From rforno at infowarrior.org Wed Nov 15 13:17:43 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 15 Nov 2006 13:17:43 -0500
Subject: [Infowarrior] - Best Buy tries to copyright sales prices

Best Buy tries to copyright sales prices
http://arstechnica.com/news.ars/post/20061114-8218.html
11/14/2006 12:08:57 PM, by Eric Bangeman

Deal site BlackFriday.info yesterday removed the Best Buy "Black Friday" sales price list after the big box retailer threatened to deliver a DMCA takedown notice to Black Friday's ISP. In a brief posting, Black Friday said, "While we believe that sale prices are facts and not copyrightable, we do not want to risk having this website shut down due to a DMCA take down notice."

In recent years, information on the post-Thanksgiving sales has become a highly prized commodity, with a number of sites featuring copies of major retailers' ads. Consumers looking for the best prices and wanting to streamline their shopping are responsible for the sites' popularity.

Deal sites such as BlackFriday and Fat Wallet are a source of irritation to retailers at this time of year, although DMCA takedown notices tend to be the exception rather than the rule. In November 2003, Best Buy issued a takedown notice to FatWallet over a Black Friday ad posted on the site. FatWallet responded by suing Best Buy for abuse of the DMCA. Such lawsuits are permissible under the DMCA if a company knowingly misrepresents a DMCA notice. FatWallet's case was dismissed, with the judge ruling that the bargain-hunting site had not suffered injury because of the takedown notice.

By issuing DMCA takedown notices, Best Buy is alleging that its sale prices are copyrighted information and that posting the information before it is publicly released constitutes copyright infringement.

While companies may be able to argue that disclosing sale prices weeks ahead of time can cause them harm, it doesn't necessarily follow that a list of products and prices is copyrightable. Best Buy and other retailers that churn out takedown notices are misusing the DMCA, but the larger problem is the law itself. The powers granted by the DMCA are broad enough that it is tempting for companies to wield the law as a bludgeon against whomever is displeasing them. Until the law is changed, companies will continue giving in to the temptation to misapply it.

From rforno at infowarrior.org Wed Nov 15 13:17:51 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 15 Nov 2006 13:17:51 -0500
Subject: [Infowarrior] - Universities move to hide work from U.S. Eyes

Universities move to hide work from U.S. eyes
CAROLINE ALPHONSO
From Saturday's Globe and Mail
http://www.theglobeandmail.com/servlet/story/RTGAM.20061111.wxuniversities11/BNStory/National/home

Concerned about the U.S. government's prying eyes, a number of Canadian universities are changing the way their professors and students conduct online research.

Many university libraries subscribe to RefWorks, a popular U.S.-based Internet tool that allows academics and students to create personal accounts and store research information, as well as generate citations and bibliographies.

But the Patriot Act -- which grew out of the Sept. 11 terrorist attacks and which potentially allows U.S. authorities to sweep through databases such as RefWorks -- has prompted Canadian postsecondary institutions to abandon the American server for one housed at the University of Toronto.

"There is certainly concern within Canadian university libraries. It's a concern about a foreign country having access to your personal information without good cause," said William Maes, librarian at Dalhousie University in Halifax. "That's the devious thing of the Patriot Act, they can do this without letting anybody know."
With RefWorks, professors and students set up personal accounts on the U.S. database and can then save journal titles for their research records.

Amid heightened fears about terrorist activities, Canadian university officials worry that if the research is of a sensitive nature, it could be misunderstood. For example, an academic researching North Korea or nuclear weapons could find the work flagged by the Bush government, university librarians fear.

As a result, Dalhousie, Memorial University of Newfoundland and the University of Alberta are among the institutions that have switched to the Canadian server. The hope is that data on a Canadian server will be protected from the Patriot Act, which gives authorities virtually unlimited investigative powers. Mr. Maes said it is still possible for the RCMP and CSIS to probe the Ontario server, but in Canada there is at least judicial oversight.

