclear Generating Stations at Artificial Island in Lower Alloways Creek. "To me, this just makes sense to limit unauthorized surveillance like this," said PSEG Nuclear spokesman Skip Sindoni. However, watchdog group Unplug Salem, criticized the idea saying it will keep them from completing their mission. "It may be a good-faith attempt to protect vital institutions, but if we become a dictatorship, then terrorists win," said Unplug Salem coordinator Norm Cohen. 
His group needs access to ensure the nuclear facility is running properly and is safe to those living nearby. A watchdog group can "look at things in a different view and make suggestions," Cohen offered. The proposed bill "goes too far," Cohen added. State Sen. Stephen Sweeney, D-3, of West Deptford, and a co-sponsor of the bill defended the legislation on Wednesday. "We're not trying to violate anybody's rights," Sweeney said. "We're just looking to protect the public." Without identifying them, Sweeney said there were four locations in South Jersey which rank among the top 100 potential terrorist targets identified by the federal government. At the same time, Sweeney said it was "healthy" for advocacy groups to be out there monitoring the activities of such facilities because they can bring attention to "problems." "We're not going to punish anyone like that," Sweeney said. Both Sweeney and Madden admitted the bill is still being developed and a final hearing will not take place any time soon. Besides facing 18 months behind bars, those caught committing these potentially illegal activities would face up to $10,000 in fines if convicted, according to the proposed legislation. "Quite frankly, this bill is long overdue," Madden said. "The intent is to identify those individuals during the planning stages and apprehend them before the attack takes place." © 2006 Today's Sunbeam © 2006 NJ.com All Rights Reserved.

From rforno at infowarrior.org Thu May 11 14:26:33 2006 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 11 May 2006 14:26:33 -0400 Subject: [Infowarrior] - Serious vulnerability in Diebold DRE voting machines... 
In-Reply-To: <00203E26-378B-4B61-A060-BD13AD2F9937@farber.net> Message-ID: (via IP) ---- # Voting glitch said to be 'dangerous' # By Ian Hoffman, STAFF WRITER Inside Bay Area Elections officials in several states are scrambling to understand and limit the risk from a "dangerous" security hole found in Diebold Election Systems Inc.'s ATM-like touch-screen voting machines. The hole is considered more worrisome than most security problems discovered on modern voting machines, such as weak encryption, easily pickable locks and use of the same, weak password nationwide. Armed with a little basic knowledge of Diebold voting systems and a standard component available at any computer store, someone with a minute or two of access to a Diebold touch screen could load virtually any software into the machine and disable it, redistribute votes or alter its performance in myriad ways. "This one is worse than any of the others I've seen. It's more fundamental," said Douglas Jones, a University of Iowa computer scientist and veteran voting-system examiner for the state of Iowa. "In the other ones, we've been arguing about the security of the locks on the front door," Jones said. "Now we find that there's no back door. This is the kind of thing where if the states don't get out in front of the hackers, there's a real threat." The Argus is withholding some details of the vulnerability at the request of several elections officials and scientists, partly because exploiting it is so simple and the tools for doing so are widely available. A Finnish computer expert working with Black Box Voting, a nonprofit organization critical of electronic voting, found the security hole in March after Emery County, Utah, was forced by state officials to accept Diebold touch screens, and a local elections official allowed the expert to examine the machines. 
Black Box Voting was to issue two reports today on the security hole, one of limited distribution that explains the vulnerability fully and one for public release that withholds key technical details. The computer expert, Harri Hursti, quietly sent word of the vulnerability in March to several computer scientists who advise various states on voting systems. At least two of those scientists verified some or all of Hursti's findings. Several notified their states and requested meetings with Diebold to understand the problem. [...] The result, said Iowa's Jones, is a violation of federal voting system rules. "All of us who have heard the technical details of this are really shocked. It defies reason that anyone who works with security would tolerate this design," he said. Contact Ian Hoffman at ihoffman at angnewspapers.com.

From rforno at infowarrior.org Thu May 11 15:25:08 2006 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 11 May 2006 15:25:08 -0400 Subject: [Infowarrior] - Opinion: NSA Defines "Above the Law" Message-ID: NSA Defines "Above the Law" http://blog.washingtonpost.com/benchconference/2006/05/nsa_defines_above_the _law.html One day after the Justice Department's Office of Professional Responsibility gave up trying to investigate the National Security Agency's domestic spying program, USA Today fronted a story about how the government is amassing billions of phone call records made by tens of millions of Americans. If there are appropriate checks and balances in place to ensure that the program and its cousins are being run legally, they are not nearly as apparent as they need to be. The feds believe that creating and maintaining the massive database -- without warrants issued to telephone customers or to the companies themselves -- will help them track patterns in calling behavior by terrorists within the United States. And they maintain that only the phone records, and not the substance of the calls, are being monitored. 
The sources in the USA Today story also note that there is some sort of oversight -- by whom or what we do not know. All we know is that last year, the White House denied that any such warrantless intra-U.S. spying was going on at all. We know that this week, the NSA basically told the Justice Department to buzz off when it tried to undertake an investigation into the legality of the program (other investigations still are ongoing). We know that means that even within the executive branch of government, there is precious little oversight. And we know that the Senate Judiciary Committee is still hemming and hawing about pushing the Administration to better explain and justify these programs. If this week's news doesn't jolt Congress into swifter action, what will? Meanwhile, how about those telephone companies -- AT&T, BellSouth and Verizon were the ones mentioned by USA Today -- that cooperate with the NSA in its domestic spying? Think they have some explaining to do as to why they have entered into contracts to provide the information? Think it's interesting that Qwest has reportedly refused to go along with the program? That tells me that there is no law that requires companies to provide such material to the government without even the formality of a warrant. So, why would those other companies so willingly give up their customers' privacy rights? The USA Today story merely confirms what most of us thought anyway. That the domestic spy program is far more comprehensive and significant than we were led to believe. Now, that doesn't mean it is necessarily wrong, or undeniably illegal, it just means that an Administration that keeps telling us to trust it keeps coming up with new ways to foster distrust. 
From rforno at infowarrior.org Thu May 11 15:26:53 2006 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 11 May 2006 15:26:53 -0400 Subject: [Infowarrior] - DOJ Drops Wiretap Investigation Message-ID: DOJ Drops Wiretap Investigation http://www.wired.com/news/wireservice/1,70879-0.html Associated Press 09:30 AM May, 11, 2006 WASHINGTON -- The government has abruptly ended an inquiry into the warrantless eavesdropping program because the National Security Agency refused to grant Justice Department lawyers security clearance. The Justice Department's Office of Professional Responsibility, or OPR, sent a fax Wednesday to Democratic Rep. Maurice Hinchey of New York saying it was closing its inquiry because without clearance it could not examine department lawyers' role in the program. "We have been unable to make any meaningful progress in our investigation because OPR has been denied security clearances for access to information about the NSA program," OPR counsel H. Marshall Jarrett wrote to Hinchey. Hinchey's office shared the letter with The Associated Press. Jarrett wrote that beginning in January his office has made a series of requests for the necessary clearances. Those requests were denied Tuesday. "Without these clearances, we cannot investigate this matter and therefore have closed our investigation," Jarrett wrote. Justice Department spokesman Brian Roehrkasse said the terrorist surveillance program "has been subject to extensive oversight both in the executive branch and in Congress from the time of its inception." Roehrkasse noted the OPR's mission is not to investigate possible wrongdoing in other agencies, but to determine if Justice Department lawyers violated any ethical rules. He declined to comment when asked if the end of the inquiry meant the agency believed its lawyers had handled the wiretapping matter ethically. 
Hinchey is one of many House Democrats who have been highly critical of the domestic eavesdropping program first revealed in December. He said lawmakers would push to find out who at the NSA denied the Justice Department lawyers security clearance. "This administration thinks they can just violate any law they want, and they've created a culture of fear to try to get away with that. It's up to us to stand up to them," Hinchey said. In February, the OPR announced it would examine the conduct of its own agency's lawyers in the program, though they were not authorized to investigate NSA activities. Bush's decision to authorize the largest U.S. spy agency to monitor people inside the United States, without warrants, generated a host of questions about the program's legal justification. The administration has vehemently defended the eavesdropping, saying the NSA's activities were narrowly targeted to intercept international calls and e-mails of Americans and others inside the U.S. with suspected ties to the al-Qaida terror network. Separately, the Justice Department sought last month to dismiss a federal lawsuit accusing the telephone company AT&T of colluding with the Bush administration's warrantless wiretapping program. The lawsuit, brought by an internet privacy group, does not name the government as a defendant, but the Department of Justice has sought to quash the lawsuit, saying it threatens to expose government and military secrets. 
From rforno at infowarrior.org Thu May 11 19:56:19 2006 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 11 May 2006 19:56:19 -0400 Subject: [Infowarrior] - Database Report Draws Focus on 'Analysis' Message-ID: Database Report Draws Focus on 'Analysis' Thursday May 11, 7:29 pm ET By Brian Bergstein, AP Technology Writer Experts Say NSA Database of Phone Records May Be Put to Use As Part of 'Social Network Analysis' http://biz.yahoo.com/ap/060511/nsa_data_mining.html?.v=9 BOSTON (AP) -- If the National Security Agency is indeed amassing a colossal database of Americans' phone records, one way to use all that information is in "social network analysis," a data-mining method that aims to expose previously invisible connections among people. Social network analysis has gained prominence in business and intelligence circles under the belief that it can yield extraordinary insights, such as the fact that people in disparate organizations have common acquaintances. Companies can buy social networking software to help determine who has the best connections for a particular sales pitch. So it did not surprise many security analysts to learn Thursday from USA Today that the NSA is applying the technology to billions of phone records. "Who you're talking to often matters much more than what you're saying," said Bruce Schneier, a computer security expert and author of "Beyond Fear: Thinking Sensibly About Security in an Uncertain World." The NSA declined to comment. But several experts said it seemed likely the agency would want to assemble a picture from more than just landline phone records. Other forms of communication, including cell phone calls, e-mails and instant messages, likely are trackable targets as well, at least on international networks if not inside the U.S. To be sure, monitoring newer communications services is probably harder than getting billing records from landline phones. 
USA Today reported that the NSA has collected call logs from the three largest U.S. phone companies, BellSouth Corp., AT&T Inc. and Verizon Communications Inc. That level of cooperation confirmed the fears of many privacy analysts, who pointed out that AT&T is already being sued in federal court in San Francisco for allegedly giving the NSA access to contents of its phone and Internet networks. The charges are based on documents from a former AT&T technician. It remains unclear whether other communications providers have been asked for their call logs or billing records. Verizon Wireless spokesman Jeffrey Nelson definitively said his company was "not involved in this situation." His counterparts at Cingular -- an AT&T/BellSouth joint venture -- and Sprint Nextel Corp. were less explicit and did not deny any participation. Even without cell phone carriers' help, of course, calls between wireless subscribers and Verizon, AT&T and BellSouth landlines presumably would be captured. Among Internet service providers, representatives for AOL LLC said the company complies with individual government subpoenas and court orders but does not have a blanket program for broader sharing of customer data. Microsoft Corp. had "never engaged in the type of activity referenced in these articles," according to a statement from Scott Charney, its vice president for trustworthy computing. Google Inc. spokesman Steve Langdon said his company does not participate, either. Yahoo Inc. officials say they comply with subpoenas, but refused to elaborate, saying they cannot comment on specific government interactions. Even without full inside help, the NSA has proven itself adept at capturing communications or at least analyzing traffic information. The Echelon program, for example, is known to have tapped into satellite, microwave and fiber-optic phone links -- including undersea cables -- in order to gain insights into what the rest of the world was talking about. 
The Internet does present new challenges for snoops, which has led federal authorities to seek an expansion of a key surveillance law so that it applies to new kinds of Web services. But even now authorities can tap into data feeds. There is a relatively small number of major Internet backbones and data junctions where networks hand information off to each other. And while e-mail, Internet calls and other data packets splinter and take varying routes across networks, each packet has a header identifying its source and destination. It's not obvious what the packet is part of -- whether an e-mail, a Web page or an Internet phone call -- but it still contains the equivalent of a phone billing record: who's talking to whom. "It's not trivial to analyze all the material, but it's trivial to get to the material," said Barry Steinhardt, director of the technology and liberty program at the American Civil Liberties Union. Even Skype, the popular Internet phone service that encrypts its calls -- which presumably prevents sweeping monitoring of their content -- is believed to be vulnerable to who's-calling-whom traffic analysis. Still, while the government clearly can parlay industry cooperation and technical firepower to grab lots of communications, there's bound to be a limit. For example, tiny, free voice-over-Internet services likely don't bother to maintain the kinds of call logs that Verizon, BellSouth and AT&T apparently handed over, said Jeff Pulver, an authority on the technology. Also, social network analysis would appear to be powerless against criminals and terrorists who rely on a multitude of cell phones, payphones, calling cards and Internet cafes. And then there are more creative ways of getting off the grid. The Madrid train bombings case has revealed that the plotters communicated by sharing one e-mail account and saving messages to each other as drafts that didn't traverse the Internet like regular mail messages would. 
Privacy activists worry that the government is likely to try to overcome these surveillance gaps by making more use of the information it does have -- by cross-referencing phone or other records with commercially harvested data. One effort in that direction, the Pentagon's infamous Total Information Awareness program, was technically shuttered by Congress, but the government still can access copious data from the private sector. Even if the NSA's surveillance went no further than the NSA's access to phone billing records, it clearly would raise hackles. The time and destination of dialed phone calls has long been available to authorities through "pen registers" and "trap and trace" devices -- but with a court order. USA Today noted that concerns about the legality of the NSA's phone-call database led Qwest Communications International Inc. to refuse to participate. "A court order couldn't be obtained to just wholesale surveil," said Kurt Opsahl, staff attorney for the Electronic Frontier Foundation, which is suing AT&T in San Francisco. "The legal standard requires something more specific. You can't get everybody's data unless you have some suspicion." AP Business Writer Bruce Meyerson and AP Internet Writer Anick Jesdanun contributed to this report. From rforno at infowarrior.org Fri May 12 07:21:34 2006 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 12 May 2006 07:21:34 -0400 Subject: [Infowarrior] - Data Mining: Focus on Patterns, not Individuals Message-ID: U.S. PHONE-CALL DATABASE IGNITES PRIVACY UPROAR DATA MINING: Commonly used in business to find patterns, it rarely focuses on individuals - Matthew B. Stannard, Chronicle Staff Writer Friday, May 12, 2006 http://sfgate.com/cgi-bin/article.cgi?file=/c/a/2006/05/12/MNG0AIQRPR1.DTL Somewhere in America, powerful computers ingest crumbs of data about your personal life. Your income level. The kind of car you drive. Your home address. Your credit rating. 
All input, assimilated and analyzed at lightning speed. The result: A piece of paper arrives in your mailbox offering you 10 percent off an oil change at your local service station. That, in a nutshell, is data mining as practiced for more than a decade by companies around the world to target current and potential customers. The methods have changed since the old days of reverse telephone directories and mailing lists, but the basic objective is the same. And data mining of some type, experts agree, is almost certainly what is behind the National Security Agency's reportedly successful efforts to obtain the phone records of tens of millions of Americans from private telecommunications companies. President Bush, commenting on the program -- which administration officials say is aimed at identifying and tracking suspected terrorists -- said that the government is not "mining or trolling through the personal lives of millions of innocent Americans." But security experts say the program virtually fits the dictionary definition of data mining -- a technique for analyzing large sets of data that American intelligence agencies have long been developing. "The interest has been around for years and decades," said Richard Forno, Principal Consultant for KRvW Associates, a Washington security consultancy. "That's part of what NSA was chartered to do." The fundamental use of data mining is to detect patterns -- in shopping habits or the activities of the nation's enemies. "Data mining is going through data from the past, historical data, and predicting what is likely to happen in the future based on patterns in the data," said Ken Bendix, president of North American operations at KXEN Inc., a company headquartered in San Francisco that develops data mining software for business applications. It is used by credit card companies to spot spending patterns that suggest a card has been stolen and by marketing companies who use enormous databases to target advertising. 
The technique has been gaining in popularity in the private sector thanks to advancements in computing technology and the mathematics underlying the software, Bendix said. "The data is very rarely at the individual level," Bendix said. "When people are doing these data mining analyses, they don't care that you are you. They don't care what your name is or what your social security number is. All they care about is what group you fit into and how you relate to everybody else out there." Government interest in data mining increased sharply after the Sept. 11 attacks. Unlike the private sector, intelligence officials began exploring ways to use the technique to identify and track individuals suspected of terrorist links. In 2002, the Department of Defense, through the Defense Advanced Research Project Agency (DARPA) launched the "Total Information Awareness" project -- later changed to "Terrorism Information Awareness" (TIA) to counter the impression that the program would spy on U.S. citizens. The goal of TIA, its now defunct Web site explained, was to link certain transactions -- applications for passports, visas, work permits, driver's licenses, automotive rentals, airline ticket purchases, receipts for chemical purchases -- to arrests or suspicious activities. The program, the brainchild of President Ronald Reagan's national security adviser John Poindexter, collapsed under public and political criticism in 2003. But the idea lived on, said Forno, who lectured on information warfare at the National Defense University from 2001 to 2003 and participated in the 2000 White House Office of Science and Technology Policy Information Security Education Research Project. "TIA may have died on paper," he said. "But it got parceled out to various other agencies, including the NSA." The NSA's interest in what is essentially copies of tens of millions of old phone bills is not hard to understand, Forno and other analysts said. 
In theory, a powerful computer could process all those numbers and find a link between a phone in, say, Iowa to a phone in an al Qaeda training camp on the Pakistan-Afghanistan border -- even by way of dozens of other phones, linkages far too scattered for a human eye to notice. And the search wouldn't necessarily stop there. "You have these phone numbers, you might also at a minimum run them against credit reporting companies," Forno said. "Local state DMV records. Tax records. Business employment records. All those other resources might help you narrow down your search." But while the program's defenders insist it is a crucial instrument in the U.S. war on terror, some private security experts question its usefulness. "We're looking for a needle in a haystack," said Bruce Schneier, a security technologist and chief technology officer of Counterpane Internet Security Inc. in Mountain View. "Dumping more hay on the pile doesn't necessarily get you anywhere." Even before Sept. 11, Forno noted, the NSA intercepted information suggesting a terrorist attack was imminent -- but failed to connect the dots in time. The New York Times reported in January that most of the leads generated by NSA surveillance of phone calls in the months after Sept. 11 led nowhere. In addition, said Forno, with multiple government agencies now using data mining techniques, the temptation exists for them to use information gathered to fight terror for completely unrelated criminal investigations. "I don't want to see that data mission creep," he said. "I think that is a very real potential problem." In August, the Government Accountability Office reported that of five data mining efforts used by federal agencies, none fully complied with Office of Management and Budget guidance for assessing privacy impacts. But data mining experts also say the technique can greatly benefit government agencies -- if it is used correctly and the agencies are mindful of privacy issues. 
"I just concluded an audit of the Department of Homeland Security for the Office of Inspector General," said Jesus Mena, an Alameda-based data mining consultant. "We frankly found that the DHS is not doing enough (data mining)." While he was concerned by the kind of privacy compromise suggested by media reports on the NSA program, Mena said, more and better use of data mining could be especially useful for terrorism-related countermeasures like monitoring shipboard cargo and border security. "It would mean that there would be a safer environment, and I think we are heading in that direction," he said. "It's just a matter of time." But the problem with applying data mining techniques to terrorism, Schneier argued, is that terrorism is so rare, and the databases being mined are so large, that false positives are inevitable and often more common than truly accurate results. And unlike using data mining to spot credit card fraud, where at most a false positive triggers a worried call from Visa to a cardholder and perhaps a temporary suspension of the card's use, a false positive in a terror investigation can put an innocent person in jail, he said. "If you believe in this nonsense, the goal is to get everything," he said. "They're looking for these fanciful connections. So if there's a bad guy who walks down the street and 1,000 people walk next to them, are they all under investigation?" Despite administration assurances that the NSA program is both legal and mindful of civil liberties, Schneier said he also fears the government may at least be tempted to approach cell phone companies, credit card companies, Internet service providers -- almost any industry with a major database. "Because more and more of our daily lives are mediated by computers ... we leave electronic footprints everywhere we go," he said. "What the government is doing is sucking up all those footprints." 
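Two of the claims in the article are easy to make concrete: Forno's description of a computer finding a chain of calls from a phone in Iowa to a phone abroad "by way of dozens of other phones," and Schneier's objection that the rarity of terrorism makes false positives swamp true hits. The following is an added example, not code from the article or from anyone quoted in it. It runs link analysis over a handful of constructed call-detail records (the numbers are invented) and then computes the expected alert counts for a classifier applied to a whole population. Nothing in it reflects how the NSA program actually worked; it is the textbook version of both arguments.

```python
from collections import deque

# Constructed sample call-detail records: (caller, callee, minutes). Not real data.
CDRS = [
    ("515-555-0101", "515-555-0102", 3),
    ("515-555-0102", "212-555-0150", 12),
    ("212-555-0150", "+92-300-5550199", 4),
    ("515-555-0101", "515-555-0103", 7),
    ("515-555-0103", "515-555-0104", 2),
    ("212-555-0150", "212-555-0151", 9),
    ("212-555-0151", "212-555-0152", 1),
    ("303-555-0190", "303-555-0191", 5),   # disconnected from everything else
]


def build_graph(cdrs):
    """Undirected call graph: a record links both parties regardless of who dialed."""
    graph = {}
    for caller, callee, _minutes in cdrs:
        graph.setdefault(caller, set()).add(callee)
        graph.setdefault(callee, set()).add(caller)
    return graph


def shortest_chain(graph, start, target):
    """Breadth-first search for the fewest-hop chain of calls linking two numbers.
    Returns the list of numbers along the chain, or None if no chain exists."""
    if start not in graph or target not in graph:
        return None
    parents = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            chain = []
            while node is not None:
                chain.append(node)
                node = parents[node]
            return chain[::-1]
        for nxt in sorted(graph[node]):
            if nxt not in parents:
                parents[nxt] = node
                queue.append(nxt)
    return None


def within_hops(graph, start, hops):
    """Every number reachable from `start` in at most `hops` calls (start excluded).
    This is the blast radius of a 'guilt by association' query: the set grows
    with each hop and quickly includes people with no relationship to the target."""
    seen = {start}
    frontier = {start}
    for _ in range(hops):
        frontier = {n for node in frontier for n in graph.get(node, ()) if n not in seen}
        seen |= frontier
    return seen - {start}


def expected_alerts(population, bad_actors, tpr, fpr):
    """Base-rate arithmetic behind Schneier's 'needle in a haystack' objection.
    tpr/fpr are the classifier's true- and false-positive rates.
    Returns (expected true alerts, expected false alerts), rounded."""
    true_alerts = round(bad_actors * tpr)
    false_alerts = round((population - bad_actors) * fpr)
    return true_alerts, false_alerts


if __name__ == "__main__":
    g = build_graph(CDRS)
    print("chain:", shortest_chain(g, "515-555-0101", "+92-300-5550199"))
    for h in range(1, 6):
        print(f"numbers within {h} hops of the foreign phone:", len(within_hops(g, "+92-300-5550199", h)))
    # 300 million people, 1,000 real targets, a classifier that is right 99.9% of the time
    print("alerts (true, false):", expected_alerts(300_000_000, 1_000, 0.99, 0.001))
```

The last line is the whole argument in one number: even a classifier that wrongly flags only one person in a thousand produces about 300,000 innocent alerts for every thousand real ones, and the ratio gets worse as more hay is added to the pile.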
Despite the concerns and criticisms, data mining as a counterterrorism tool is probably here to stay, said Steven Aftergood, who directs the Federation of American Scientists' Project on Government Secrecy. "I think it is a technology and an approach that has enormous potential, and one that is likely to be a continuing part of the toolkit," he said. But, he added, "Nothing is more important than preserving constitutional protections. And it is disturbing to learn that the intelligence community is far out in front of what the public has consented to." How data mining works Data mining is the process of collecting large amounts of data from different sources and perspectives and then searching for patterns within the data using computerized tools such as statistical analysis and modeling with the goal of identifying significant relationships and predicting future trends and events. Examples: Data mining is used in the private sector in a number of ways, including tracking patterns in credit card activity that suggest fraud, targeting mailed advertisements based on the recipient's past purchases, income level and demographics, or suggesting purchases at an online store based on your past purchases and Web browsing history. Government uses of data mining include analyzing scientific and research information, detecting criminal activity or patterns and analyzing intelligence or detecting terrorist activities. E-mail Matthew B. Stannard at mstannard at sfchronicle.com. Page A - 1 URL: http://sfgate.com/cgi-bin/article.cgi?file=/c/a/2006/05/12/MNG0AIQRPR1.DTL From rforno at infowarrior.org Fri May 12 07:55:39 2006 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 12 May 2006 07:55:39 -0400 Subject: [Infowarrior] - Poll: Most Americans Support NSA's Efforts Message-ID: I'm reminded of the old saying by one of our Founders --- "Those who would give up essential liberty to purchase a little temporary safety deserve neither liberty nor safety." 
-rf Poll: Most Americans Support NSA's Efforts By Richard Morin Washington Post Staff Writer Friday, May 12, 2006; 7:00 AM The new survey found that 63 percent of Americans said they found the NSA program to be an acceptable way to investigate terrorism, including 44 percent who strongly endorsed the effort. Another 35 percent said the program was unacceptable, which included 24 percent who strongly objected to it. A slightly larger majority--66 percent--said they would not be bothered if NSA collected records of personal calls they had made, the poll found. Underlying those views is the belief that the need to investigate terrorism outweighs privacy concerns. According to the poll, 65 percent of those interviewed said it was more important to investigate potential terrorist threats "even if it intrudes on privacy." Three in 10--31 percent--said it was more important for the federal government not to intrude on personal privacy, even if that limits its ability to investigate possible terrorist threats. Half--51 percent--approved of the way President Bush was handling privacy matters. < - > The survey results reflect initial public reaction to the NSA program. Those views could change or deepen as more details about the effort become known over the next few days. < - > http://www.washingtonpost.com/wp-dyn/content/article/2006/05/12/AR2006051200375_pf.html From rforno at infowarrior.org Fri May 12 08:16:44 2006 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 12 May 2006 08:16:44 -0400 Subject: [Infowarrior] - NSA Stymies Justice Dept. Spying Probe Message-ID: NSA Stymies Justice Dept. 
Spying Probe By DEVLIN BARRETT, Associated Press Writer Thu May 11, 6:59 AM ET http://news.yahoo.com/s/ap/domestic_spying&printer=1;_ylt=AhrzvSXjSi7nHoSzKM6hWEiWwvIE;_ylu=X3oDMTA3MXN1bHE0BHNlYwN0bWE- The government has abruptly ended an inquiry into the warrantless eavesdropping program because the National Security Agency refused to grant Justice Department lawyers the necessary security clearance to probe the matter. The Justice Department's Office of Professional Responsibility, or OPR, sent a fax to Rep. Maurice Hinchey, D-N.Y., on Wednesday saying they were closing their inquiry because without clearance their lawyers cannot examine Justice lawyers' role in the program. "We have been unable to make any meaningful progress in our investigation because OPR has been denied security clearances for access to information about the NSA program," OPR counsel H. Marshall Jarrett wrote to Hinchey. Hinchey's office shared the letter with The Associated Press. Jarrett wrote that beginning in January, his office has made a series of requests for the necessary clearances. Those requests were denied Tuesday. "Without these clearances, we cannot investigate this matter and therefore have closed our investigation," wrote Jarrett. Justice Department spokesman Brian Roehrkasse said the terrorist surveillance program "has been subject to extensive oversight both in the executive branch and in Congress from the time of its inception." Roehrkasse noted the OPR's mission is not to investigate possible wrongdoing in other agencies, but to determine if Justice Department lawyers violated any ethical rules. He declined to comment when asked if the end of the inquiry meant the agency believed its lawyers had handled the wiretapping matter ethically. Hinchey is one of many House Democrats who have been highly critical of the domestic eavesdropping program first revealed in December. 
He said lawmakers would push to find out who at the NSA denied the Justice Department lawyers security clearance. "This administration thinks they can just violate any law they want, and they've created a culture of fear to try to get away with that. It's up to us to stand up to them," said Hinchey. In February, the OPR announced it would examine the conduct of its own agency's lawyers in the program, though they were not authorized to investigate NSA activities. Bush's decision to authorize the largest U.S. spy agency to monitor people inside the United States, without warrants, generated a host of questions about the program's legal justification. The administration has vehemently defended the eavesdropping, saying the NSA's activities were narrowly targeted to intercept international calls and e-mails of Americans and others inside the U.S. with suspected ties to the al-Qaida terror network. Separately, the Justice Department sought last month to dismiss a federal lawsuit accusing the telephone company AT&T of colluding with the Bush administration's warrantless wiretapping program. The lawsuit, brought by an Internet privacy group, does not name the government as a defendant, but the Department of Justice has sought to quash the lawsuit, saying it threatens to expose government and military secrets. 
___ On the Net: Justice's Office of Professional Responsibility: http://www.usdoj.gov/opr/index.html National Security Agency: http://www.nsa.gov/home_html.cfm From rforno at infowarrior.org Fri May 12 14:29:38 2006 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 12 May 2006 14:29:38 -0400 Subject: [Infowarrior] - Breach case could curtail Web flaw finders Message-ID: Breach case could curtail Web flaw finders Robert Lemos, SecurityFocus 2006-04-26 http://www.securityfocus.com/print/news/11389 Security researchers and legal experts have voiced concern this week over the prosecution of an information-technology professional for computer intrusion after he allegedly breached a university's online application system while researching a flaw without the school's permission. Last Thursday, the U.S. Attorney's Office in the Central District of California leveled a single charge of computer intrusion against San Diego-based information-technology professional Eric McCarty, alleging that he used a Web exploit to illegally access an online application system for prospective students of the University of Southern California last June. The security issue--which could have allowed an attacker to manipulate a database of some 275,000 USC student and applicant records--was reported to SecurityFocus that same month. An article was published after the university was notified of the issue and fixed the vulnerable Web application. The prosecution of the IT professional that found the flaw shows that security researchers have to be increasingly careful of the legal minefield they are entering when reporting vulnerabilities, said Lee Tien, senior staff attorney for the Electronic Frontier Foundation, a digital-rights advocacy group. "I think the bottom line is that anybody that does disclosures of security vulnerabilities has to be very careful (so as to) not be accused of being a hacker," Tien said. "The computer trespass laws are very, very tricky." 
The case comes as reports of data breaches against corporations and universities are on the rise and could make security researchers less likely to bring flaws to the attention of Web sites, experts told SecurityFocus. This week, the University of Texas at Austin stated that a data thief attacking from an Internet address in the Far East likely copied 197,000 personal records, many containing social security numbers. In September, a Massachusetts teenager was sentenced to 11 months in a juvenile detention facility for hacking into telecommunications provider T-mobile and data collection firm Lexis-Nexis. And, in March, an unidentified hacker posted on the Business Week Online Web site instructions on how to hack into the admissions site of top business schools using a flaw in the ApplyYourself admissions program. Eric McCarty, reached on Friday at the cell phone number published in the affidavit provided by the FBI in the case, said security researchers should take note that Web sites would rather be insecure than have flaws pointed out. "Keep them to yourself--being a good guy gets you prosecuted," McCarty said during the interview. "I can say honestly that I am no longer interested in assisting anyone with their vulnerabilities." McCarty confirmed that he had contacted SecurityFocus in June, offered information about the means of contact as proof, and waived the initial agreement between himself and this reporter to not be named in subsequent articles. When the FBI came knocking in August, McCarty had told them everything, believing he had nothing to hide, he said. "The case is cut and dried," McCarty said. "The logs are all there and I never attempted to hide or not disclose anything. I found the vulnerability, and I reported it to them (USC) to try to prevent identity theft." McCarty admitted he had accessed the database at the University of Southern California, but stressed that he had only copied a small number of records to prove the vulnerability existed. 
The FBI's affidavit, which states that a file with seven records from the database was found on McCarty's computer, does not claim that the IT professional attempted to use the personal records for any other purpose. To other security researchers, the case underscores the asymmetric legal power of Web sites in confronting flaw finders: Because finding any vulnerability in a server online necessarily means that the researcher had exceeded authorization, the flaw finder has to rely on the mercy of the site when reporting, said HD Moore, a noted researcher and co-founder of the Metasploit Project. "It is just a crappy situation in general right now," Moore said. "You have to count on the good will of the people running the site. There are cases when there are vulnerable Web sites out there, but unless you have an anonymous Web browser and a way to hide your logs, there is no way to report a vulnerability safely." Moore points to McCarty's case and the case of Daniel Cuthbert--who fell afoul of British law when he checked out the security of a charity Web site by attempting to access top-level directories on the Web server--as warnings to researchers to leave Web sites alone. In October, Cuthbert was convicted of breaking the Computer Misuse Act, fined £400, and ordered to pay £600 in restitution. Other researchers should be ready to pay as well, Moore said. Anyone who affects the performance of a server on the Internet could find themselves in court, he said. "Even if you look at the port scanning stuff--which is not technically illegal--if you knock down the server in the process of port scanning it, then you are liable for all the damages of it being down," Moore said. Such legal issues are one reason for not testing Web sites at all, said security researcher David Aitel, chief technology officer of security services firm Immunity. 
"We don't do research on Web sites," Aitel said, adding that the increasing reliance of programs on communicating with other programs has made avoiding Web applications more difficult. "The more your applications are interconnected the more difficult it is to get permission to do vulnerability research." Moreover, such a legal landscape does not benefit the Internet companies, Aitel stressed. While companies may prefer to not know about a vulnerability rather than have it publicly reported, just because a vulnerability is not disclosed does not mean that the Web site is not threatened. "If this is an SQL injection flaw that Eric McCarty can find by typing something into his Web browser then it is retarded to think that no one else could do that," Aitel said. The U.S. Attorney's Office alleges that McCarty's actions caused the university to shutter its system for ten days, resulting in $140,000 in damages. The university had provided investigators with an Internet address which had suspiciously accessed the application system multiple times in a single hour, according to the affidavit provided by the FBI in the case. The information allowed the FBI to execute a search warrant against McCarty, discover the names of his accounts on Google's Gmail and subpoena those records from the Internet giant, the court document stated. Among the e-mails were messages sent from an account--"ihackedusc at gmail.com"--to SecurityFocus detailing the vulnerability, according to the affidavit. The U.S. Attorney's Office declined to comment for this article. A representative of the University of Southern California also declined to comment except to say that the school is cooperating with the investigation. "It wasn't that he could access the database and showed that it could be bypassed," Michael Zweiback, an assistant U.S. Attorney for the U.S. Department of Justice's cybercrime and intellectual property crimes section, said last week after his office announced the charge. 
"He went beyond that and gained additional information regarding the personal records of the applicant. If you do that, you are going to face--like he does--prosecution." The case has aspects similar to the prosecution of Adrian Lamo, dubbed the Homeless Hacker, for breaching systems at the New York Times. Lamo would frequently seek out vulnerabilities in online systems, exploit the vulnerabilities to gain proof of the flaws and then contact the company--and a reporter--to help close the security hole. In 2004, Lamo pleaded guilty to compromising the New York Times network and served six months under house arrest and had to pay $65,000 in restitution. In the University of Southern California case, McCarty identified the vulnerability in the USC system when he decided to apply to the school and, before registering, used a common class of flaws known as structured query language (SQL) injection to test the site, he said during last week's interview. Such attacks exploit a flaw in the code that processes user input on a Web site. In the USC case, special code could be entered into the username and password text boxes to retrieve applicants' records, according to the FBI's affidavit. USC administrators initially claimed to SecurityFocus that an analysis of the system and log files indicated that only two database records could be retrieved using the SQL injection flaw. After additional records were provided to the administrators, the university acknowledged that the entire database was threatened by the flaw. The FBI's affidavit contains the e-mail that McCarty allegedly sent to SecurityFocus with two additional records from the database. The events outlined in the affidavit indicated that McCarty tried to act responsibly, said Jennifer Granick, a cybercrime attorney and executive director of the Stanford Law School's Center for Internet and Society. 
"Here is a guy who didn't use the information, he notified the school--albeit through a third party--what was he supposed to do differently?" Granick said. "It's a Catch-22 for the security researcher, because they have arguably broken a law in finding the flaw." The case does underscore that researchers will have to become more savvy about dealing with the legal aspects of their craft, said David Endler, director of security research for 3Com subsidiary TippingPoint. "Finding a vulnerability in a Web site is a bit different than finding a vulnerability in a product," Endler said. "You can do a lot of things to a product that won't affect users. You shouldn't poke around a Web site unless you have permission or have been hired to do it. ... It's just not worth it." As the creator of two vulnerability-buying programs, Endler is familiar with the contorted legal issues that can sometimes face vulnerability researchers. He believes that cases, such as McCarty's prosecution, will likely lead to researchers either allying themselves with one of the flaw-bounty programs or declining to disclose any discoveries. Already, the influence of corporate legal teams had reduced the significance of the vulnerability disclosure movement, Immunity's Aitel said. "The peak of disclosure has long past us," he said. "Who out there is really giving away bugs these days? The disclosure movement passed us by more than two years ago and people have gone underground with their bugs." And having fewer security researchers looking over the shoulders of Web site administrators and Internet software makers will only mean less pressure to fix vulnerabilities and weaker security for sites on the Internet, said the EFF's Tien. "There is an under-disclosure of vulnerabilities and weaknesses, and that is bad thing for security, because the less people know about security problems, the less pressure is put on companies to improve security," Tien said. 
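The article describes the USC flaw only as "special code" typed into the username and password boxes of a login form. The following is an added example, not code from the article and not USC's application, showing the generic shape of that bug and its fix: a login query assembled by string concatenation, the injected username that turns it into "return every applicant," and the same lookup done with a parameterized query, which treats the input as data and returns nothing. The table, rows and credentials are constructed for the demonstration; passwords are stored in the clear only so that the query stays readable, which no real system should do.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory applicants table with constructed sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE applicants ("
        " id INTEGER PRIMARY KEY, username TEXT, password TEXT,"
        " name TEXT, ssn_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO applicants VALUES (?, ?, ?, ?, ?)",
        [
            (1, "alice", "hunter2", "Alice Example", "1234"),
            (2, "bob", "s3cret", "Bob Sample", "5678"),
            (3, "carol", "passw0rd", "Carol Test", "9012"),
        ],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """The bug: user input is pasted straight into the SQL text.
    A username of   ' OR 1=1 --   turns the WHERE clause into
    username = '' OR 1=1 --' AND password = '...'
    so the password check is commented out and every row comes back."""
    query = (
        "SELECT id, name, ssn_last4 FROM applicants "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchall()


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> list:
    """The fix: placeholders. The driver sends the values separately from the
    statement, so quotes and comment markers in the input are just characters
    to compare against, never SQL."""
    query = "SELECT id, name, ssn_last4 FROM applicants WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


# The injected username used throughout; the password is irrelevant once the
# comment marker swallows the rest of the statement.
INJECTED_USERNAME = "' OR 1=1 --"


if __name__ == "__main__":
    db = make_db()
    print("legitimate login:", login_vulnerable(db, "alice", "hunter2"))
    print("injected, vulnerable query:", login_vulnerable(db, INJECTED_USERNAME, "anything"))
    print("injected, parameterized query:", login_parameterized(db, INJECTED_USERNAME, "anything"))
```

Two practical notes. First, the injected string is all it takes, which is Aitel's point above: anyone with a browser can find this, so silence from the finder does not make the site safe. Second, parameterization fixes the query but not the disclosure: the hardened version still returns the last four SSN digits to whoever logs in, and the application, not the database driver, must decide which fields a user should ever see.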
Author's note: As described in the article, the FBI's affidavit supporting the charge against Eric McCarty of computer intrusion alleges that he was the source for an article published on SecurityFocus by the author. The author did not cooperate with the FBI's investigation nor was he asked to do so. In an interview conducted on Friday and in an e-mail exchange, McCarty provided proof that he was the author's source and waived the condition of anonymity that he requested for the original article. From rforno at infowarrior.org Sat May 13 09:23:54 2006 From: rforno at infowarrior.org (Richard Forno) Date: Sat, 13 May 2006 09:23:54 -0400 Subject: [Infowarrior] - Cable firms: Law protects customers Message-ID: (Wonder if this will be used as a marketing tool for those who don't understand that VOIP is no more private than the POTS.....rf) Cable firms: Law protects customers Updated 5/11/2006 11:26 PM ET By David Lieberman, USA TODAY http://www.usatoday.com/money/industries/telecom/2006-05-11-cable-privacy_x.htm NEW YORK -- Leading cable operators say a 1984 federal law would stop them from handing customer calling records to the National Security Agency the way AT&T, Verizon and BellSouth have, as reported Thursday in USA TODAY. The phone giants agreed after Sept. 11, 2001, to create a database of customer calling logs to help the NSA find terrorists, according to the report. Comcast, the largest operator, doesn't "provide the federal government access to customer (video, Internet or phone calling) records, or the ability to monitor customer communications, in the absence of valid legal process" such as a court order or search warrant, says spokeswoman D'Arcy Rudnay. Time Warner and Cox also said that it would take such an order for them to give the government such access. 
The cable operators said that Congress, in its Cable Communications Policy Act in 1984, explicitly required operators to get subscriber consent before collecting "personally identifiable information" or disclosing it to third parties. The act lets them disclose information to the government in response to a court order, although customers must be notified and allowed to contest it if it involves video programming. The act also lets companies gather data without consent to provide customer service. In addition, the cable industry has a history of opposing government regulation. "There are probably good reasons the NSA would go to the phone companies instead of the cable companies," says Marc Rotenberg, executive director of the Electronic Privacy Information Center. "There isn't a tradition (in cable) of turning over customer records." Congress extended the cable privacy rules to satellite subscribers in a 2004 law. "They took the cable statute and substituted the words 'satellite operator' for 'cable provider,' " says DirecTV associate general counsel Chris Murphy. But cable operators said the government has made it more difficult to apply the privacy standards set in 1984 when they just offered video, to their Internet and phone services. Congress in 2001 amended the Cable Act to make it jibe with their Electronic Communications Privacy Act, which requires Internet providers to obey a government order to turn over data about Web habits without informing the subscriber. With phone service, the Federal Communications Commission "has not yet said what the privacy policy would be," says National Cable & Telecommunications Association general counsel Neal Goldberg. "We've suggested (the Cable Act) requirements. We're used to them. We know how to operate under them. At a minimum, we've said, don't impose inconsistent or conflicting requirements." Among third-party companies offering phone capability via broadband, Skype had no comment. 
Vonage spokeswoman Brooke Schulz said, "Our position on this issue as it relates to Vonage is pretty clear. We don't supply any government authority with call record data or any sensitive customer information without a subpoena." Contributing: Edward C. Baig From rforno at infowarrior.org Sat May 13 18:44:55 2006 From: rforno at infowarrior.org (Richard Forno) Date: Sat, 13 May 2006 18:44:55 -0400 Subject: [Infowarrior] - US files motion to intervene in AT&T secrets case Message-ID: US files motion to intervene in AT&T secrets case Sat May 13, 2006 10:18 AM ET http://tinyurl.com/n7o8s WASHINGTON, May 13 (Reuters) - The U.S. government filed a motion on Saturday to intervene and seek dismissal of a lawsuit by a civil liberties group against AT&T Inc. over a federal program to monitor U.S. communications. The suit filed in the U.S. District Court of the Northern District of California accuses AT&T of unlawful collaboration with the National Security Agency in its surveillance program to intercept telephone and e-mail communications between the United States and people linked to al Qaeda and affiliated organizations. The class-action suit was filed by San Francisco-based Electronic Frontier Foundation on behalf of AT&T customers in January -- before reports this week that AT&T and two other phone companies were secretly helping the government compile a massive database of phone calls made in the United States. In its motion seeking intervention, posted on the court's Web site, the government said the interests of the parties in the lawsuit "may well be in the disclosure of state secrets" in their effort to present their claims or defenses. 
"Only the United States is in a position to protect against the disclosure of information over which it has asserted the state secrets privilege, and the United States is the only entity properly positioned to explain why continued litigation of the matter threatens the national security," said the motion, dated May 12. A hearing is scheduled for June 21 before federal Judge Vaughn Walker. The Electronic Frontier Foundation has said in court filings that a former AT&T technician had approached the group in January to share details of the company's role in the surveillance program. The revelation in December that the NSA was eavesdropping inside the United States without warrants on international calls and e-mails of terrorism suspects sparked an uproar. On Thursday, USA Today reported that the NSA, helped by AT&T, Verizon Communications Inc. and BellSouth Corp., was secretly collecting phone records of tens of millions of people, and using the data to analyze calling patterns in an effort to detect terrorist activity. U.S. President George W. Bush denied the government was "mining and trolling through" the personal lives of Americans. © Reuters 2006. All Rights Reserved. From rforno at infowarrior.org Sat May 13 18:52:52 2006 From: rforno at infowarrior.org (Richard Forno) Date: Sat, 13 May 2006 18:52:52 -0400 Subject: [Infowarrior] - Verizon getting sued like crazy this weekend... Message-ID: I'm sure this is only the start. I'm also sure few if any of these will go anywhere. Still, the outcry begins. At the moment, most of the news items at this link are lawsuit- and investigation-of-Verizon related, but that's subject to change as Google updates. 
http://news.google.com/news?hl=en&ned=us&q=verizon&btnG=Search+News From rforno at infowarrior.org Sat May 13 20:12:58 2006 From: rforno at infowarrior.org (Richard Forno) Date: Sat, 13 May 2006 20:12:58 -0400 Subject: [Infowarrior] - More on...Verizon getting sued like crazy this weekend... In-Reply-To: Message-ID: ------ Forwarded Message From: Monty Solomon Date: Sat, 13 May 2006 19:11:00 -0400 Cheney Pushed U.S. to Widen Eavesdropping By SCOTT SHANE and ERIC LICHTBLAU Published: May 14, 2006 http://www.nytimes.com/2006/05/14/washington/14nsa.html?ex=1305259200&en=4293d682ba33afda&ei=5090 Questions Raised for Phone Giants in Spy Data Furor By JOHN MARKOFF Published: May 13, 2006 http://www.nytimes.com/2006/05/13/washington/13phone.html?ex=1305172800&en=0872ff5e182d5e7c&ei=5090 From rforno at infowarrior.org Sun May 14 10:03:22 2006 From: rforno at infowarrior.org (Richard Forno) Date: Sun, 14 May 2006 10:03:22 -0400 Subject: [Infowarrior] - AUS: Transferring music ruled legal Message-ID: Transferring music ruled legal By Kerry Anne Walsh May 14, 2006 http://www.theage.com.au/news/national/music-to-the-ears/2006/05/13/1146940775897.html TRANSFERRING music from CDs onto iPods and other MP3 players will no longer be illegal after federal cabinet agreed to make sweeping changes to copyright laws. But beware the trap of downloading from the internet. The Government will increase surveillance and fines on internet piracy in a package to be announced by Attorney-General Philip Ruddock today. Once the new laws are passed, "format shifting" of music, newspapers and books from personal collections onto MP3 players will become legal. The new laws will also make it legal for people to tape television and radio programs for playback later, a practice currently prohibited although millions of people regularly do it. Under the current regime, millions of households a day are breaking the law when they tape a show and watch it at another time.
Schools, universities, libraries and other cultural institutions will, in the future, be free to use copyright material for non-commercial purposes. But the Government is giving police greater powers to tackle internet piracy, signalling that the days of downloading music from the internet danger-free may be limited. Police will be able to issue on-the-spot fines and access and recover profits made by copyright pirates. Courts will be given powers to award larger damages payouts against internet pirates. Civil infringement proceedings will apply to copyright pirates who make electronic reproductions or copies of copyright material. In a win for recording artists, the new package will include the removal of the legislative 1 per cent cap on copyright licence fees paid by radio broadcasters for playing recordings. The Government is bracing for a stoush with commercial radio stations over the removal of the cap, which has been in place since 1968. But Mr Ruddock believes the archaic provision was established to protect radio broadcasters who were facing a difficult economic environment at the time. As they now operated in a "profitable and robust" industry, record companies and artists should be allowed to negotiate a fair market rate without legislative intervention, he will announce. If both sides cannot agree on fees, the Copyright Tribunal would be called upon to adjudicate. The Australian Institute of Criminology will be asked to undertake research into the extent of piracy and counterfeiting in Australia and the best methods of responding to the problem. "Copyright is important and should be respected," Mr Ruddock said. "Everyday consumers shouldn't be treated like copyright pirates. Copyright pirates should not be treated like everyday consumers." The Government will ask the Australian Crime Commission to investigate reports that organised crime is infiltrating piracy and counterfeiting rackets in Australia. 
From rforno at infowarrior.org Sun May 14 14:48:58 2006 From: rforno at infowarrior.org (Richard Forno) Date: Sun, 14 May 2006 14:48:58 -0400 Subject: [Infowarrior] - US could access EU data retention information Message-ID: US could access EU data retention information 12.05.2006 - 09:50 CET | By Helena Spongenberg US authorities can get access to EU citizens' data on phone calls, sms' and emails, giving a recent EU data-retention law much wider-reaching consequences than first expected, reports Swedish daily Sydsvenskan. The EU data retention bill, passed in February after much controversy and with implementation tabled for late 2007, obliges telephone operators and internet service providers to store information on who called who and who emailed who for at least six months, aimed at fighting terrorism and organised crime. A week later on 2-3 March, EU and US representatives met in Vienna for an informal high level meeting on freedom, security and justice where the US expressed interest in the future storage of information. The US delegation to the meeting "indicated that it was considering approaching each [EU] member state to ensure that the data collected on the basis of the recently adopted Directive on data retention be accessible to them," according to the notes of the meeting. Representatives from the Austrian EU presidency and from the European Commission said that these data were "accessible like any other data on the basis of the existing ... agreements" the notes said. The EU representatives added that the commission would convene an expert meeting on the issue. Under current agreements, if the FBI, for example, is interested in a group of EU citizens from a member state who are involved in an investigation, the bureau can ask for help with a prosecutor in that member state. The national prosecutor then requests telephone operators and internet service providers for information, which is then passed on to the FBI. 
This procedure opens the way for US authorities to get access under the EU data-retention law, according to the Swedish newspaper. In the US itself meanwhile, fury has broken out in the US congress after reports revealed that the Bush administration covertly collected domestic phone records of tens of millions of US citizens since the attacks in New York on 11 September 2001. President George Bush did not deny the allegations in a television statement last night, but insisted that his administration had not broken any laws. © EUobserver.com 2006 This article and related links can be found at: http://euobserver.com/9/21580 From rforno at infowarrior.org Sun May 14 16:11:29 2006 From: rforno at infowarrior.org (Richard Forno) Date: Sun, 14 May 2006 16:11:29 -0400 Subject: [Infowarrior] - A PSA from NSA Message-ID: Let's all do our parts, okay? -rf From: Bruce Schneier Date: May 12, 2006 11:59:22 PM EDT This is the line that's done best for me on the radio this week: "The NSA wants to remind everyone to call their mothers this Sunday. They need to calibrate their system." From rforno at infowarrior.org Sun May 14 18:47:30 2006 From: rforno at infowarrior.org (Richard Forno) Date: Sun, 14 May 2006 18:47:30 -0400 Subject: [Infowarrior] - Question re: current telco lawsuits Message-ID: I know EFF, CPSR, EPIC, ACLU, and others are tracking the NSA monitoring item and many have filed lawsuits against the telcos for supporting various NSA programs in recent months. Over this weekend we're seeing both individual and class action suits filed against some of the involved telcos, and at least one state public utility commission (Maine) reportedly opening up an investigation into the allegations.
Has anyone developed, or is anyone developing, an aggregate list of current or planned lawsuits against the telcos -- particularly class actions -- that folks can refer to and/or participate in? I've had a few folks ask about it, but I've not come across a "master list" of such endeavors yet. -rick Infowarrior.org From rforno at infowarrior.org Sun May 14 21:17:49 2006 From: rforno at infowarrior.org (Richard Forno) Date: Sun, 14 May 2006 21:17:49 -0400 Subject: [Infowarrior] - The NSA is on the line -- all of them Message-ID: http://www.salon.com/news/feature/2006/05/15/aid_interview/print.html The NSA is on the line -- all of them An intelligence expert predicts we'll soon learn that cellphone and Internet companies also cooperated with the National Security Agency to eavesdrop on us. By Kim Zetter May. 15, 2006 | When intelligence historian Matthew Aid read the USA Today story last Thursday about how the National Security Agency was collecting millions of phone call records from AT&T, Bell South and Verizon for a widespread domestic surveillance program designed to root out possible terrorist activity in the United States, he had to wonder whether the date on the newspaper wasn't 1976 instead of 2006. Aid, a visiting fellow at George Washington University's National Security Archive, who has just completed the first book of a three-volume history of the NSA, knew the nation's bicentennial marked the year when secrets surrounding another NSA domestic surveillance program, code-named Project Shamrock, were exposed. As fireworks showered New York Harbor that year, the country was debating a three-decades-long agreement between Western Union and other telecommunications companies to surreptitiously supply the NSA, on a daily basis, with all telegrams sent to and from the United States. 
The similarity between that earlier program and the most recent one is remarkable, with one exception -- the NSA now owns vastly improved technology to sift through and mine massive amounts of data it has collected in what is being described as the world's single largest database of personal information. And, according to Aid, the mining goes far beyond our phone lines. The controversy over Project Shamrock in 1976 ultimately led Congress to pass the 1978 Foreign Intelligence Surveillance Act and other privacy and communication laws designed to prevent commercial companies from working in cahoots with the government to conduct wholesale secret surveillance on their customers. But as stories revealed last week, those safeguards had little effect in preventing at least three telecommunications companies from repeating history. Aid, who co-edited a book in 2001 on signals intelligence during the Cold War, spent a decade conducting more than 300 interviews with former and current NSA employees for his new history of the agency, the first volume of which will be published next year. Jeffrey Richelson, a senior fellow at the National Security Archive, calls Aid the top authority on the NSA, alongside author James Bamford. Aid spoke with Salon about how the NSA has learned to maneuver around Congress and the Department of Justice to get what it wants. He compared the agency's current data mining to Project Shamrock and Echelon, the code name for an NSA computer system that for many years analyzed satellite communication signals outside the U.S., and generated its own controversy when critics claimed that in addition to eavesdropping on enemy communication, the satellites were eavesdropping on allies' domestic phone and e-mail conversations. 
Aid also spoke about the FBI's Carnivore program, designed to "sniff" e-mail traveling through Internet service providers for communication sent to and from criminal suspects, and how the NSA replaced the FBI as the nation's domestic surveillance agency after 9/11. Having studied the NSA and its history extensively, were you surprised and concerned to discover that, since 2001, the agency has been amassing a database of phone records, and possibly other information, on U.S. citizens? The fact that the federal government has my phone records scares the living daylights out of me. They won't learn much from them other than I like ordering pizza on Friday night and I don't call my mother as often as I should. But it should scare the living daylights out of everybody, even if you're willing to permit the government certain leeways to conduct the war on terrorism. We should be terrified that Congress has not been doing its job and because all of the checks and balances put in place to prevent this have been deliberately obviated. In order to get this done, the NSA and White House went around all of the checks and balances. I'm convinced that 20 years from now we, as historians, will be looking back at this as one of the darkest eras in American history. And we're just beginning to sort of peel back the first layers of the onion. We're hoping against hope that it's not as bad as I suspect it will be, but reality sets in every time a new article is published and the first thing the Bush administration tries to do is quash the story. It's like the lawsuit brought by EFF [Electronic Frontier Foundation] against AT&T -- the government's first reaction was to try to quash the lawsuit. That ought to be a warning sign that they're on to something. I'll tell you where this story probably will go next. 
Notice the USA Today article doesn't mention whether the Internet service providers or cellphone providers or companies operating transatlantic cables like Global Crossing cooperated with the NSA. That's the next round of revelations. The real vulnerabilities for the NSA are the companies. Sooner or later one of these companies, fearing the inevitable lawsuit from the ACLU, is going to admit what it did, and the whole thing is going to come tumbling down. If you want some historical perspective look at Operation Shamrock, which collapsed in 1975 because [Rep.] Bella Abzug [D-NY] subpoenaed the heads of Western Union and the other telecommunications giants and put them in witness chairs, and they all admitted that they had cooperated with the NSA for the better part of 40 years by supplying cables and telegrams. The newest system being added to the NSA infrastructure, by the way, is called Project Trailblazer, which was initiated in 2002 and which was supposed to go online about now but is fantastically over budget and way behind schedule. Trailblazer is designed to copy the new forms of telecommunications -- fiber optic cable traffic, cellphone communication, BlackBerry and Internet e-mail traffic. Were you really surprised to learn recently that the NSA was eavesdropping on phone calls, as the New York Times reported last December? I think most people assumed, or at least suspected, that the government had been monitoring some domestic conversations for years after the Echelon program was revealed. Echelon, though never confirmed by the government, was described as a global surveillance system that had the ability to intercept every phone, fax and e-mail conversation around the world. I think it was generally assumed that when I heard breathing on the other end of the phone, it was the FBI and not the NSA listening in. 
Since [the movie] "Enemy of the State" came out, everybody has assumed that the NSA had the ability to turn its antennas around and monitor us in the U.S. as much as they did anybody else. But I honestly believe that prior to 9/11, the NSA was not engaged in any domestic work at all. Then 9/11 changed the entire equation, and Congress, in its rush to prove how patriotic it was, passed the Patriot Act, which gave the government unlimited powers to conduct surveillance in the US. Basic freedoms were abridged. Echelon, in fact, is nothing more than a VAX microcomputer that was manufactured in the early 1970s by Control Data Corp. in St. Paul, Minn., and was used at six satellite intercept stations [to filter and sort data collected from the satellites and distribute it to analysts]. The computer has long since been obsolete. Since 9/11, whatever plans in place to modernize Echelon have been put on hold. The NSA does in fact have a global intercept network, but they just call it the intercept collection infrastructure. They don't have a code name or anything sexy to describe it, and it didn't do domestic spying. In 1988 Duncan Campbell, a U.K. journalist, wrote an article for the New Statesman based on an interview with a Lockheed Martin employee named Margaret Newsham, who had worked at an NSA satellite listening station in England. She claimed the NSA was eavesdropping on U.S. phone conversations back then and that she herself had eavesdropped on a conversation involving Senator Strom Thurmond. The stories reported then were that the NSA did have the ability to eavesdrop globally on conversations and was doing so domestically. I'm not sure what she heard, but I can tell you the NSA was not listening to domestic calls -- they were testing the system at the time that [Newsham] was in England, so while playing with the receiver they may have scrolled over some signals, but the system was not yet operational. 
Lockheed was in the process of installing the brand new processing stations and Newsham was sent to help put it in place. I asked a number of NSA people about this and they said their main focus at the time was the Soviet Union, with a minor focus on the Middle East. They had no U.S. intercept function whatsoever. If there was domestic work being done in the U.S., it was mostly being done by the FBI and not the NSA. It's true that some elements in the NSA really wanted to loosen the restrictions imposed by FISA but were told it's the law of the land. And we can't go to Congress and ask that the FISA statute be modified to allow the NSA to engage in domestic work. The assumption was that the Justice Department would never agree to it. Judging by the USA Today article last week they found a way to get around those FISA restrictions and the Justice Department. The USA Today article doesn't cover how the NSA convinced all of the phone companies to cooperate. Did General Hayden [former NSA director and current nominee to run the CIA] pick up the phone and call the CEOs? Or were they presented with National Security letters saying you will turn over all your records to us and keep it quiet within your organization? But it does seem clear that the Justice Department was excluded from all of this, or at least the parts of the Justice Department that would normally have some oversight over this. For example, they didn't refer the case down to the Civil Rights Division for their approval. They kept the number of people within the Justice Department who had knowledge of the program to a small number of people. I think they feared that if they passed it down to other departments that might have some purview over the program they might have encountered a stream of objections. 
It's all coming out now in dribs and drabs, but when it all becomes clear, we'll find out that the key oversight functions -- those functions that were put in place to protect the rights of Americans -- were deliberately circumvented. Key components of the Justice Department that would have rightly objected to this were never consulted or told about the program. Alberto Gonzales when he was the White House counsel knew about it, as did Attorney General Ashcroft and his deputy, but outside of that I don't think there were many others who knew all the details. According to President Bush, there were apparently some members of Congress who knew about the program. They can claim that they briefed individual members of Congress but there's a difference between briefing a few members of Congress and briefing a full committee. Only a few members of the intelligence committee were told and they were told in a way in which they couldn't do anything about it. And the briefings were very general and lacking in specifics, as I understand. What happens is that you're [privately] briefed about the program, and then even if you object to the program, you can't do anything about it because you can't tell the whole committee. Our system only works when information is given to the full committee. But the way they did it effectively handcuffed any opposition because you can't go to the full committee and say I object to this program and we ought to call some hearings and examine the legalistic background and justification for the program. Even if Senator Rockefeller or Senator Pelosi had some issues with it, they couldn't even tell their own staff, much less other members of the committee. They deliberately did it this way so the intelligence committees couldn't do anything about it. Who's the person running the NSA's data collection program? James M. Cusick, assistant deputy director of the NSA for data acquisition. He's Mr. Data Acquisition.
He's the specialist in charge of building collection systems that can acquire vast amounts of data, and his unit is the one that is running this program. Do you think such a program could be effective at catching terrorists? To the best of my knowledge, in the five years in which the program has been running, it has not caught a single person. How did we go from having the FBI doing domestic surveillance to having the NSA serve that function? How was the decision made? The FBI is in a state of shell shock after 9/11. They've become so risk-averse. They've been criticized so many times, for the right reasons, that they're terrified of doing their job anymore. So the White House felt they'd become rather leaky and creaky. Also, the FBI had to get approval from the attorney general for every tap it used. I've been told on fairly good authority that the reason the FBI's Carnivore telecommunications surveillance program was not used in the fashion that the NSA system has been after 9/11 was because it would require the written consent of the attorney general and the Civil Rights and Criminal Divisions of the Justice Department, any one of which could have scuttled the program. That's a prospect worse than the FISA court, as far as the White House is concerned. So the White House decided to abandon the FBI in favor of an agency that had not done any domestic work since 1975. As a result, the NSA had to spend billions of dollars constructing a system that it didn't have the capability to construct prior to 2001, which may explain why some NSA veterans I talked to say that some parts of the NSA are now short of money. Do you know how much the NSA has spent on its phone record data collection project? No. I don't even think the people who have been briefed on the program on Capitol Hill know how the money is being used. Each year the House and Senate intelligence committees pass, by oral vote, the money for the entire intelligence community. 
Then they pray like the dickens that these people are spending it wisely and properly. It will come as no surprise to anyone that Congress has basically abrogated its responsibility for overseeing the national security establishment of the NSA. And you can't blame one party over the other. It's my experience that many senior ranking Democrats on these committees are also not doing their job for one reason or another. -- By Kim Zetter From rforno at infowarrior.org Sun May 14 21:31:17 2006 From: rforno at infowarrior.org (Richard Forno) Date: Sun, 14 May 2006 21:31:17 -0400 Subject: [Infowarrior] - National Information Exchange Model (NIEM) Message-ID: U.S. Department of Homeland Security (DHS) and U.S. Department of Justice (DOJ) officials have announced a new partnership to provide leadership for the enhanced development of the Global Justice Information Sharing Initiative (Global) Justice Extensible Markup Language (XML) Data Model (Global JXDM) as a base for the deployment of the National Information Exchange Model (NIEM). Current Release (0.3) of the National Information Exchange Model April 12, 2006 -- The U.S. Department of Homeland Security (DHS), U.S. Department of Justice (DOJ) and their associated departments and domains are proud to announce a new release of the National Information Exchange Model or NIEM 0.3. http://niem.gov/ From rforno at infowarrior.org Mon May 15 11:25:31 2006 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 15 May 2006 11:25:31 -0400 Subject: [Infowarrior] - Federal Source to ABC News: We Know Who You're Calling Message-ID: Federal Source to ABC News: We Know Who You're Calling May 15, 2006 10:33 AM Brian Ross and Richard Esposito Report: http://blogs.abcnews.com/theblotter/2006/05/federal_source_.html A senior federal law enforcement official tells us the government is tracking the phone numbers we call in an effort to root out confidential sources.
"It's time for you to get some new cell phones, quick," the source told us in an in-person conversation. We do not know how the government determined who we are calling, or whether our phone records were provided to the government as part of the recently-disclosed NSA collection of domestic phone calls. Other sources have told us that phone calls and contacts by reporters for ABC News, along with the New York Times and the Washington Post, are being examined as part of a widespread CIA leak investigation. One former official was asked to sign a document stating he was not a confidential source for New York Times reporter James Risen. Our reports on the CIA's secret prisons in Romania and Poland were known to have upset CIA officials. People questioned by the FBI about leaks of intelligence information say the CIA was also disturbed by ABC News reports that revealed the use of CIA predator missiles inside Pakistan. Under Bush Administration guidelines, it is not considered illegal for the government to keep track of numbers dialed by phone customers. The official who warned ABC News said there was no indication our phones were being tapped so the content of the conversation could be recorded. A pattern of phone calls from a reporter, however, could provide valuable clues for leak investigators. From rforno at infowarrior.org Mon May 15 18:53:27 2006 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 15 May 2006 18:53:27 -0400 Subject: [Infowarrior] - Research Software RFI Message-ID: Anyone have an opinion on EndNote 9 vs. Bookends for hard-core OSX-based academic bibliographic management? EndNote 8 was a buggy POS and I didn't use it -- but supposedly v9 is better. Still, Bookends has its advantages, too. And yes, I've Googled for answers already. Just widening my info stream here. 
-rf From rforno at infowarrior.org Mon May 15 18:55:46 2006 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 15 May 2006 18:55:46 -0400 Subject: [Infowarrior] - List Admin Update Message-ID: The new RSS feed for infowarrior-l can be found at: http://www.mail-archive.com/infowarrior%40attrition.org/maillist.rdf The new mail archive for infowarrior-l can be found at: http://www.mail-archive.com/infowarrior%40attrition.org/ ...thx to M. for reminding me to update the website. :) -rf From rforno at infowarrior.org Mon May 15 21:35:46 2006 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 15 May 2006 21:35:46 -0400 Subject: [Infowarrior] - Gmail cripples DRMed PDF files' "View as HTML" functionality Message-ID: Gmail cripples DRMed PDF files' "View as HTML" functionality Posted by Andreas on May 15th, 2006 at 03:15 http://akira.arts.kuleuven.ac.be/andreas/blog/archives/2006/05/gmail-cripples-drmed-pdf-files-view-as-html-functionality.html Google has rolled out a couple of new Gmail features this week. And guess what: one of them is not mentioned on the "What's new on Gmail?" page. Readers of this blog probably know what I'm talking about... Indeed, Gmail has crippled its "View as HTML" functionality so as to comply with Adobe's PDF copy-control scheme. In case an email attachment is a DRMed PDF file (= a PDF with copying and/or printing restrictions), clicking on the "View as HTML" link returns the message displayed in the screenshot.
From rforno at infowarrior.org Mon May 15 22:42:47 2006 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 15 May 2006 22:42:47 -0400 Subject: [Infowarrior] - Dumb and dumber: copyright law change Message-ID: ...geez, this makes the DMCA look nice by comparison.......rf Dumb and dumber: copyright law change http://blogs.smh.com.au/mashup/archives//004567.html Under the Australian Government's proposed new copyright laws it will no longer be technically illegal to tape TV shows or rip tracks from your CD onto your iPod. That's the good part - getting rid of something that almost everybody had honoured in the breach. But it replaces that stupid law with another stupider one - one that can never be properly policed and one which will continue to put almost everyone in breach of the copyright laws. Under these proposed new laws it will be illegal - for instance - to lend a video copy of a TV show you have made to your family or friends if you have already watched that copy. And those same proposed laws will require you to delete that program once you've watched it once. Yeah, sure everyone's going to observe that one. At first glance, these changes seem to fall short of genuine reform. They clear up a ridiculous, out of date law and replace it with another that is destined to be flouted by anyone with a VCR, DVD or hard drive recorder. "It raises the question of whether it will require a new breed of DVD recorders that only let you play some things once," the Financial Review quoted David Vaile, the executive director of the Baker & McKenzie cyberspace law and policy centre at the University of NSW, as saying. Here's the Q&A from the Attorney-General's site that explains a little more about the reforms: Does this mean I can record my favourite television or radio program to enjoy later? Yes. For the first time you will be able to record most television or radio programs at home to enjoy at a later time.
This will allow you to watch or listen to a program as it was made available to the public at the time of the original broadcast. How long can I keep the recording? The recording must be deleted after one use. It will not be possible to use the recording over and over again. Can I make a collection of copied television and radio programs? No. You will not be able to burn a collection (or library) of your favourite programs on DVD or CD to keep. (It will be permitted to record a program on DVD or CD but only temporarily until you watch or listen to it for the first time.) What can I do with a recorded program? You can watch or listen to the recording with your family or friends. It will not be permitted to sell or hire a recording or to play it at school or work or in any kind of public audience. Can I give a recording I have made to a friend? No. A recording is for the personal use of the person who made it. You can invite a friend over to watch or listen to your recording but you can't lend or give it to a friend to take home with them. Will I be able to copy my music collection? Yes. You can format-shift your music collection from CDs, audio tapes and vinyl records to devices such as an MP3 player, X-Box 360 or home entertainment PC, but only if the original is a legitimate copy that you own and you format-shift for your personal use in a different audio format. Can I make a compilation CD by copying tracks from CDs that I own to a blank CD? Yes, if you copy the tracks in a different format to the original, such as making a compilation CD in MP3 format. Can I copy a music download to a CD or MP3 player? Yes, if you have purchased a legitimate copy and it is permitted by the purchase agreement. Will I be able to share my music collection with a friend? No. You will not be able to sell, loan or give away any format-shift copy you make in a different format, but a friend can listen to your music with you. Can someone else make a copy in a different format for me?
No. A format-shift copy must be made by the owner of the original copy. It will not be possible for a business to make copies for a customer. Can I make a 'back-up' copy of a CD in case the original is lost or damaged? No. A format-shift copy must be in a different audio format to the original. Can I sell or give away my MP3 music player? Yes, but you will need to delete any format-shift copy you have stored in the MP3 music player before it is sold or given away. Can I upload a copy of a song to the Internet? No, this would continue to be against the law. What if my CD has copy protection applied to it? The Government is still considering this issue of copy protection. Will I be able to format-shift other kinds of copyright material as well as sound recordings? Yes. You will also be able to format-shift copy some other copyright material such as books, newspapers, magazines, video tapes and photographs. Will conditions apply to copying these other kinds of material? Yes. In general, the same conditions will apply as for format-shifting music (see above). For example, the original will need to be a legitimate copy that you own and the copy made for your personal use in a different format. It also will not be permitted to loan, hire or sell any copy you make. Will I be able to copy a film from DVD to a portable player? No. The Government will monitor the implementation of the new exceptions and review its scope in two years. It will be possible to dub an old VHS tape to a digital player. 
SJ Hutcheon, May 15, 2006 09:51 AM

From rforno at infowarrior.org Mon May 15 22:51:51 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 15 May 2006 22:51:51 -0400
Subject: [Infowarrior] - Credit card security rules to get update
Message-ID:

Credit card security rules to get update
By Joris Evers
http://news.com.com/Credit+card+security+rules+to+get+update/2100-1029_3-6072594.html
Story last modified Mon May 15 18:45:15 PDT 2006

SAN FRANCISCO--Proposed new security rules for credit card-accepting businesses will put more scrutiny on software, but let them off the hook on encryption.

The update to the Payment Card Industry (PCI) Data Security Standard, due this summer, responds to evolving attacks as well as to challenges some businesses have with the encryption of consumer data, Tom Maxwell, director of e-Business and Emerging Technologies at MasterCard International, said here Monday.

The proposed update includes a requirement to, by mid-2008, scan payment software for vulnerabilities, Maxwell said in a presentation at a security conference hosted by vulnerability management specialist Qualys. Currently, merchants are required to validate only that there are no security holes in their network. "There is an increase in application level attacks," Maxwell said.

While security stands to benefit from a broader vulnerability scan, another proposed change to the security rules may hurt security of consumer data, critics said. The new version of PCI will offer merchants more alternatives to encryption as a way to secure consumer data.

"Today, the requirement is to make all information unreadable wherever it is stored," Maxwell said. But this encryption requirement is causing so much trouble for merchants that credit card companies are having trouble dealing with requests for alternative measures, he said.
In response, changes to PCI will let companies replace encryption with other types of security technology, such as additional firewalls and access controls, Maxwell said. "There will be more acceptable compensating and mitigating controls," he said.

While PCI is good in principle, relaxing encryption requirements is not, said Paul Simmonds, a representative of the Jericho Forum, a group of companies that promote open security technologies. "It basically means that if you hack the system, you get the data," he said. "I can't think of a good alternative for encryption."

The challenge with encryption is that older payment systems were not built to support the scrambling technology, said Qualys CEO Philippe Courtot. "Encryption is the ultimate measure of security, but the current applications have not been designed with encryption in mind," Courtot said.

The PCI security standard was developed by MasterCard and Visa and went into effect last year. It aims to reduce the risk of an attack by mandating the proper use of firewalls, message encryption, computer access controls and antivirus software. It also requires frequent security audits and network monitoring, and forbids the use of default passwords. Retailers that don't comply may face penalties, including fines.

Copyright ©1995-2006 CNET Networks, Inc. All rights reserved.

From rforno at infowarrior.org Tue May 16 07:13:42 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 16 May 2006 07:13:42 -0400
Subject: [Infowarrior] - HOT: Congress may make ISPs snoop on you
Message-ID:

Congress may make ISPs snoop on you
By Declan McCullagh
http://news.com.com/Congress+may+make+ISPs+snoop+on+you/2100-1028_3-6072601.html
Story last modified Tue May 16 04:00:08 PDT 2006

A prominent Republican on Capitol Hill has prepared legislation that would rewrite Internet privacy rules by requiring that logs of Americans' online activities be stored, CNET News.com has learned.
The proposal comes just weeks after Attorney General Alberto Gonzales said Internet service providers should retain records of user activities for a "reasonable amount of time," a move that represented a dramatic shift in the Bush administration's views on privacy.

Wisconsin Rep. F. James Sensenbrenner, the chairman of the House Judiciary Committee, is proposing that ISPs be required to record information about Americans' online activities so that police can more easily "conduct criminal investigations." Executives at companies that fail to comply would be fined and imprisoned for up to one year.

In addition, Sensenbrenner's legislation--expected to be announced as early as this week--also would create a federal felony targeted at bloggers, search engines, e-mail service providers and many other Web sites. It's aimed at any site that might have "reason to believe" it facilitates access to child pornography--through hyperlinks or a discussion forum, for instance.

Speaking to the National Center for Missing and Exploited Children last month, Gonzales warned of the dangers of pedophiles using the Internet anonymously and called for new laws from Congress. "At the most basic level, the Internet is used as a tool for sending and receiving large amounts of child pornography on a relatively anonymous basis," Gonzales said.

[Photo caption: Rep. F. James Sensenbrenner, R-Wisc.]

Until Gonzales' speech, the Bush administration had explicitly opposed laws requiring data retention, saying it had "serious reservations" about them. But after the European Parliament last December approved such a requirement for Internet, telephone and voice over Internet Protocol (VoIP) providers, top administration officials began talking about it more favorably.

The drafting of the data-retention proposal comes as Republicans are trying to do more to please their conservative supporters before the November election.
One bill announced last week targets MySpace.com and other social networking sites. At a meeting last weekend, social conservatives called on the Bush administration to step up action against pornography, according to a New York Times report.

Sensenbrenner's proposal is likely to be controversial. It would substantially alter U.S. laws dealing with privacy protection of Americans' Web surfing habits and is sure to alarm Internet businesses that could be at risk for linking to illicit Web sites.

A spokesman for the House Judiciary Committee said the aide who drafted the legislation was not immediately available for an interview on Monday. U.S. Justice Department spokesman Drew Wade said the agency generally doesn't comment on legislation, though it may "issue a letter of opinion" at a later date.

Marc Rotenberg, executive director of the Electronic Privacy Information Center in Washington, called Sensenbrenner's measure an "open-ended obligation to collect information about all customers for all purposes. It opens the door to government fishing expeditions and unbounded data mining."

The National Security Agency has engaged in extensive data-mining about Americans' phone calling habits, USA Today reported last week, a revelation that could complicate Republicans' efforts to enact laws relating to mandatory data retention and data mining. Sen. John Sununu, a New Hampshire Republican, for instance, took a swipe at the program on Monday, and Democrats have been calling for a formal investigation.

Worries for Internet providers

One unusual aspect of Sensenbrenner's legislation--called the Internet Stopping Adults Facilitating the Exploitation of Today's Youth Act, or Internet Safety Act--is that it's relatively vague. Instead of describing exactly what information Internet providers would be required to retain about their users, the Internet Safety Act gives the attorney general broad discretion in drafting regulations.
At minimum, the proposal says, user names, physical addresses, Internet Protocol addresses and subscribers' phone numbers must be retained. That generous wording could permit Gonzales to order Internet providers to retain records of e-mail correspondents, Web pages visited, and even the contents of communications.

"In the absence of clear privacy safeguards, Congress would be wise to remove this provision," Rotenberg said.

Sonia Arrison, director of technology studies at the free-market Pacific Research Institute in San Francisco, said the Internet Safety Act "follows in a long line of bad laws that are written in the name of protecting children."

Complicating the outlook for the Internet Safety Act is the uncertain political terrain of Capitol Hill. Rep. Diana DeGette, a Colorado Democrat, announced legislation last month--which could be appended to a telecommunications bill--that would require Internet providers to store records that would permit police to identify each user. The head of the Energy and Commerce Committee, Rep. Joe Barton of Texas, has expressed support for DeGette's plan.

That could lead to a renewal of a turf battle between the two committees, one of which has jurisdiction over Internet providers, while the other is responsible for federal criminal law.

"We're still evaluating things," said Terry Lane, a spokesman for the House Energy and Commerce Committee. "We haven't really laid out exactly yet what kind of proposals we would support and what kind of proposals would be necessary."

New Internet felonies proposed

Following are excerpts from Rep. Sensenbrenner's Internet Safety Act:

"Whoever, being an Internet content hosting provider or email service provider, knowingly engages in any conduct the provider knows or has reason to believe facilitates access to, or the possession of, child pornography shall be fined under this title or imprisoned not more than 10 years, or both.
"'Internet content hosting provider' means a service that (A) stores, through electromagnetic or other means, electronic data, including the content of web pages, electronic mail, documents, images, audio and video files, online discussion boards, and weblogs; and (B) makes such data available via the Internet"

"Not later than 90 days after the date of the enactment of this section, the Attorney General shall issue regulations governing the retention of records by Internet Service Providers. Such regulations shall, at a minimum, require retention of records, such as the name and address of the subscriber or registered user (and what) user identification or telephone number was assigned..."

Federal politicians also are being lobbied by state law enforcement agencies, which say strict data retention laws will help them investigate crimes that have taken place a while ago.

Sgt. Frank Kardasz, head of Arizona's Internet Crimes Against Children Task Force, surveyed his colleagues in other states earlier this year asking them what new law would help them do their jobs. "The most frequent response involved data retention by Internet service providers," or ISPs, Kardasz told News.com last month.

"Preservation" vs. "Retention"

At the moment, ISPs typically discard any log file that's no longer required for business reasons such as network monitoring, fraud prevention or billing disputes. Companies do, however, alter that general rule when contacted by police performing an investigation--a practice called data preservation.

A 1996 federal law called the Electronic Communication Transactional Records Act regulates data preservation. It requires Internet providers to retain any "record" in their possession for 90 days "upon the request of a governmental entity."

Because Internet addresses remain a relatively scarce commodity, ISPs tend to allocate them to customers from a pool based on whether a computer is in use at the time.
(Two standard techniques used are the Dynamic Host Configuration Protocol and Point-to-Point Protocol over Ethernet.)

In addition, ISPs are required by another federal law to report child pornography sightings to the National Center for Missing and Exploited Children, which is in turn charged with forwarding that report to the appropriate police agency.

When adopting its data retention rules, the European Parliament approved U.K.-backed requirements saying that communications providers in its 25 member countries--several of which had enacted their own data retention laws already--must retain customer data for a minimum of six months and a maximum of two years.

The Europe-wide requirement applies to a wide variety of "traffic" and "location" data, including the identities of the customers' correspondents; the date, time and duration of phone calls, voice over Internet Protocol calls, or e-mail messages; and the location of the device used for the communications. But the "content" of the communications is not supposed to be retained. The rules are expected to take effect in 2008.

According to a memo accompanying the proposed rules, European politicians approved the rules because not all operators of Internet and communications services were storing information about citizens' activities to the extent necessary for law enforcement and national security.

In addition to mandating data retention for ISPs and liability for Web site operators, Sensenbrenner's Internet Safety Act also would:

* Make it a crime for financial institutions to "facilitate access" to child pornography, for instance by processing credit card payments.
* Increase penalties for registered sex offenders who commit another felony involving a child.
* Create an Office on Sexual Violence and Crimes against Children inside the Justice Department.

CNET News.com's Anne Broache contributed to this report.

Copyright ©1995-2006 CNET Networks, Inc. All rights reserved.
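The point the article makes in passing, that an address leased from a pool (DHCP or PPPoE) identifies a subscriber only together with the exact time it was held, is what makes lease-log retention the crux of the "preservation" versus "retention" debate. The following is an added example, not code from the article or from any ISP's systems: a small lease-log lookup in Python over constructed log lines in a hypothetical format. The subscriber ids are invented and the 203.0.113.0/24 addresses come from a documentation-only range. Beyond the single lookup, it shows the ambiguity a request that carries only a date (rather than an instant in a stated time zone) produces, and what a retention window actually discards.

```python
"""Correlating a dynamically assigned IP address with a subscriber.

Constructed example, not code from the article or any ISP: addresses are
leased from a pool (DHCP / PPPoE), so one address is reused by several
customers over a day.  Tying an address to a customer needs the lease
record covering the exact instant, in an unambiguous time zone, and that
record only exists if the log was retained (or preserved on request).
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Union

# Constructed lease log in a hypothetical syslog-like format (assumption):
#   <ISO-8601 UTC timestamp> LEASE <START|END> ip=<addr> sub=<subscriber-id>
# The same address is held by two different customers on the same day.
SAMPLE_LOG = """\
2006-05-15T08:00:00Z LEASE START ip=203.0.113.10 sub=cust-1042
2006-05-15T11:30:00Z LEASE END   ip=203.0.113.10 sub=cust-1042
2006-05-15T11:45:00Z LEASE START ip=203.0.113.10 sub=cust-2207
2006-05-15T20:00:00Z LEASE END   ip=203.0.113.10 sub=cust-2207
2006-05-15T09:15:00Z LEASE START ip=203.0.113.11 sub=cust-3318
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+LEASE\s+(?P<event>START|END)\s+ip=(?P<ip>\S+)\s+sub=(?P<sub>\S+)$"
)


@dataclass
class Lease:
    ip: str
    subscriber: str
    start: datetime
    end: Optional[datetime]  # None means the lease was still active at log end


def parse_ts(value: Union[str, datetime]) -> datetime:
    """Accept an ISO-8601 'Z' string or a timezone-aware datetime; reject naive ones.

    A request that names a local time without a zone cannot be matched safely."""
    if isinstance(value, datetime):
        if value.tzinfo is None:
            raise ValueError("timestamp must carry a time zone")
        return value.astimezone(timezone.utc)
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_leases(text: str) -> list[Lease]:
    """Pair START/END events per (ip, subscriber) into lease intervals."""
    open_leases: dict[tuple[str, str], Lease] = {}
    leases: list[Lease] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable lease log line: {line!r}")
        ts = parse_ts(m["ts"])
        key = (m["ip"], m["sub"])
        if m["event"] == "START":
            lease = Lease(m["ip"], m["sub"], ts, None)
            open_leases[key] = lease
            leases.append(lease)
        else:
            lease = open_leases.pop(key, None)
            if lease is None:
                raise ValueError(f"END without matching START: {line!r}")
            lease.end = ts
    return leases


def subscriber_at(leases: list[Lease], ip: str, at: Union[str, datetime]) -> Optional[str]:
    """Who held `ip` at the instant `at`?  None if nobody (gap) or no record."""
    instant = parse_ts(at)
    for lease in leases:
        if lease.ip == ip and lease.start <= instant and (lease.end is None or instant < lease.end):
            return lease.subscriber
    return None


def subscribers_on_day(leases: list[Lease], ip: str, day: str) -> set[str]:
    """Everyone who held `ip` at any point during the UTC day 'YYYY-MM-DD'.

    A request that gives only a date yields a set, not a single customer."""
    day_start = parse_ts(day + "T00:00:00Z")
    day_end = day_start + timedelta(days=1)
    return {
        lease.subscriber
        for lease in leases
        if lease.ip == ip and lease.start < day_end and (lease.end is None or lease.end > day_start)
    }


def apply_retention(leases: list[Lease], now: Union[str, datetime], keep_days: int) -> list[Lease]:
    """Drop leases that ended before the retention window; active leases stay."""
    cutoff = parse_ts(now) - timedelta(days=keep_days)
    return [lease for lease in leases if lease.end is None or lease.end >= cutoff]


if __name__ == "__main__":
    leases = parse_leases(SAMPLE_LOG)
    print(subscriber_at(leases, "203.0.113.10", "2006-05-15T10:00:00Z"))   # cust-1042
    print(subscriber_at(leases, "203.0.113.10", "2006-05-15T12:00:00Z"))   # cust-2207
    print(subscribers_on_day(leases, "203.0.113.10", "2006-05-15"))        # two customers
    print(len(apply_retention(leases, "2006-08-15T00:00:00Z", 90)))         # 1
```

Two design choices carry the article's point. `parse_ts` refuses a timestamp without a time zone, because a request stated in local time against logs kept in UTC is the usual way an ISP names the wrong customer. `apply_retention` keeps still-open leases regardless of age, since discarding them would lose the only record of an address that is currently in use.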
From rforno at infowarrior.org Tue May 16 07:22:48 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 16 May 2006 07:22:48 -0400
Subject: [Infowarrior] - FBI Acknowledges: Journalists Phone Records are Fair Game
Message-ID:

FBI Acknowledges: Journalists Phone Records are Fair Game
May 15, 2006 7:18 PM
Brian Ross and Richard Esposito Report:
http://blogs.abcnews.com/theblotter/2006/05/fbi_acknowledge.html

The FBI acknowledged late Monday that it is increasingly seeking reporters' phone records in leak investigations.

"It used to be very hard and complicated to do this, but it no longer is in the Bush administration," said a senior federal official.

The acknowledgement followed our blotter item that ABC News reporters had been warned by a federal source that the government knew who we were calling.

The official said our blotter item was wrong to suggest that ABC News phone calls were being "tracked."

"Think of it more as backtracking," said a senior federal official.

But FBI officials did not deny that phone records of ABC News, the New York Times and the Washington Post had been sought as part of an investigation of leaks at the CIA.

In a statement, the FBI press office said its leak investigations begin with the examination of government phone records.

"The FBI will take logical investigative steps to determine if a criminal act was committed by a government employee by the unauthorized release of classified information," the statement said.

Officials say that means that phone records of reporters will be sought if government records are not sufficient.

Officials say the FBI makes extensive use of a new provision of the Patriot Act which allows agents to seek information with what are called National Security Letters (NSL). The NSLs are a version of an administrative subpoena and are not signed by a judge.
Under the law, a phone company receiving an NSL for phone records must provide them and may not divulge to the customer that the records have been given to the government.

From rforno at infowarrior.org Tue May 16 07:33:10 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 16 May 2006 07:33:10 -0400
Subject: [Infowarrior] - Information Highway Robbers
Message-ID:

Information Highway Robbers
From In These Times, May 16, 2006
By Joel Bleifuss
http://www.freepress.net/news/print.php?id=15499

What makes the Internet revolutionary is that it is democratic, open to anyone with a computer and an Internet connection. That could soon change.

As In These Times went to press, the House was setting to vote on the "Communications Opportunity Promotion and Enhancement (COPE) Act of 2006," a bill written by the telephone and cable TV corporations. Among other provisions, the act formally guts what is known as the First Amendment of the Internet--"network neutrality." (The Senate will consider a similar bill in late May or early June.)

"Net neutrality ensures that the public can view the smallest blog just as easily as the largest corporate Web site and prevents companies like AT&T from rigging the playing field for only the highest-paying sites and services," says Timothy Karr, the campaign director for Free Press, a media reform organization. Karr is coordinating SavetheInternet.com, a bipartisan coalition working to preserve network neutrality.

By not including network neutrality protections, the COPE Act upholds a 2005 ruling from the Federal Communications Commission that allows Internet service providers--telephone companies like AT&T and Verizon and cable companies like Comcast--to charge Web content creators a fee to make their sites readily accessible.

For example, take a filmmaker who wants to produce a documentary and distribute it to the public on his Web site.
Under this new legislation, a service provider like AT&T would be able to charge the filmmaker for making his content available to their customers. Or, if AT&T did not approve of the documentary, it could refuse to let its customers access it altogether--thereby allowing corporate censorship of a medium now characterized by the freewheeling exchange of ideas.

In effect, the legislation allows the telecom industry to become the tollbooth operator on the information superhighway. The Internet will begin to look like cable TV, where viewers can only choose from available options.

SavetheInternet.com puts it this way: "The Internet has always been driven by innovation. Web sites and services succeeded or failed on their own merit. Without net neutrality, decisions now made collectively by millions of users will be made in corporate boardrooms."

To harness the power of those millions is the goal of SavetheInternet.com, whose key players in addition to Free Press include MoveOn, Punk Voter, Gun Owners of America and Consumers Union, along with bloggers like Glenn Reynolds at InstaPundit and Matt Stoller at MyDD.

But as netizens are heeding a call to arms, the telecom industry has responded with a counterattack. Karr observes, "How can you tell when corporations are running scared? When they wind up their coin-operated frontmen in Washington to unleash a tide of untruths upon the public."

He is referring to the man leading the campaign against net neutrality, Mike "Industry Sock Puppet" McCurry, the former press spokesman for President Bill Clinton. McCurry is now a partner at Public Strategies, a PR firm whose motto is "managing campaigns for corporations around the clock, around the world." In other words he is a 24-hour call boy for the telecom industry.

Using a classic PR technique, McCurry obfuscates the issue, invoking the First Amendment and dismissing net neutrality as "regulation."
Writing on the Huffington Post, he addressed his critics: "The First Amendment of the Internet is under assault! ... The Internet has worked absent regulation, and now you want to introduce it for a solution to what?"

At Verizon, McCurry has gotten Peter B. Davidson, the senior vice president for federal government relations, on message. In a mass e-mail to the constituents of Congress members, Davidson told the voters "troubling 'net neutrality' provisions ... have the effect of regulating the Internet. ... Urge your representative, [insert name of representative], to support the swift passage of a clean, unencumbered cable-choice bill that will give consumers real choice and bring lower prices to the cable market WITHOUT regulating the Internet."

McCurry is a masterful propagandist. Consider his 561-word Huffington Post screed against the slimy "net neuts." Of the 26 sentences in this "essay," 11 of them were rhetorical questions. Such questions allow a person to hide behind the guise of critical inquiry and make unsubstantiated allegations. For example, I might ask, "Mike McCurry, when did you decide to become an industry whore?" (Well, sometimes unsubstantiated.)

Another of McCurry's facile ploys is to provide his readers with false choices. Consider this sentence: "I'd rather have a robust Internet that can handle the volume of traffic that we will put on it in the near future rather than a public Internet where we all wait in line for the next porno-spammer to let his content go before we get to have arguments like this." That's our choice?

Responding to McCurry's nonsense, ITT Senior Editor David Sirota observed: "Mike McCurry is in the middle of one of those tailspins of dishonesty and contradiction that is so wildly out of control you just have to sit back, grab some popcorn and watch with laugh." While Stoller, at MyDD, added: "Bashing Mike McCurry is not only fun, it's important, as there must be a cost to his decision to sell us out."
Such costs must also be borne by those in Congress who have decided to help gut net neutrality. The most prominent Democratic sponsor of the COPE Act is Rep. Bobby Rush, a former Black Panther who represents Chicago's South Side. How did this one-time militant morph into the Step 'n' Fetchit of the telecom industry? (Note the rhetorical question.)

Perhaps the $1 million that AT&T (formerly SBC) gave to the Rebirth of Englewood Community Development Corporation has something to do with it. Rush and his wife founded and serve on the board of this company, which employs their son and which used AT&T money to build the Bobby L. Rush Center for Community Technology.

Sheila Krumholz, the acting director of the Center for Responsive Politics, the nonprofit group that tracks the role of money in politics, noted, "It is a clear conflict of interest for Rep. Rush to weigh in on this bill, much less take a leadership role championing the position of a company that paid $1 million to name a building after him."

While the $1 million might have completed the bill of sale, the bidding for Rush's services began years ago. Since 1998, telecom companies have contributed $204,000 to Rush's reelection campaigns, with AT&T (and its predecessors) leading the pack at $49,000. In most mature democracies, this would be against the law, but until we enact meaningful campaign finance reform, such bribery is perfectly legal.

There are some honorable people in Congress. In the House, Rep. Ed Markey (D-Mass.) has now introduced the Network Neutrality Act of 2006 that, in his words, "is designed to save the Internet and thwart those who seek to fundamentally and detrimentally alter the Internet as we know it." However, the GOP-controlled Rules Committee is unlikely to let it on to the floor. Meanwhile, in the Senate, Olympia Snowe (R-Maine) and Byron Dorgan (D.-N.D.) are currently drafting a net neutrality bill.
Whether that bill has a future--along with the net as we know it--depends on the volume of public protest. As a start, sign a petition that demands that Congress pass enforceable net neutrality provisions. Visit http://www.SavetheInternet.com and make your voice heard.

This article is from In These Times. If you found it informative and valuable, we strongly encourage you to visit their website and register an account to view all their articles on the web. Support quality journalism.

From rforno at infowarrior.org Tue May 16 08:19:18 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 16 May 2006 08:19:18 -0400
Subject: [Infowarrior] - FCC chief calls for probe of phone cos.
Message-ID:

FCC chief calls for probe of phone cos.
DOUGLASS K. DANIEL
Associated Press
http://www.mercurynews.com/mld/mercurynews/news/politics/14589716.htm

WASHINGTON - The Federal Communications Commission, which regulates the telephone industry, should open an investigation into whether the nation's phone companies broke the law by turning over millions of calling records to the government, an FCC commissioner says.

The National Security Agency has been collecting records of calls made in the U.S. by ordinary Americans as part of its anti-terrorism efforts, according to USA Today. The newspaper story followed reports that the NSA has been conducting eavesdropping on the electronic communications of suspected al-Qaida members and their contacts in the U.S. without warrants.

"There is no doubt that protecting the security of the American people is our government's No. 1 responsibility," Commissioner Michael J. Copps, a Democrat, said in a statement Monday. "But in a digital age where collecting, distributing and manipulating consumers' personal information is as easy as a click of a button, the privacy of our citizens must still matter."

AT&T Corp., Verizon Communications Inc. and BellSouth Corp.
began turning over tens of millions of phone records to the NSA after the spy agency requested the records shortly after the terrorist attacks of Sept. 11, 2001, USA Today reported last week. The paper said the NSA is building a massive call databank to analyze calling patterns.

The telecommunications company Qwest said it refused to cooperate with the NSA after deciding that doing so would violate privacy law. On Monday, Atlanta-based BellSouth issued a statement that an internal review had "confirmed no such contract exists and we have not provided bulk customer calling records to the NSA." Verizon has refused to confirm or deny whether it has participated in the program.

The New York Times reported in December that the NSA was eavesdropping on electronic communications involving suspected al-Qaida members abroad and associates in the U.S. Critics of the program have questioned whether the NSA has stepped outside the law by not seeking court-ordered warrants.

President Bush, while not discussing the details of any NSA programs directed at detecting terrorism plots, has repeatedly assured Americans that the initiatives he authorizes are within the law and the Constitution and are not violating the privacy of ordinary Americans.

When the NSA developed the programs it was under the direction of Air Force Gen. Michael Hayden, now Bush's choice to replace Porter Goss as head of the CIA. The eavesdropping program and the phone call databank are likely to be the focus of questions Thursday when the Senate Intelligence Committee begins Hayden's confirmation hearings.

Sen. Arlen Specter, the Pennsylvania Republican who chairs the Senate Judiciary Committee, has said he wants to gather testimony from phone company representatives about how they work with the NSA.

An FCC investigation, if undertaken, would be the second attempt this year by the government to explore an aspect of an NSA program.
The Justice Department sought to investigate the role of its lawyers in the warrantless eavesdropping program, but it ended the inquiry last week because its lawyers were denied security clearances.

ON THE NET
Federal Communications Commission: http://www.fcc.gov

From rforno at infowarrior.org Tue May 16 12:30:21 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 16 May 2006 12:30:21 -0400
Subject: [Infowarrior] - DOD Releasing 9/11 video of Pentagon impact
In-Reply-To:
Message-ID:

Anyone else think the timing of this "release" is more political than responsive to a FOIA request? Given the sagging poll numbers of this Administration, I'm sure it's looking for new ways to remind Americans about why domestic NSA surveillance is good for them.

And yes, I live 1000' from the Pentagon, so I'm certainly curious what this video will show. But I do question the timing of this release while also acknowledging that politics may have nothing to do with it, either.

*doffs conspiracy theory hat*

-rf

Judicial Watch to Obtain September 11 Pentagon Video at 1 p.m. Today
Department of Defense Responds to Judicial Watch Freedom of Information Act Request and Related Lawsuit

(Washington, DC) Judicial Watch, the public interest group that investigates and prosecutes government corruption, announced today that Department of Defense will release a videotape to Judicial Watch at 1:00 p.m. this afternoon that allegedly shows American Airlines Flight 77 striking the Pentagon on September 11, 2001. The Department of Defense is releasing the videotape in response to a Judicial Watch Freedom of Information Act request and related lawsuit.

"This is in response to your December 14, 2004 Freedom of Information Act Request, FOIA appeal of March 27, 2005, and complaint filed in the United States District Court for the District of Columbia," wrote William Kammer, Chief of the Department of Defense, Office of Freedom of Information.
"Now that the trial of Zacarias Moussaoui is over, we are able to complete your request and provide the video..."

< - >

http://www.judicialwatch.org/5772.shtml

------ End of Forwarded Message

From rforno at infowarrior.org Tue May 16 19:43:18 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 16 May 2006 19:43:18 -0400
Subject: [Infowarrior] - Fifth Workshop on the Economics of Information Security (WEIS 2006)
Message-ID:

The Fifth Workshop on the Economics of Information Security (WEIS 2006)
University of Cambridge, England
26-28 June 2006
http://weis2006.econinfosec.org/prog.html

Monday June 26

Session 1, 0900-1030
- Models and Measures for Correlation in Cyber-Insurance (paper) -- Rainer Boehme and Gaurav Kataria
- The Effect of Stock Spam on Financial Markets (paper) -- Rainer Boehme and Thorsten Holz
- The Economics of Digital Forensics (paper) -- Tyler Moore

1030-1100: Tea

Session 2, 1100-1230
- Understanding and Influencing Attackers' Decisions: Implications for Security Investment Strategies (paper) -- Marco Cremonini and Dmitri Nizovtsev
- On the Gordon & Loeb Model for Information Security Investment (paper) -- Jan Willemson
- Economics of Information Security Investment in the Case of Simultaneous Attacks (paper) -- C. Derrick Huang, Qing Hu and Ravi S. Behara

Session 3, 1400-1530
- Enterprise Information Security: Who should manage it and how? (paper) -- Vineet Kumar, Rahul Telang and Tridas Mukhopadhyay
- Hackers, Users, Information Security (paper) -- I.P.L. Png, Candy Q. Tang and Qiu-Hong Wang
- A Model for Opportunistic Network Exploits: The Case of P2P Worms (paper) -- Michael Collins, Carrie Gates and Gaurav Kataria

1530-1600: Coffee

Session 4, 1600-1730
- Predictors of Home-Based Wireless Security (paper) -- Matthew Hottell, Drew Carter and Matthew Deniszczuk
- Proof of Work can Work (paper) -- Debin Liu and L Jean Camp
- The topology of covert conflict (paper) -- Shishir Nagaraja and Ross Anderson

1730-1930: Drinks reception

Tuesday June 27

Session 1, 0900-1030
- Costs to the U.S. Economy of Information Infrastructure Failures: Estimates from Field Studies and Economic Data (paper) -- Scott Dynes, Eva Andrijicic and M Eric Johnson
- The Potential for Underinvestment in Internet Security: Implications for Regulatory Policy (paper) -- Alfredo Garcia and Barry Horowitz
- Bootstrapping the Adoption of Internet Security Protocols -- Andy Ozment and Stuart E. Schechter

1030-1100: Tea

Session 2, 1100-1230
- The Economic Impact of Regulatory Information Disclosure on Information Security Investments, Competition, and Social Welfare (paper) -- Anindya Ghose and Uday Rajan
- Opt In Versus Opt Out: A Free-Entry Analysis of Privacy Policies (paper) -- Jan Bouckaert and Hans Degryse
- Reliable Usable Signaling to Defeat Masquerade Attacks (paper) -- L Jean Camp

Session 3, 1400-1530
- Economics of Security Patch Management (paper) -- Huseyin Cavusoglu, Hasan Cavusoglu and Jun Zhang
- Emerging Economic Models for Vulnerability Research (paper) -- Michael Sutton and Frank Nagle
- Competitive and strategic effects in the timing of patch release (paper) -- Ashish Arora, Christopher Forman, Anand Nandkumar and Rahul Telang

1530-1600: Coffee

Session 4, 1600-1730
- Private Sector Cyber Security Investment: An Empirical Analysis -- Brent Rowe and Michael Gallaher
- An Empirical Analysis of Security Investment in Countermeasures Based on an Enterprise Survey in Japan (paper) -- Wei Liu, Hideyuki Tanaka and Kanta Matsuura
- Justifying Spam and E-mail Virus Security Investments: A Case Study (paper) -- Hemantha Herath and Tejaswini Herath

2000: Workshop banquet, St John's College

Wednesday June 28

Session 1, 0900-1030
- The Economics of Mass Surveillance (paper) -- George Danezis and Bettina Wittneben
- Is There a Cost to Privacy Breaches? An Event Study (paper) -- Alessandro Acquisti, Allan Friedman and Rahul Telang
- Financial Privacy for Free? US Consumers' Response to FACTA (paper) -- Alessandro Acquisti and Bin Zhang

1030-1100: Tea

Session 2, 1100-1230
- Anonymity Loves Company: Usability and the network effect (paper) -- Roger Dingledine and Nick Mathewson
- Collaborative Scheduling: Threats and Promises (paper) -- Rachel Greenstadt and Michael Smith
- Adverse Selection in Online 'Trust' Certifications (paper) -- Benjamin Edelman

Close of workshop

WEIS 2006 is sponsored by the Institute for Information Infrastructure Protection (I3P) and Microsoft Research.

From rforno at infowarrior.org Tue May 16 19:44:49 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 16 May 2006 19:44:49 -0400
Subject: [Infowarrior] - Workshop on the Economics of Securing the Information Infrastructure
Message-ID:

The Workshop on the Economics of Securing the Information Infrastructure
http://wesii.econinfosec.org/
October 23-24, 2006
Washington, DC

SECOND CALL FOR PAPERS

Our information infrastructure suffers from decades-old vulnerabilities, from the low-level algorithms that select communications routes to the application-level services on which we are becoming increasingly dependent. Are we investing enough to protect our infrastructure? How can we best overcome the inevitable bootstrapping problems that impede efforts to add security to this infrastructure? Who stands to benefit and who stands to lose as security features are integrated into these basic services? How can technology investment decisions best be presented to policymakers?

We invite infrastructure providers, developers, social scientists, computer scientists, legal scholars, security engineers, and especially policymakers to help address these and other related questions. Authors of accepted papers will have the opportunity to present their work to government and corporate policymakers. We encourage collaborative research from authors in multiple fields and multiple institutions.
Submissions Due: August 6, 2006 (11:59PM PST)

========================================================================
Suggested topics (not intended to be comprehensive)
========================================================================

The economics of deploying security into:
  The Domain Name System (DNS)
  BGP & routing infrastructure
  Email & spam prevention
  Programming languages
  Legacy code bases
  User interfaces
  Operating systems
  Code origin authentication

Measuring the cost of adding security
Liability and legal issues
Models of deployment penetration
Measuring/estimating damages
Empirical studies of deployment
Establishing roots of trust
Identity management infrastructure
Internet politics
Securing open source code libraries
Antitrust Issues
Adding security to/over existing APIs
Privacy Issues
Data archival & warehousing infrastructure

========================================================================
Program Committee
========================================================================

Alessandro Acquisti - Carnegie Mellon University Heinz School of Public Policy & Management
Ross Anderson - University of Cambridge
Jean Camp - Indiana University
Huseyin Cavusoglu - Tulane University
Richard Clayton - University of Cambridge
Steve Crocker - Shinkuro / DNSSEC Deployment Working Group
Ben Edelman - Harvard University Department of Economics
Allan Friedman - Harvard University Kennedy School of Government
Adam M. Golodner - Cisco Systems
Larry Gordon - University of Maryland Smith School of Business
Yacov Haimes - University of Virginia
Cathy Handley - U.S. Department of Commerce, National Telecommunications & Information Administration
Barry Horowitz - University of Virginia
Richard Hovey - U.S. Federal Communications Commission (FCC)
Jeff Hunker - Carnegie Mellon University Heinz School of Public Policy & Management
M. Eric Johnson - The Tuck School of Business at Dartmouth College
Jeffrey M. Kopchik - U.S. Federal Deposit Insurance Corporation (FDIC) Technology Supervision Branch
Steve Lipner - Microsoft
Marty Loeb - University of Maryland Smith School of Business
Doug Maughan - U.S. Department of Homeland Security (DHS) Science and Technology Directorate
Doug Montgomery - U.S. National Institute of Standards & Technology Internetworking Technologies Group
Milton Mueller - Syracuse University School of Information Studies
Andrew Odlyzko - University of Minnesota
Andy Ozment - MIT Lincoln Laboratory / University of Cambridge
Shari Lawrence Pfleeger - RAND Corporation
Stuart Schechter - MIT Lincoln Laboratory
Bruce Schneier - Counterpane Internet Security
Rahul Telang - Carnegie Mellon University Heinz School of Public Policy & Management
Andrew Wyckoff - Organisation for Economic Cooperation and Development (OECD)
Bill Yurcik - National Center for Supercomputing Applications (NCSA)

========================================================================
Workshop Sponsors
========================================================================

The Institute for Information Infrastructure Protection (I3P)
The Workshop on the Economics of Information Security (WEIS)

========================================================================
Paper Formats and Submission Instructions
========================================================================

See the workshop web site at: http://wesii.econinfosec.org/

From rforno at infowarrior.org Tue May 16 22:28:13 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 16 May 2006 22:28:13 -0400
Subject: [Infowarrior] - Telcos careful with words on NSA spy program
Message-ID:

http://today.reuters.com/investing/financeArticle.aspx?type=governmentFilingsNews&storyID=2006-05-17T012648Z_01_N16130674_RTRIDST_0_SECURITY-TELECOMS-WRAPUP-1.XML

WRAPUP 1-Telcos careful with words on NSA spy program
Tue May 16, 2006 9:27 PM ET
By Jeremy Pelofsky

WASHINGTON, May 16 (Reuters) - Verizon Communications Inc. and BellSouth Corp., facing consumer lawsuits seeking massive damages, have issued carefully worded denials of a report that they turned over millions of customers' calling records to a U.S. spy agency.

USA Today reported last week that the National Security Agency has had access to records of billions of domestic calls and collected tens of millions of telephone records from data provided by BellSouth, Verizon and AT&T Inc.

BellSouth and Verizon denied the part of the USA Today report that said the companies had received a contract from the NSA and that they turned over records. However, Verizon declined to comment on whether it provided access to the NSA.

"One of the most glaring and repeated falsehoods in the media reporting is the assertion that, in the aftermath of the 9/11 attacks, Verizon was approached by NSA and entered into an arrangement to provide the NSA with data from its customers' domestic calls," Verizon said in a statement on Tuesday.

However, "Verizon cannot and will not confirm or deny whether it has a relationship to the classified NSA program," the company said.

BellSouth said on Monday that "based on our review to date, we have confirmed no such contract exists and we have not provided bulk customer calling records to the NSA." A BellSouth spokesman was not immediately available for further comment.

AT&T has been more circumspect, saying it has an obligation to assist law enforcement and other government agencies but has refused to comment specifically on national security matters. A company spokesman on Tuesday declined to comment about whether it provided the NSA access.

Electronic Privacy Information Center Executive Director Marc Rotenberg said the statements by government officials and phone carriers were "legal hair splitting."

"There's a tremendous amount of parsing going on," Rotenberg said.
Earlier on Tuesday, BellSouth and AT&T were added to a $200 billion lawsuit against Verizon which accuses the three large telephone carriers of violating privacy rights by turning over customer phone records for use in the NSA program. The lawsuit, filed on behalf of 26 plaintiffs in 18 states, seeks damages for the estimated 200 million customers of all three companies.

"We're outraged at the actions of the NSA, the administration and the phone companies," Bruce Afran, a public interest lawyer from New Jersey, said at a news conference. He added that he wanted the companies to understand the massive financial exposure they had on this issue.

USA Today said it has read the statements by Verizon and BellSouth and would investigate the story further.

"We're confident in our coverage of the phone database story," said USA Today spokesman Steven Anderson. "We will look closely into the issues raised by BellSouth's and Verizon's statements."

U.S. President George W. Bush last year confirmed that the NSA was eavesdropping without warrants on the international phone calls and e-mails of U.S. citizens while in the pursuit of al Qaeda.

After the USA Today report, Bush defended U.S. intelligence programs, arguing that the administration is obliged to "connect dots" to protect Americans after the Sept. 11, 2001 attacks, but he has refused to confirm or deny the report.

"What I have told the American people is, we'll protect them against an al Qaeda attack and we'll do so within the law," Bush said.

Late on Tuesday, the administration agreed to let the full Senate and House of Representatives intelligence committees review the domestic spying program.
(Reporting by Sinead Carew, Anna Driver, Philipp Gollner, Peter Kaplan; writing by Jeremy Pelofsky, editing by Richard Chang; Washington Newsroom, 202-898-8300, fax 202-898-8383)

From rforno at infowarrior.org Tue May 16 22:35:49 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 16 May 2006 22:35:49 -0400
Subject: [Infowarrior] - RIAA freaks out over XM device (again, I think)
Message-ID:

Record Labels Sue XM Satellite Over Device
http://tinyurl.com/ofxjc
By TED BRIDIS, Associated Press Writer
Tue May 16, 7:02 PM ET

The recording industry sued XM Satellite Radio on Tuesday over its new iPod-like device that can store up to 50 hours of music, sending to the courts a roiling dispute over how consumers can legally record songs using next-generation radio services.

The federal lawsuit, filed in New York by the largest labels, accuses XM Satellite of "massive wholesale infringement" because its $400 handheld "Inno" device can record hours of music and automatically parse recordings by song and artist. The device is sold under the slogan, "Hear it, click it, save it."

The lawsuit seeks $150,000 in damages for every song copied by XM Satellite customers using the devices, which went on sale weeks ago. The company said it plays 160,000 different songs every month.

The lawsuit does not seek directly any payments from or sanctions against XM Satellite customers who record songs. But if the lawsuit were successful, it could raise the company's costs, which could be passed on to subscribers as higher monthly fees.

XM Satellite said Tuesday it will fight the lawsuit and accused the labels of using the courts as leverage during business negotiations.

"These are legal devices that allow consumers to listen to and record radio just as the law has allowed for decades," the company said in a statement. "The music labels are trying to stifle innovation, limit consumer choice and roll back consumers' rights to record content for their personal use."
XM Satellite has balked at the industry's efforts to collect expensive distribution licenses similar to those required for Internet downloading services, such as Apple Inc.'s iTunes. Its chief rival, Sirius Satellite Radio Inc., has already agreed to pay for such licenses to cover similar gadgets for its service.

XM Satellite's chairman, Gary Parsons, previously said requiring such licenses -- in addition to broader performance licenses the company already pays -- would represent "a new tax being imposed on our subscribers."

XM Satellite has compared its new device to a high-tech videocassette recorder, which consumers can legally use to record programs for their personal use. It also noted that songs stored on the device from its broadcasts can't be copied and can only be played for as long as a customer subscribes to its service.

The head of the music industry's trade group said the XM Satellite device is legally indistinguishable from iPods and other portable music players that work with downloading services.

"Yahoo!, Rhapsody, iTunes and Napster all have licenses," said Mitch Bainwol, chief executive for the Recording Industry Association of America. "There's no reason XM shouldn't as well."

XM subscribers pay $12.95 per month to listen to more than 170 channels of entertainment, sports and news programs, including 69 channels of different music genres without commercials.

A Washington-based consumers group, Public Knowledge, said the lawsuit threatens the rights of listeners to record music for their own use.

"The shame of the legal action, however, is that this is really a dispute between XM and the recording industry over licensing fees," the group's president, Gigi Sohn, said in a statement. "The companies should be left to figure out a solution without interference from the courts or from Congress."
___

On the Net:
XM Satellite: http://www.xmradio.com
Recording Industry Association of America: http://www.riaa.com

From rforno at infowarrior.org Tue May 16 22:40:38 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 16 May 2006 22:40:38 -0400
Subject: [Infowarrior] - Under Attack, Spam Fighter Folds
Message-ID:

Under Attack, Spam Fighter Folds
By Ryan Singel
19:30 May 16, 2006
http://www.wired.com/news/technology/1,70913-0.html

A startup whose aggressive antispam measures drew a blistering counterattack from spammers two weeks ago that brought down the company's servers along with a wide swath of the internet is shuttering its program that targets junk e-mailers.

In an interview with Wired News, Blue Security CEO Eran Reshef said the Israel-based company was closing its service Wednesday since he did not want to be responsible for an ever-escalating war that could bring down internet service providers and websites around the world and subject its users to denial-of-service attacks from a well-organized group in control of a massive army of computer drones.

"Our community would very much like us to continue on the fight against spam, and our community has grown over the last week," Reshef said. "But at the end of the day if we continue doing so, within a few days, major websites will go down. I don't feel that this is something I can be responsible for. I cannot go ahead and rip up the internet to make Blue Security work. This is not the decision a commercial entity can make."

The abrupt decision ends a high-profile standoff between spammers and a tiny startup whose unorthodox methods had seemingly stymied some of the most prolific purveyors of junk e-mail in the world, if only temporarily. For a few intense days, the fight showed with shocking clarity the lengths to which some spammers will go to protect their businesses, and the devastating arsenals at their command.
The lesson to be learned, Reshef said, is that large ISPs and governments need to recognize that spammers are connected to criminal syndicates and that they, not a small startup, are the only ones who can shut down these networks.

Blue Security's 500,000 users had been successful in convincing six of the top 10 spam operations in the world to use its open-source mailing-list scrubber, which Reshef said proved that Blue Security's technology and approach was effective.

But other spammers responded differently. Starting May 2, a spammer known as PharmaMaster used a massive network of zombie computers to flood Blue Security's database servers with fake traffic and hijacked a little-known Cisco Systems router feature known as "blackhole filtering" to block anyone outside Israel from accessing Blue Security's homepage.

The spammer also unleashed a torrent of spam targeted to a subset of Blue Security users, which the spammer had likely gotten by scrubbing an e-mail list and then comparing the old list with the new list. Any addresses removed from the old list could be identified as Blue Security users.

The distributed-denial-of-service attack brought down the databases, and the collateral damage included hundreds of thousands of websites and mail servers hosted by Tucows, according to Elliot Noss, president and CEO of Tucows, the internet's largest domain registrar.

"Just in terms of pure scale, it's pretty safe to call it massive," Noss said. "I think that really the most interesting observation was how distributed it was. We sampled IP addresses and over 70 percent were unique."

Blogging software provider Movable Type's hosted service, TypePad, also fell victim to PharmaMaster's bot network, after Blue Security realized that no one could reach its homepage and posted a message to its users on its old blog. Thirty minutes later, PharmaMaster started an attack that brought down thousands of blogs.
Blue Security's Blue Frog antispam tool worked by having customers install a small piece of software in their browsers that they used to report spam. After aggregating the reports, Blue Security would try to contact the spammers, the websites of companies being advertised and their ISPs to try to convince the spammers to clean their lists of e-mail accounts on the company's Do Not Intrude list.

If that did not work, Blue Security would write a custom script that spam recipients could use to send an opt-out request to the advertised website. In practice, that meant that hundreds of thousands of Blue Frog users could attempt to opt out at once. In addition, the software would fill in online order forms with the opt-out request if there was no other way to communicate with a spammer-advertised website.

This tactic, which Blue Security says is legal under the Can-Spam Act, was controversial with spammers and some antispammers alike. Spammers complained in internet forums that the opt-out requests were simply a denial-of-service attack.

Anne P. Mitchell, president and CEO of the Institute for Spam and Internet Public Policy, is also a vocal critic of Blue Security's tactics who thinks the company was breaking computer crime laws by having its members fill in order forms with opt-out requests.

"Do you think Blue Frog cares if they are knowingly causing customers to break the law of their own home country?" Mitchell asked. "They don't care because they are sitting in Israel."

But Peter Swire, a law professor and former head privacy official for the Clinton administration, looked into the company's operations, found them legitimate and innovative, and signed onto the company's advisory board earlier this year.

"I get one spam e-mail and my computer sends one opt-out request," Swire said. "That is exactly what Can-Spam gives me the right to do."
Swire says he understands why Reshef has decided to shutter the service, because these levels of attacks are too much for a small company to withstand. But he says the company showed that this tactic can work.

"If little Blue Security can affect 25 percent of spam, then this approach shows great promise if the big boys get involved," Swire said. "If there is a concerted effort by the big ISPs or by the government, the Can-Spam Act provably is the basis for reducing spam."

Eric Benhamou, chairman and CEO of Benhamou Global Ventures and one of Blue Security's lead investors, said he knew going in that Blue Security's task was difficult. Benhamou is not writing off Blue Security, whose technology he says has other uses, but he supports the company's decision to shut down in order to avoid more collateral damage.

"We knew it would get really serious when the adversary was wounded," he said. "There were no surprises on my part. When I first did my due diligence, Eran and Amir (Hirsch) told me clearly that they knew how to build the technology to accomplish this but weren't sure of the overall business proposition. I said that's fine, because I want to explore something that hasn't been done before and before there were only clever filters. This was totally innovative."

From rforno at infowarrior.org Wed May 17 07:44:24 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 17 May 2006 07:44:24 -0400
Subject: [Infowarrior] - AT&T Whistle-Blower's Evidence
Message-ID:

AT&T Whistle-Blower's Evidence
02:00 AM May 17, 2006
http://www.wired.com/news/technology/1,70908-0.html

Former AT&T technician Mark Klein is the key witness in the Electronic Frontier Foundation's class-action lawsuit against the company, which alleges that AT&T illegally cooperated in an illegal National Security Agency domestic-surveillance program.
In this recently surfaced statement, Klein details his discovery of an alleged surveillance operation in an AT&T office in San Francisco, and offers his interpretation of company documents that he believes support his case. For its part, AT&T is asking a federal judge to keep those documents out of court, and to order the EFF to return them to the company.

Here Wired News presents Klein's statement in its entirety, along with select pages from the AT&T documents.

AT&T's Implementation of NSA Spying on American Citizens
31 December 2005

I wrote the following document in 2004 when it became clear to me that AT&T, at the behest of the National Security Agency, had illegally installed secret computer gear designed to spy on internet traffic. At the time I thought this was an outgrowth of the notorious Total Information Awareness program which was attacked by defenders of civil liberties. But now it's been revealed by The New York Times that the spying program is vastly bigger and was directly authorized by President Bush, as he himself has now admitted, in flagrant violation of specific statutes and constitutional protections for civil liberties.

I am presenting this information to facilitate the dismantling of this dangerous Orwellian project.

AT&T Deploys Government Spy Gear on WorldNet Network -- 16 January, 2004

In 2003 AT&T built "secret rooms" hidden deep in the bowels of its central offices in various cities, housing computer gear for a government spy operation which taps into the company's popular WorldNet service and the entire internet. These installations enable the government to look at every individual message on the internet and analyze exactly what people are doing. Documents showing the hardwire installation in San Francisco suggest that there are similar locations being installed in numerous other cities.
The physical arrangement, the timing of its construction, the government-imposed secrecy surrounding it, and other factors all strongly suggest that its origins are rooted in the Defense Department's Total Information Awareness (TIA) program which brought forth vigorous protests from defenders of constitutionally protected civil liberties last year:

"As the director of the effort, Vice Adm. John M. Poindexter, has described the system in Pentagon documents and in speeches, it will provide intelligence analysts and law enforcement officials with instant access to information from internet mail and calling records to credit card and banking transactions and travel documents, without a search warrant."
The New York Times, 9 November 2002

To mollify critics, the Defense Advanced Research Projects Agency (Darpa) spokesmen have repeatedly asserted that they are only conducting "research" using "artificial synthetic data" or information from "normal DOD intelligence channels" and hence there are "no U.S. citizen privacy implications" (Department of Defense, Office of the Inspector General report on TIA, December 12, 2003). They also changed the name of the program to "Terrorism Information Awareness" to make it more politically palatable.

But feeling the heat, Congress made a big show of allegedly cutting off funding for TIA in late 2003, and the political fallout resulted in Adm. Poindexter's abrupt resignation last August. However, the fine print reveals that Congress eliminated funding only for "the majority of the TIA components," allowing several "components" to continue (DOD, ibid). The essential hardware elements of a TIA-type spy program are being surreptitiously slipped into "real world" telecommunications offices.

In San Francisco the "secret room" is Room 641A at 611 Folsom Street, the site of a large SBC phone building, three floors of which are occupied by AT&T.
High-speed fiber-optic circuits come in on the 8th floor and run down to the 7th floor where they connect to routers for AT&T's WorldNet service, part of the latter's vital "Common Backbone." In order to snoop on these circuits, a special cabinet was installed and cabled to the "secret room" on the 6th floor to monitor the information going through the circuits. (The location code of the cabinet is 070177.04, which denotes the 7th floor, aisle 177 and bay 04.) The "secret room" itself is roughly 24-by-48 feet, containing perhaps a dozen cabinets including such equipment as Sun servers and two Juniper routers, plus an industrial-size air conditioner.

The normal work force of unionized technicians in the office are forbidden to enter the "secret room," which has a special combination lock on the main door. The telltale sign of an illicit government spy operation is the fact that only people with security clearance from the National Security Agency can enter this room. In practice this has meant that only one management-level technician works in there. Ironically, the one who set up the room was laid off in late 2003 in one of the company's endless "downsizings," but he was quickly replaced by another.

Plans for the "secret room" were fully drawn up by December 2002, curiously only four months after Darpa started awarding contracts for TIA. One 60-page document, identified as coming from "AT&T Labs Connectivity & Net Services" and authored by the labs' consultant Mathew F. Casamassima, is titled Study Group 3, LGX/Splitter Wiring, San Francisco and dated 12/10/02. (See sample PDF 1-4.) This document addresses the special problem of trying to spy on fiber-optic circuits. Unlike copper wire circuits which emit electromagnetic fields that can be tapped into without disturbing the circuits, fiber-optic circuits do not "leak" their light signals.
In order to monitor such communications, one has to physically cut into the fiber somehow and divert a portion of the light signal to see the information. This problem is solved with "splitters" which literally split off a percentage of the light signal so it can be examined. This is the purpose of the special cabinet referred to above: Circuits are connected into it, the light signal is split into two signals, one of which is diverted to the "secret room." The cabinet is totally unnecessary for the circuit to perform -- in fact it introduces problems since the signal level is reduced by the splitter -- its only purpose is to enable a third party to examine the data flowing between sender and recipient on the internet.

The above-referenced document includes a diagram (PDF 3) showing the splitting of the light signal, a portion of which is diverted to "SG3 Secure Room," i.e., the so-called "Study Group" spy room. Another page headlined "Cabinet Naming" (PDF 2) lists not only the "splitter" cabinet but also the equipment installed in the "SG3" room, including various Sun devices, and Juniper M40e and M160 "backbone" routers. PDF file 4 shows one of many tables detailing the connections between the "splitter" cabinet on the 7th floor (location 070177.04) and a cabinet in the "secret room" on the 6th floor (location 060903.01). Since the San Francisco "secret room" is numbered 3, the implication is that there are at least several more in other cities (Seattle, San Jose, Los Angeles and San Diego are some of the rumored locations), which likely are spread across the United States.

One of the devices in the "Cabinet Naming" list is particularly revealing as to the purpose of the "secret room": a Narus STA 6400. Narus is a 7-year-old company which, because of its particular niche, appeals not only to businessmen (it is backed by AT&T, JP Morgan and Intel, among others) but also to police, military and intelligence officials.
Last November 13-14, for instance, Narus was the "Lead Sponsor" for a technical conference held in McLean, Virginia, titled "Intelligence Support Systems for Lawful Interception and Internet Surveillance." Police officials, FBI and DEA agents, and major telecommunications companies eager to cash in on the "war on terror" had gathered in the hometown of the CIA to discuss their special problems. Among the attendees were AT&T, BellSouth, MCI, Sprint and Verizon. Narus founder, Dr. Ori Cohen, gave a keynote speech.

So what does the Narus STA 6400 do?

"The (Narus) STA Platform consists of stand-alone traffic analyzers that collect network and customer usage information in real time directly from the message.... These analyzers sit on the message pipe into the ISP (internet service provider) cloud rather than tap into each router or ISP device" (Telecommunications magazine, April 2000).

A Narus press release (1 Dec., 1999) also boasts that its Semantic Traffic Analysis (STA) technology "captures comprehensive customer usage data ... and transforms it into actionable information.... (It) is the only technology that provides complete visibility for all internet applications."

To implement this scheme, WorldNet's high-speed data circuits already in service had to be rerouted to go through the special "splitter" cabinet. This was addressed in another document of 44 pages from AT&T Labs, titled "SIMS, Splitter Cut-In and Test Procedure," dated 01/13/03 (PDF 5-6). "SIMS" is an unexplained reference to the secret room. Part of this reads as follows:

"A WMS (work) Ticket will be issued by the AT&T Bridgeton Network Operation Center (NOC) to charge time for performing the work described in this procedure document....

"This procedure covers the steps required to insert optical splitters into select live Common Backbone (CBB) OC3, OC12 and OC48 optical circuits."

The NOC referred to is in Bridgeton, Missouri, and controls WorldNet operations.
(As a sign that government spying goes hand-in-hand with union-busting, the entire (Communication Workers of America) Local 6377 which had jurisdiction over the Bridgeton NOC was wiped out in early 2002 when AT&T fired the union work force and later rehired them as nonunion "management" employees.)

The cut-in work was performed in 2003, and since then new circuits are connected through the "splitter" cabinet.

Another "Cut-In and Test Procedure" document dated January 24, 2003, provides diagrams of how AT&T Core Network circuits were to be run through the "splitter" cabinet (PDF 7). One page lists the circuit IDs of key Peering Links which were "cut-in" in February 2003 (PDF 8), including ConXion, Verio, XO, Genuity, Qwest, PAIX, Allegiance, AboveNet, Global Crossing, C&W, UUNET, Level 3, Sprint, Telia, PSINet and Mae West. By the way, Mae West is one of two key internet nodal points in the United States (the other, Mae East, is in Vienna, Virginia). It's not just WorldNet customers who are being spied on -- it's the entire internet.

The next logical question is, what central command is collecting the data sent by the various "secret rooms"? One can only make educated guesses, but perhaps the answer was inadvertently given in the DOD Inspector General's report (cited above):

"For testing TIA capabilities, Darpa and the U.S. Army Intelligence and Security Command (INSCOM) created an operational research and development environment that uses real-time feedback. The main node of TIA is located at INSCOM (in Fort Belvoir, Virginia)."

Among the agencies participating or planning to participate in the INSCOM "testing" are the "National Security Agency, the Defense Intelligence Agency, the Central Intelligence Agency, the DOD Counterintelligence Field Activity, the U.S. Strategic Command, the Special Operations Command, the Joint Forces Command and the Joint Warfare Analysis Center."
There are also "discussions" going on to bring in "non-DOD federal agencies" such as the FBI.

This is the infrastructure for an Orwellian police state. It must be shut down!

From rforno at infowarrior.org Wed May 17 07:48:19 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 17 May 2006 07:48:19 -0400
Subject: [Infowarrior] - USG study guide for citizenship test omits freedom of press
Message-ID:

Study guide for U.S. citizenship test omits freedom of press
http://www.usatoday.com/news/washington/2006-05-16-citizenship-test-press_x.htm
Posted 5/16/2006 10:31 PM ET
By Bill Nichols, USA TODAY

WASHINGTON -- A set of flashcards designed to help applicants for U.S. citizenship learn basic civics has become one of the most popular items sold by the Government Printing Office.

But the $8.50 flashcards -- which contain questions and answers from the actual citizenship exam -- won't help immigrants learn much about the role of the press in American democracy.

Question 80 asks, "Name one right or freedom guaranteed by the First Amendment." The answer lists freedom of speech, religion, assembly and the right to petition the government -- but omits freedom of the press.

"What I find ironic is that a device designed to help immigrants understand what our democracy is all about would intentionally or unintentionally fail to mention what the framers of our constitution considered the 'bulwark of liberty,' which was the press," says Paul McMasters, ombudsman for the First Amendment Center.

Alfonso Aguilar, director of the office of citizenship at U.S. Citizenship and Immigration Services, acknowledges that the answer is incomplete. Aguilar says the 20-year-old citizenship test the flashcard is based on is "flawed" and is in the process of a $6 million redesign.
The next test, set to be given to prospective citizens no later than January 2009, "will be based on the components of a basic civics curriculum and will be an exam that can serve as a tool to encourage civic learning and patriotism," Aguilar says.

He says the current test, unveiled in 1986 as the first standardized exam ever given to citizenship applicants, is imprecise in several areas. Before 1986, applicants were questioned orally in interviews.

"The person who developed the test was not necessarily a civics or constitutional scholar," Aguilar says. "The content is not very good. It's very trivia-based."

The flashcards were introduced last year. They can be downloaded free on the website of the office of U.S. Citizenship and Immigration Services, www.uscis.gov, or purchased from the printing office.

Until the new test is in place, examiners have been instructed that anyone answering question 80 by citing freedom of the press will get credit for the right answer.

The question and answer about the First Amendment appeared in USA TODAY on Tuesday as an illustration with an article about legal immigrants.

Aguilar promises the next test will do a better job honoring press freedoms. "Absolutely," he says.

From rforno at infowarrior.org Wed May 17 07:50:03 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 17 May 2006 07:50:03 -0400
Subject: [Infowarrior] - Technology's Future: A Look at the Dark Side
Message-ID:

Technology's Future: A Look at the Dark Side
By BARNABY J. FEDER
http://www.nytimes.com/2006/05/17/business/businessspecial2/17tech.html?ei=5090&en=39fd7c89e66d9184&ex=1305518400&partner=rssuserland&emc=rss&pagewanted=print

AS far as anyone knows, the plight of civilization is nowhere near as dire as in the opening pages of Douglas Adams's "The Hitchhiker's Guide to the Galaxy," where alien spaceships are poised to destroy Earth to make way for an interstellar highway.
Still, with resource consumption and environmental destruction rising at unsustainable rates, plenty of people view the future with alarm. That spotlights technologies like nuclear power, genetic engineering and nanotechnology, which are often cited as crucial to heading off economic and environmental disaster.

The catch is that any technology powerful enough to improve life radically is also capable of abuse and prone to serious, unanticipated side effects. It's a great time to be a Hollywood screenwriter, but rough on policy makers and business strategists.

Mix new technologies with the wide variations in how organizations and individuals behave, and you often have "a recipe for explosion," said Edward Tenner, author of "Why Things Bite Back: Technology and the Revenge of Unintended Consequences."

The table setter for fears about potentially useful technology was nuclear power, which emerged as an energy source while images of the waste laid to Hiroshima and Nagasaki by atomic bombs in 1945 were still fresh.

"It's not the probability of a nuclear accident that matters in people's attitudes," said Charles B. Perrow, a risk analysis expert whose newest book, "Disaster Evermore? U.S. Vulnerability to Natural, Industrial and Terrorist Disasters," will be published this summer. "It's the possibility, which is very much there."

Despite several close calls, the deadly explosion at Chernobyl in 1986 is the utility industry's sole catastrophic failure. But the costs imposed on power companies to manage risks had already halted expansion of the nuclear power industry in the United States and elsewhere in the 70's.

Now, even though the risks of accidents are presumed to be growing as the first generation of plants age, orders are picking up for new plants in Asia. And some American utilities like Exelon, Entergy and Dominion are saying they want to build nuclear plants in the United States alongside existing ones.
Those plants currently supply just over 20 percent of the nation's electricity with operating costs far below fossil fuel plants.

Advocates for renewed investment in nuclear power say that new plant designs could reduce or eliminate many of the meltdown and contamination risks associated with current plants. Critics say the industry is still too riddled with bad management and lax regulation to allow new plants to be built.

"The driver of a car has a much bigger impact on safety than whether it's a Volvo or a Yugo," said David Lochbaum, director of the nuclear safety project for the Union of Concerned Scientists.

But some nuclear critics are reconsidering their positions based on the conclusion that of all the proven power-generating technologies, only nuclear power is ready to deliver large amounts of electricity without creating greenhouse gases that contribute to climate change.

"I see climate change as being so disastrous that increased nuclear energy may be the way to go," Mr. Perrow said.

The new designs still do not address concerns about the accumulation of nuclear waste that will be radioactive for centuries unless a new way of dealing with it is devised. And nuclear plants -- and the technology to support them -- strike some critics as inviting targets for terrorists. Still, many energy experts see nuclear power as the best bridge to an energy future based on renewable sources like solar power.

The ambivalence in green policy debates about nuclear energy also runs through talk about biotechnology, especially when it comes to genetic engineering. Arguments that humankind is foolishly "playing God" have been common ever since research breakthroughs in the late 1970's laid the groundwork for innovations like transferring to crops the genes that tell bacteria how to make insect-killing proteins.
Pioneering biotechnology researchers sought to prevent accidents and minimize regulation by voluntarily adopting good practice codes for experiments that produced genetically engineered animals and plants.

But if confidence has grown as the years pass without any biological Chernobyls, doubts have persisted about the long-term health effects from engineered plants and animals. Some critics also say the technology makes farmers too beholden to giant agribusinesses. More recently, security experts have begun to fret that terrorists could engineer and release novel viruses, bacteria or fungi.

Still, the potential environmental benefits of greater use of genetic engineering have excited researchers from the technology's earliest days. The Supreme Court's 1980 decision in Diamond v. Chakrabarty, which upheld the right of businesses to patent engineered organisms, involved a bacterium that General Electric hoped would become a green "product" to clean up oil spills.

In the end, G.E.'s oil-consuming microbe proved ineffective when transferred from a flask to slicks on the seas. But bioremediation -- using naturally occurring microbes to clean up a wide variety of air, water and soil pollutants -- is growing.

Backers of the technology argue that accelerated use of genetic engineering offers the only hope of feeding, clothing and housing the growing global population. Skeptics say the financial incentives driving agribusiness leaders like Monsanto, DuPont, Bayer and Cargill -- and the political incentives for governments to keep food costs low -- continually push all types of biotechnology toward an industrial model of agriculture that is too energy intensive, wasteful of water and dependent on chemicals.

The scientific questions underlying debates about biotechnology's risks can be bewildering for nonscientists, but nanotechnology may be even harder to comprehend. The term is derived from the nanometer, or a billionth of a meter.
Nanotechnology is often described as dealing in dimensions tens of thousands of times smaller than the width of a single hair. But what really matters is that by operating at the nanoscale, researchers can create new materials and extract novel behaviors from familiar ones because they are working with small numbers of molecules, the building blocks of all biology and chemistry.

After watching how alarmed activists stopped the nuclear industry in its tracks and slowed the introduction of biotechnology, many nanotechnology advocates propose engaging the public and investing heavily in toxicology research.

It is already documented in animal research that some man-made nanoparticles can move easily into the brain and deep into the lungs. "But we don't know how to find these things in the body or how to measure them in the air," said John M. Balbus, a nanotechnology expert at Environmental Defense, an advocacy group that has argued that investment in safety research should be more than doubled and restrictions be imposed on the use of some nanoproducts. "There's a lot of basic gaps in information."

Surveys show that most people pay little attention to nanotechnology, which is used in products that make sunscreens invisible, skis lighter and pants stain resistant. Advocates and critics alike thought that might change when Kleinmann, a German subsidiary of Illinois Tool Works, recalled a bathroom cleanser, Magic Nano, on March 28 after nearly 100 customers had trouble breathing.

But the brouhaha surrounding the first health-related recall of a "nanotechnology product" subsided rapidly, partly because the later investigation raised doubts whether there were indeed any nanoscale ingredients in the product.

If the biotechnology experience is a guide, getting governments more involved in nanotechnology risk management and educating consumers may generate profits in the long term.
"Companies need to embrace government oversight that makes consumers comfortable, and they need to offer people choices," said Rebecca J. Goldburg, a senior scientist at Environmental Defense. "Once people are empowered to make choices, they will often take what appears to be riskier options."

From rforno at infowarrior.org Wed May 17 09:16:50 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 17 May 2006 09:16:50 -0400
Subject: [Infowarrior] - Labels sue XM over music-storing 'mothership'
Message-ID:

Wouldn't it be great if we could sue the RIAA for first-degree arseclownedness and blatant greed? (And conspiracy....)

-rf

http://news.com.com/2102-1027_3-6073133.html?tag=st.util.print

A representative of the Recording Industry Association of America, comprised of major labels such as Vivendi Universal's Universal Music Group, Warner Music Group, EMI Group and Sony BMG, said the suit was filed on Tuesday in New York federal court.

The suit accuses XM Satellite of "massive wholesale infringement" and seeks $150,000 in damages for every song copied by XM customers using the devices, which went on sale earlier this month. XM, with more than 6.5 million subscribers, said it plays 160,000 different songs every month.

"Because XM makes available vast catalogues of music in every genre, XM subscribers will have little need ever again to buy legitimate copies of plaintiffs' sound recordings," the lawsuit says, referring to the handheld "Inno" device.

< - >

"XM Radio is the largest single payer of digital music broadcast royalties, and royalties paid by XM go to the music industry and benefit artists directly," the satellite radio company said.

"The music labels are trying to stifle innovation, limit consumer choice and roll back consumers' rights to record content for their personal use," XM added.

"It's a question of economic impact. Will these devices substitute for the purchase of a record?
Everything is changing, and the industry is petrified," said Jay Cooper, an entertainment lawyer.

From rforno at infowarrior.org Wed May 17 11:16:09 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 17 May 2006 11:16:09 -0400
Subject: [Infowarrior] - Apple closes down OS X
Message-ID:

Apple closes down OS X
Client kernel has gone proprietary, but it's not too late to set things right
http://ww6.infoworld.com/products/print_friendly.jsp?link=/article/06/05/17/78300_21OPcurve_1.html
By Tom Yager
May 17, 2006

Thanks to pirates, or rather the fear of them, the Intel edition of Apple's OS X is now a proprietary operating system. Mac developers and power users no longer have the freedom to alter, rebuild, and replace the OS X kernel from source code. Stripped of openness, it no longer possesses the quality that elevated Linux to its status as the second most popular commercial OS.

The Darwin open source Mach/Unix core shared by OS X Tiger client and OS X Tiger Server remains completely open for PowerPC Macs. If you have a G3, G4, or G5 Mac, you can hack your own Darwin kernel and use it to boot OS X. But if you have an Intel-based Mac desktop or notebook, your kernel and device drivers are inviolable. Apple still publishes the source code for OS X's commands and utilities and laudably goes several extra miles by open sourcing internally developed technologies such as QuickTime Streaming Server and Bonjour zero-config networking. The source code required to build a customized OS X kernel, however, is gone. Apple says that the state of an OS X-compatible open source x86 Darwin kernel is "in flux."

Apple has only shipped client systems, the users of which care least about openness. Soon, though, Apple will break out Intel variants of the kinds of machines that InfoWorld readers buy and on which I depend; namely, servers and workstations. I hope that Apple's flux settles into a strategy that favors demanding users and developers.
Apple's retreat to a proprietary kernel means that all users must accept a fixed level of performance. The default OS X kernels are built for broad compatibility rather than breakneck speed and throughput. That doesn't matter at present, because all Intel Macs are built on the same Core Duo/Core Solo 32-bit architecture. But Apple's workstation and server will be built using next-generation 64-bit x86 CPUs. The chipset, the bus, the memory, almost everything about the high-end machines will be much advanced over iMac and MacBook Pro.

Intel's road map plots a rapid course to ever higher performance. Macs will inherit the benefits of Core Microarchitecture's evolution, but OS X is limited in the degree to which it can exploit specific new features without creating branch after branch of OS code to handle each tweak to the architecture. Users in demanding fields such as biosciences or meteorology do hack OS kernels to slim them down, alter the balance between throughput and computing, and to open them to the resources of a massive grid. The availability of Intel's top-shelf compilers, debuggers, libraries, and profilers create unprecedented opportunities to optimize OS X for specific applications. Even if I don't need to hack the kernel, knowing that I can affords me a level of self-sufficiency and insulation from vendors' whims that fixed system software, such as Windows', does not.

Apple is in the unique position of losing hardware sales to software pirates. It faces the risk of cloned Macs being distributed in foreign markets where intellectual property protection is weak. I empathize. But there are ways to address the piracy issue without stripping the critical and defining quality of openness from OS X. That's a subject addressed in my Enterprise Mac blog. I hope it's discussed at Apple so that OS X's openness can be pulled from its state of flux and restored to the state that OS X's most demanding users expect and deserve.
From rforno at infowarrior.org Wed May 17 20:14:29 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 17 May 2006 20:14:29 -0400
Subject: [Infowarrior] - Judge denies AT&T request for closed hearing
Message-ID:

Judge denies AT&T request for closed hearing
By Declan McCullagh
http://news.com.com/Judge+denies+AT38T+request+for+closed+hearing/2100-7348_3-6073480.html
Story last modified Wed May 17 17:12:03 PDT 2006

SAN FRANCISCO--A federal judge rejected a request from AT&T on Wednesday to kick the public out of a hearing in a lawsuit alleging the telecommunications company illegally cooperated with the National Security Agency.

AT&T had asked U.S. District Judge Vaughn Walker to bar everyone but attorneys from the courtroom, arguing that trade secrets about the inner workings of its network could be divulged.

"We have intellectual property rights in that information," said David Anderson, an attorney at Pillsbury Winthrop who is representing AT&T. "We submit that the hearing itself be held 'in camera,'" a legal term meaning in private.

But Walker rejected the request, saying that carefully dealing with questions about trade secrets in an open courtroom "is not unprecedented."

The Electronic Frontier Foundation, a digital rights group in San Francisco, filed the class action lawsuit in January that claims AT&T illegally cooperated with the Bush administration's secret eavesdropping program. EFF has obtained documents from a former AT&T employee that it believes buttresses its case, but which the telecommunications company says contain trade secrets and proprietary business information.

Both sides have been quarreling over what to do with the documents provided by former AT&T technician Mark Klein and filed under seal with the court, with EFF saying they should be made entirely public and AT&T arguing they should be returned because they contain confidential information.
Walker on Wednesday effectively split the difference, saying that he would maintain the current state of affairs for now. He also ordered EFF's attorneys not to "disclose these documents to any party," and rejected AT&T's request that Klein be muzzled, saying the company could sue him directly if it chose.

Based on the information that's been made public so far, the 100 pages or so of information in Klein's documents appear to describe a secret room established in AT&T's main switching centers through which a tremendous amount of Internet and voice traffic flows. Those secret rooms, according to Klein's attorney, give the NSA full access to the company's networks and can be found in switching centers in San Francisco, Los Angeles, Seattle and San Jose, Calif.

CNET Networks (publisher of CNET News.com), Wired News and the California First Amendment Coalition sent an attorney to the hearing on Wednesday to argue that the public should not be prevented from attending the proceedings. A letter written by Roger Myers at Holme, Roberts & Owen submitted early in the day said the hearing should remain open because "the surveillance at the heart of the case presents issues of enormous public interest and importance."

A second set of media organizations including the San Jose Mercury News, the Los Angeles Times, the San Francisco Chronicle, and the Associated Press also sent an attorney--Karl Olson of Levy, Ram & Olson--to the hearing, which lasted nearly two hours.

Copyright ©1995-2006 CNET Networks, Inc. All rights reserved.
From rforno at infowarrior.org Thu May 18 08:01:44 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 18 May 2006 08:01:44 -0400
Subject: [Infowarrior] - Legal loophole emerges in NSA spy program
Message-ID:

Legal loophole emerges in NSA spy program
By Declan McCullagh
http://news.com.com/Legal+loophole+emerges+in+NSA+spy+program/2100-1028_3-6073600.html
Story last modified Wed May 17 20:08:38 PDT 2006

SAN FRANCISCO--An AT&T attorney indicated in federal court on Wednesday that the Bush administration may have provided legal authorization for the telecommunications company to open its network to the National Security Agency.

Federal law may "authorize and in some cases require telecommunications companies to furnish information" to the executive branch, said Bradford Berenson, who was associate White House counsel when President Bush authorized the NSA surveillance program in late 2001 and is now a partner at the Sidley Austin law firm in Washington, D.C.

Far from being complicit in an illegal spying scheme, Berenson said, "AT&T is essentially an innocent bystander."

AT&T may be referring to an obscure section of federal law, 18 U.S.C. 2511, which permits a telecommunications company to provide "information" and "facilities" to the federal government as long as the attorney general authorizes it. The authorization must come in the form of "certification in writing by...the Attorney General of the United States that no warrant or court order is required by law."

Information that is not yet public "would be exculpatory and would show AT&T's conduct in the best possible light," Berenson said. But he did not acknowledge any details about the company's alleged participation in the NSA's surveillance program, which has ignited an ongoing debate on Capitol Hill and led to this class-action lawsuit being filed in January by the Electronic Frontier Foundation.
Some legal experts say that AT&T may be off the hook if former Attorney General John Ashcroft, who was in office at the time the NSA program began, provided a letter of certification. (Other officials, including the deputy attorney general and state attorneys general, also are authorized to write these letters.)

"If the certification exists, AT&T is in pretty good shape," said Marc Rotenberg, executive director of the Electronic Privacy Information Center and co-author of a book on information privacy law.

EFF's lawsuit alleges that the telecommunications company let the NSA engage in wholesale monitoring of Americans' communications in violation of privacy laws. Confidential documents that EFF unearthed during the course of the suit--kept under seal and still not public--allege that AT&T gave the government full access to its networks in a way that let millions of e-mail messages, Web browsing sessions and phone calls be intercepted.

AT&T's ace in the hole?

If a letter of certification exists, AT&T could have an ace in the hole. A second section of federal law says that a "good faith" reliance on a letter of certification "is a complete defense to any civil or criminal" lawsuit.

During the hearing Wednesday before U.S. District Judge Vaughn Walker, Deputy Assistant Attorney General Carl Nichols also hinted that such a letter exists. Nichols said that there are undisclosed "facts that AT&T might want to present in its defense."

AT&T's legal defense?

An obscure section of federal law says that AT&T may have legally participated in the NSA surveillance program -- if, that is, it received a "certification" from the attorney general. That section says:

"Notwithstanding any other law, providers of wire or electronic communication service... are authorized to provide information, facilities, or technical assistance to persons authorized by law to intercept wire, oral, or electronic communications... if such provider... has been provided with...
a certification in writing by... the Attorney General of the United States that no warrant or court order is required by law, that all statutory requirements have been met, and that the specified assistance is required, setting forth the period of time during which the provision... is authorized... No provider of wire or electronic communication... shall disclose the existence of any interception or surveillance or the device used to accomplish the interception or surveillance..."

But, Nichols added, those facts relate to classified information that are "state secrets" and would jeopardize national security if they were disclosed. A hearing on the Bush administration's request to dismiss the case on national security grounds has been scheduled for June 23.

For its part, AT&T has remained silent about the extent of its alleged participation in the NSA surveillance scheme, which initially was thought to apply only to international calls but now may encompass records of domestic phone calls and more. Verizon and BellSouth, for instance, took steps to distance themselves from a USA Today report that said their call databases were opened to the NSA. But AT&T wouldn't comment.

Marc Bien, a spokesman for AT&T, told CNET News.com on Wednesday: "Without commenting on or confirming the existence of the program, we can say that when the government asks for our help in protecting national security, and the request is within the law, we will provide that assistance."

The next tussle in this lawsuit is likely to center on how far the "state secrets" concept can extend. Is AT&T able to divulge the text of any certification letter, without saying exactly what information it turned over as a result? Must the mere existence of a certification letter remain secret?

Injecting additional complexity is 18 U.S.C. 2511's prohibition on disclosure.
It says that telecommunication companies may not "disclose the existence of any interception or surveillance or the device used to accomplish the interception or surveillance"--except if required by law. Unlawful disclosures are subject to fines.

EFF claims that the existence of a letter of certification should not be classified. Cindy Cohn, an EFF attorney, told the judge on Wednesday that it is "not a state secret because the statute has a whole process" governing it.

"If you have a certification, let's see it," EFF attorney Lee Tien said in an interview after the hearing.

For his part, Berenson, the former attorney for President Bush who's now representing AT&T, complained about allegations that his client is violating the law. It's unfortunate that EFF "chose to use words like 'criminal tendency' and 'crimes,'" Berenson said. AT&T "is one of the great companies of the United States. To attach those kinds of labels is reckless at best."

Berenson's biography says he worked for Bush on the "war on terrorism" and the USA Patriot Act. Since leaving the White House, Berenson has written letters to Congress calling for renewal of the Patriot Act and has co-founded a group called Citizens for the Common Defence that advocates a "robust" view of presidential authority. It filed, for instance, an amicus brief before the Supreme Court in the Hamdi case arguing that a U.S. citizen could be detained indefinitely without trial because of the war on terror.

Copyright ©1995-2006 CNET Networks, Inc. All rights reserved.
From rforno at infowarrior.org Thu May 18 08:07:59 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 18 May 2006 08:07:59 -0400
Subject: [Infowarrior] - HRRC: Recording Industry lied to Congress, Courts, and Consumers
Message-ID:

FOR RELEASE

Contact:
Jeff Joseph
tel: (703) 907-7664
e-mail: info at hrrc.org
or
Megan Pollock
tel: (703) 907-7668
e-mail: mpollock at ce.org

RECORD LABELS BREAK COMPACTS WITH CONSUMERS, CONGRESS AND COURTS
Suit Against XM Trashes Labels' AHRA and Grokster Assurances

Washington, May 17, 2006 - The industry that advised consumers, the Congress and the courts that it would not abuse the legal tools it sought from them has done just that, charged the Home Recording Rights Coalition (HRRC) today. In a suit aimed directly at consumer practices it has long led the public to believe it had no intention to challenge, the recording industry has now, via lawsuit, labeled its best customers as pirates and sought unprecedented tools to use against them.

Today HRRC Chairman Gary Shapiro said: "I have a long enough memory to be astonished at the suit filed yesterday. We worked in good faith with the music industry to help pass the Audio Home Recording Act (AHRA), based on personal assurances that I received that it would put an end to this sort of harassing lawsuit against private, noncommercial consumer conduct. Yesterday the major labels filed such a suit, against the use of devices clearly covered by the AHRA, without so much as a mention of the law that provides for royalties on these devices, and which was clearly written to remove even the threat of this sort of bogus lawsuit."

Shapiro also accused the labels, and the entertainment industry as a whole, of abusing the assurances given to the courts, the Congress and the public at large when the industry pursued its Grokster lawsuit.
Then, entertainment industry representatives insisted that they did not by any means intend to threaten the sort of in-home, private, noncommercial recording that yesterday, they alleged violates the copyright law. Shapiro observed: "The lawyer that signed the complaint against XM is the same lawyer who told the Supreme Court that ripping a CD to a PC and then to a handheld device (without paying any royalty) is lawful. He represents the same industry that, in seeking 'inducement' legislation, promised that it would never be applied against devices such as a TiVo personal video recorder. But yesterday the complaint against XM claimed that consumers who use their devices in such ways are violating the copyright laws, and that XM is therefore guilty of inducement.

"The HRRC is proud of our history of working with the entertainment industry when the industry's goals and promises have appeared reasonable," continued Shapiro. "The action taken yesterday indicates that representations to the Congress, the courts and the public are not enough to assure that the music industry will keep its promises, to us or to the public and its elected and judicial representatives."

For updates on Congressional, regulatory and judicial proceedings, please visit the HRRC website at www.HRRC.org.

About HRRC

The Home Recording Rights Coalition, founded in 1981, is a leading advocacy group for consumers' rights to use home electronics products for private, non-commercial purposes. The members of HRRC include consumers, retailers, manufacturers and professional servicers of consumer electronics products. Further information on this and related issues can be found on the HRRC website, www.hrrc.org.
From rforno at infowarrior.org Thu May 18 08:09:14 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 18 May 2006 08:09:14 -0400
Subject: [Infowarrior] - Kazaa sues p2pnet for libel
Message-ID:

p2pnet.net Sued for Libel
May 15, 2006
Thomas Mennecke
http://www.slyck.com/news.php?story=1186

After its launch in July of 2002, p2pnet.net quickly became an important source of information for many members of the file-sharing and P2P community. Jon Newton, Editor, owner and lead writer of p2pnet.net, created a niche in the file-sharing world known for its considerably pro-P2P stance and condemnation of the entertainment industry.

By November 2004, p2pnet.net was a highly ranked alternative file-sharing news site. Second only to then news prolific P2Pforums.com, p2pnet.net was considered a must visit site by tens of thousands of visitors per day. Jon Newton distinguished himself as a hard worker, often producing on the upwards of eight articles per day.

Today however marks a turning point in p2pnet.net's history, as Jon Newton announced he is being sued for libel.

"I'm being sued for libel and consequently, there'll be no postings for a few days while I try to get the situation sorted out.

"As I've posted a number of times, p2pnet is a non-entrepreneurial, not-for-profit site based in Vancouver Island, British Columbia, Canada. It started out as a personal page and although the ads now pay my way and support the site, they do so only with the barest of margins and I'm not living in the lap of luxury, or even able to put anything in the bank. I say this not because I want anyone to feel sorry for me. p2pnet is a commitment and I'm tremendously proud to have been able to stand up strongly for principles I, and others, believe in."

Canadian libel law is more similar to English law, which gives more leverage to plaintiffs than defendants in such cases.
While in the United States three very difficult standards need to be met in order to successfully prosecute someone for libel, the Canadian law states, "Defamatory words in a newspaper or in a broadcast shall be deemed to be published and to constitute libel." In other words, if an individual publishes a narrative that damages the reputation of an individual or entity, he or she could potentially be sued. The exact details of this case are currently unknown. According to p2pnet.net's staff, Editor Jon Newton is under a self-imposed gag order and has provided no additional information. Update: Jon Newton has stated he is being sued not for something he wrote, rather for being a publisher. Update: The British Columbia Court of Appeals has additional information on p2pnet.net's libel suit. By clicking "Court Services", choosing a "Civil Search", and entering "Jon Newton" as a search string, the parties of this case are revealed. The plaintiffs are none other than Sharman Networks and Nikki Hemming; while Jon Newton, two "Jon Does", Jane and John Roe, and Interserver, Inc. are the defendants. Although few details exist, it is worthy to note that both p2pnet articles that deal with Nikki Hemming have been deleted. From rforno at infowarrior.org Thu May 18 08:23:12 2006 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 18 May 2006 08:23:12 -0400 Subject: [Infowarrior] - Schneier - The Eternal Value of Privacy Message-ID: The Eternal Value of Privacy http://www.wired.com/news/columns/1,70886-0.html By Bruce Schneier 02:00 AM May, 18, 2006 The most common retort against privacy advocates -- by those in favor of ID checks, cameras, databases, data mining and other wholesale surveillance measures -- is this line: "If you aren't doing anything wrong, what do you have to hide?" Some clever answers: "If I'm not doing anything wrong, then you have no cause to watch me." "Because the government gets to define what's wrong, and they keep changing the definition."
"Because you might do something wrong with my information." My problem with quips like these -- as right as they are -- is that they accept the premise that privacy is about hiding a wrong. It's not. Privacy is an inherent human right, and a requirement for maintaining the human condition with dignity and respect. Two proverbs say it best: Quis custodiet custodes ipsos? ("Who watches the watchers?") and "Absolute power corrupts absolutely." Cardinal Richelieu understood the value of surveillance when he famously said, "If one would give me six lines written by the hand of the most honest man, I would find something in them to have him hanged." Watch someone long enough, and you'll find something to arrest -- or just blackmail -- with. Privacy is important because without it, surveillance information will be abused: to peep, to sell to marketers and to spy on political enemies -- whoever they happen to be at the time. Privacy protects us from abuses by those in power, even if we're doing nothing wrong at the time of surveillance. We do nothing wrong when we make love or go to the bathroom. We are not deliberately hiding anything when we seek out private places for reflection or conversation. We keep private journals, sing in the privacy of the shower, and write letters to secret lovers and then burn them. Privacy is a basic human need. A future in which privacy would face constant assault was so alien to the framers of the Constitution that it never occurred to them to call out privacy as an explicit right. Privacy was inherent to the nobility of their being and their cause. Of course being watched in your own home was unreasonable. Watching at all was an act so unseemly as to be inconceivable among gentlemen in their day. You watched convicted criminals, not free citizens. You ruled your own home. It's intrinsic to the concept of liberty. 
For if we are observed in all matters, we are constantly under threat of correction, judgment, criticism, even plagiarism of our own uniqueness. We become children, fettered under watchful eyes, constantly fearful that -- either now or in the uncertain future -- patterns we leave behind will be brought back to implicate us, by whatever authority has now become focused upon our once-private and innocent acts. We lose our individuality, because everything we do is observable and recordable. How many of us have paused during conversation in the past four-and-a-half years, suddenly aware that we might be eavesdropped on? Probably it was a phone conversation, although maybe it was an e-mail or instant-message exchange or a conversation in a public place. Maybe the topic was terrorism, or politics, or Islam. We stop suddenly, momentarily afraid that our words might be taken out of context, then we laugh at our paranoia and go on. But our demeanor has changed, and our words are subtly altered. This is the loss of freedom we face when our privacy is taken from us. This is life in former East Germany, or life in Saddam Hussein's Iraq. And it's our future as we allow an ever-intrusive eye into our personal, private lives. Too many wrongly characterize the debate as "security versus privacy." The real choice is liberty versus control. Tyranny, whether it arises under threat of foreign physical attack or under constant domestic authoritative scrutiny, is still tyranny. Liberty requires security without intrusion, security plus privacy. Widespread police surveillance is the very definition of a police state. And that's why we should champion privacy even when we have nothing to hide. - - - Bruce Schneier is the CTO of Counterpane Internet Security and the author of Beyond Fear: Thinking Sensibly About Security in an Uncertain World. 
From rforno at infowarrior.org Thu May 18 15:15:55 2006 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 18 May 2006 15:15:55 -0400 Subject: [Infowarrior] - NSA rejected system that sifted phone data legally Message-ID: NSA rejected system that sifted phone data legally Dropping of privacy safeguards after 9/11, turf battles blamed By Siobhan Gorman Sun reporter Originally published May 18, 2006 http://www.baltimoresun.com/news/custom/attack/bal-te.nsa18may18,0,4406058.story?coll=bal-home-headlines WASHINGTON // The National Security Agency developed a pilot program in the late 1990s that would have enabled it to gather and analyze huge amounts of communications data without running afoul of privacy laws. But after the Sept. 11 attacks, it shelved the project - not because it failed to work but because of bureaucratic infighting and a sudden White House expansion of the agency's surveillance powers, according to several intelligence officials. The agency opted instead to adopt only one component of the program, which produced a far less capable and rigorous program. It remains the backbone of the NSA's warrantless surveillance efforts, tracking domestic and overseas communications from a vast databank of information, and monitoring selected calls. Four intelligence officials knowledgeable about the program agreed to discuss it with The Sun only if granted anonymity because of the sensitive nature of the subject. The program the NSA rejected, called ThinThread, was developed to handle greater volumes of information, partly in expectation of threats surrounding the millennium celebrations. Sources say it bundled four cutting-edge surveillance tools. ThinThread would have:
- Used more-sophisticated methods of sorting through massive phone and e-mail data to identify suspect communications.
- Identified U.S. phone numbers and other communications data and encrypted them to ensure caller privacy.
- Employed an automated auditing system to monitor how analysts handled the information, in order to prevent misuse and improve efficiency.
- Analyzed the data to identify relationships between callers and chronicle their contacts.
Only when evidence of a potential threat had been developed would analysts be able to request decryption of the records. An agency spokesman declined to discuss NSA operations. "Given the nature of the work we do, it would be irresponsible to discuss actual or alleged operational issues as it would give those wishing to do harm to the U.S. insight and potentially place Americans in danger," said NSA spokesman Don Weber in a statement to The Sun. "However, it is important to note that NSA takes its legal responsibilities very seriously and operates within the law." In what intelligence experts describe as rigorous testing of ThinThread in 1998, the project succeeded at each task with high marks. For example, its ability to sort through huge amounts of data to find threat-related communications far surpassed the existing system, sources said. It also was able to rapidly separate and encrypt U.S.-related communications to ensure privacy. But the NSA, then headed by Air Force Gen. Michael V. Hayden, rejected both of those tools, as well as the feature that monitored potential abuse of the records. Only the data analysis facet of the program survived and became the basis for the warrantless surveillance program. The decision, which one official attributed to "turf protection and empire building," has undermined the agency's ability to zero in on potential threats, sources say. In the aftermath of revelations about the agency's wide gathering of U.S. phone records, they add, ThinThread could have provided a simple solution to privacy concerns.
A better system A number of independent studies, including a classified 2004 report from the Pentagon's inspector-general, in addition to the successful pilot tests, found that the program provided "superior processing, filtering and protection of U.S. citizens, and discovery of important and previously unknown targets," said an intelligence official familiar with the program who described the reports to The Sun. The Pentagon report concluded that ThinThread's ability to sort through data in 2001 was far superior to that of another NSA system in place in 2004, and that the program should be launched and enhanced. Hayden, the president's nominee to lead the CIA, is to appear today before the Senate Select Committee on Intelligence and is expected to face tough questioning about the warrantless surveillance program, the collection of domestic phone records and other NSA programs. While the furor over warrantless surveillance, particularly the collection of domestic phone records, has raised questions about the legality of the program, there has been little or no discussion about how it might be altered to eliminate such concerns. ThinThread was designed to address two key challenges: The NSA had more information than it could digest, and, increasingly, its targets were in contact with people in the United States whose calls the agency was prohibited from monitoring. With the explosion of digital communications, especially phone calls over the Internet and the use of devices such as BlackBerries, the NSA was struggling to sort key nuggets of information from the huge volume of data it took in. By 1999, as some NSA officials grew increasingly concerned about millennium-related security, ThinThread seemed in position to become an important tool with which the NSA could prevent terrorist attacks. But it was never launched. Neither was it put into effect after the attacks in 2001. 
Despite its success in tests, ThinThread's information-sorting system was viewed by some in the agency as a competitor to Trailblazer, a $1.2 billion program that was being developed with similar goals. The NSA was committed to Trailblazer, which later ran into trouble and has been essentially abandoned. Both programs aimed to better sort through the sea of data to find key tips to the next terrorist attack, but Trailblazer had more political support internally because it was initiated by Hayden when he first arrived at the NSA, sources said. NSA managers did not want to adopt the data-sifting component of ThinThread out of fear that the Trailblazer program would be outperformed and "humiliated," an intelligence official said. Without ThinThread's data-sifting assets, the warrantless surveillance program was left with a sub-par tool for sniffing out information, and that has diminished the quality of its analysis, according to intelligence officials. Sources say the NSA's existing system for data-sorting has produced a database clogged with corrupted and useless information. The mass collection of relatively unsorted data, combined with system flaws that sources say erroneously flag people as suspect, has produced numerous false leads, draining analyst resources, according to two intelligence officials. FBI agents have complained in published reports in The New York Times that NSA leads have resulted in numerous dead ends. Privacy safeguards The privacy protections offered by ThinThread were also abandoned in the post-Sept. 11 push by the president for a faster response to terrorism. Once President Bush gave the go-ahead for the NSA to secretly gather and analyze domestic phone records - an authorization that carried no stipulations about identity protection - agency officials regarded the encryption as an unnecessary step and rejected it, according to two intelligence officials knowledgeable about ThinThread and the warrantless surveillance programs. 
"They basically just disabled the [privacy] safeguards," said one intelligence official. A former top intelligence official said that without a privacy requirement, "there was no reason to go back to something that was perhaps more difficult to implement." However, two officials familiar with the program said the encryption feature would have been simple to implement. One said the time required would have involved minutes, not hours. Encryption would have required analysts to be more disciplined in their investigations, however, by forcing them to gather what a court would consider sufficient information to indicate possible terrorist activity before decryption could be authorized. While it is unclear why the agency dropped the component that monitored for abuse of records, one intelligence official noted that the feature was not popular with analysts. It not only tracked the use of the database, but hunted for the most effective analysis techniques, and some analysts thought it would be used to judge their performance. Within the NSA, the primary advocate for the ThinThread program was Richard Taylor, who headed the agency's operations division. Taylor, who has retired from the NSA, did not return calls seeking comment. Officials say that after the successful tests of ThinThread in 1998, Taylor argued that the NSA should implement the full program. He later told the 9/11 Commission that ThinThread could have identified the hijackers had it been in place before the attacks, according to an intelligence expert close to the commission. But at the time, NSA lawyers viewed the program as too aggressive. At that point, the NSA's authority was limited strictly to overseas communications, with the FBI responsible for analyzing domestic calls. The lawyers feared that expanding NSA data collection to include communications in the United States could violate civil liberties, even with the encryption function. Taylor had an intense meeting with Hayden and NSA lawyers.
"It was a very emotional debate," recalled a former intelligence official. "Eventually it was rejected by [NSA] lawyers." After the 2001 attacks, the NSA lawyers who had blocked the program reversed their position and approved the use of the program without the enhanced technology to sift out terrorist communications and without the encryption protections. The NSA's new legal analysis was based on the commander in chief's powers during war, said former officials familiar with the program. The Bush administration's defense has rested largely on that argument since the warrantless surveillance program became public in December. The strength of ThinThread's approach is that by encrypting information on Americans, it is legal regardless of whether the country is at war, according to one intelligence official. Officials familiar with ThinThread say some within NSA were stunned by the legal flip-flop. ThinThread "was designed very carefully from a legal point of view, so that even in non-wartime, you could have done it legitimately," the official said. In a speech in January, Hayden said the warrantless surveillance program was not only limited to al-Qaida communications, but carefully implemented with an eye toward preserving the Constitution and rights of Americans. "As the director, I was the one responsible to ensure that this program was limited in its scope and disciplined in its application," he said. siobhan.gorman at baltsun.com From rforno at infowarrior.org Thu May 18 15:34:45 2006 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 18 May 2006 15:34:45 -0400 Subject: [Infowarrior] - NIST 800-92: Guide to Computer Security Log Management Message-ID: NIST on Security Logs The National Institute of Standards and Technology has released a document detailing how federal agencies should manage security logs: NIST Special Publication 800-92: Guide to Computer Security Log Management.
http://csrc.nist.gov/publications/drafts/DRAFT-SP800-92.pdf From rforno at infowarrior.org Thu May 18 15:38:18 2006 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 18 May 2006 15:38:18 -0400 Subject: [Infowarrior] - Great op-ed on books v. online reading Message-ID: Books and crooks http://www.globalpov.com/archives/2006/05/books_and_crooks.html Books. I was thinking about them this morning as I continue to edit mine. Several articles have been flying around the press lately making much of Google's deep indexing of books, both those in the public domain and those that are not. This never bothered me and I think that I know why. Reading a book is an experience. Those of us who truly enjoy reading find it to be one of the most pleasant parts of the day. We all have our little habits, our routines on how we read a book. Some people curl up in an armchair, I like to lie back on a couch. Book reading is so tactile. The feel of the cover and the creak of the binding on a new book, the way virginal pages act when first touched. Reading is immersive. It's like subtitled films. People that don't make a habit of watching them are usually surprised at how quickly they slip into a trance whereby the reading is just another form of sensory input blending into the visual and auditory stimulus. Now what about non-physical books? I hate reading books on a computer. EVERYONE hates reading books on a computer. The usual reason given is the lack of a tactile experience as described above. But I think that it's more than that. Computers are about finding information quickly. Our brain works in concert with our mouse-clicking hand and our darting eye to quickly find the fact that we need. This is a rotten frame of mind to be in when you're reading something for enjoyment. The idea of indexing the world's books doesn't bother me at all. It will be used for research, for reference, maybe to win a bar bet.
The idea that someone will download a book, say hacked from Google, for instance, then print the book on a laser printer, bind it somehow, sit down and read it, and then that they'll enjoy it as much as they would reading a fine leather-bound book is simply ludicrous. For one thing, it'll cost $5-$10 anyway to print it. For another, you won't get the look and feel of the original book or even the fonting, you'll get flat, boring text. For another, people who read, read. They wouldn't want to do this. The people who will steal and read a book and be satisfied with the laser printout will be the once-a-year book reader and they will undoubtedly be stealing The Da Vinci Code anyway. The experience of reading is special, pleasant and comforting for many of us. Substituting a digital equivalent is like drinking cognac from a jelly jar. Sure you can do it and it will intellectually taste the same as being drunk from a fine heavy leaded-crystal snifter, but it leaves something lacking. From rforno at infowarrior.org Thu May 18 19:27:48 2006 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 18 May 2006 19:27:48 -0400 Subject: [Infowarrior] - State Department pulls China-made PCs from secure networks Message-ID: US State Department pulls China-made PCs from secure networks The US State Department has backed down on a controversial decision to install computers made by Chinese company Lenovo on its classified networks, officials said. But the department's purchase of about 16,000 personal computers (PCs) from Lenovo raises serious questions given accusations that China is aggressively spying on the United States, Republican lawmaker Frank Wolf said. Word of the State Department order for the desktop PCs was made public in March, 10 months after Lenovo completed its 1.75-billion-dollar acquisition of IBM's PC division.
The department chose to install about 900 of the PCs on its secure network at home and at embassies around the world, according to documents released by Wolf. But after a flurry of objections from the US-China Economic and Security Review Commission, a bipartisan panel appointed by Congress, the department opted this week to pull the computers from the network. "This decision would have had dire consequences for our national security, potentially jeopardizing our investment in a secure IT infrastructure," said Wolf, whose House appropriations subcommittee funds the State Department. "It is no secret that the United States is a principal target of Chinese intelligence services," he said. While welcoming the department's reversal, he said the purchase of the 16,000 computers from the Chinese state-backed company was still troubling. Launching an impassioned attack on China's foreign policies and human-rights record, Wolf said that "of course you would take them (Lenovo) off the list" of companies approved to provide technology to the US government. "No American government agency should want to purchase from them," he said. Last year's acquisition vaulted Lenovo to third place among global PC makers, behind only Dell and Hewlett-Packard. The Chinese firm kept the right to use the IBM name on its PCs and the "ThinkPad" brand on laptop computers. The takeover was cleared by the US government, despite objections from members of Congress who noted that Lenovo is controlled by Legend Holdings, which in turn is majority-owned by the state Chinese Academy of Sciences. Members of the US-China commission said even the use of Lenovo PCs on unclassified State Department networks was troubling. "It's fair to say that unclassified computer communications could be infiltrated and pose a threat," Democratic commissioner Michael Wessel said. 
The Lenovo row was highlighted on the same day that China denied as "groundless" allegations that it was trying to steal military and scientific intelligence from the United States. A Taiwanese man, Ko-Suen Moo, has pleaded guilty in the United States to spying for Beijing. He was accused by the US District Attorney's office in Miami of seeking illegally to export missiles and aircraft parts to China. From rforno at infowarrior.org Thu May 18 19:33:48 2006 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 18 May 2006 19:33:48 -0400 Subject: [Infowarrior] - US ISP snooping plans take backseat Message-ID: ISP snooping plans take backseat By Declan McCullagh http://news.com.com/ISP+snooping+plans+take+backseat/2100-1028_3-6074070.html Story last modified Thu May 18 15:09:35 PDT 2006 A prominent Republican in the U.S. Congress has backed away from plans to rewrite Internet privacy rules by requiring that logs of Americans' online activities be stored. Wisconsin Rep. F. James Sensenbrenner, the chairman of the House Judiciary Committee, said through a representative this week that he will not be introducing that legislation after all. The statement came after CNET News.com reported on Tuesday that Sensenbrenner wanted to require Internet service providers to track what their users were doing so police might more easily "conduct criminal investigations," including inquiries into cases involving child exploitation and pornography. The concept is generally called data retention. Jeff Lungren, communications director for the House Judiciary Committee, said an aide had drafted the proposed bill without Sensenbrenner's direct involvement. "Staff sometimes starts working on issues--throwing around ideas, doing oversight--and (they) get ahead of where the members are and what they want to tackle," Lungren said in an e-mail message.
Sensenbrenner also canceled a May 23 hearing that was scheduled to include a discussion of data retention. Technology companies and Internet providers had quietly expressed strong objections to Sensenbrenner after the CNET News.com article appeared, according to two people with knowledge of the communications. They also criticized a second portion of the proposal that would make it a felony for Web sites to facilitate access to child pornography--through hyperlinks or by offering a discussion forum, for instance. New Internet felonies proposed Following are excerpts from Rep. Sensenbrenner's Internet SAFETY Act: "Whoever, being an Internet content hosting provider or e-mail service provider, knowingly engages in any conduct the provider knows or has reason to believe facilitates access to, or the possession of, child pornography shall be fined under this title or imprisoned not more than 10 years, or both. "'Internet content hosting provider' means a service that (A) stores, through electromagnetic or other means, electronic data, including the content of Web pages, electronic mail, documents, images, audio and video files, online discussion boards, and Web logs; and (B) makes such data available via the Internet." "Not later than 90 days after the date of the enactment of this section, the Attorney General shall issue regulations governing the retention of records by Internet service providers. Such regulations shall, at a minimum, require retention of records, such as the name and address of the subscriber or registered user (and what) user identification or telephone number was assigned..." Sensenbrenner is a close ally of President Bush, and his office began drafting the proposal soon after Attorney General Alberto Gonzales gave a speech last month saying Internet providers should retain records of user activities for a "reasonable" amount of time. 
"Legislation on this issue will not be introduced by Chairman Sensenbrenner, and he is not interested in considering any legislation like it," Lungren said in e-mail. "Our committee's agenda is tremendously overcrowded already." Until Gonzales' speech, the Bush administration had explicitly opposed laws requiring data retention, saying it had "serious reservations" about them. But after the European Parliament last December approved such a requirement for Internet, telephone and voice over Internet Protocol (VoIP) providers, top administration officials began talking about it more favorably. "It would be burdensome--it would be excessive" if enacted into law, said Will Rodger, director of public policy at the Computer & Communications Industry Association, which represents companies including Microsoft, Sun Microsystems, Nortel, Verizon and Yahoo. "This says let's start snooping on people just in case we find they've been up to something no good later on." Peter Swire, a fellow at the liberal Center for American Progress and a law professor at Ohio State University, said he was concerned about the security implications of Sensenbrenner's proposal. "Data retention becomes a single point of failure for revealing government and other legitimate activities" if the Internet activities of police are recorded, Swire said. Mandatory data retention legislation could still advance through a different House committee, however. Rep. Diana DeGette, a Colorado Democrat, announced legislation last month--which could be appended to a telecommunications bill--that also would require Internet providers to store records that would permit police to identify each user. Copyright 1995-2006 CNET Networks, Inc. All rights reserved.
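Two items in this digest raise the same engineering question from opposite directions: the ThinThread design in the Baltimore Sun piece above (encrypt U.S. identifiers at ingest, run relationship analysis on the protected form, audit every analyst action, decrypt only against an authorized request backed by evidence) and Peter Swire's warning here that a mandatory retention store becomes a single point of failure. The following Python is an added example written for this page, not code from the NSA, the Sun, or CNET, showing how such a pipeline fits together. The E.164 number format with +1 taken as U.S., the Authorization record as the "sufficient information" gate, and the HMAC-SHA256 keystream used to encrypt the re-identification vault (a stand-in for a real AEAD such as AES-GCM) are assumptions made here for illustration.

```python
"""Pseudonymize protected identifiers, analyze on tokens, audit everything,
re-identify only with an authorization.  Added example, not NSA code."""
import hashlib
import hmac
import time
from dataclasses import dataclass


def _prf(key: bytes, label: bytes, nbytes: int) -> bytes:
    # HMAC-SHA256 in counter mode as a keystream generator.  Assumption for the
    # example only: a production vault would use an AEAD, not a home-grown stream.
    out, counter = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:nbytes]


def is_us_number(number: str) -> bool:
    return number.startswith("+1")   # assumption: E.164, country code 1 == U.S.


@dataclass(frozen=True)
class Authorization:
    """Who approved revealing which tokens, for which case (the 'evidence first' gate)."""
    case_id: str
    approver: str
    tokens: frozenset


class PrivacyFilter:
    def __init__(self, token_key: bytes, vault_key: bytes):
        self._token_key = token_key   # derives deterministic pseudonyms
        self._vault_key = vault_key   # protects the token -> identifier vault
        self._vault = {}              # token -> encrypted original identifier
        self.audit = []               # append-only record of every analyst action

    def _log(self, actor: str, action: str, **details):
        self.audit.append({"time": time.time(), "actor": actor, "action": action, **details})

    def pseudonymize(self, number: str) -> str:
        # Keyed and deterministic: the same number always yields the same token, so
        # link analysis still works, but the number space cannot be brute-forced
        # into tokens without the key.  Non-U.S. selectors stay in clear (assumption).
        if not is_us_number(number):
            return number
        token = "US:" + hmac.new(self._token_key, number.encode(), hashlib.sha256).hexdigest()[:16]
        if token not in self._vault:
            keystream = _prf(self._vault_key, token.encode(), len(number))
            self._vault[token] = bytes(a ^ b for a, b in zip(number.encode(), keystream))
        return token

    def ingest(self, records, actor: str = "ingest"):
        """records: (caller, callee, timestamp); identifiers are protected before storage."""
        protected = [(self.pseudonymize(a), self.pseudonymize(b), ts) for a, b, ts in records]
        self._log(actor, "ingest", count=len(protected))
        return protected

    def contacts(self, records, selector: str, actor: str) -> set:
        """Relationship analysis on tokens; nothing is decrypted."""
        self._log(actor, "contacts", selector=selector)
        peers = set()
        for a, b, _ in records:
            if a == selector:
                peers.add(b)
            elif b == selector:
                peers.add(a)
        return peers

    def reveal(self, token: str, actor: str, authorization: Authorization = None) -> str:
        """Decrypt one token only under an authorization that names it; denials are audited too."""
        if authorization is None or token not in authorization.tokens:
            self._log(actor, "reveal_denied", token=token)
            raise PermissionError(f"no authorization covers {token}")
        ciphertext = self._vault[token]
        keystream = _prf(self._vault_key, token.encode(), len(ciphertext))
        number = bytes(a ^ b for a, b in zip(ciphertext, keystream)).decode()
        self._log(actor, "reveal", token=token, case=authorization.case_id,
                  approver=authorization.approver)
        return number


# Constructed sample call records: one foreign number in contact with two U.S. numbers.
SAMPLE_RECORDS = [
    ("+12025550143", "+442079460123", 1000),
    ("+442079460123", "+12025550199", 1010),
    ("+12025550143", "+12025550199", 1020),
]


def demo():
    pf = PrivacyFilter(b"token-key (example only)", b"vault-key (example only)")
    recs = pf.ingest(SAMPLE_RECORDS)
    peers = pf.contacts(recs, "+442079460123", actor="analyst1")   # tokens only
    try:
        pf.reveal(next(iter(peers)), actor="analyst1")              # refused and logged
    except PermissionError:
        pass
    auth = Authorization("case-0001", "counsel", frozenset(peers))
    revealed = sorted(pf.reveal(t, actor="analyst1", authorization=auth) for t in peers)
    return peers, revealed, [e["action"] for e in pf.audit]


if __name__ == "__main__":
    print(demo())
```

The point of the split keys is the one the article makes: an analyst with the token key can still chart who talked to whom, but turning a token back into a person needs the vault key and an Authorization naming that token, and both the grant and every refusal land in the audit trail. Swire's single point of failure is narrowed to the vault and its key custody, which is a much smaller thing to defend than a plaintext retention store.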
From rforno at infowarrior.org Fri May 19 07:26:33 2006 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 19 May 2006 07:26:33 -0400 Subject: [Infowarrior] - US military is blocking Slashdot and SourceForge.net Message-ID: NewsForge The Online Newspaper for Linux and Open Source http://trends.newsforge.com/ Title US military is blocking Slashdot and SourceForge.net Date 2006.05.18 13:00 Author Joe Barr Topic http://trends.newsforge.com/article.pl?sid=06/05/17/2040239 I was told recently that Air Force bases in the San Antonio, Texas, area are blocking one or more of our sister OSTG sites, like SourceForge.net, Slashdot.org, or Freshmeat.net. After finding reports via Google of commercial mail services and liberal news sites being blocked by various components of the Department of Defense, I decided to go straight to the horse's mouth for the story. Here's what I learned. The bottom line, courtesy of Air Force spokesperson Captain David W. Small, is that the Air Force does "block Web sites to restrict use of the Web to official business and in accordance with specific guidance in AFIs." An AFI is an Air Force Instruction, basically policy or guideline from the Air Force that must be followed. Small went on to write that the Air Force is using a filtering Web proxy to block sites: The AF uses a standard Web proxy tool called Blue Coat. It's installed at every base in the network control center and at the major command level in the Network Operations and Security Center. We block many different categories of unofficial Web sites (see the attached spreadsheet for categories blocked by Air Combat Command). Some are specifically prohibited by AFI 33-129 or AFI 33-119. [Blue Coat's partner] Secure Computing maintains the list of Web sites that fit into each category and they update the lists as part of a subscription service. 
Base network control centers can add/delete specific Web sites to a local access/block list to enable them to quickly block known problem sites (like phishing sites) or to open Web sites for access if someone justifies it for official use. We have plans to deploy the capability to move this local access/block list to the enterprise level across the AF within the next two years as part of our infrastructure upgrade program. Air Combat Command has already moved this local access/block list capability up to the enterprise level. They do the ad hoc access/block actions from their level for all of their bases. It enables them to block problem sites very quickly. I asked Blue Coat if any of our OSTG sites were being blocked by default by their filters. Spokesperson Nikolett Basco replied: Secure Computing Corp. provides SmartFilter Web filtering software to organizations worldwide. SmartFilter allows organizations to customize their Internet experience based on their specific needs. We classify Internet content into over 73 different categories so that customers can choose, by category, what types of Web content they want available to their organization. However, just because a site is categorized, does not mean it is automatically blocked. Any SmartFilter customer can reclassify any site they wish. Each organization defines its own policy. Secure Computing has no control over, or visibility into, how an organization implements their filtering policy. I used the Blue Coat Site Review Tool to check several OSTG sites. SourceForge.net and freshmeat.net are both categorized as Computers/Internet, Slashdot.org is miscategorized as Newsgroups, but is also included as Computers/Internet. NewsForge.com is in the News/Media category. While none of those categories is especially heinous (except News/Media, of course), it appears that some of those sites are being blocked by at least some military commands around the world.
I spoke to an Army National Guard officer, for example, who recently returned from Afghanistan. He told me that Slashdot.org was banned by his command when he first arrived for duty there, but that he was able to get it un-blacklisted during his tour of duty.

As to OSTG sites being blocked here in Central Texas, the Lackland AFB Public Affairs office declined to answer my email or return my phone calls asking for information on whether specific OSTG sites are being blocked, and if so, why they are. But the AFIs cited by Captain Small in his reply indicate that they should be blocked in any case.

AFI 33-129, dated February 3, 2005, covers "Web Management and Internet Use." Among other things, it specifically prohibits the downloading of "freeware/shareware or any other software product without Designated Approving Authority (DAA) approval." Since providing access to free/open source software is the primary function of sites like SourceForge.net and freshmeat.net, blocking access to them is understandable.

Chat rooms, IRC channels, and other public forums are also directly forbidden. The AFI stipulates that "Participating in non-DOD or nongovernment 'chat lines,' 'chat groups,' or open forum discussion to or through a public site, unless it is for official purposes and approved through the Global Information Grid (GIG) Waiver Board" is prohibited.

AFI 33-119, dated January 24, 2005, which covers "Air Force Messaging," explains the reports of commercial Web mail sites being blocked. It specifically prohibits "Accessing commercial Web mail accounts and instant messaging services (i.e., Yahoo, AOL, or MSN mail accounts)."

Note that the regulations govern "official use," so Air Force personnel may be able to browse blocked sites if they're able to connect to another network using personal computers.

Catching more than intended?
The categories of sites blocked by the Air Combat Command, which Captain Small indicated will probably become the Air Force standard by next year, contains some ironic entries. Cited as an example of sites blocked for "Game/Cartoon Violence" is none other than America's Army -- a game commissioned by the Army itself.

Remote Access is another no-no according to the block list. Why? Because "sites in this category provide information about gaining remote access to a program, online service or an entire computer system. While often used legitimately by people who want to use their computer from a remote location, it also creates a potential security risk. Backdoor access is often written by the original programmer." Cited as an example of these nefarious villains is none other than the TightVNC site.

Of course, TightVNC is double-bad, since it is also free, and sites that provide shareware and freeware are banned. The example given for this category in the spreadsheet of blocked categories is Tucows.com.

And, finally, Internet newsgroup sites are banned as well. That ban, coupled with Slashdot's miscategorization by Blue Coat as a NewsGroup site, helps explain why that site cannot be accessed by our armed forces in many places at home and abroad.

Censorship is tricky business, no matter how well-intentioned it may be.

Links
1. "attached spreadsheet" - http://www.newsforge.com/blob.pl?id=2d976ca00f329e5596b746c0ecc5d6a7
2. "AFI 33-129" - http://www.e-publishing.af.mil/pubfiles/af/33/afi33-129/afi33-129.pdf
3. "AFI 33-119" - http://www.e-publishing.af.mil/pubfiles/af/33/afi33-119/afi33-119.pdf
4. "Site Review Tool" - http://sitereview.bluecoat.com/sitereview.jsp
5. "America's Army" - http://www.americasarmy.com/
6. "commissioned" - http://businessweek.com/technology/content/may2002/tc20020523_2266.htm
7. "TightVNC site" - http://www.tightvnc.com/
8. "Tucows.com" - http://tucows.com/

From rforno at infowarrior.org Fri May 19 07:28:40 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 19 May 2006 07:28:40 -0400
Subject: [Infowarrior] - VeriSign launches free OpenID server
Message-ID:

VeriSign launches free OpenID server
http://arstechnica.com/news.ars/post/20060518-6867.html
5/18/2006 1:11:49 PM, by Nate Anderson

Most Internet users do not eat, sleep, and breathe authentication. Many don't know what "authentication" means. Some can't even spell the word. But everyone who has used the Internet for more than five minutes understands the feeling of overwhelming suckitude that descends when confronted by yet another web site that requires you to create an account in order to perform some trivial action (note to vendors: I don't have to supply a username, password, my address, an e-mail account, and my birthdate to buy a toaster at Target; why do you insist on making me do it online?). Unfortunately, although we can put a man on the moon, we can't seem to develop any sort of single sign-on mechanism that will make online identity a less frightening concept.

VeriSign is the latest company to take a crack at the problem, but they are doing so in a very limited way. VeriSign's new Personal Identity Provider (PIP) attempts to capitalize on the growing support for OpenID by hosting a server of their own, but it's not a replacement solution for sign-ons at e-commerce sites and financial institutions. Instead, the goal is to start with sites that have less at stake -- blogs, photo-sharing sites, and wikis. Rather than create a new account at each blog you visit, for instance, OpenID allows you to generate a unique URL that functions as your identity. You simply enter the URL, and the site communicates behind the scenes with your OpenID server to authenticate that you do, in fact, own that URL. The program is thus quite limited, but the limits may actually be a strength.
Past efforts at creating a robust single sign-on (such as Microsoft's Passport) have largely failed to live up to the hype, in part because few people want to entrust sensitive information like credit card numbers to third parties like Microsoft. VeriSign's endorsement of OpenID suggests that companies now want to start with smaller, more manageable tasks first, things with less at stake. OpenID is also a completely decentralized system with many different registrars, a move designed to alleviate fears about one company collecting too much personal information.

So what's in it for VeriSign? Rolling out a free OpenID server doesn't make the company any money, but they are hoping to grow the entire market for authentication products and to increase the robustness of the OpenID system.

"So what's in it for us? We believe that providing free, quality infrastructure for the OpenID-enabled community -- identity services that are friendly, secure and user-empowering -- will help create an environment in which a rich variety of applications and services will appear and prosper. As this ecosystem evolves and matures, the free, basic services offered by the VeriSign PIP and other OpenID servers will be able to enable more complex trust relationships and higher value transactions. There's a need now for basic functions that will improve the quality of the blogosphere: authenticated blog comments, open reputation systems, personalized tagging, social media filtering, etc. Over time, as the installed base of enabled users grows and the application set available for OpenID-equipped users broadens and deepens, the VeriSign PIP will be able to validate credentials and claims for its users that facilitate 'heavy duty' transactions: blog based auctions and payments, age-based verification for dating and social websites, verified residency for surveys, polls and voting, etc. In some cases, the credentials and claims VeriSign provides for its users will be a fee to the user.
In other cases, the subscribing applications will pay us a fee for qualifying and enabling users to participate and transact in a trusted, reliable context."

The move comes after the major market players have all announced recent plans to beef up their own authentication offerings. IBM, for instance, is throwing its weight behind Project Higgins, while Microsoft is promising robust InfoCard support in Vista. Even Google is rumored to be working on a system of its own. VeriSign's support of OpenID is yet another signal that the authentication market is heating up. Dominating the authentication space may one day be nearly as important as dominating the search space is today, and all of these companies want to make sure that when that day arrives, they have a piece of the action.

From rforno at infowarrior.org Fri May 19 07:31:28 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 19 May 2006 07:31:28 -0400
Subject: [Infowarrior] - UK Government to force handover of encryption keys
Message-ID:

This story was printed from ZDNet UK, located at http://news.zdnet.co.uk/
Story URL: http://news.zdnet.co.uk/internet/security/0,39020375,39269746,00.htm

Government to force handover of encryption keys
Tom Espiner
ZDNet UK
May 18, 2006, 12:10 BST

The UK Government is preparing to give the police the authority to force organisations and individuals to disclose encryption keys, a move which has outraged some security and civil rights experts.

The powers are contained within Part 3 of the Regulation of Investigatory Powers Act (RIPA). RIPA was introduced in 2000, but the government has held back from bringing Part 3 into effect. Now, more than five years after the original act was passed, the Home Office is seeking to exercise the powers within Part Three of RIPA.

Some security experts are concerned that the plan could criminalise innocent people and drive businesses out of the UK.
But the Home Office, which has just launched a consultation process, says the powers contained in Part 3 are needed to combat an increased use of encryption by criminals, paedophiles, and terrorists.

"The use of encryption is... proliferating," Liam Byrne, Home Office minister of state told Parliament last week. "Encryption products are more widely available and are integrated as security features in standard operating systems, so the Government has concluded that it is now right to implement the provisions of Part 3 of RIPA... which is not presently in force."

Part 3 of RIPA gives the police powers to order the disclosure of encryption keys, or force suspects to decrypt encrypted data. Anyone who refuses to hand over a key to the police would face up to two years' imprisonment. Under current anti-terrorism legislation, terrorist suspects now face up to five years for withholding keys.

If Part 3 is passed, financial institutions could be compelled to give up the encryption keys they use for banking transactions, experts have warned.

"The controversy here [lies in] seizing keys, not in forcing people to decrypt. The power to seize encryption keys is spooking big business," Cambridge University security expert Richard Clayton told ZDNet UK on Wednesday.

"The notion that international bankers would be wary of bringing master keys into UK if they could be seized as part of legitimate police operations, or by a corrupt chief constable, has quite a lot of traction," Clayton added. "With the appropriate paperwork, keys can be seized. If you're an international banker you'll plonk your headquarters in Zurich."

Opponents of the RIP Act have argued that the police could struggle to enforce Part 3, as people can argue that they don't possess the key to unlock encrypted data in their possession.
"It is, as ever, almost impossible to prove 'beyond a reasonable doubt' that some random-looking data is in fact ciphertext, and then prove that the accused actually has the key for it, and that he has refused a proper order to divulge it," pointed out encryption expert Peter Fairbrother on ukcrypto, a public email discussion list.

Clayton backed up this point. "The police can say 'We think he's a terrorist' or 'We think he's trading in kiddie porn', and the suspect can say, 'No, they're love letters, sorry, I've lost the key'. How much evidence do you need [to convict]? If you can't decrypt [the data], then by definition you don't know what it is," said Clayton.

The Home Office on Wednesday told ZDNet UK that it would not reach a decision about whether Part 3 will be amended until the consultation process has been completed.

"We are in consultation, and [are] looking into proposals on amendments to RIPA," said a Home Office spokeswoman. "The Home Office is waiting for the results of the consultation" before making any decisions, she said.

The Home Office said last week that the focus on key disclosure and forced decryption was necessary due to "the threat to public safety posed by terrorist use of encryption technology".

Clayton, on the other hand, argues that terrorist cells do not use master keys in the same way as governments and businesses.

"Terrorist cells use master keys on a one-to-one basis, rather than using them to generate pass keys for a series of communications. With a one-to-one key, you may as well just force the terrorist suspect to decrypt that communication, or use other methods of decryption," said Clayton.

"My suggestion is to turn on all of Part 3, except the part about trying to seize keys. That won't create such a furore in financial circles," he said.

Copyright © 2006 CNET Networks, Inc. All Rights Reserved. ZDNET is a registered service mark of CNET Networks, Inc. ZDNET Logo is a service mark of CNET NETWORKS, Inc.
From rforno at infowarrior.org Fri May 19 09:04:55 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 19 May 2006 09:04:55 -0400
Subject: [Infowarrior] - OT: Iran eyes badges for Jews
Message-ID:

While offtopic for the list, I felt it necessary to post because this item is disturbing on SO many levels. -rf

Iran eyes badges for Jews
Law would require non-Muslim insignia
http://www.canada.com/components/print.aspx?id=11fbf4a8-282a-4d18-954f-546709b1240f&k=32073

Chris Wattie
National Post
Friday, May 19, 2006

Human rights groups are raising alarms over a new law passed by the Iranian parliament that would require the country's Jews and Christians to wear coloured badges to identify them and other religious minorities as non-Muslims.

"This is reminiscent of the Holocaust," said Rabbi Marvin Hier, the dean of the Simon Wiesenthal Center in Los Angeles. "Iran is moving closer and closer to the ideology of the Nazis."

Iranian expatriates living in Canada yesterday confirmed reports that the Iranian parliament, called the Islamic Majlis, passed a law this week setting a dress code for all Iranians, requiring them to wear almost identical "standard Islamic garments."

The law, which must still be approved by Iran's "Supreme Guide" Ali Khamenehi before being put into effect, also establishes special insignia to be worn by non-Muslims.

Iran's roughly 25,000 Jews would have to sew a yellow strip of cloth on the front of their clothes, while Christians would wear red badges and Zoroastrians would be forced to wear blue cloth.

"There's no reason to believe they won't pass this," said Rabbi Hier. "It will certainly pass unless there's some sort of international outcry over this."

Bernie Farber, the chief executive of the Canadian Jewish Congress, said he was "stunned" by the measure.

"We thought this had gone the way of the dodo bird, but clearly in Iran everything old and bad is new again," he said. "It's state-sponsored religious discrimination."
Ali Behroozian, an Iranian exile living in Toronto, said the law could come into force as early as next year.

It would make religious minorities immediately identifiable and allow Muslims to avoid contact with non-Muslims.

Mr. Behroozian said it will make life even more difficult for Iran's small pockets of Jewish, Christian and other religious minorities -- the country is overwhelmingly Shi'ite Muslim.

"They have all been persecuted for a while, but these new dress rules are going to make things worse for them," he said.

The new law was drafted two years ago, but was stuck in the Iranian parliament until recently when it was revived at the behest of President Mahmoud Ahmadinejad.

A spokesman for the Iranian Embassy in Ottawa refused to comment on the measures. "This is nothing to do with anything here," said a press secretary who identified himself as Mr. Gharmani. "We are not here to answer such questions."

The Simon Wiesenthal Centre has written to Kofi Annan, the Secretary-General of the United Nations, protesting the Iranian law and calling on the international community to bring pressure on Iran to drop the measure.

"The world should not ignore this," said Rabbi Hier. "The world ignored Hitler for many years -- he was dismissed as a demagogue, they said he'd never come to power -- and we were all wrong."

Mr. Farber said Canada and other nations should take action to isolate Mr. Ahmadinejad in light of the new law, which he called "chilling," and his previous string of anti-Semitic statements.

"There are some very frightening parallels here," he said. "It's time to start considering how we're going to deal with this person."

Mr. Ahmadinejad has repeatedly described the Holocaust as a myth and earlier this year announced Iran would host a conference to re-examine the history of the Nazis' "Final Solution."

He has caused international outrage by publicly calling for Israel to be "wiped off the map."
Iran does not yet have nuclear weapons, but Tehran is believed by Western nations to be developing its own nuclear military capability, in defiance of international protocols and peace treaties.

The United States, France and Israel accuse Iran of using a civilian nuclear program to secretly build a weapon. Iran denies this, saying its program is confined to generating electricity.

cwattie at nationalpost.com
© National Post 2006

From rforno at infowarrior.org Mon May 22 00:35:33 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 22 May 2006 00:35:33 -0400
Subject: [Infowarrior] - Attorney Gen.: Reporters Can Be Prosecuted
Message-ID:

Attorney Gen.: Reporters Can Be Prosecuted
http://news.yahoo.com/s/ap/20060521/ap_on_go_ca_st_pe/prosecuting_reporters&printer=1;_ylt=AsMdIyGCvU_c8azQRFE9WGaWwvIE;_ylu=X3oDMTA3MXN1bHE0BHNlYwN0bWE
- Sun May 21, 3:31 PM ET

Attorney General Alberto Gonzales said Sunday he believes journalists can be prosecuted for publishing classified information, citing an obligation to national security.

The nation's top law enforcer also said the government will not hesitate to track telephone calls made by reporters as part of a criminal leak investigation, but officials would not do so routinely and randomly.

"There are some statutes on the book which, if you read the language carefully, would seem to indicate that that is a possibility," Gonzales said, referring to prosecutions. "We have an obligation to enforce those laws. We have an obligation to ensure that our national security is protected."

In recent months, journalists have been called into court to testify as part of investigations into leaks, including the unauthorized disclosure of a CIA operative's name as well as the National Security Agency's warrantless eavesdropping program.
Lucy Dalglish, executive director of the Reporters Committee for Freedom of the Press, said she presumed that Gonzales was referring to the 1917 Espionage Act, which she said has never been interpreted to prosecute journalists who were providing information to the public.

"I can't imagine a bigger chill on free speech and the public's right to know what its government is up to -- both hallmarks of a democracy -- than prosecuting reporters," Dalglish said.

Gonzales said he would not comment specifically on whether The New York Times should be prosecuted for disclosing the NSA program last year based on classified information.

He also denied that authorities would randomly check journalists' records on domestic-to-domestic phone calls in an effort to find journalists' confidential sources.

"We don't engage in domestic-to-domestic surveillance without a court order," Gonzales said, under a "probable cause" legal standard.

But he added that the First Amendment right of a free press should not be absolute when it comes to national security. If the government's probe into the NSA leak turns up criminal activity, prosecutors have an "obligation to enforce the law."

"It can't be the case that that right trumps over the right that Americans would like to see, the ability of the federal government to go after criminal activity," Gonzales told ABC's "This Week."

From rforno at infowarrior.org Mon May 22 01:38:49 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 22 May 2006 01:38:49 -0400
Subject: [Infowarrior] - Voice Encryption May Draw U.S. Scrutiny
Message-ID:

Voice Encryption May Draw U.S. Scrutiny
http://www.nytimes.com/2006/05/22/technology/22privacy.html?_r=1&oref=slogin&pagewanted=print
By JOHN MARKOFF

SAN FRANCISCO, May 21 -- Philip R. Zimmermann wants to protect online privacy. Who could object to that? He has found out once already.
Trained as a computer scientist, he developed a program in 1991 called Pretty Good Privacy, or PGP, for scrambling and unscrambling e-mail messages. It won a following among privacy rights advocates and human rights groups working overseas -- and a three-year federal criminal investigation into whether he had violated export restrictions on cryptographic software. The case was dropped in 1996, and Mr. Zimmermann, who lives in Menlo Park, Calif., started PGP Inc. to sell his software commercially.

Now he is again inviting government scrutiny. On Sunday, he released a free Windows software program, Zfone, that encrypts a computer-to-computer voice conversation so both parties can be confident that no one is listening in. It became available earlier this year to Macintosh and Linux users of the system known as voice-over-Internet protocol, or VoIP.

What sets Zfone apart from comparable systems is that it does not require a web of computers to hold the keys, or long numbers, used in most encryption schemes. Instead, it performs the key exchange inside the digital voice channel while the call is being set up, so no third party has the keys.

Zfone's introduction comes as reports continue to emerge about the government's electronic surveillance efforts. A lawsuit by the Electronic Frontier Foundation, a privacy rights group, contends that AT&T has given the National Security Agency real-time access to Internet communications.

In the wake of 9/11, there were calls for the government to institute new barriers to cryptography, to avoid its use in communications by enemies of the United States. Easily accessible cryptography for Internet calling may intensify that debate.

"I'm afraid it will put front and center an issue that had been resolved in the individual's favor in the 1990's," said James X. Dempsey, policy director for the Center for Democracy and Technology, a Washington-based public policy group.
The Federal Communications Commission has begun adopting regulations that would force Internet service providers and VoIP companies to adopt the technology that permits law enforcement officials to monitor conventional telephone calls. But for now, at least, F.C.C. regulation exempts programs that operate directly between computers, not through a hub.

"From the F.C.C.'s perspective you can't regulate point-to-point communications, which I think will let Phil off the hook," said Marc Rotenberg, director of the Electronic Privacy Information Center, an advocacy group in Washington.

Zfone may face more of a challenge in Europe, where the British government is preparing to give the police the legal authority to compel both organizations and individuals to disclose encryption keys.

But Mr. Zimmermann, 52, does not see those fearing government surveillance -- or trying to evade it -- as the primary market. The next phase of the Internet's spyware epidemic, he contends, will be software designed to eavesdrop on Internet telephone calls made by corporate users.

"They will have entire digital jukeboxes of covertly acquired telephone conversations, and suddenly someone in Eastern Europe is going to be very wealthy," he said.

While Mr. Zimmermann is giving away his software so far, his goal is to attract VoIP software and hardware developers to license his technology and embed it in their products.

Zfone can automatically encrypt any call between users of freely available VoIP software programs like X-Lite, Gizmo or SJphone. It can be downloaded at www.philzimmermann.com.

The system does not work with Skype, the VoIP system acquired by eBay, which uses its own encryption scheme. But at a conference last week in Cyprus, German officials said they had technology for intercepting and decrypting Skype phone calls, according to Anthony M. Rutkowski, vice president for regulatory affairs and standards for VeriSign, a company that offers security for Internet and phone operations.

Mr. Zimmermann said he had not yet tested Zfone's compatibility with Vonage, another popular VoIP service.

Mr. Zimmermann contends that the nation is better off with strong cryptography. Indeed, Zfone can be considered an asset, he said, because it allows people to have secret conversations without hiding their Internet protocol addresses, which could be traceable geographically. Those observed having a secured conversation could come under suspicion, of course. But for that reason, he argued, sophisticated criminals or terrorists are unlikely to use the technology.

"I'm sympathetic to the needs of the intelligence community to catch the bad guys," he said. "I specifically protect the content the criminals want, while simultaneously not interfering with the traffic analysis that the N.S.A. is trying to do. You could make the case that I'm being socially responsible."

From rforno at infowarrior.org Mon May 22 06:28:32 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 22 May 2006 06:28:32 -0400
Subject: [Infowarrior] - FW: openSIMS v0.9 LiveCD available for download
In-Reply-To: <89efd5a30605211957q1d29b908m90387fc92f44f0bd@mail.gmail.com>
Message-ID:

Worth checking out if you're a securitygeek.......rf

------ Forwarded Message
Date: Sun, 21 May 2006 21:57:16 -0500
To:
Subject: openSIMS v0.9 LiveCD available for download

Hey,

Just a quick note to let you know that the openSIMS 0.9 final candidate v1 has been released and is now available on SourceForge:

https://sourceforge.net/project/showfiles.php?group_id=115820

The release notes are located here:

http://opensims.sourceforge.net/2006/05/21/check-it-release-notes-opensims_09-livecd-fc1/

From rforno at infowarrior.org Tue May 23 06:45:19 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 23 May 2006 06:45:19 -0400
Subject: [Infowarrior] - Social Implications of Keysigning
In-Reply-To:
Message-ID:

http://attrition.org/security/rant/z/keysigning.html

Social Implications of Keysigning
Raven & Jericho
Tue May 23 01:41:20 EDT 2006

Intro

The use of strong public encryption has always been popular among geeks. Perhaps the most commonly used and most beloved encryption for e-mail is Pretty Good Privacy (PGP); started as a free method for protecting emails or other sensitive information, later turned into a cornerstone for a large company. As PGP became more corporate, costly and used patented algorithms, another project, GnuPG, sprung up to continue to offer strong encryption to the masses.

One foundation of reliable encryption is trust. The use of encryption between two or more people relies on you being sure that the message you sent is properly encrypted to and able to be decrypted solely by the intended recipient. When using a friend's GPG key, you must be sure that the key was created by and belongs solely to your friend. Otherwise, you may send mail that your friend cannot read (if they don't have the key you encrypted to), or worse, mail that some other party can read (if that party does have the key you encrypted to).

[..]

http://attrition.org/security/rant/z/keysigning.html

From rforno at infowarrior.org Wed May 24 06:27:07 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 24 May 2006 06:27:07 -0400
Subject: [Infowarrior] - Monocultures and Document formats: Dan's Bomb Goes Off
Message-ID:

Monocultures and Document formats: Dan's Bomb Goes Off
Tuesday, May 23 2006 @ 06:17 PM EDT
http://www.consortiuminfo.org/standardsblog/article.php?story=20060523181724678

Dan Geer is an extremely well respected security expert. When he worries about something, people listen. One of the things he has worried - and warned - about is the danger represented by IT "monocultures" - the situation that arises when everyone uses the same software, for example, and therefore everyone shares the same vulnerability to a computer virus or other security threat.
Just as the word "virus" has been borrowed from biology and provides an apt and vivid descriptor for its IT analogue, so also does the word monoculture function: think of the consequences of Irish potato blight, or of the wiping out of the American Chestnut tree, which once numbered in the billions in the forests of the American East and is almost extinct as a mature species.

Well, last November, Dan wrote a perspective piece for CNETnews.com, called Massachusetts Assaults Monoculture. In that article, he wrote:

As a matter of logic alone: If you care about the security of the commonwealth, then you care about the risk of a computing monoculture. If you care about the risk of a computing monoculture, then you care about barriers to diversification. If you care about barriers to diversification, then you care about user-level lock-in. And if you care about user-level lock-in, then you must break the proprietary format stranglehold on the commonwealth. Until that is done, the user-level lock-in will preclude diversification and the monoculture bomb keeps ticking.

As it happens, Dan's bomb went off a few days ago, with the breakout of the "Backdoor.Ginwui" virus, a malicious bit of code that Symantec introduced in an alert as follows:

It has been reported that Backdoor.Ginwui may be dropped by a malicious Word document exploiting an undocumented vulnerability in Microsoft Word. This malicious Word document is currently detected as Trojan.Mdropper.H.

The fact that Dan's expectation came true can hardly be a source of surprise. Indeed, the only curious aspect of the fulfilment of his prediction is that it took as long as it did to occur. The reason, of course, is that hackers like targets that offer the most visible and dramatic results - and the bigger the better. If that target is unpopular (such as Microsoft), then again, so much the better. Thus it is that the more successful the software product, the more attractive it becomes.
That's no criticism of Microsoft, or of any other vendor, but one of the regrettable costs of success. Still, from the end-user point of view, it is an added burden on the value of the product in question. After all, it's one thing to have a target painted on your back and reap huge profits as a cost of doing business, and quite another to pay a premium price for a dominant product, and share the same risk without offsetting compensation.

It's also not a surprise that something as prosaic as a Word document should become the innocent carrier of a bit of malicious code. After all, stringent security policies (such as those my firm employs) already block jpegs, zip files and other vehicles known for problem code. But no one's policies automatically block all Word and Excel files, since those are what - for now at least - most people create, send and read (they do, of course, scan them for known viruses). This therefore elevates such files not only to the level of ideal vectors, but grants them the status of attractive challenges as well, capable of showcasing the chops of whatever hacker can succeed in employing them to pull off a high-profile assault.

All of which, as regular readers of this blog might assume, leads me to a conclusion that has something to do with ODF - a standard that is already supported by four major products, two of the proprietary persuasion (Sun's StarOffice and IBM's Workplace Managed Client) and two of the open source (OpenOffice and K Office) variety. The risk profile between a monoculture and a diverse IT culture such as this is mathematically clear. By definition, even if ODF compliant products as a group were someday to trade marketplace shares with Microsoft Office, no individual user of any ODF compliant product would share the same degree of risk that every Office user has today, by reason of the fact that she would inhabit an IT culture with a much richer genetic pool.
And no virus is likely to operate at the level of standardization at which these disparate products exist. As a result, just as a species with a diverse gene pool is likely to be able to withstand the assault of a new disease in far better form than a species of clones, so also would an IT environment based on multiple instantiations of ODF be more resilient than a monoculture of Office users, only more so. Why more so? Because in nature, a virus isn't personal. No malign intelligence creates a natural virus to attack a specific target. But in the world of hackers, the opposite is the case.

The moral of Dan's story, as well as the current reality of the Word Backdoor Ginwui virus, is therefore clear: in IT diversity there is safety.

From rforno at infowarrior.org Wed May 24 06:33:16 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 24 May 2006 06:33:16 -0400
Subject: [Infowarrior] - Agency Delayed Reporting Theft of Veterans' Data
Message-ID:

Agency Delayed Reporting Theft of Veterans' Data
By DAVID STOUT and TOM ZELLER Jr.
http://www.nytimes.com/2006/05/24/washington/24identity.html?_r=1&oref=slogin&pagewanted=print

WASHINGTON, May 23 -- The Veterans Affairs Department learned about the theft of electronic data on 26.5 million veterans shortly after it occurred, on May 3, but waited two weeks before telling law enforcement agencies, officials said Tuesday.

The officials said investigators in the Justice Department and the Federal Bureau of Investigation were furious with the leaders of the veterans agency for initially trying to handle the loss of the data as an internal problem through the agency's inspector general before coming forward.

Officials said the investigators in the Justice Department and F.B.I. had complained that the delay might have cost them clues to the whereabouts of the data, stored on computer disks that were stolen in a burglary on May 3 at the home of an agency employee in Maryland.
A spokesman for the agency, Matt Burns, declined to comment on the timing of the announcement.

The disks carried names and accompanying Social Security numbers and dates of birth, practically keys to identity in the computer age. It was not clear, in the absence of an explanation from the agency, why its officials waited for days to disclose the theft to law enforcement people and still more days to announce it to the public or what internal discussions might have prompted them to change their minds.

As the department sought to reassure veterans not privy to the bureaucratic machinations here and to deal with a security lapse that was becoming a public relations disaster, some veterans were uneasy and suspicious.

"Why did the V.A. wait 19 days to notify veterans?" John Rowan, president of the Vietnam Veterans of America, asked. Perhaps, Mr. Rowan suggested, the department learned that the news was about to be leaked.

The wife of a disabled veteran of the gulf war, Penny Larrisey of Doylestown, Pa., expressed what countless crime victims have said.

"Just right about now, the only way you can feel is you've been violated," Mrs. Larrisey said in a telephone interview.

The department has emphasized that there was as yet no indication that the data, taken home without authorization by the employee, had been put to ill use. But Mrs. Larrisey, whose husband, Bob, was an Air Force sergeant, was not soothed.

"This puts us in a position of one paycheck away from disaster," she said, worrying that a computer-savvy thief with access to specifics about her husband's disability payments could tap into their bank account.

The authorities continued to investigate the activities of the employee, who is on administrative leave. Officials familiar with the case said that while investigators had no reason to dispute the employee's account, they were nonetheless puzzled why little else of value besides the data-laden disks were stolen.
In an added twist, the officials said investigators were having trouble finding the employee but did not think that he was necessarily trying to be evasive.

Several aspects remained murky, including how much communication, if any, there was between the Montgomery County police in Maryland and federal investigators about the disks.

Mr. Rowan of the Vietnam veterans' group said the Veterans Affairs Department should do more than just post information on its Web site advising veterans to scrutinize their financial records and telling them what to do if they find something wrong.

"The V.A. has put veterans at risk for identity theft," he said. "If this were the private sector, they would be required to provide each veteran with free credit-reporting services."

A spokesman for Senator Larry E. Craig, the Idaho Republican who is chairman of the Veterans Affairs Committee, said the panel would consider just such measures when it holds a hearing on the case on Thursday morning. The spokesman, Jeff Schrade, said government agencies should treat personal data as "top secret information."

Christopher Walsh, a lawyer here who specializes in security cases, said the theft conveyed a disturbing message, that "the government has paid far less attention to the issue of data security than the people think -- and far less than business."

Recent federal laws entitle every consumer to one free credit report from each major consumer credit-reporting agency -- Experian, Equifax and TransUnion -- every year. But for closer monitoring of credit status, the kind that some consumers turn to when they fear that their records have been compromised, the companies charge a fee. Ten dollars a month after a free 30-day trial is typical.

If veterans feel threatened enough to enter such arrangements, "the government ought to pay for it, in my view," Mr. Walsh said.
At least two companies offering identity-theft protection, LifeLock and MyPublicInfo, said they had discount packages for veterans affected by the theft.

Senator Craig's spokesman, Mr. Schrade, declined to predict what would happen at the hearing on Thursday or how the security breach would be repaired. "But," he said, "I don't think we're going to get out of this on the cheap."

Maureen Balleza contributed reporting from Houston for this article.

From rforno at infowarrior.org Wed May 24 06:37:56 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 24 May 2006 06:37:56 -0400
Subject: [Infowarrior] - FCC Won't Investigate N.S.A. on Records
Message-ID:

...as if anyone expected NSA to grant anyone clearances to investigate them right now anyway? --rf

Agency Won't Investigate N.S.A. on Records
By REUTERS
http://www.nytimes.com/2006/05/24/washington/24brfs-brief-008.html?_r=1&oref=slogin&pagewanted=print

WASHINGTON, May 23 -- The Federal Communications Commission will not pursue complaints about the National Security Agency's access to millions of telephone records because it cannot obtain classified material, the commission's chairman said in a letter released on Tuesday.

Representative Edward J. Markey, Democrat of Massachusetts, had asked regulators to investigate a report in USA Today that AT&T, Verizon and BellSouth turned over records of phone calls to the security agency as part of efforts to compile a database to track terrorist activities.

"The classified nature of the N.S.A.'s activities makes us unable to investigate the alleged violations," said the commission's chairman, Kevin Martin, a Republican, in the May 22 letter released by Mr. Markey.

Verizon and BellSouth have denied turning over the records. BellSouth has demanded that USA Today retract the assertions.
From rforno at infowarrior.org Wed May 24 17:10:22 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 24 May 2006 17:10:22 -0400
Subject: [Infowarrior] - Portland mayor says FBI tried to recruit informant at City Hall
Message-ID:

Portland mayor says FBI tried to recruit informant at City Hall
http://159.54.227.3/apps/pbcs.dll/article?AID=/20060524/NEWS06/60524054

PORTLAND, Ore. - Portland Mayor Tom Potter said Wednesday that an FBI agent had attempted to recruit an informant inside the offices of City Hall.

According to an open letter to the community released by the mayor's office, federal authorities have since told Potter that they know of no public corruption in Portland and are not conducting an investigation of the city.

FBI spokeswoman Beth Anne Steele released a statement saying that the FBI "strongly disagrees on the significance of the incident described," and that the agency intends to continue discussions with city officials "concerning a variety of public safety issues."

Steele also said it was "entirely proper for an FBI agent to ask willing citizens to provide information when those citizens feel it is appropriate to do so regarding potential criminal conduct."

Potter has clashed with the federal government before. City Council members, including Potter, voted in April 2005 to remove Portland police from a Joint Terrorism Task Force led by the FBI, a task force that has expanded to about 100 cities across the nation.

In the open letter to the community, posted on the city's Web site Wednesday, Potter said the agency's actions smacked of "big brother," especially in light of recent news reports about several of the nation's biggest phone companies sharing millions of customer records with the National Security Agency.

According to Potter's letter, a city employee was stopped by a special agent from the Portland FBI on May 11, who asked whether she knew any of Portland's five city council members.
Potter's letter said the employee was asked "if she would be willing to pass information to him relating to people who work for the city of Portland. He said that while he had duties in other areas, the agency was always interested in information relating to white collar crime and other things."

Potter concluded by chiding the agency, writing, "when there is no information to indicate any public corruption on the part of City Council members or employees, the FBI has no legitimate role in surreptitiously monitoring elected officials and city employees."

From rforno at infowarrior.org Wed May 24 17:11:50 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 24 May 2006 17:11:50 -0400
Subject: [Infowarrior] - Intelligence Czar Can Waive SEC Rules
Message-ID:

http://www.businessweek.com/bwdaily/dnflash/may2006/nf20060523_2210.htm?campaign_id=rss_daily

MAY 23, 2006
By Dawn Kopecki

Intelligence Czar Can Waive SEC Rules
Now, the White House's top spymaster can cite national security to exempt businesses from reporting requirements

President George W. Bush has bestowed on his intelligence czar, John Negroponte, broad authority, in the name of national security, to excuse publicly traded companies from their usual accounting and securities-disclosure obligations. Notice of the development came in a brief entry in the Federal Register, dated May 5, 2006, that was opaque to the untrained eye.

Unbeknownst to almost all of Washington and the financial world, Bush and every other President since Jimmy Carter have had the authority to exempt companies working on certain top-secret defense projects from portions of the 1934 Securities Exchange Act. Administration officials told BusinessWeek that they believe this is the first time a President has ever delegated the authority to someone outside the Oval Office. It couldn't be immediately determined whether any company has received a waiver under this provision.

The timing of Bush's move is intriguing.
On the same day the President signed the memo, Porter Goss resigned as director of the Central Intelligence Agency amid criticism of ineffectiveness and poor morale at the agency. Only six days later, on May 11, USA Today reported that the National Security Agency had obtained millions of calling records of ordinary citizens provided by three major U.S. phone companies. Negroponte oversees both the CIA and NSA in his role as the administration's top intelligence official.

FEW ANSWERS.

White House spokeswoman Dana M. Perino said the timing of the May 5 Presidential memo had no significance. "There was nothing specific that prompted this memo," Perino said.

In addition to refusing to explain why Bush decided to delegate this authority to Negroponte, the White House declined to say whether Bush or any other President has ever exercised the authority and allowed a company to avoid standard securities disclosure and accounting requirements. The White House wouldn't comment on whether Negroponte has granted such a waiver, and BusinessWeek so far hasn't identified any companies affected by the provision. Negroponte's office did not respond to requests for comment.

Securities-law experts said they were unfamiliar with the May 5 memo and the underlying Presidential authority at issue. John C. Coffee, a securities-law professor at Columbia University, speculated that defense contractors might want to use such an exemption to mask secret assignments for the Pentagon or CIA. "What you might hide is investments: You've spent umpteen million dollars that comes out of your working capital to build a plant in Iraq," which the government wants to keep secret. "That's the kind of scenario that would be plausible," Coffee said.

AUTHORITY GRANTED.
William McLucas, the Securities & Exchange Commission's former enforcement chief, suggested that the ability to conceal financial information in the name of national security could lead some companies "to play fast and loose with their numbers." McLucas, a partner at the law firm Wilmer Cutler Pickering Hale & Dorr in Washington, added: "It could be that you have a bunch of books and records out there that no one knows about."

The memo Bush signed on May 5, which was published seven days later in the Federal Register, had the unrevealing title "Assignment of Function Relating to Granting of Authority for Issuance of Certain Directives: Memorandum for the Director of National Intelligence." In the document, Bush addressed Negroponte, saying: "I hereby assign to you the function of the President under section 13(b)(3)(A) of the Securities Exchange Act of 1934, as amended."

A trip to the statute books showed that the amended version of the 1934 act states that "with respect to matters concerning the national security of the United States," the President or the head of an Executive Branch agency may exempt companies from certain critical legal obligations. These obligations include keeping accurate "books, records, and accounts" and maintaining "a system of internal accounting controls sufficient" to ensure the propriety of financial transactions and the preparation of financial statements in compliance with "generally accepted accounting principles."

From rforno at infowarrior.org Thu May 25 22:28:54 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 25 May 2006 22:28:54 -0400
Subject: [Infowarrior] - Justice Department Probe Foiled
Message-ID:

ISSUES & IDEAS
Justice Department Probe Foiled
By Shane Harris and Murray Waas, National Journal
© National Journal Group Inc.
Thursday, May 25, 2006
http://news.nationaljournal.com/articles/0525nj2.htm

An internal Justice Department inquiry into whether department officials -- including Attorney General Alberto Gonzales and then-Attorney General John Ashcroft -- acted properly in approving and overseeing the Bush administration's domestic eavesdropping program was stymied because investigators were denied security clearances to do their work. The investigators, however, were only seeking information and documents relating to the National Security Agency's surveillance program that were already in the Justice Department's possession, two senior government officials said in interviews.

The investigation was launched in January by the Justice Department's Office of Professional Responsibility -- a small ethics watchdog set up in 1975 after department officials were implicated in the Watergate scandal. The OPR investigates allegations of official misconduct by department attorneys, not crimes per se, but it does issue reports and recommend disciplinary action. The current Justice Department inspector general has determined that OPR is the office responsible for investigating the professional actions of the attorney general involving the NSA program.

The only classified information that OPR investigators were seeking about the NSA's eavesdropping program was what had already been given to Ashcroft, Gonzales and other department attorneys in their original approval and advice on the program, the two senior government officials said. And, by nature, OPR's request was limited to documents such as internal Justice Department communications and legal opinions, and didn't extend to secrets that are the sole domain of other agencies, the two officials said.
It is not clear who denied the OPR investigators the necessary security clearances, but Gonzales has reiterated in recent days that sharing too many details about the surveillance program could diminish its usefulness in locating terrorists, and he indicated that giving OPR investigators access to the program could jeopardize it.

Gonzales said that Justice attorneys examined and approved the surveillance, and that decisions on whether to share information about it are weighed in light of national security needs. "We don't want to be talking so much about the program that we compromise [its] effectiveness," the attorney general said at a public appearance last week.

Gonzales asserted to other senior officials that only people who have been "read into the [NSA] program," meaning they know its details and have pledged not to divulge them, should be allowed access, one of the two senior officials said in an interview. Traditionally, the decision on whether to grant access to a highly classified program is made by the agency that runs it, in this case the NSA.

Rep. Maurice Hinchey, D-N.Y., and three other Democrats -- John Lewis of Georgia, Henry Waxman of California, and Lynn Woolsey of California -- requested the OPR investigation after the surveillance program was revealed in late 2005, and asked the agency to determine whether it complied with existing law. OPR investigates "allegations of misconduct involving department attorneys that relate to the exercise of their authority to investigate, litigate, or provide legal advice," according to the office's policies and procedures. Justice attorneys approved the NSA's warrantless eavesdropping in 2001, and Gonzales has vehemently defended President Bush's powers to order it ever since.

OPR's lead counsel, H. Marshall Jarrett, wrote to Hinchey in early February saying he had launched the investigation.
"I am writing to acknowledge receipt of your January 9, 2006, letter, in which you asked this office to investigate the Department of Justice's role in authorizing, approving, and auditing certain surveillance activities of the National Security Agency, and whether such activities are permissible under existing law. For your information, we have initiated an investigation. Thank you for bringing your concerns to our attention." But earlier this month, Jarrett again wrote [PDF] to Hinchey: "We have been unable to make any meaningful progress in our investigation because OPR has been denied security clearances for access to information about the NSA program. Beginning in January 2006, this office made a series of requests for the necessary clearances. On May 9, 2006, we were informed that our requests had been denied. Without these clearances, we cannot investigate this matter and therefore have closed our investigation." Jarrett didn't say which official or agency denied the requests for clearances. Asked whether the NSA had done so, agency spokesman Donny Weber pointed to Gonzales's public comments last week. Ross Feinstein, a spokesman for the Office of the Director of National Intelligence, when asked which agency or person denied the security clearances to OPR investigators, also said Gonzales's comments of last week addressed that question. After the clearances were denied, a reporter asked Gonzales, "Did Mr. Jarrett come to you and ask you to assist him in getting those clearances?" Gonzales replied, "It would not be appropriate, and I would not get into internal discussions or the give and take that happened between the attorney general and other folks within the Department of Justice." "You were aware of this personally?" the reporter asked. "Again, I'm not going to comment on anything," Gonzales replied. 
Asked which agency or official decided not to grant the OPR investigators security clearances, Justice spokesman Brian Roehrkasse said, "We aren't commenting on internal decisions." He noted that the attorney general had addressed the topic in his public comments. If the decision to deny the clearances was in fact an "internal decision" of the Justice Department, that raises the prospect that Gonzales himself or another senior Justice official denied the clearances, and hence quashed the OPR investigation.

Michael Shaheen, who headed the OPR from its inception until 1997, said that his staff "never, ever was denied a clearance," and that OPR had conducted numerous investigations involving the activities of attorneys general. "No attorney general has ever said no to me," Shaheen said. He added that, over the past several years, the OPR's muscle has degraded, in part because it was stripped of its authority to pursue criminal investigations. But under the Bush administration, the weakening has been especially pronounced, Shaheen said. "I just think that the White House has so frightened everybody.... If I were still at OPR and was told I couldn't have security clearances, the first word out of my mouth ... would have been, 'Balderdash!'"

In an interview, Hinchey argued that Gonzales and other Bush administration officials have an obligation to cooperate in every manner possible with any OPR investigation: "The Justice Department has an Office of Professional Responsibility to assure that the highest ethical standards are met by those who enforce our laws. That's why we have Jarrett.... The idea that they are not going to give him the necessary security clearances to do his job and the proper oversight is absurd."

Regarding Gonzales, Hinchey said: "The attorney general has said that he does not have to allow an investigation to go forward because he has talked about the legal underpinnings of the NSA program. He has not done that because it does not have any.
It is devoid of any legal underpinnings."

Hinchey has drafted a resolution of inquiry requesting that Bush, Gonzales, and Defense Secretary Donald Rumsfeld turn over documents relating to the OPR investigation's closure and the denial of security clearances. The resolution asks for "telephone and electronic-mail records, logs and calendars, personnel records, and records of internal discussions." Hinchey said he planned to get other members of Congress to sign on to the resolution this week.

The OPR investigation also set out to determine whether the NSA's surveillance activities were legal and complied with the Foreign Intelligence Surveillance Act, the sole law on intelligence-gathering inside the United States. Gonzales has averred that the legal underpinnings have already been laid out in public testimony and in detailed department analyses of the president's authority to order warrantless eavesdropping. He has also asserted that Justice's inspector general, not the OPR, has the authority to investigate whether department officials' conduct is lawful.

But in January, the Justice Department's inspector general deferred to the OPR on questions about authorization of the NSA program. In declining a request by Rep. Zoe Lofgren, D-Calif., to investigate Gonzales's role, Inspector General Glenn Fine wrote, "The actions of the attorney general or other department attorneys in providing legal advice regarding the legality of warrantless surveillance by NSA ... falls within the jurisdiction of the [OPR]." Fine then sent Lofgren's request to that office.

From rforno at infowarrior.org Thu May 25 22:38:33 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 25 May 2006 22:38:33 -0400
Subject: [Infowarrior] - Are the Police Digging into Your Phone Records?
Message-ID:

Sunday, May. 25, 2008
Are the Police Digging into Your Phone Records?
A congressional inquiry into online data brokers has raised concerns that federal and local law enforcement may be skirting privacy laws to obtain calling records
By KRISTINA DELL
http://www.time.com/time/nation/printout/0,8816,1197918,00.html

The National Security Agency may not be the only one looking at your phone records. As the agency's controversial program of collecting Americans' calling data continues to draw heat, new questions have emerged about whether federal and local law enforcement officials are possibly skirting privacy laws by obtaining phone records from companies that get the information in a questionable manner and then hawk it over the Internet.

Since February, Congress has been investigating such so-called data brokers for the ways in which they gather their information. Some of them use people inside the phone company who are willing to divulge the data. But more commonly, these businesses obtain phone records through an illegal practice known as "pretexting," in which someone calls up the phone company and impersonates a subscriber to con the service representative into releasing copies of the records.

The possible connection with law enforcement came to light when the data brokers were asked as part of the Congressional inquiry to submit letters revealing their client lists. One data broker listed as clients the FBI and unspecified "foreign governments," while another claimed to have done work for the Department of Homeland Security. Neither company will reveal the extent of the data they gave out. Both the FBI and the Department of Homeland Security deny any wrongdoing.

It remains an open question whether law enforcement obtaining the private phone records of Americans in this fashion is actually illegal.
While most data brokers claim there is no specific law against the sale of phone records, as there is with banking records, and therefore it should not be illegal, the Federal Trade Commission and numerous state attorneys general disagree. Collectively, they have brought more than a dozen cases against data brokers based on state and federal statutes governing unfair and deceptive trade practices.

Information brokers insist they provide a valuable service to creditors, attorneys and private investigators "to catch bad people" -- among them stalkers, fugitives from the law and deadbeat dads. Although data acquired through pretexting is not admissible in court, such information can be useful as an investigative shortcut, without having to wait for a warrant or subpoena. "Fifty years from now you're going to need a subpoena to talk to your neighbor," says one frustrated data broker, Noah Weider, president of IEI, which runs BestPeopleSearch.com.

Investigating Data Brokers

The House Energy and Commerce Committee's probe into data brokers has been dogged by controversy. Robert Douglas, an information security consultant who runs PrivacyToday.com and was hired to do research for the committee, resigned in April because he felt allegations that the FBI and Department of Homeland Security were purchasing phone records were not being investigated thoroughly enough. And a bipartisan committee bill to protect phone records by outlawing pretexting was suddenly withdrawn just before a full House vote in early May.

Some Democrats suspect there may be a connection between the pulling of the bill and the recent revelations of the NSA's collecting of citizens' phone records. Democratic committee members sent a letter to Chairman Joe Barton, asking if the bill was withdrawn so that the Intelligence Committee could add an exemption allowing phone records to be sought for intelligence gathering purposes. In a separate letter to Barton and Speaker Dennis Hastert, Rep.
Edward Markey wondered whether there was a plan to add an exemption "to clarify the legality of such a program because they are currently gathering such records today without clear authority." An Intelligence Committee spokesman told TIME that the bill was pulled because more time was needed to determine how it might impact national security issues.

Who Is Using the Information?

In its letter to the House committee, made public earlier this month, Advanced Research, Inc. (ARI), the operator of ADVSearch.com, said the company has "done work for municipalities, banks, mortgage and insurance companies, private companies, foreign governments, law enforcement, even the FBI."

Michael Kortan, FBI spokesman, says it is possible the bureau has used companies like Advanced Research, but notes that these companies provide many services other than accessing phone records. "They offer a wide variety of compressing publicly available data that saves a lot of legwork and saves a lot of time," Kortan told TIME. While saying it did not sound plausible that the FBI has bought phone records from Advanced Research, Kortan said he hasn't looked into the matter closely. "We have very established ways of collecting information. The FBI can only collect and retain data available from commercial databases in strict compliance with applicable federal law."

Bruce Martin, vice president of Advanced Research, said he did not think the FBI had purchased services since 1999, when he joined the company, but he understood that information was sold to the bureau before then. "We do not sell telecommunications information any more," he said. Martin's firm, however, is being sued by the Illinois Attorney General for obtaining and selling phone records without the consumer's consent. With regard to these charges, Martin contends that ARI is simply a middleman: "We have certification from all our researchers that everything they do is legal and they don't tell me how they do it."

How Is the Data Used?
Most purchasers of cellphone records online tend to be those checking up on a spouse or trying to collect debts. Other users include lawyers, private investigators and the police. While the evidence is not admissible in court, knowing whom a suspect is talking to can prove useful in solving crimes and inducing confessions. "Just because evidence is not used at trial doesn't mean it has no effect on the case or that there's no harm," says Sherwin Siy, staff counsel at the Electronic Privacy Information Center.

Texas-based PDJ Investigations, which runs several online information gathering sites, along with another data broker who wished to remain anonymous, told TIME that they willingly give information to the police, often for free, if it is requested. Many websites in fact advertise helping law enforcement. Patrick Baird, vice president of PDJ investigations, says that in its six years the company has supplied information for between 200 and 300 law enforcement cases. He said the FBI and the Department of Homeland Security were among the company's past clients. But Baird said most of the time these agencies (and most of PDJ's other customers) ask simply for the name and address attached to a specific phone number, not for complete call records.

Yet Douglas, the former researcher for the Congressional committee, points out that even that information most likely is obtained through pretexting. The anonymous data broker confirmed for TIME that pretexting is the most common way to get name and address information for phone numbers.

Jarrod Agen, a spokesman for the Department of Homeland Security, said the agency has "no records of contracts" with PDJ. Though the agency does work with "some contractors that do buy information," he added, it is "not private data. We don't go out and buy private information."

What Is Legal?

The shady business of pretexting to get personal information has been thriving for years. But online sellers are relatively new.
Typically, these brokers claim they can obtain anyone's phone records for around $100. There have been few lawsuits, mostly because the majority of victims never learn that their phone records were accessed. "States and governments use the information all the time, so it's possible to do it legally," says Martin of ARI. "Absent a law it seems unfair to go after someone when they just decided it was illegal." But the Federal Trade Commission and cellphone companies claim impersonation like this is fraud, violating federal and local statutes.

Civil liberties lawyers argue that regardless of the technical legality, it's an ethically questionable practice for police to use fraudulently obtained information in their investigations. "As a policy matter there are set procedures [police] should use instead of side-stepping them for convenience sake," says Siy from the Electronic Privacy Information Center.

Under the Telecommunications Act of 1996, phone records are customers' private property and phone companies can disclose them only with the consent of the subscriber or with a subpoena from law enforcement. The act applies only to telecom companies, however, saying nothing about third parties selling records. "I can give a pass to the average American being confused as to the legality of [buying phone records]," says Douglas. "But Law Enforcement 101 is the need to get a subpoena or warrant to obtain the private records of Americans."

What You Can Do

To protect your own phone records, the most secure way is to call your cellphone carrier and ask to have call details removed from your bill. The drawback is that if you have a discrepancy over minutes used, it will be more difficult to dispute, since there will be no record of your individual calls. Another way to protect your account is with a password that only you know and doesn't contain biographical information.
You should also avoid giving out your cellphone number, Social Security number and other personal data online, when at all possible. And don't throw phone bills in the trash without shredding them first.

With Reporting by Brian Bennett/Washington

Copyright © 2006 Time Inc. All rights reserved. Reproduction in whole or in part without permission is prohibited.

From rforno at infowarrior.org Thu May 25 22:49:04 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 25 May 2006 22:49:04 -0400
Subject: [Infowarrior] - Treasury to Refund $13 Billion Collected on Long-Distance
Message-ID:

'Antique' Phone Tax Dropped
Treasury to Refund $13 Billion Collected on Long-Distance
http://www.washingtonpost.com/wp-dyn/content/article/2006/05/25/AR2006052500720_pf.html

By Albert B. Crenshaw
Washington Post Staff Writer
Friday, May 26, 2006; D02

The Treasury Department, conceding that it has no right to continue collecting a 108-year-old tax on long-distance telephone calls, announced yesterday that it will drop its legal battle for the tax and instead refund some $13 billion to callers who have paid the tax in the past three years.

The 3 percent tax, enacted in 1898 to help pay for the Spanish-American War and revised in 1965, has been declared illegal by five federal courts of appeal during the past year as the result of challenges brought by companies forced to pay it. Long-distance carriers have been required to bill customers for the tax and remit it to the government.

Treasury Secretary John W. Snow yesterday called it "an outdated, antiquated tax that has survived a century beyond its original purpose, and by now should have been ancient history." The tax, which was originally considered a luxury tax because only wealthy people had telephones at the time, will go out of existence on July 31.

"It's a great day for consumers," said Gene Kimmelman, director of the Washington office of Consumers Union. "The last residue of the Spanish-American War is finally complete."
The Treasury Department had no figures on how much of a refund an individual might expect, but Kimmelman said, "People with the biggest phone bills will be the biggest winners." Those are principally businesses and high-income consumers who tend to make heavier use of phone services than do lower-income individuals, he said. However, he cautioned that many, perhaps most, households will see only a modest refund -- possibly $10 or so. Over the past several years, traditional long-distance usage has fallen as cellphones and the Internet have gained popularity.

Snow said the taxpayers will be able to claim three years' worth of the telephone tax, the legal limit on claiming tax overpayments, on their 2006 tax returns. The Internal Revenue Service, he said, is working on a simplified method by which taxpayers can claim their refunds. It is expected that, as with sales-tax deductions, taxpayers will be allowed to claim either a standard amount or an exact amount based on their phone bills. Individuals who are not required to file tax returns will be offered a special form for the rebate.

"It was an antiquated tax that made no sense whatever," Kimmelman added. With advances in telephone technology, cellphones and the Internet, he said, it has become increasingly difficult to determine which party in a call the tax should be assigned to. "You can't track it," he said. "That made the levy unsustainable."

The $13 billion in rebates will cost the government more than the estimated $10 billion that would have been handed out under Senate Majority Leader Bill Frist's (R-Tenn.) short-lived proposal to give taxpayers $100 apiece to offset high gasoline prices.

Snow noted that a similar levy on local calling remains in effect, and he called upon Congress "to terminate the remainder of this antique tax by repealing the excise tax on local service as well."
From rforno at infowarrior.org Fri May 26 18:35:58 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 26 May 2006 18:35:58 -0400
Subject: [Infowarrior] - AT&T leaks sensitive info in NSA suit
Message-ID:

AT&T leaks sensitive info in NSA suit
By Declan McCullagh
http://news.com.com/AT38T+leaks+sensitive+info+in+NSA+suit/2100-1028_3-6077353.html
Story last modified Fri May 26 11:56:32 PDT 2006

Lawyers for AT&T accidentally released sensitive information while defending a lawsuit that accuses the company of facilitating a government wiretapping program, CNET News.com has learned.

AT&T's attorneys this week filed a 25-page legal brief striped with thick black lines that were intended to obscure portions of three pages and render them unreadable. But the obscured text nevertheless can be copied and pasted inside some PDF readers, including Preview under Apple Computer's OS X and the xpdf utility used with X11.

The deleted portions of the legal brief seek to offer benign reasons why AT&T would allegedly have a secret room at its downtown San Francisco switching center that would be designed to monitor Internet and telephone traffic. The Electronic Frontier Foundation, which filed the class-action lawsuit in January, alleges that the room is used by an unlawful National Security Agency surveillance program.

"AT&T notes that the facts recited by plaintiffs are entirely consistent with any number of legitimate Internet monitoring systems, such as those used to detect viruses and stop hackers," the redacted pages say. Another section says: "Although the plaintiffs ominously refer to the equipment as the 'Surveillance Configuration,' the same physical equipment could be utilized exclusively for other surveillance in full compliance with" the Foreign Intelligence Surveillance Act.

The redacted portions of AT&T's court filing are not classified, and no information relating to actual operations of an NSA surveillance program was disclosed.
Also, AT&T's attorneys at the law firms of Pillsbury Winthrop Shaw Pittman and Sidley Austin were careful not to explicitly acknowledge that such a secret room actually exists. A representative for AT&T was not immediately available to comment.

Although EFF's lawsuit was filed before allegations about the room surfaced, reports of its existence have become central to the nonprofit group's attempts to prove AT&T opened its network to the NSA. A former AT&T employee, Mark Klein, has released documents alleging the company spliced its fiber optic cables and ran a duplicate set of cables to Room 641A at its 611 Folsom Street building.

This is hardly the first time that PDF files have leaked embarrassing or sensitive information. In an ironic twist, the NSA published a 13-page paper in January describing how redactions could be done securely. A similar problem has arisen with metadata associated with Microsoft Office files. In March 2004, a gaffe by the SCO Group revealed which companies it had considered targeting in its legal campaign against Linux users. Microsoft Office 2003/XP even offers a way to "permanently remove hidden data and collaboration data" from Word, Excel and PowerPoint files.

Documents that EFF filed, including a redacted version of a sworn statement by Klein released this week, were properly redacted. Instead of including the underlying text and layering a black rectangle on top, the San Francisco-based civil liberties group saved those pages as image files.

Copyright © 1995-2006 CNET Networks, Inc. All rights reserved.
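The failure mode in the CNET story above (text left in the content stream with a black rectangle painted over it) can be checked for mechanically. What follows is an added example, not code from the article, from AT&T's lawyers or from EFF: it walks a simplified, uncompressed PDF content stream in paint order, flags text whose origin a black filled box later covers, and strips those text objects so the glyphs are gone rather than merely hidden. Assumptions: no cm/q/Q transforms, only the g, re f, Td and Tj operators, and a constructed sample stream.

```python
"""Check a PDF content stream for overlay-style 'redactions'.

Added example, not code from the article, AT&T's lawyers or EFF. It
assumes an uncompressed, simplified content stream: no cm/q/Q transforms,
nonstroking gray set with 'g', boxes drawn with 're f', text positioned
with 'Td' and shown with 'Tj' inside BT/ET. The sample stream below is
constructed for this example.
"""
import re
from dataclasses import dataclass

# Constructed sample: a sentence is drawn with Tj, then a black box is
# filled over it. Copy/paste in a viewer still yields the hidden glyphs
# because they remain in the stream; the box only paints on top.
SAMPLE_STREAM = b"""BT /F1 12 Tf 72 700 Td (Public paragraph, safe to read.) Tj ET
BT /F1 12 Tf 72 680 Td (CONSTRUCTED SENSITIVE LINE \\(do not ship\\)) Tj ET
0 g
70 676 300 16 re f
BT /F1 12 Tf 72 660 Td (Another public line, drawn after the box.) Tj ET
"""

# Stream-level operators, visited in paint order (later paint covers earlier).
TOKEN = re.compile(
    rb"(?P<gray>[\d.]+)\s+g\b"
    rb"|(?P<rx>-?[\d.]+)\s+(?P<ry>-?[\d.]+)\s+(?P<rw>[\d.]+)\s+(?P<rh>[\d.]+)\s+re\s+f\b"
    rb"|BT\b(?P<text>.*?)\bET\b",
    re.DOTALL,
)
# Operators inside a text object: line moves (Td) and string shows (Tj).
TEXT_OP = re.compile(
    rb"(?P<tx>-?[\d.]+)\s+(?P<ty>-?[\d.]+)\s+Td\b"
    rb"|\((?P<s>(?:\\.|[^\\)])*)\)\s*Tj\b",
    re.DOTALL,
)


@dataclass
class TextRun:
    x: float            # text origin in user space
    y: float
    text: str
    obj_span: tuple     # byte offsets of the enclosing BT..ET object


def _unescape(raw: bytes) -> str:
    """Resolve PDF string escapes such as \\( \\) \\\\."""
    return re.sub(rb"\\(.)", rb"\1", raw).decode("latin-1")


def parse(stream: bytes):
    """Return (runs, hidden): every text run in paint order, plus the indices
    of runs whose origin a black filled rectangle later painted over."""
    fill_gray = 0.0                    # PDF default nonstroking colour is black
    runs, hidden = [], set()
    for m in TOKEN.finditer(stream):
        if m.group("gray") is not None:
            fill_gray = float(m.group("gray").decode())
        elif m.group("rx") is not None:
            if fill_gray > 0.1:        # light fill: not an opaque box
                continue
            x, y, w, h = (float(m.group(k).decode()) for k in ("rx", "ry", "rw", "rh"))
            for i, r in enumerate(runs):   # only runs painted BEFORE the box
                if x <= r.x <= x + w and y <= r.y <= y + h:
                    hidden.add(i)
        else:
            x = y = 0.0                # BT resets the text matrix
            for op in TEXT_OP.finditer(m.group("text")):
                if op.group("tx") is not None:
                    x += float(op.group("tx").decode())
                    y += float(op.group("ty").decode())
                else:
                    runs.append(TextRun(x, y, _unescape(op.group("s")), m.span()))
    return runs, hidden


def recoverable_text(stream: bytes) -> list:
    """Strings a reader could still copy from under the black boxes."""
    runs, hidden = parse(stream)
    return [runs[i].text for i in sorted(hidden)]


def sanitize(stream: bytes) -> bytes:
    """Drop every text object that holds a covered run, so the box hides
    nothing. This is the content-stream analogue of EFF's approach of
    saving the page as an image: the glyphs are gone, not just covered."""
    runs, hidden = parse(stream)
    spans = sorted({runs[i].obj_span for i in hidden}, reverse=True)
    out = stream
    for start, end in spans:           # cut from the back so offsets stay valid
        out = out[:start] + out[end:]
    return out


if __name__ == "__main__":
    print("recoverable under black boxes:", recoverable_text(SAMPLE_STREAM))
    print("after sanitize:", recoverable_text(sanitize(SAMPLE_STREAM)))
```

Real filings are usually Flate-compressed and use cm/q/Q and font metrics, so a production check would decode the streams and test the whole glyph box, not just its origin.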
From rforno at infowarrior.org Fri May 26 18:39:26 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 26 May 2006 18:39:26 -0400
Subject: [Infowarrior] - Senate Confirms Hayden as CIA Director
Message-ID:

Senate Confirms Hayden as CIA Director
By William Branigin
Washington Post Staff Writer
Friday, May 26, 2006; 1:57 PM
http://www.washingtonpost.com/wp-dyn/content/article/2006/05/26/AR2006052600270_pf.html

The U.S. Senate today confirmed Gen. Michael V. Hayden as the new director of the CIA by a large bipartisan majority, sending a career intelligence professional to take over an agency roiled by internal turmoil and the departures of top managers.

The Senate voted 78-15 to confirm Hayden as President Bush's choice to replace Porter J. Goss, who announced May 5 that he was stepping down after 20 months on the job.

Hayden, 61, an Air Force general, headed the National Security Agency from 1999 to 2005 before being tapped to serve as the top deputy to the new director of national intelligence, John D. Negroponte. At the NSA, he presided over the launching of secret, warrantless eavesdropping and phone call-tracking programs that stirred intense controversy when they were disclosed in newspaper reports. Hayden and other Bush administration officials have defended the programs as vital for efforts to detect and defeat terrorist plots, but critics have charged that they violate Americans' civil liberties and fly in the face of U.S. law governing domestic monitoring of communications.

Hayden was questioned sharply about the programs at his confirmation hearing last week before the Senate Intelligence Committee. But he largely won over skeptical Democrats by demonstrating his strong qualifications and pledging to provide unvarnished, nonpartisan intelligence estimates to decision-makers. The committee voted 12-3 to recommend confirmation by the full Senate. The only "no" votes were cast by Democrats Ron Wyden of Oregon, Russell D.
Feingold of Wisconsin and Evan Bayh of Indiana.

Today, the lone Republican vote against Hayden came from Sen. Arlen Specter of Pennsylvania, the chairman of the Senate Judiciary Committee. He said he voted no "as a protest" after having clashed with the administration over the NSA surveillance program. Specter has introduced a bill that would require some judicial review of the monitoring.

Bush commended the Senate for confirming Hayden and cited the "bipartisan majority" supporting him. "Winning the war on terror requires that America have the best intelligence possible, and his strong leadership will ensure that we do," Bush said in a written statement. "General Hayden is a patriot and a dedicated public servant whose broad experience, dedication and expertise make him the right person to lead the CIA at this critical time. I look forward to working with Ambassador Negroponte, General Hayden and the other leaders of our intelligence community as we continue to address the challenges and threats we face in the 21st century."

Senate Majority Leader Bill Frist (R-Tenn.) said Hayden would "provide steady guidance" at a "critical time for the CIA." In a statement, he said, "With 20 years of experience in the intelligence community, [Hayden] is the right man for the job. He's committed to strengthening and reforming our intelligence community. He's made clear his interest in an open and honest relationship with Congress and his respect for our oversight role."

The Senate minority leader, Harry M. Reid (D-Nev.), also praised Hayden, even as he blasted the Bush administration's "incompetence," which he said has left the intelligence community in "disarray." Reid said in a lengthy statement that he hopes Hayden "will provide the CIA the kind of nonpartisan leadership it has sorely lacked for the past several years."
He said he also hopes the nomination "signifies that the Bush administration has recognized, finally, that professionals, not partisans, should be put in charge of national security." The comment was an indirect swipe at Goss, 67, who served as a Republican congressman from Florida for nearly 16 years before Bush nominated him as CIA director in 2004. Goss, who chaired the House Intelligence Committee for seven years until his nomination, came under criticism for installing aides at the CIA who were regarded as politically partisan.

Citing Hayden's "impeccable credentials" as an intelligence professional, Reid said in his statement that the general had convinced him that he "understands and respects the role of Congress in national security matters."

The Senate's top Democrat said Hayden faces three major challenges: ending the "politicization" of intelligence, being open to congressional oversight and "fixing our strategy" in the war on terrorism.

"After more than four years of the war on terror, Osama bin Laden remains at large and al-Qaeda and other radical fundamentalist terrorist organizations pose a grave threat to our security," Reid said. "Terrorist attacks have increased, not decreased, on this administration's watch."

Referring to Iran and North Korea, Reid said that "two of the three so-called Axes of Evil are more dangerous today than they were when President Bush first uttered that memorable phrase." He added that the third, Iraq, "is on the verge of becoming what it was not before the war -- a haven and launching pad for international terrorists. And America's standing in the world has reached record lows in critical regions of the world."

Saying it was a "travesty" that bin Laden is still on the loose nearly five years after the Sept.
11, 2001, attacks, Reid called on Hayden to redouble efforts to go after top terrorist targets and build a "global human intelligence capability" that will help the United States "win the battle of ideas going on within the Islamic world."

© 2006 The Washington Post Company

From rforno at infowarrior.org Fri May 26 19:01:39 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 26 May 2006 19:01:39 -0400
Subject: [Infowarrior] - Judge Orders Review of US-VISIT Virus Papers
Message-ID:

Friday, 26 May 2006
Judge Orders Review of US-VISIT Virus Papers
http://blog.wired.com/27BStroke6/index.blog?entry_id=1489286

I was in federal court this morning, where Judge Susan Illston gave Wired News a partial victory in our ongoing Freedom of Information Act litigation against the DHS's bureau of Customs and Border Protection (CBP).

Faithful readers will recall that we're suing CBP for refusing to respond to our FOIA request for information on an August computer failure that crippled the US-VISIT system -- a nationwide network of Windows-based PCs used to perform national security screening on incoming visitors to the US. DHS has offered the public two conflicting explanations for the failure: first, that it was the result of a computer virus infiltrating a single server in Virginia; second, that it was a random computer glitch with no security implications.

When I issued a FOIA request for documents about the incident, CBP didn't respond for several months. After some prodding and a resend, the agency finally issued a blanket denial of the request. When they ignored an administrative appeal, we sued, and the government turned over six heavily-redacted pages, while withholding another 666.

The six pages showed that, contrary to agency denials, the "Zotob" computer virus infected US-VISIT workstations at airports around the country, after CBP deliberately held off on installing a security patch against a known Windows 2000 vulnerability.
(Here's me in a radio interview on the story).

As for the other 666 pages, the government claimed that they were exempt from disclosure in their entirety, or so packed with exempt material that producing redacted versions would be pointless. Today, Judge Illston ordered an in camera review of those documents -- meaning she's going to go through them herself in chambers. We'd asked for such a review, so this is good news.

That said, the judge expressed skepticism over our claim that scope of CBP's document search was inadequate (among other things, the government didn't search for e-mail between CBP and other agencies, such as the DHS office that oversees US-VISIT.)

But she reserved her strongest incredulity for the government's tall tale about why my request wasn't processed the first time around. In a sworn affidavit, DHS attorney Sharon Suzuki claimed that the organization was the victim of an inter-agency mail snafu. The FOIA office received my letter and forwarded it to the IT department, and somehow it was lost in the mail.

My lawyer diplomatically pointed out that this scenario "does not accord with other facts." Specifically, on September 23rd agency spokeswoman Erlinda Byrd phoned me to ask that I voluntarily withdraw the request, because CBP believed all the material I was asking for was exempt. (I declined.) That phone call came over two weeks after my letter was, according to Suzuki, lost in the mail on September 8th.

Judge Illston seemed curious about that. "By the way," she asked the government attorney, "who was it that phoned up and said, 'Why don't you just drop this request,' and why did they do that?"

The government had an answer. When the request was mailed, it was accidentally misrouted to the Department of Public Affairs (DPA), where Ms. Byrd opened it and mistook it for a general media inquiry.
Mind you, this is a letter that begins, "Dear FOIA/Privacy Act Officer," below a bold, page-centered, underlined heading reading "RE: Freedom of Information Act Request."

"You don't think that a person in DPA would immediately recognize that as a FOIA request, since it calls itself that?," Judge Illston followed up, wearing the patient half-smile of a parent who's caught their toddler in a silly little lie about ice cream or a missing cookie or something.

The most likely scenario went unstated. The IT folks, reluctant to produce documents that illustrated their Zotob gaffe, forwarded my request to the spokeswoman and asked her to get me to withdraw it. When I refused, CBP simply discarded the request anyway, breaking the law.

The government's handling of this is in some ways orthogonal to the central issue: what it's obliged to tell the public, and what it can reasonably withhold. But it sheds some light on how the mechanisms of bureaucracy can be wielded to frustrate legitimate inquiry.

From rforno at infowarrior.org Fri May 26 19:05:03 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 26 May 2006 19:05:03 -0400
Subject: [Infowarrior] - Oracle CSO: Pot, Kettle, Black
Message-ID:

(this, coming from a company with a reportedly-horrendous track record at issuing patches in a timely manner -- and for releasing some patches that don't even work......rf)

Oracle exec hits out at 'patch' mentality
By Jonathan Bennett
http://news.com.com/Oracle+exec+hits+out+at+patch+mentality/2100-7355_3-6077349.html
Story last modified Fri May 26 11:18:08 PDT 2006

Oracle's security chief says the software industry is so riddled with buggy product makers that "you wouldn't get on a plane built by software developers."

Chief Security Officer Mary Ann Davidson has hit out at an industry in which "most software people are not trained to think in terms of safety, security and reliability."
Instead, they are wedded to a culture of "patch, patch, patch," at a cost to businesses of $59 billion, she said. "What if civil engineers built bridges the way developers write code?" she asked. "What would happen is that you would get the blue bridge of death appearing on your highway in the morning."

Speaking at the WWW2006 conference in Edinburgh, Scotland, on Thursday, Davidson also touched on the wider subject of the state of the software and security industries. The pressure to deal with the problem of unreliable and insecure software is building, and the industry has reached a "tipping point," she said. It is now "chief executives who are complaining that what they are getting from their vendor is not acceptable, in terms of software assurance," Davidson said.

Things are so bad in the software business that it has become "a national security issue," with regulation of the industry currently on the agenda, she said. "I did an informal poll recently of chief security officers on the CSO Council, and a lot of them said they really thought the industry should be regulated," she said, referring to the security think tank.

But if regulation is coming, the industry has only itself to blame, she said. "Industries don't want to be regulated, but if you don't want to be regulated, the burden is on you to do a better job."

Davidson also hit out at the "hacking mentality," and the incidence of exploits that could cause "a million dollars worth of damage...passed around freely at conferences." She said there was a major difference between people working in the software business and engineers who "are trained to think in terms of safety, security and reliability first."

She claimed that the British are particularly good at hacking as they have "the perfect temperament to be hackers--technically skilled, slightly disrespectful of authority, and just a touch of criminal behavior."

Colin Barker and Jonathan Bennett of UK.Builder.com reported from London.
From rforno at infowarrior.org Sat May 27 02:18:06 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 27 May 2006 02:18:06 -0400
Subject: [Infowarrior] - Gonzales pressures ISPs on data retention
Message-ID:

CNET News.com
http://www.news.com/

Gonzales pressures ISPs on data retention
By Declan McCullagh
http://news.com.com/Gonzales+pressures+ISPs+on+data+retention/2100-1028_3-6077654.html
Story last modified Fri May 26 18:15:43 PDT 2006

U.S. Attorney General Alberto Gonzales and FBI Director Robert Mueller on Friday urged telecommunications officials to record their customers' Internet activities, CNET News.com has learned.

In a private meeting with industry representatives, Gonzales, Mueller and other senior members of the Justice Department said Internet service providers should retain subscriber information and network data for two years, according to two sources familiar with the discussion who spoke on condition of anonymity.

The closed-door meeting at the Justice Department, which Gonzales had requested, according to the sources, comes as the idea of legally mandated data retention has become popular on Capitol Hill and inside the Bush administration. Supporters of the idea say it will help prosecutions of child pornography because in many cases, logs are deleted during the routine course of business.

In a speech last month at the National Center for Missing and Exploited Children, Gonzales said that Internet providers must retain records for a "reasonable amount of time."

"I will reach out personally to the CEOs of the leading service providers and to other industry leaders," Gonzales said. "Record retention by Internet service providers consistent with the legitimate privacy rights of Americans is an issue that must be addressed."
Until Gonzales' speech, the Bush administration had generally opposed laws requiring data retention, saying it had "serious reservations" about them. But after the European Parliament last December approved such a requirement for Internet, telephone and voice over Internet Protocol providers, top administration officials began talking about the practice more favorably.

During Friday's meeting, Justice Department officials passed around pixellated (that is, slightly obscured) photographs of child pornography to emphasize the lurid nature of the crimes police are trying to prevent, according to one source.

A Justice Department spokesman familiar with the administration's stand on data retention was in meetings on Friday and unavailable for comment, a department representative said.

Privacy advocates have been alarmed by the idea of legally mandated data retention, saying that, while child exploitation may be the justification today, those records would be available in all kinds of criminal and civil suits--including terrorism, tax evasion, drug, and even divorce cases.

It was not immediately clear what Gonzales and Mueller meant by suggesting that network data be retained. One possibility is requiring Internet providers to record the Internet addresses their customers are temporarily assigned. A more extensive mandate would require companies to keep track of e-mail messages sent, Web pages visited and perhaps even instant-messaging correspondents.

'Preservation' vs. 'retention'

Two proposals to mandate data retention have surfaced in the U.S. Congress. One, backed by Rep. Diana DeGette, a Colorado Democrat, says that any Internet service that "enables users to access content" must permanently retain records that would permit police to identify each user. The records could only be discarded at least one year after the user's account was closed.

The other was drafted by aides to Wisconsin Rep. F.
James Sensenbrenner, the chairman of the House Judiciary Committee, a close ally of President Bush. Sensenbrenner said through a spokesman last week, though, that his proposal is on hold because "our committee's agenda is tremendously overcrowded already."

At the moment, Internet service providers typically discard any log file that's no longer required for business reasons such as network monitoring, fraud prevention or billing disputes. Companies do, however, alter that general rule when contacted by police performing an investigation--a practice called data preservation.

A 1996 federal law called the Electronic Communication Transactional Records Act regulates data preservation. It requires Internet providers to retain any "record" in their possession for 90 days "upon the request of a governmental entity."

Because Internet addresses remain a relatively scarce commodity, ISPs tend to allocate them to customers from a pool based on whether a computer is in use at the time. (Two standard techniques used are the Dynamic Host Configuration Protocol and Point-to-Point Protocol over Ethernet.)

In addition, Internet providers are required by another federal law to report child pornography sightings to the National Center for Missing and Exploited Children, which is in turn charged with forwarding that report to the appropriate police agency.

When adopting its data retention rules, the European Parliament approved U.K.-backed requirements, saying that communications providers in its 25 member countries--several of which had enacted their own data retention laws already--must retain customer data for a minimum of six months and a maximum of two years.

The Europe-wide requirement applies to a wide variety of "traffic" and "location" data, including the identities of the customers' correspondents; the date, time and duration of phone calls, voice over Internet Protocol calls or e-mail messages; and the location of the device used for the communications.
But the "content" of the communications is not supposed to be retained. The rules are expected to take effect in 2008.

From rforno at infowarrior.org Mon May 29 17:08:13 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 29 May 2006 17:08:13 -0400
Subject: [Infowarrior] - Music Phones Want to Be Free
Message-ID:

Music Phones Want to Be Free
By Eliot Van Buskirk
02:00 AM May, 29, 2006
http://www.wired.com/news/columns/1,71000-0.html

For years, people have been speculating about the two possible futures of portable devices. Are they going to continue to be somewhat specialized, or will we end up with one device that does everything?

From the music fan's perspective, the core dilemma is a practical one: whether to replace iPods with cell phones that can play music. Although conventional industry wisdom is that the switch to music cell phones is all but inevitable, I took the opposite position in a recent blog post, predicting that I'd never make the switch. I cited capacity, interface and battery problems, as well as the issue of control over one's own media.

Some of the people who responded agreed with me. Chuck, for instance, wrote, "I carry my iPod everywhere, anyway. As an owner of a completely full 60-GB (player), a cell phone would never be up to par."

But I took a beating from respondents who are already happily listening to side-loaded MP3s on their phones. Cloksin wrote, "I highly disagree with you. I have a Samsung A950 phone with built-in MP3 player. The interface is simple, a Play/Pause, Stop, FF and Rew buttons are on the face of the phone when closed. Just hold down the Play button and the screen on the outside shows all my songs, I don't even have to open the phone. An iPod-like dial lets me navigate through my music with ease."

Not everyone was so genial. D wrote, "This is the most backward article I have ever read! You are totally misled in your perceptions of music on a cell phone."
After reading these comments, the music cell phone question was very much on my mind as I attended the Streaming Media East conference the following day. Panelists on the "future of wireless devices" panel made it clear that cell phones will need to be easy to use in order to gain traction in the portable music market. Troy Ruhanen, executive vice president of BBDO North America, told me, "Anything in this space has to be dead easy. I mean, look at the iPod."

That's good advice. But the industry shows few signs of heeding it.

Howard Homonoff, CEO of Homonoff Media, said that carriers are excited about music cell phones because they see a "dual-revenue system" on the horizon, in which they'll sell music and other content to customers, as well as selling ads based on their customers' geographical location and consumption preferences. This dual-revenue system is crucial to cell carriers' success. According to Ruhanen, "It has to pay out, because the voice model will not pay out."

The first part of the equation is already working quite well. Ruhanen revealed that "Cingular already makes more money from music than iTunes does," and said that a significant number of subscribers pay $10 per month for six new ringtones.

However, the panel acknowledged that cell phone customers could revolt against the second phase. Carriers plan on ramping up cellular advertising slowly. "My concern is that the first phase could kill it," Ruhanen said. And later on, he said, "Ads later, subscriptions first." As for privacy concerns associated with geographic and music-customized targeting, "This is a generation that publishes itself on MySpace," Ruhanen quipped, eliciting a chuckle from attendees.

A large percentage of Americans have expressed interest in listening to music on their phones. According to a LetsTalk study conducted late last year, 47 percent of Americans want music cell phones and, interestingly, "women were more interested in new functionality ...
18- (to) 34-year-old women were off the charts ... 76 percent wanted a music player."

So, demand for music phones is strong, and consumers and carriers/manufacturers want cell phones to be as simple to use as an iPod. Will carriers, seemingly hellbent on adding advertisements and targeted promotions, be able to offer a simple, uncomplicated listening experience? Worse still, will they eventually eliminate MP3 support to get customers to buy their protected content? After all, MP3s are not part of the dual-revenue system they're counting on.

It seems clear that carriers for now will see music cell phones as a failure if people end up using them like iPods. But that's exactly the experience they'll have to offer if they want music fans to make the switch. It's a contradictory situation. But if they're smart, they'll keep the lesson of the iPod's simplicity in mind, even at the expense of ad- and music-sales revenue in the short term. If they miss a trick, Apple Computer's rumored to be waiting in the wings with its iPhone, and probably wouldn't mind repeating the lesson.

- - -

Eliot Van Buskirk, who also contributes to the Listening Post blog, has covered digital music since 1998, after seeing the world's first MP3 player sitting on a colleague's desk. He plays bass and rides a bicycle.

From rforno at infowarrior.org Tue May 30 16:03:49 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 30 May 2006 16:03:49 -0400
Subject: [Infowarrior] - How Secure Is Your Flight?
Message-ID:

How Secure Is Your Flight?
Challenges to air travel security named by the Government Accounting Office in a new study have caused the Transportation Security Administration to rethink implementation of the Secure Flight Program.
By: Sandy Smith

Following the events of Sept. 11, 2001, Congress created the Transportation Security Administration (TSA) and directed it to assume the function of passenger prescreening - the matching of passenger information against terrorist watch lists to identify passengers who should undergo additional security scrutiny - for domestic flights. Such screenings currently are conducted by air carriers, which compare passenger names against government-supplied terrorist watch lists and apply the Computer-Assisted Passenger Prescreening System rules, known as CAPPS rules.

For the past four years, TSA has been working to develop the Secure Flight program. As currently envisioned, under Secure Flight, when a passenger makes flight arrangements, the organization accepting the reservation, such as the air carrier's reservation office or a travel agent, will enter passenger name record (PNR) information - obtained from the passenger - into the air carrier's reservation system. While the government will ask for only portions of the PNR, the PNR data can include the passenger's name, phone number, number of bags, seat number and form of payment, among other information.

Approximately 72 hours prior to the flight, portions of the passenger data contained in the PNR will be sent to Secure Flight through a network connection provided by the Department of Homeland Security's Customs and Border Patrol Security (CBP). Reservations or changes to reservations that are made less than 72 hours prior to flight time will be sent immediately to TSA through CBP.

Upon receipt of passenger data, TSA plans to process the passenger data through the Secure Flight process. During this process, Secure Flight will determine if the passenger data match the data extracted daily from the Terrorist Screening Center's (TSC) Terrorist Screening Database (TSDB), which is the information consolidated by TSC from terrorist watch lists to provide government screeners with a unified set of terrorist-related information. Currently, that database contains approximately 200,000 names. In addition, TSA will screen against its own watch list composed of individuals who do not have a nexus to terrorism but who may pose a threat to aviation security.

When a passenger checks in for the flight at the airport, he or she will receive a level of screening based on his or her designated category. A cleared passenger will be provided a boarding pass and allowed to proceed to the screening checkpoint in the normal manner. Passengers who are not cleared will receive additional security scrutiny at the screening checkpoint. A no-fly passenger will not be issued a boarding pass. Instead, appropriate law enforcement agencies will be notified. Law enforcement officials will determine whether the individual will be allowed to proceed through the screening checkpoint or if other actions are warranted, such as additional questioning of the passenger or taking the passenger into custody.

It all sounds good on paper, but the plan is headed back to the drawing board after repeated delays and a price tag of some $130 million and counting. TSA Director Edmund "Kip" Hawley admitted to the Senate Committee on Commerce, Science and Transportation on Feb. 9, "Despite sincere and dedicated efforts by TSA, there has been an undercurrent of concern from outside stake-holders, really from the beginning. Over the past four years, many concerns have been raised and addressed but Secure Flight continues to be a source of frustration."

Hawley said the plan was to "re-baseline the program and insure that we use technology development best-practices in management, security and operations. While the Secure Flight regulation is being developed, this is the time to ensure that Secure Flight's security, operational and privacy foundation is solid." He said TSA plans to move forward with the Secure Flight program as "expeditiously as possible," but added, "in view of our need to establish trust with all of our stakeholders on the security and privacy of our systems and data, my priority is to ensure that we do it right...not just that we do it quickly."

The decision to "rebaseline" the program came in part, no doubt, because of a scathing report from the Government Accountability Office (GAO), which must certify the program before it can take effect. GAO and others have concerns that the process being used to manage the program is not effective and doubts about whether passengers' rights to privacy will be protected and if the system's database can handle the amount of data it will be expected to store and analyze.

What GAO Said

In recent testimony to the Senate Committee on Commerce, Science and Transportation, Cathleen A. Berrick, director of Homeland Security and Justice Issues for GAO, offered an overview of TSA's progress and challenges in:

* Developing, managing and overseeing Secure Flight;
* Coordinating with key stakeholders critical to program operations;
* Addressing key factors that will impact system effectiveness; and
* Minimizing impacts on passenger privacy and protecting passenger rights.

"The purpose of Secure Flight," explained Berrick, "is to enable our government to protect the public and strengthen aviation security by identifying and scrutinizing individuals suspected of having ties to terrorism, or who may otherwise pose a threat to aviation, in order to prevent them from boarding commercial aircraft in the United States, if warranted, or by subjecting them to additional security scrutiny prior to boarding an aircraft. The program also aims to reduce the number of individuals unnecessarily selected for secondary screening while protecting passengers' privacy and civil liberties."

GAO found that while TSA has made some progress in developing and testing the Secure Flight Program, the agency has not followed "a disciplined life cycle approach" to manage systems development, nor has it fully defined system requirements, she said. Instead, TSA has thrown together the management system in a piecemeal fashion in an effort to develop the program quickly. In addition, GAO and stakeholders worried that TSA was proceeding to develop Secure Flight without a program management plan that contains a schedule for implementation and cost estimates. The entire process, said Berrick, resulted in project activities being conducted out of sequence, requirements not being fully defined and documentation containing contradictory information or omissions.

Further, while TSA has taken steps to implement an information security management program for protecting information and assets, its efforts are incomplete, according to Berrick. "Because Secure Flight's system development documentation does not fully address how passenger privacy protections are to be met, it is not possible to assess potential system impacts on individual privacy protections," said Berrick.

Privacy

The Privacy Act and the Fair Information Practices - a set of internationally recognized privacy principles that underlie the Privacy Act - limit the collection, use and disclosure of personal information by federal agencies. TSA officials have stated that they are committed to meeting the requirements of the Privacy Act and the Fair Information Practices. However, said Berrick, "it is not yet evident how this will be accomplished because TSA has not decided what passenger data elements it plans to collect, or how such data will be provided by stakeholders." At one point, TSA indicated it would collect such information as credit histories, which caused an outcry among a large number of consumer and civil rights groups.

From GAO's perspective, part of the problem is that TSA has not issued the systems of records notice, which is required by the Privacy Act, or the privacy impact assessment, which is required by the E-Government Act, which describe how TSA will protect passenger data once Secure Flight becomes operational. In addition, privacy requirements were not incorporated into the Secure Flight system development process in a manner that would explain whether personal information would be collected and maintained in the system in a manner that complies with privacy and security requirements.

The American Civil Liberties Union (ACLU) says that many of the privacy and civil liberties concerns identified in the Computer-Assisted Passenger Prescreening System (CAPPS II) remain with Secure Flight. "We are concerned that the government is moving ahead with building this system before ironing out the fundamental problems with the old watch list systems on which it would be based," says Barry Steinhardt, director of the ACLU's Technology and Liberty Program. "At best, 'Secure Flight' is a misnomer - it still does not protect innocent travelers' safety or privacy."

The Business Travel Coalition has joined with the ACLU to protest the Secure Flight program. "The same major problems that plagued CAPPS II remain with the 'Secure Flight' program," says Kevin Mitchell, chairman of the Business Travel Coalition. "It makes no sense whatsoever to subject travelers to a system that is already a proven failure."

In its review of Secure Flight's system requirements, GAO found that privacy concerns were broadly defined in functional requirements documentation, which states that the Privacy Act must be considered in developing the system, but those broad functional requirements have not been translated into specific system requirements. "Until TSA finalizes these requirements and notices, privacy protections and impacts cannot be assessed," said Berrick.

TSA also is determining how it will meet a Congressional mandate that the Secure Flight program include a process whereby aviation passengers determined to pose a threat to aviation security may appeal that determination and correct erroneous information contained within the prescreening system. According to TSA officials, no final decisions have been made regarding how TSA will address the challenges of passenger appeals and of correcting misinformation stored in the system.

Data Accuracy

Perhaps as important, if not more so, than privacy is the accuracy of the data in the system. In a review of the TSC's role in Secure Flight, the Department of Justice Office of Inspector General found that TSC could not ensure that the information contained in its databases was complete or accurate. According to a TSC official, TSA and TSC plan to enter into a letter of agreement that will describe the data elements from the terrorist-screening database, among other things, to be used for Secure Flight. To address accuracy, TSA and TSC plan to work together to identify false positives - passengers inappropriately matched against data contained in the terrorist-screening database - by using intelligence analysts to monitor the accuracy of data matches.

"An additional factor that could impact the effectiveness of Secure Flight in identifying known or suspected terrorists," Berrick noted, "is the system's inability to identify passengers who assume the identity of another individual by committing identity theft, or who use false identifying information."

Just how much data it will be required to screen is a concern for TSA, and, in fact, all key program stakeholders also stated that additional information is needed before they can finalize their plans to support Secure Flight operations. "A TSC official stated, for example, that until TSA provides estimates of the volume of potential name matches that TSC will be required to screen, TSC cannot make decisions about required resources," said Berrick. "Also, ongoing coordination of prescreening and name-matching initiatives with CBP and TSC can impact how Secure Flight is implemented."

Several activities that have an impact on Secure Flight's effectiveness are still in process, or have not yet been decided, according to GAO. For example, TSA conducted name-matching tests, which compared passenger and terrorist screening database data, to evaluate the ability of the system to function. However, TSA has not yet made key policy decisions that could significantly impact program operations, including what passenger data it will require air carriers to provide and the name-matching technologies it will use.

TSA has taken steps to collaborate with Secure Flight stakeholders whose participation is essential to ensuring that passenger and terrorist watch list data are collected and transmitted to support Secure Flight. TSA is in the early stages of coordinating with Customs and Border Patrol Security and the Terrorist Screening Center on broader issues of integration and interoperability related to other people-screening programs used by the government to combat terrorism. In addition, TSA has conducted preliminary network connectivity testing between TSA and federal stakeholders to determine, for example, how information will be transmitted from CBP to TSA and back. "However," said Berrick, "these tests used only dummy data and were conducted in a controlled environment, rather than in a real-world operational environment." According to CBP, without real data, it is not possible to conduct stress testing to determine if the system can handle the volume of data traffic that will be required by Secure Flight. TSA acknowledged it has not determined what the real data volume requirements will be, and cannot do so until the regulation for air carriers has been issued and their data management role has been finalized.

In her testimony, Berrick commented that additional information and testing are needed to enable stakeholders to provide the necessary support for the program. "TSA has, for example, drafted policy and technical guidance to help inform air carriers of their Secure Flight responsibilities, and has begun receiving feedback from the air carriers on this information," she said. However, key program stakeholders - including the CBP, the Terrorist Screening Center (TSC) and air carriers - stated that they need more definitive information about system requirements - and the cost of the program - from TSA to plan for their support of the program.

What's the Cost?

Many stakeholders voiced concern that TSA has not yet established cost estimates for developing and deploying either an initial or a full operating capability for Secure Flight, and it has not developed a life cycle cost estimate (estimated costs over the expected life of a program, including direct and indirect costs and costs of operation and maintenance). TSA also has not updated its expenditure plan - plans that generally identify near-term program expenditures - to reflect the cost impact of program delays, estimated costs associated with obtaining system connectivity with CBP or estimated costs expected to be borne by air carriers. In her testimony, Berrick noted:

* Program and life cycle cost estimates are critical components of sound program management for the development of any major investment.
* Developing cost estimates is also required by OMB guidance and can be important in making realistic decisions about developing a system.
* Expenditure plans are designed to provide lawmakers and other officials overseeing a program's development with a sufficient understanding of the system acquisition to permit effective oversight, and to allow for informed decision-making about the use of appropriated funds.

"In our March 2005 report, we recommended that TSA develop reliable life cycle cost estimates and expenditure plans for the Secure Flight program, in accordance with guidance issued by OMB, in order to provide program managers and oversight officials with the information needed to make informed decisions about program development and resource allocations," Berrick pointed out. "Although TSA agreed with our recommendation, it has not yet provided this information."

TSA officials told GAO that developing program and life cycle cost estimates for Secure Flight is challenging because no similar programs exist from which to base cost estimates and because of the uncertainties surrounding Secure Flight requirements. They contended that cost estimates cannot be accurately developed until after system testing is completed and policy decisions have been made regarding Secure Flight requirements and operations. TSA officials did acknowledge they currently are assessing program and life cycle costs as part of establishing a new baseline and that this new baseline will reflect updated cost, funding, scheduling and other aspects of the program's development.

"While we recognize that program unknowns introduce uncertainty into the program-planning process, including estimating tasks, time frames and costs, uncertainty is a practical reality in planning all programs and is not a reason for not developing plans, including cost and schedule estimates, that reflect known and unknown aspects of the program," Berrick insisted. "Program management plans and related schedules and cost estimates - based on well-defined requirements - are important in making realistic decisions about a system's development, and can alert an agency to growing schedule or cost problems and the need for mitigating actions. Moreover, best practices and related federal guidance emphasize the need to ensure that programs and projects are implemented at acceptable costs and within reasonable and expected time frames."

To review the full GAO report on Secure Flight, visit http://www.gao.gov/cgi-bin/getrpt?GAO-06-374T .

From rforno at infowarrior.org Tue May 30 16:05:01 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 30 May 2006 16:05:01 -0400
Subject: [Infowarrior] - Court outlaws EU-U.S. passenger data transfer
Message-ID:

Court outlaws EU-U.S. passenger data transfer
By Lars Pasveer
http://news.com.com/Court+outlaws+EU-U.S.+passenger+data+transfer/2100-1029_3-6077893.html
Story last modified Tue May 30 11:41:16 PDT 2006

A 2004 deal between the European Union and the United States that would allow transfers of passenger data records has been deemed illegal by the European Court of Justice in Luxemburg. The judgement follows six pleas by the European Parliament around the exchange of the data, called Passenger Name Records (PNR).

The deal was struck two years ago between the European Commission and the United States government despite opposition by the European Parliament. Airlines were forced to release data originally deemed private under European law, or face revocation of landing rights within the United States.

The Luxembourg court has now ruled that the deal goes against European Community law, and has concluded it should therefore be annulled, with exchange of PNR data to cease as of Sept. 30. In the meantime, airlines claim to have invested millions of dollars to make their computer systems suitable for the required transfers.
The so-called "no-fly lists" compiled with such data--complemented by credit card records--have in recent years forced some flights to return to Europe or divert to Canada.

Of the six pleas, the court only reviewed the first, looking mainly at the technical legal grounds on which the European Commission entered into the agreement. This will disappoint many members of the European Parliament, who had hoped the courts would base the verdict on privacy issues. Now that the agreement has been annulled, the court said other issues are irrelevant. "It is not necessary to consider the other limbs of the first plea or the other pleas relied upon by the Parliament," the court said.

Lars Pasveer of ZDNet Netherlands reported from the Hague.

From rforno at infowarrior.org Tue May 30 19:43:46 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 30 May 2006 19:43:46 -0400
Subject: [Infowarrior] - Wrestling with Windows' hidden "features"
Message-ID:

Wrestling with Windows' hidden "features"
Windows-IE desktop integration issues may not be huge security risks, but they're still a bit scary
http://ww6.infoworld.com/products/print_friendly.jsp?link=/article/06/05/19/78413_21OPsecadvise_1.html
By Roger A. Grimes
May 19, 2006

One of the reasons Microsoft Windows frustrates so many people is its list of unexpected desktop integration issues that can lead to security issues. Is it a feature or a security bug?

When I was teaching in Brazil last week, Jose Antunes, a student of mine, showed me a Windows trick he discovered accidentally. It may be something that was discovered and reported years ago, but it was new to me --- and my "Where Windows Malware Hides" document didn't discuss it.

The trick is that Internet Explorer 6 and 7 beta can be fooled into running Windows desktop shortcuts instead of going to the Internet. For example, right-click your desktop and choose Create a Shortcut. Tell the shortcut to run Notepad.exe, but name the shortcut "www.aol.com."
Now type www.aol.com into IE (Internet Explorer) and see what happens. Instead of going to www.aol.com, IE starts Windows notepad. Huh?

On its face, this appears to be a simple desktop shortcut that can bypass DNS resolution, but there are many ways this trick could be used maliciously after another vulnerability is used to exploit a system. Over the years, I and many others have documented similar behavior between IE and the Windows desktop (Desktop.ini files and execution path issues, for instance): Type "c:\" in IE and it will magically change to Windows Explorer instead.

After discussing this issue with some other Microsoft MVPs, we agreed that although this behavior is unexpected to most of us, it probably was enabled by Microsoft as some sort of alias shortcut. For example, make a desktop shortcut called "g" and point it to www.google.com; then you can type "g" into IE and get to Google, and so on.

Ken Schaefer recognized that this shortcut trick only happens if you don't type in the http or https URI (Uniform Resource Identifier) protocol handler first. It appears that when the URI handler isn't typed in, IE begins to cycle through various searches and guesses before it eventually adds in http://. For instance, type in microsoft.com or "Microsoft" and you'll see IE trying a variety of different URLs before correctly guessing http://www.microsoft.com.

Martin Zugec discovered with a little testing that IE appears to check the following locations for shortcuts before connecting to the eventual Web site when the URL handler is not typed in:

-- %UserProfile%\Desktop
-- %AllUsersProfile%\Desktop
-- %UserProfile%\Favorites

I suspect there are more locations checked than this.

So, is this a feature or a bug? About half of the MVP camp, me included, didn't like this unexpected behavior. If it's documented or has been previously discussed, it isn't well known (then again, that's true for hundreds of Windows topics).
From a security perspective, I guess I shouldn't be too worried. It isn't as if this finding could be used by an initial exploit; an attacker would have to execute another attack successfully to be able to plant the desktop shortcut trick. And at that point, there are hundreds of other things the attacker can do to accomplish the same thing -- most of them less obvious.

So, why am I bothered? Ultimately, it's because of the fear of the unknown. It isn't this trick that makes me question Windows so significantly, but the question about what else is in there that I don't know about. The same fear is valid in other operating systems, but there is a great sense of security in an operating system where most behaviors can be readily examined. In Linux and other open source OSes, you can manually inspect the kernel source code or compile your own. And outside the kernel, I can inspect the files in the configuration /etc folder and examine supporting libraries, and every program comes with the source code. Although I might not know about all of Linux's unexpected behaviors -- and it does have them -- they occur less frequently, and often with transparency.

With Windows, I have to trust Microsoft. And let me say, I do trust Microsoft the majority of the time. It's just that I have no way of knowing what other surprises lurk for me, and how they affect my overall security risk. And if I find a feature I don't want, can I easily turn it off?
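As an added defender's check (not code from Grimes' column, from Microsoft, or from the MVPs he cites), the PowerShell below walks the shortcut folders the column says IE consults for scheme-less input and flags shortcuts whose name looks like a hostname but whose target is a local program, the Notepad-named-"www.aol.com" case. The extra %Public%\Desktop folder, the hostname and local-target regexes, and the PowerShell 3.0-or-later requirement are my assumptions.

```powershell
# Added audit script, not part of the InfoWorld column. It reports hostname-shaped
# shortcuts (.lnk / .url) in the folders the column lists as IE's lookup path,
# so an administrator can spot a shortcut that would hijack a typed host name.
# Assumptions: Windows PowerShell 3.0+, WScript.Shell available for .lnk parsing.

# Folders from the column, plus %Public%\Desktop (the shared desktop on Vista and
# later; %AllUsersProfile%\Desktop is the XP-era location). Skip any not present.
$candidates = @(
    @($env:UserProfile,     'Desktop'),
    @($env:AllUsersProfile, 'Desktop'),
    @($env:Public,          'Desktop'),
    @($env:UserProfile,     'Favorites')
)
$folders = foreach ($c in $candidates) {
    if ($c[0]) {
        $p = Join-Path $c[0] $c[1]
        if (Test-Path $p) { $p }
    }
}

# A shortcut base name that looks like a host name, e.g. "www.aol.com".
$hostLike = '^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$'

# A target that runs or opens something local instead of a web site:
# a drive path, a UNC path, or an executable/script extension.
$localTarget = '^[A-Za-z]:\\|^\\\\|\.(exe|com|bat|cmd|scr|pif|ps1|vbs|js|hta)(\s|$)'

$shell = New-Object -ComObject WScript.Shell

function Get-ShortcutTarget {
    param([System.IO.FileInfo]$File)
    if ($File.Extension -ieq '.lnk') {
        # .lnk files are binary; WScript.Shell resolves the target path.
        return $shell.CreateShortcut($File.FullName).TargetPath
    }
    # .url files are INI text; the target sits on the "URL=" line.
    $line = Get-Content -Path $File.FullName -ErrorAction SilentlyContinue |
            Where-Object { $_ -match '^URL=' } | Select-Object -First 1
    if ($line) { return $line.Substring(4).Trim() }
    return ''
}

$findings = foreach ($folder in $folders) {
    Get-ChildItem -Path $folder -Recurse -Include *.lnk, *.url -ErrorAction SilentlyContinue |
        Where-Object { $_.BaseName -match $hostLike } |
        ForEach-Object {
            $target = Get-ShortcutTarget -File $_
            [pscustomobject]@{
                Folder     = $folder
                Shortcut   = $_.Name
                Target     = $target
                # True when a host-name-shaped shortcut points at a local program.
                Suspicious = [bool]($target -match $localTarget)
                Modified   = $_.LastWriteTime
            }
        }
}

if (-not $findings) {
    'No hostname-shaped shortcuts found in the IE lookup folders.'
} else {
    # Suspicious entries first, newest first, for triage.
    $findings | Sort-Object Suspicious, Modified -Descending | Format-Table -AutoSize
}
```

Run it under the user account whose IE sessions are in question, since %UserProfile% folders differ per user; the shared desktop entries apply to every account on the machine.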
From rforno at infowarrior.org Tue May 30 22:57:11 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 30 May 2006 22:57:11 -0400
Subject: [Infowarrior] - The DVD War Against Consumers
Message-ID:

The DVD War Against Consumers
Makers of new DVD players are going too far in copyright protection efforts, but buyers needn't take it lying down
http://www.businessweek.com/print/technology/content/may2006/tc20060526_680075.htm

Having grown tired of one war, we're on the eve of another, complete with alliances, secret codes, and laser beams. No, not Iran -- it's the fight over the next generation of DVD devices. The real battle isn't between Sony (SNE ) and Microsoft (MSFT ) and their chosen formats, it's between the manufacturers and us -- the consumers, the ones who ultimately pay for it all. And the battle is over Digital Rights Management (DRM), because in addition to increased storage, these new disks are packed full of copy-protection functions, some of which impair our ability to use the content we pay for, the way we like and are legally entitled to.

Sony is championing a standard called Blu-ray, Microsoft is pushing HD-DVD. Both formats have plenty of corporate backers. The upcoming PlayStation 3 will support Blu-ray, the Xbox 360 will get an add-on drive that uses HD-DVD. Both standards incorporate sophisticated DRM technology. The current crop of DVDs uses a copy protection scheme that encrypts the disk, but that scheme was broken several years ago and the hack was widely incorporated in innumerable freeware DVD decryption programs. The movie studios have vowed not to let that happen to them again.

BORDER PATROL. But all software-based copy-protection schemes can be broken. The only way a DRM can really work is to control all of the hardware the video data flow through, including the monitor. The problem is that at some point an unencrypted video signal is sent to a display device.
It can be split off before it gets there or videotaped once it's on the screen. The AACS (Advanced Access Content System) standard supported by both the Sony and Microsoft camps addresses this problem. The standard calls for scaling down HD content to a low resolution if the player isn't hooked up to an HDCP-compliant connection. HDCP (High Bandwidth Digital Content Protection) is a DRM system invented by Intel (INTC ) that attempts to control video and audio as it flows out of a player and onto a display. In other words, if the player is connected to a monitor without the right cables, the quality of the image will be deliberately degraded. Blu-ray, however, goes beyond the AACS, incorporating two other protection mechanisms: The ROM Mark is a cryptographic element overlaid on a "legitimate" disk. If the player doesn't detect the mark, then it won't play the disc. This will supposedly deal with video-camera-in-the-theatre copies. STRANGLEHOLD ON CONTENT. Even more extreme is a scheme called BD+ that deals with the problem of what to do when someone cracks the encryption scheme. The players can automatically download new crypto if the old one is broken. But there's an ominous feature buried in this so-called protection mechanism: If a particular brand of player is cryptographically "compromised," the studio can remotely disable all of the affected players. In other words, if some hacker halfway across the globe cracks Sony's software, Sony can shut down my DVD player across the Net. The Blu-ray's DRM scheme is simply anti-consumer. The standard reflects what the studios really want, which is no copying of their material at all, for any reason. They're clearly willing to take active and unpleasant measures to enforce this. Last year's Sony/BMG rootkit fiasco comes to mind (see BW Online, 11/29/05, "Sony BMG's Costly Silence"). 
The possibility that they would disable thousands of DVD players, not because they're hacked but just because they might be vulnerable, would have been unthinkable a few years ago; it's clearly an option today.

What do consumers really want? We want high-quality video and sound, of course. These days we also want interoperability. When we buy content, we expect to play it on every gadget that we own. The newest video servers require content to be copied to the hard drives, so that they can stream video throughout the house. Soon, we'll also want to take the movies that we paid for with us on small multimedia players like video iPods.

OTHER ANSWERS. I support the rights of the studios to protect their content right up until it stops me from doing something reasonable that I want to do. Blu-ray crosses this line. So should the studios just roll over and close their doors? I have some suggestions for them:

- Find a new pricing model. There's an iTunes for movies out there somewhere.
- Fuggetaboutit. It's true that lots of people download movies off the Internet or buy bootleg copies, but how many adults will sit in front of a computer screen and watch a pixelated movie or be content to watch a DVD where someone's head keeps blocking the camera every few minutes? The kids who download movies off the Net can't afford to buy a real copy anyway. Stopping them from downloading and watching a movie doesn't translate into an extra sale.
- Go through the motions. Build a minimal DRM, enough to deter people from casual copying. Then, grit your teeth and bear it.

CHOOSING CHOICE. Part of the profit on movies comes from secondary-channel sales. The days when the studios made all of their money from the box office are long over. Now, they show movies on cable, on pay-per-view, in hotels, and on airplanes. There are too many places for the content to get out.
The more the studios widen their channels to distribute their product, the more opportunities there will be for someone to steal a copy. Plus, the move to digital distribution of movies in theaters means that there's a much better chance of someone snarfing a nice, clean, digital copy.

What should consumers do? Well, I'm a gadget freak but I'm not going to rush out and buy one of the first players available. When I do, given a choice between Blu-ray and a less-restrictive DRM format, I'll go with the latter, all other things being equal. As to the DRM stuff, if you need to copy a DVD for a legitimate purpose and the protection scheme won't let you and someone posts a hack on the Net, well...you have a choice to make.

Holtzman is the former CTO of Network Solutions and the editor of Globalpov.com, a blog that explores social changes brought about by information technology.

From rforno at infowarrior.org Tue May 30 22:59:21 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 30 May 2006 22:59:21 -0400
Subject: [Infowarrior] - Was Congress Misled by "Terrorist" Game Video?
In-Reply-To:
Message-ID:

(c/o J)

http://gamepolitics.livejournal.com/285129.html
2006-05-11 10:00:00

Was Congress Misled by "Terrorist" Game Video? We Talk to Gamer Who Created the Footage

Was an elite congressional intelligence committee shown video footage from an off-the-shelf retail game and told by the Pentagon and a highly-paid defense contractor that it was a jihadist creation designed to recruit and indoctrinate terrorists? It's looking more and more like that is the case.

The bizarre story began to unfold last week when Reuters reported that the House Permanent Select Committee on Intelligence was shown video footage of combat action which was represented as a user-modified version (or "mod") of Electronic Art's best-selling Battlefield 2, a modern-day military simulation which features combat between U.S.
forces and those of the fictitious Middle East Coalition (MEC) as well as the People's Republic of China. Reuters quoted a Pentagon official, Dan Devlin, as saying, "What we have seen is that any video game that comes out... (al Qaeda will) modify it and change the game for their needs." The influential committee, chaired by Rep. Peter Hoekstra (R-MI), watched footage of animated combat in which characters depicted as Islamic insurgents killed U.S. troops in battle. The video began with the voice of a male narrator saying, "I was just a boy when the infidels came to my village in Blackhawk helicopters..." Several GP readers immediately noticed that the voice-over was actually lifted from Team America: World Police, an outrageous 2004 satirical film produced by the creators of the popular South Park comedy series. At about the same time, gamers involved in the online Battlefield 2 community were pointing out the video footage shown to Congress was not a mod of BF2 at all, but standard game footage from EA's Special Forces BF2 add-on module, a retail product widely available in the United States and elsewhere. GamePolitics has been seeking comment on the video from the Pentagon and Science Applications International Corp (SAIC), a defense contractor based in San Diego. Committee chair Hoekstra's office referred GP back to the committee for comment. A call there had not been returned by press time. According to Reuters, the U.S. government is paying SAIC $7 million to monitor Islamist web sites, which is where they apparently discovered a copy of the footage. However, the video can also readily be accessed via links found in the user forums of the popular Planet Battlefield site, operated by IGN Entertainment of Brisbane, California. It is unclear whether SAIC vetted the origin of the video before showing it to key members of Congress and representing it as a terrorist recruiting tool. [..] 
From rforno at infowarrior.org Tue May 30 23:02:15 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 30 May 2006 23:02:15 -0400
Subject: [Infowarrior] - Now it's "terrorism" invoked in ISP snooping proposal
Message-ID:

Terrorism invoked in ISP snooping proposal

By Declan McCullagh
http://news.com.com/Terrorism+invoked+in+ISP+snooping+proposal/2100-1028_3-6078229.html

Story last modified Tue May 30 18:59:06 PDT 2006

In a radical departure from earlier statements, Attorney General Alberto Gonzales has said that requiring Internet service providers to save records of their customers' online activities is necessary in the fight against terrorism, CNET News.com has learned.

Gonzales and FBI Director Robert Mueller privately met with representatives of AOL, Comcast, Google, Microsoft and Verizon last week and said that Internet providers--and perhaps search engines--must retain data for two years to aid in anti-terrorism prosecutions, according to multiple sources familiar with the discussion who spoke on condition of anonymity on Tuesday.

"We want this for terrorism," Gonzales said, according to one person familiar with the discussion.

Gonzales' earlier position had only emphasized how mandatory data retention would help thwart child exploitation. In a speech last month at the National Center for Missing and Exploited Children, Gonzales said that Internet providers must retain records to aid investigations of criminals "abusing kids and sending images of the abuse around the world through the Internet."

If data retention becomes viewed primarily as an anti-terrorism measure, recent legal and political spats could complicate the Justice Department's efforts to make it standard practice. Especially after recent reports that AT&T has opened its databases to the National Security Agency, Internet and telecommunications executives have become skittish about appearing to be cooperating too closely with the federal government's surveillance efforts.
In addition, the positive publicity that Google received during its legal dispute with the Justice Department over search terms has demonstrated to Internet companies the benefits of objecting to government requests on privacy grounds.

"A monumental data trove is a crazy thing from a privacy perspective," said one person familiar with Friday's discussions. "It's crazy that the U.S. government is going to retain more data than the Chinese government does."

Comcast said in a statement that "we fully share the attorney general's concern with the need to combat illegal use of the Internet for child pornography, terrorism and other illegal activities. We applaud the attorney general's initiative in convening an internal task force on this issue and look forward to continuing to cooperate with him and the FBI."

ISP snooping time line

In events first reported by CNET News.com, Bush administration officials have said Internet providers must keep track of what Americans are doing online. Here's the time line:

June 2005: Justice Department officials quietly propose data retention rules.
December 2005: European Parliament votes for data retention of up to two years.
April 14, 2006: Data retention proposals surface in Colorado and the U.S. Congress.
April 20, 2006: Attorney General Gonzales says data retention "must be addressed."
April 28, 2006: Rep. DeGette proposes data retention amendment.
May 16, 2006: Rep. Sensenbrenner drafts data retention legislation, but backs away from it two days later.
May 26, 2006: Gonzales and FBI Director Mueller meet with Internet and telecommunications companies.

Details of the Justice Department's proposal remain murky. One possibility is requiring Internet providers to record the Internet addresses that their customers are temporarily assigned. A more extensive mandate would require them to keep track of the identities of Americans' e-mail and instant messaging correspondents and save the logs of Internet phone calls.

A Justice Department representative said Tuesday that the proposal would not require Internet providers to retain records of the actual contents of conversations and other Internet traffic.

Until Gonzales' public remarks last month, the Bush administration had generally opposed laws requiring data retention, saying it had "serious reservations" about them. But after the European Parliament last December approved such a requirement for Internet, telephone and voice over Internet Protocol (VoIP) providers, top administration officials began talking about it more favorably.

Two proposals to mandate data retention have surfaced in the U.S. Congress. One, backed by Rep. Diana DeGette, a Colorado Democrat, says that any Internet service that "enables users to access content" must permanently retain records that would permit police to identify each user. The records could be discarded only at least one year after the user's account was closed.

The other was drafted by aides to Wisconsin Rep. F. James Sensenbrenner, the chairman of the House Judiciary Committee and a close ally of President Bush. Sensenbrenner said through a spokesman earlier this month, though, that his proposal is on hold because "our committee's agenda is tremendously overcrowded already."

'Preservation' vs. 'retention'

At the moment, Internet service providers typically discard any log file that's no longer required for business reasons such as network monitoring, fraud prevention or billing disputes. Companies do, however, alter that general rule when contacted by police agencies performing an investigation--a practice called data preservation.

A 1996 federal law called the Electronic Communication Transactional Records Act regulates data preservation. It requires Internet providers to retain any "record" in their possession for 90 days "upon the request of a governmental entity."
Because Internet addresses remain a relatively scarce commodity, ISPs tend to allocate them to customers from a pool based on whether a computer is in use at the time. (Two standard techniques used are the Dynamic Host Configuration Protocol and Point-to-Point Protocol over Ethernet.)

In addition, Internet providers are required by another federal law to report child pornography sightings to the National Center for Missing and Exploited Children, which is in turn charged with forwarding that report to the appropriate police agency.

When adopting its data retention rules, the European Parliament approved U.K.-backed requirements saying that communications providers in its 25 member countries--several of which had enacted their own data retention laws already--must retain customer data for a minimum of six months and a maximum of two years. The Europe-wide requirement applies to a wide variety of "traffic" and "location" data, including the identities of the customers' correspondents; the date, time, and duration of phone calls, VoIP calls, or e-mail messages; and the location of the device used for the communications. But the "content" of the communications is not supposed to be retained. The rules are expected to take effect in 2008.

Copyright ©1995-2006 CNET Networks, Inc. All rights reserved.

From rforno at infowarrior.org Wed May 31 12:02:56 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 31 May 2006 12:02:56 -0400
Subject: [Infowarrior] - Pre-9/11 records help flag suspicious calling
Message-ID:

Pre-9/11 records help flag suspicious calling

Updated 5/22/2006 11:46 PM ET
By John Diamond and Leslie Cauley, USA TODAY
http://www.usatoday.com/news/washington/2006-05-22-nsa-template_x.htm

WASHINGTON -- Armed with details of billions of telephone calls, the National Security Agency used phone records linked to the Sept. 11, 2001 attacks to create a template of how phone activity among terrorists looks, say current and former intelligence officials who were briefed about the program.

The template, the officials say, was created from a secret database of phone call records collected by the spy agency. It has been used since 9/11 to identify calling patterns that indicate possible terrorist activity. Among the patterns examined: flurries of calls to U.S. numbers placed immediately after the domestic caller received a call from Pakistan or Afghanistan, the sources say.

USA TODAY disclosed this month that the NSA secretly collected call records of tens of millions of Americans with the help of three companies: AT&T, Verizon and BellSouth. The call records include information on calls made before the Sept. 11 attacks.

Verizon and BellSouth released statements last week denying they had contracts with the NSA to provide the call information. A Verizon spokesman said the company's statement did not include MCI, the long-distance company that Verizon acquired in January.

The "call detail records" are the electronic information that is logged automatically each time a call is initiated. For more than 20 years, local and long-distance companies have used call detail records to figure out how much to charge each other for handling calls and to determine problems with equipment.

In addition to the number from which a call is made, the detail records are packed with information. Also included: the number called; the route a call took to reach its final destination; the time, date and place where a call started and ended; and the duration of the call. The records also note whether the call was placed from a cellphone or from a traditional "land line."

"They see everything," says Sergio Nirenberg, director of systems engineering at Science Applications International Corp., a Fortune 500 research and engineering company that works with the federal government.
Nirenberg said he does not have direct knowledge of the NSA database.

The disclosure of the call record database has raised concerns among lawmakers, such as Sen. Ron Wyden, D-Ore., that the records give the government access to information about innocent Americans. President Bush has insisted that intelligence efforts are only "focused on links to al-Qaeda and their known affiliates."

The intelligence officials offered new insight into one way the database of calls is used to track terrorism suspects. The officials, two current U.S. intelligence officials familiar with the program and two former U.S. intelligence officials, agreed to talk on condition of anonymity. The White House and the NSA refused to discuss the template or the program.

Using computer programs, the NSA searches through the database looking for suspicious calling patterns, the officials say. Because of the size of the database, virtually all the analysis is done by computer.

Calls coming into the country from Pakistan, Afghanistan or the Middle East, for example, are flagged by NSA computers if they are followed by a flood of calls from the number that received the call to other U.S. numbers. The spy agency then checks the numbers against databases of phone numbers linked to terrorism, the officials say. Those include numbers found during searches of computers or cellphones that belonged to terrorists.

It is not clear how much terrorist activity, if any, the data collection has helped to find.

Not every call record contains the same level of detail. Depending upon how a business has its phone system set up, the call detail records might not register complete information on an outgoing call, Nirenberg says. The records might note only the general number of the business, not the desk extension or, in the case of a hotel, the room extension. Incoming calls that don't go through the switchboard and are dialed directly would have complete call detail records, Nirenberg says.

Not all local calls generate a call detail record, Nirenberg says. But that's not to say that phone companies can't create a record for local calls. "It's just a matter of whether they enable that function" that allows that to happen, he says. Cellphone calls, on the other hand, create call detail records in almost every case. Toll calls -- meaning those that aren't technically long-distance but still cost extra -- also generate call detail records, he says. "If they charge you separately for it, they have a call detail record," Nirenberg says.

The current and former intelligence officials say that the point of the database is to create leads. The database enables intelligence analysts to focus on a manageable number of suspicious calling patterns, they say.
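The two-stage template the USA TODAY piece describes (an inbound call from Pakistan or Afghanistan, a flurry of calls from the recipient to other U.S. numbers, then a check of those numbers against a list already linked to terrorism), written out over constructed call detail records as an added example that is not from the article or from any agency. The one-hour window, the three-call threshold, the per-record country field and every phone number are assumptions; the second sample case matches the pattern with no watchlist hit, which is why the officials call the output leads rather than findings.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class CDR:  # one call detail record, trimmed to the fields the article lists
    caller: str       # number the call was placed from
    called: str       # number dialed
    start: datetime   # date and time the call started
    duration_s: int   # duration of the call in seconds
    caller_cc: str    # country of the calling number (assumed derivable from it)

FLAGGED_ORIGINS = {"PK", "AF"}  # Pakistan and Afghanistan, as named in the article

def find_leads(cdrs, window=timedelta(hours=1), min_fanout=3):
    """Stage 1: an inbound call from a flagged origin to a U.S. number, followed
    within `window` by >= min_fanout calls from that number to other U.S. numbers."""
    cdrs = sorted(cdrs, key=lambda c: c.start)
    leads = []
    for trig in cdrs:
        if trig.caller_cc not in FLAGGED_ORIGINS or not trig.called.startswith("+1"):
            continue
        fanout = [c for c in cdrs if c.caller == trig.called and c.called.startswith("+1")
                  and trig.start < c.start <= trig.start + window]
        if len(fanout) >= min_fanout:
            leads.append((trig, fanout))
    return leads

def check_watchlist(leads, watchlist):
    """Stage 2: which dialed numbers in each lead are already linked to terrorism.
    An empty hit list means the pattern fired with nothing to corroborate it."""
    return [(trig.called, sorted({c.called for c in fanout} & watchlist))
            for trig, fanout in leads]

T0 = datetime(2006, 5, 20, 9, 0)
def _cdr(caller, called, minutes, cc):  # builds one constructed record
    return CDR(caller, called, T0 + timedelta(minutes=minutes), 60, cc)
SAMPLE_CDRS = [  # constructed records; every number here is fictitious
    _cdr("+923001234567", "+12025550101", 0, "PK"),    # trigger, then a flurry:
    _cdr("+12025550101", "+12025550102", 5, "US"),
    _cdr("+12025550101", "+12025550103", 10, "US"),
    _cdr("+12025550101", "+12025550104", 15, "US"),
    _cdr("+923007654321", "+13105550200", 60, "PK"),   # same shape, e.g. family news
    _cdr("+13105550200", "+13105550201", 65, "US"),
    _cdr("+13105550200", "+13105550202", 70, "US"),
    _cdr("+13105550200", "+13105550203", 80, "US"),
    _cdr("+442079460000", "+14155550300", 120, "GB"),  # not a flagged origin
    _cdr("+14155550300", "+14155550301", 125, "US"),
    _cdr("+14155550300", "+14155550302", 126, "US"),
    _cdr("+14155550300", "+14155550303", 127, "US"),
]
WATCHLIST = {"+12025550104", "+19735550999"}  # constructed list of "known" numbers

if __name__ == "__main__":
    for number, hits in check_watchlist(find_leads(SAMPLE_CDRS), WATCHLIST):
        print(number, "matched the template; watchlist hits:", hits or "none")
```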