Mr. Maes said the Halifax-based university has been using RefWorks for two years now, but strengthened privacy legislation in Nova Scotia coupled with the Patriot Act drove Dalhousie, as well as other Atlantic institutions, to move to the Ontario server this academic year. Universities still have access to RefWorks, but now the personal information of professors and students is stored in Ontario.

The U of T server, managed on behalf of the Ontario Council of University Libraries, was created four years ago to give the province's institutions more control over how research information is managed. Universities pay RefWorks for the site licences, and then pay a small fee to U of T to offset the costs of using the server.

"It made more sense that if it's Canadian academic work, it should be housed on a Canadian academic server," said John Teskey, director of libraries at the University of New Brunswick.

Karen Adams, library director at the University of Alberta, said her institution switched over to the Ontario server this past month after using RefWorks for several years. The reason: "We have strong privacy legislation here in Alberta, and the U.S. Patriot Act was just another angle that caused us to realize the importance of it all [protecting users]."

RefWorks president Colleen Stempien said that while she understands the concerns of some Canadian universities, the company goes to great lengths to protect the data of its customers. Ms. Stempien said the company's lawyers are looking at what powers the U.S. government has under the Patriot Act.

She said RefWorks didn't have a problem when Canadian universities requested to switch servers. "If our customers are concerned about it, we want our customers to be comfortable," she said. "Since there was an opportunity to host it somewhere where they felt more comfortable there was no reason to say no."

Indeed, some researchers at Memorial refused to sign on to RefWorks until the switch took place, said Karen Lippold, head of the university's information-services division. The university signed on to RefWorks over the summer, and moved to the Canadian server last month. There are about 300 faculty and students at Memorial using the service.

"We had some people who didn't seem to think it was an issue. We had some people who felt it was an issue and were holding off and weren't going to establish an account until it moved," Ms. Lippold said. "We're pleased that it is now in Canada."

While some universities have already made the switchover fearing the scope of the Patriot Act, others outside Ontario are still considering the move. Michelle Lamberson, director of the office of learning technology at the University of British Columbia, said that users at the institution receive a warning that their information is being stored in the United States when they log into RefWorks. UBC is looking at switching over to the Ontario-based server to make sure private information is kept safe, she said.
From rforno at infowarrior.org Wed Nov 15 21:40:51 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 15 Nov 2006 21:40:51 -0500
Subject: [Infowarrior] - Specter proposes last-minute spy bill

Republicans propose last-minute spy bill
By Anne Broache
http://news.com.com/Republicans+propose+last-minute+spy+bill/2100-1028_3-6136026.html
Story last modified Wed Nov 15 17:22:28 PST 2006

The outgoing Republican chairman of a key U.S. Senate committee has made a last-minute attempt at giving the Bush administration what he calls the necessary "resources" for carrying out its phone call and Internet surveillance within the law, but critics remain unconvinced.

In remarks on the Senate floor on Tuesday afternoon, Judiciary Committee Chairman Arlen Specter marketed his new 11-page proposal as "a significant advance in protecting civil liberties." Once one of the few Republicans to question openly the legality of the National Security Agency's warrantless terrorist surveillance program, the veteran Pennsylvanian politician drew criticism this summer for endorsing a bill that would allow--but not require--the Bush administration to submit the operations for court review.

The Senate Judiciary Committee chairman's latest effort drew near-immediate skepticism from the American Civil Liberties Union and from California Democratic Sen. Dianne Feinstein, who co-sponsored what civil liberties groups viewed as a more stringent bill with Specter earlier this year. That bill narrowly cleared a committee vote in July but has since stalled.

"I am really unsure why passage of this bill now would achieve anything," Feinstein said in her own Senate floor remarks.

Specter's new bill arrives less than a week after President Bush called on the lame-duck Congress to prioritize legislation that would effectively authorize the administration's terrorist surveillance project, which is already the target of a few dozen lawsuits. The House of Representatives in September approved an administration-backed bill that drew fire from civil libertarians, who argued it would expand the government's electronic spying powers to unprecedented levels.

Titled the "Foreign Intelligence Surveillance Oversight and Resource Enhancement Act of 2006," the latest Specter bill does not appear to grant as much latitude for warrantless spying as the approved House bill. Specter's proposal, for instance, would require the U.S. Supreme Court to review all appeals of cases challenging the legality of the specific spy program acknowledged by the president last December, whereas the version approved by the House would effectively quash all such challenges.

The bill also proposes a number of changes to existing law that some found troubling. One section, for instance, would require the U.S. attorney general to "fully inform" the Senate and House of Representatives intelligence committees semiannually of any electronic surveillance undertaken without a court order. But it would also scale back a 1947 law that governs reports on government intelligence activities to Congress, requiring only that the chairmen of each congressional intelligence committee be privy to those documents.

Perhaps most notably, one section would erase the need for the government to obtain a warrant when tapping into "foreign-to-foreign" communications, even if Americans are involved in those exchanges, said Mike German, a policy counsel for the ACLU. Under existing law, a showing of probable cause is required, he said, meaning that "a U.S. person located abroad would lose his right to privacy under this section of the bill."

Among other provisions, the bill would also permit hiring of new lawyers as needed by the Department of Justice, the FBI, the National Security Agency and the secret Foreign Intelligence Surveillance Court, which is tasked with issuing court orders for eavesdropping on conversations when at least one end is located in the United States. It would also allow authorities 168 hours--rather than the existing 72--to make after-the-fact applications for warrants in "emergency" situations when higher-ups decide surveillance must begin immediately.

"With these additional resources, I am advised that the NSA will be in a position to have individual warrants for all calls which originate in the United States and go overseas," Specter said.

The ACLU's German disputed the extended window, saying "there has not been an adequate showing that they need that extra time."

It remains unclear whether the Senate will take up Specter's proposal during the lame-duck session, as a number of spending bills still await action. An aide to Senate Majority Leader Bill Frist, who sets the schedule, said the issue was "not totally off the table, but time is the problem."

From rforno at infowarrior.org Wed Nov 15 21:42:19 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 15 Nov 2006 21:42:19 -0500
Subject: [Infowarrior] - A Sneak Peek at a Fractured Web

A Sneak Peek at a Fractured Web
By Mark Anderson
02:00 AM Nov 13, 2006
http://www.wired.com/news/technology/1,72104-0.html

CAMBRIDGE, Massachusetts -- Internet censorship is spreading and becoming more sophisticated across the planet, even as users develop savvier ways around it, according to early results in the first-ever comprehensive global survey of internet censorship.

The internet watchdog organization OpenNet Initiative is compiling a year's worth of data gathered by nearly 50 cyberlaw, free-speech and network experts across as many countries, whose governments are known internet filterers.
The study systematically tested if, when, how and by whom thousands of controversial websites are blocked in each nation. Last week, ONI researchers gathered at the Berkman Center for Internet and Society at Harvard Law School to begin hashing through their as-yet unpublished -- and in many cases, still incomplete -- findings.

Wired News sat down with five members of the ONI team to catch a sneak preview of the study that, when it's published in the spring, is expected to set the gold standard for measuring freedom of expression across the internet.

The spectrum of internet censorship, the researchers found, ranged from transparent to utterly murky. Perhaps the country with the most accessible filtering system was Saudi Arabia, said Berkman Center research affiliate Helmi Noman. "On their website, they have all the information of why they block and what they block," he said. "And they invite contributions (of other sites to be blocked) from the public."

Vietnam, on the other hand, floats decoys. As ONI first documented this summer and confirmed in this year's study, the Southeast Asian regime purports to censor sexually explicit content. But ONI's computers found no such blocking in place. They did find, however, plenty of unadvertised censorship of political and religious websites critical of the country's one-party state.

Sometimes a censoring government tries to conceal its filtering behind spoofed web-browser error messages. ONI discovered that Tunisia, for instance, masks filtered pages by serving a mockup of Internet Explorer's 404 error page. These supposed error pages stood out, because ONI doesn't use IE.

"Rather than getting a page that says 'This page has been blocked,' you get a page saying 'Page not found,' designed to look exactly like the Internet Explorer 404 page," said Cairo-based ONI consultant Elijah Zarwan.

Sometimes a censoring government apparently dips into the bag of tricks more commonly used by online extortionists and script kiddies. ONI researcher Stephen Murdoch of Cambridge University points to denial of service (or DoS) attacks on multiple opposition-party websites preceding countrywide elections in both Belarus and Kyrgyzstan. Although ONI cannot prove the government was the instigator, the government benefited from the attacks. If the state had nothing to do with the DoS carpet bombings, some mysterious third party took big risks acting malevolently on the state's behalf.

Indeed, speculates ONI researcher Nart Villeneuve of the University of Toronto's Citizen Lab, the difficulty in tracing the source may be why DoS attacks may appear more and more attractive to governments. "There is some plausible deniability in a denial of service attack," he said. "Whereas if they send out a fax to internet service providers saying to block this site, and somebody leaks that fax, then we can directly prove that the government is blocking this site."

Government filtering is beginning to expand beyond the bounds of the web browser, too. Last summer, Bahrain blocked all access to Google Earth, before yielding to global political pressure from bloggers and lifting the ban.

Internet filtering can sometimes have clearly commercial motives, said Noman. "The (United Arab Emirates) block voice over IP, but they think they have a legal reason: The only telecommunications company in the country is the sole (legal) provider of telecommunications services. So going through the internet is a violation of the monopoly," he said.

However, government censors don't have a corner on innovation. The new generation of censorship circumvention hacks are coming online too, though they're typically known only by the tiny percentage of users who are also geeks. Noman discussed a new breed of web browser and web applications that can use foreign web servers to disguise a user's IP address, and thus evade censorship protocols. He declines to mention any specific products, though, for fear of giving away too much information to the other side.

More prosaic workarounds exist too. In Syria, Zarwan said, content from some blocked websites quickly translates into impromptu e-mail blasts from the website owners to its regular readers. "E-mail and SMS are probably more important than the web for political organizing," he said.

One Syrian website used to "go after government members by name and was really fearless," said Zarwan. "It was quickly blocked. So they started sending (the site's content) out by e-mail. Then the government started blocking that e-mail address, and so he started a new e-mail address ... to the point where he was changing e-mail addresses three times a week."

In Egypt, Zarwan added, activists from the local pro-democracy group Kifaya performed a similar trick, only using Yahoo Groups instead of e-mail.

Egypt, Syria, Tunisia, Iran, Vietnam, Saudi Arabia, Kyrgyzstan and Belarus also have the distinction of making up the lion's share of Reporters Without Borders' new list of 13 Internet Enemies, released last week.

Reporters Without Borders' Julien Pain is one activist eager to see ONI's final report next spring. "Five years ago, only a few countries censored the internet, or censored it at all efficiently," he said. "The first one to do that was China, and they were kind of a model for other dictatorships around the world."

"But we see now that it's spreading all over the world, and even in sub-Saharan African countries," Pain said.

ONI is a collaboration between digital frontier organizations at Harvard University, the University of Toronto, and Cambridge and Oxford Universities in the U.K. Although many organizations, including ONI itself, have released progress reports on the state of internet censorship in individual countries, no one has to date attempted a comparative study of all of them at once.
ONI's past work has been extremely thorough and up to date, said Brad Adams of Human Rights Watch, so he expects the ONI survey will become the bellwether for internet free-speech researchers around the world. "I've found their work to be very impressive, because it's such a complicated field," he said. "It's not like other fields where at least it's static enough that you can draw some straightforward conclusions. This is hard work."

One of ONI's worries, said project manager Rob Faris, is that the information it gathers will be used by censorious governments to refine their techniques and tighten their grip. "One of the things that we could do inadvertently in our work is to create a compendium of websites that should have been blocked by the standards of that country that haven't been blocked," Faris said. "We don't want to do their work for them."

From rforno at infowarrior.org Wed Nov 15 21:43:22 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 15 Nov 2006 21:43:22 -0500
Subject: [Infowarrior] - Vista and More: Piecing Together Microsoft's DRM Puzzle

Vista and More: Piecing Together Microsoft's DRM Puzzle
Matt McKenzie
http://computerworld.com/action/article.do?command=viewArticleBasic&articleId=9005047&intsrc=hm_ts_head
November 15, 2006 (Computerworld)

If you ask five veteran Windows users to explain Vista's take on digital rights management (DRM), you're likely to get five different answers that have just one thing in common: Whatever it is, they know they don't like it.

In a nutshell, this is the dilemma Microsoft faces as it prepares to launch Windows Vista. By any standard, Vista's new DRM capabilities -- aimed at protecting the rights of content owners by placing limits on how consumers can use digital media -- hardly qualify as a selling point; after all, it's hard to sing the praises of technology designed to make life harder for its users.
Microsoft itself defines DRM in straightforward terms, as "any technology used to protect the interests of owners of content and services." In theory, it's an easy concept to grasp; in practice, however, modern DRM technologies include a multitude of hardware-, software- and media-based content-protection schemes, many of which have little or nothing in common.

DRM at the hardware level

Vista's DRM technologies fall into several distinct categories, all of which are either completely new to the operating system or represent a significant change from the technology found in previous versions of Windows.

The Intel-developed Trusted Platform Module (TPM) makes DRM harder to circumvent by extending it beyond the operating system and into the PC's hardware components. TPM is used with Vista's BitLocker full-drive encryption technology to protect a PC's data against security breaches. A TPM microchip embedded on the PC's motherboard stores unique system identifiers along with the BitLocker decryption keys. If a system is tampered with -- for example, if the hard drive is removed and placed in a different machine -- TPM detects the tampering and prevents the drive from being unencrypted.

A set of related technologies grouped under the name Output Protection Management (OPM) also takes DRM to the hardware level. Perhaps the most prominent (or notorious) OPM technology, known as Protected Video Path (PVP), provides a good example of how hardware-based DRM works and what it can do.

PVP content-protection technology is supported both in Windows Vista and within a small but growing number of high-end graphics adapters, high-definition displays and even digital display connector cables. It is intended, first and foremost, to protect the high-quality digital content that is slowly becoming available on the next-generation Blu-ray and HD-DVD optical media technology.

Most commercial DVDs, of course, already include copy-protection technology. This protection, however, works only in conjunction with the DVD player itself. It cannot stop attempts to intercept and copy the protected content further downstream, as it moves first to the graphics card and finally to a user's display -- a problem sometimes referred to as the "analog gap."

PVP eliminates these security gaps, enabling a series of DRM measures that keep a high-resolution content stream encrypted, and in theory completely protected, from its source media all the way to the display used to watch it. If the system detects a high-resolution output path on a user's PC (i.e., a system capable of moving high-res content all the way to a user's display), it will check to make sure that every component that touches a protected content stream adheres to the specification. If it finds a noncompliant device, it can downgrade the content stream to deliver a lower-quality picture -- or it can even refuse to play the content at all, depending on the rights holder's preferences.

What does all this mean to a typical Windows Vista user who just wants to sit back, relax and watch a movie on his brand-new, state-of-the-art multimedia dream machine? That depends, of course, to a great extent on what he wants to watch; the latest Hollywood blockbuster is far more likely to require a PVP-compliant system than less mainstream fare. But sooner or later, most Vista users will probably encounter PVP-protected content -- and more often than not, they will walk away from the encounter at least a little frustrated, disappointed or even angry.

Matt Rosoff, lead analyst at research firm Directions On Microsoft, asserts that this process does not bode well for new content formats such as Blu-ray and HD-DVD, neither of which is likely to survive its association with DRM technology. "I could not be more skeptical about the viability of the DRM included with Vista, from either a technical or a business standpoint," Rosoff stated. "It's so consumer-unfriendly that I think it's bound to fail -- and when it fails, it will sink whatever new formats content owners are trying to impose."

The Hollywood factor

As Rosoff's statement implies, many of Vista's DRM technologies exist not because Microsoft wanted them there; rather, they were developed at the behest of movie studios, record labels and other high-powered intellectual property owners.

"Microsoft was dealing here with a group of companies that simply don't trust the hardware [industry]," Rosoff said. "They wanted more control and more security than they had in the past" -- and if Microsoft failed to accommodate them, "they were prepared to walk away from Vista" by withholding support for next-generation DVD formats and other high-value content.

Microsoft's official position is that Vista's DRM capabilities serve users by providing access to high-quality content that rights holders would otherwise serve only at degraded quality levels, if they chose to serve them at all.

"In order to achieve that content flow, appropriate content-protection measures must be in place that create incentives for content owners while providing consumers the experiences they want and have grown to expect," said Jonathan Usher, a director in the Consumer Media Technology Group within Microsoft's Entertainment and Devices division. "We expect that the improvements in Windows Vista will attract new content to the PC, which is exactly what consumers want."

Yet Usher also pointed out that while Microsoft may provide the DRM technology, it is entirely up to content providers to decide whether their business models should make use of it. "As a platform provider, we provide the technology that allows our partners to test and implement new business models and scenarios," Usher stated. "It remains up to the market to determine the equilibrium that drives any free-enterprise system.

"Consumers are the final arbiters because they can vote with their wallets," Usher added.
"This is as it should be in any well-functioning market, and we believe the improvements in Windows Vista play to this strength."

Hollywood isn't the only group that benefits from Vista's assortment of content-protection technologies. While Microsoft can truthfully claim that it wanted no part of the DRM schemes added to Vista for Hollywood's benefit, the company clearly stands to benefit, both now and in the future, from its control over other pieces of the Vista DRM puzzle.

WGA: The next generation

One of these, dubbed the Software Protection Platform (SPP), deals mostly with the integrity of Windows itself. The next generation of Microsoft's Windows Genuine Advantage (WGA) program, SPP requires that users validate their version of Vista with a software license key within 30 days of its activation. Users who don't validate the operating system will be prevented from using certain features, including the new Aero graphical user interface, the ReadyBoost system performance application and, most controversially, the Windows Defender antispyware program.

After 30 days, Vista goes into a reduced functionality mode, similar to Windows Safe Mode -- users have access to a Web browser (so they can validate or purchase a copy of Vista), but none of their computers' other functions. (For details, see "The Skinny on Windows DRM and Reduced Functionality in Vista".)

Windows Media

Then there's the DRM built into the latest version of Microsoft's Windows Media platform, which was also significantly updated for Vista -- although for the time being, it remains interoperable with earlier versions of the Windows Media platform and associated DRM technologies, known as WMDRM.

The key here, according to Bill Rosenblatt, founder of GiantSteps Media Technology Strategies and managing editor of Jupiter Media's "DRM Watch" newsletter, is the widespread use of WMDRM as a de facto digital music DRM standard. Rosenblatt noted that besides serving as the underlying content-protection technology for almost every digital music service except for Apple's iTunes Music Store, WMDRM offers a fair amount of interoperability between digital music and portable music players labeled with the Microsoft-sponsored "PlaysForSure" moniker.

"Microsoft has developed an ecosystem of device makers around WMDRM 10," the version introduced with Windows XP, he said. "As a result, the Windows platform has developed a certain amount of interoperability" between music services such as Napster and MusicMatch on the one hand, and hardware manufacturers on the other.

Yet, according to Rosenblatt, there is trouble in paradise -- at least Microsoft's "PlaysForSure" partners are likely to see it that way.

Enter Zune

Microsoft, Rosenblatt noted, faced an intractable problem: Its current efforts, including the PlaysForSure program, were getting the company nowhere against Apple Computer's iPod, with a market share greater than 70% and unassailable brand recognition. Now, he said, armed with its own Zune portable music player and associated retail operation, a significant move away from the current, interoperable WMDRM model seems to be in the cards.

"Music bought for Zune may not be playable on other PlaysForSure devices; Zune will decrease interop, not increase it," said Rosenblatt. "Customers who bought tracks from Napster et al. can play them on Zune, but not vice versa.

"Why do this?" Rosenblatt asked. "The device ecosystem strategy is too fragmented, too complex to use and too hard to market to consumers; it simply is not an effective strategy to compete against Apple." In addition, he noted, while Microsoft's WMDRM is "much more flexible and powerful than Apple's own FairPlay DRM platform, it is also more complex -- and the existing [PlaysForSure] arrangement did not help matters."

Microsoft's Jonathan Usher acknowledged that interoperability differences between Zune and the existing PlaysForSure specification were necessary in order for Microsoft to deliver the type of user experience and feature set it envisioned for Zune. "The Zune team's focus is on building a rich community and service around the brand that provides consumers with a unique, integrated end-to-end experience," Usher said. "PlaysForSure, on the other hand, is designed for partners who choose to rely on broad compatibility -- for example, a device manufacturer who wants to connect to multiple services or a service provider who wants to connect to multiple devices."

Rosenblatt and Rosoff both noted that Zune is more than just a vanity project for Microsoft, or even an attempt to open a second front in the company's renewed rivalry with Apple. In fact, both analysts suggested that Zune, like the company's Xbox gaming console, is Microsoft's hedge against the increasingly distinct possibility that the PC won't evolve into the all-purpose digital media center the company once hoped it could become.

"Customers naturally want to know, 'What is going to happen when I try to play a Blu-ray DVD, or an HD-DVD, or some other type of protected content on Vista?'" Rosoff said. "And what's Microsoft's answer? 'That depends.' It's not exactly an encouraging answer."

The business of DRM

Finally, Bill Rosenblatt pointed out that Microsoft might yet turn DRM technology into a profitable, sustainable business -- not in the consumer market, but rather within the enterprise market, where content-protection technologies are winning over a growing number of supporters who see it as an important weapon against data loss, regulatory compliance lapses and other potentially costly business process failures.

"Microsoft actually enjoyed quite a bit of success when it released Windows Rights Management Services back in 2003," Rosenblatt said.
"If Microsoft can put some marketing effort behind this product once it gets through its Vista-launch fire drill, I don't think it will be disappointed."

From rforno at infowarrior.org Wed Nov 15 23:36:09 2006 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 15 Nov 2006 23:36:09 -0500 Subject: [Infowarrior] - Windows SPP and Reduced Functionality in Vista Message-ID:

The Skinny on Windows SPP and Reduced Functionality in Vista
Scot Finnie
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9004970
November 10, 2006 (Computerworld)

One aspect of Microsoft's Windows Vista operating system that has raised users' hackles is its new antipiracy system, called Software Protection Platform (SPP). To understand SPP, it's necessary to take a few steps back. Microsoft began its aggressive campaign against software piracy in Office XP and Windows XP with functionality called Office product activation (OPA) and Windows product activation (WPA). In July 2005, Microsoft unleashed Windows Genuine Advantage (WGA), which required users of Microsoft's Windows Update, Microsoft Update and Microsoft Download pages to install the first component of WGA, subsequently dubbed WGA Validation. One of the first pieces of software requiring a WGA check was Windows Defender. At that time, Microsoft began requiring that you either install WGA Validation or not use any of Microsoft's download sites. (It was still possible to get Microsoft's security patches through Windows XP's Automatic Updates without installing WGA Validation.) WGA Validation is a piece of code that runs in Windows and that determines all on its own whether the installed copy of Windows it's running in might have been pirated or improperly authorized. Earlier this year, Microsoft delivered the second component of WGA, called WGA Notifications. Its purpose is to inform the user that WGA Validation has found a problem with the installed copy of Windows.
It also tries to help the user find a solution, including asking for money to relicense Windows. WGA Notifications ran into a buzz saw of criticism when an early version of it reconnected with Microsoft servers in the background on a daily basis. Even more important, there was a wave of reported false positives. WGA Notifications is technically an optional install from Windows Update or Automatic Updates, but the manner in which you choose not to receive it is not intuitive for most users. WPA and WGA work together on Windows XP machines they're installed on. WGA is also capable of running solo on Windows 2000 computers.

Enter Windows Vista. Microsoft took the opportunity of a new Windows release to unify the processes of WPA, WGA Validation and WGA Notifications. Possibly because of the bad press WGA received over the summer, Vista's new antipiracy system is called Software Protection Platform. The most overt change in SPP is that Microsoft's antipiracy measures now have an enforcement action. Whereas WGA Notifications just nagged you, with little negative fallout other than the nagging itself, SPP carries a big stick. After numerous warnings and a grace period, SPP will automatically and without option force Windows Vista into what Microsoft terms "reduced functionality mode" (RFM).

How SPP works

Perhaps because many of the early reports about SPP and RFM were based on a series of whirlwind press briefings, an online FAQ, and later a white paper (download Word document), a lot of conflicting reports included different descriptions of how RFM works. We asked Microsoft to provide some clarity on SPP and RFM. Here are the company's answers, relayed by its public relations firm:

CW: What exactly is SPP's reduced functionality mode?

Microsoft: When a user enters RFM, the default Web browser will be started and the user will be presented with an option to purchase a new product key.
There is no start menu, no desktop icons, and the desktop background is changed to black. The Web browser will fully function and Internet connectivity will not be blocked. After one hour, the system will automatically log the user out. It will not shut down the machine, and the user can log back in.

CW: How long does RFM last?

Microsoft: RFM lasts until the user remedies the situation. In the event that a system is placed into RFM, there are several remedies available. First, the user can simply follow the prescribed activation process and options described above -- these include entering a new product key, obtaining a new product key or re-entering the original product key. For volume-licensing customers, the user can return to normal Windows operating mode by connecting to a key management service (KMS) to automatically renew the activation or obtain a multiple activation key (MAK). Finally, if the system is in RFM because of hardware changes, the user can restore the original hardware configuration. At any time in the process, a user can contact Microsoft support for additional help.

CW: Does RFM automatically log off users after a period of time?

Microsoft: In RFM, users are logged off of the Internet after one hour of usage.

CW: And does RFM let you log back in later?

Microsoft: Users will be able to immediately log back in.

CW: When does SPP's RFM begin? After 30 days?

Microsoft: A copy of Windows Vista can go into reduced functionality mode under two scenarios:

1. If any of the following events occurs (for each license type):

Retail License (or corporate user with a MAK):
* Failure to activate within the grace period (30 days after installation)
* Failure to renew activation within three days of a major hardware replacement

OEM License (or non-volume-license enterprise with OEM-sourced, preactivated Vista image):
* Failure to activate within three days of switch to a non-OEM motherboard

Enterprise License using KMS:
* Failure to activate with KMS within 30 days of installation
* Failure to renew activation with KMS within 210 days of previous activation
* Failure to renew activation with KMS within 30 days of hard drive replacement

2. A copy of Windows Vista may be required to reactivate for the following reasons, and failure to successfully reactivate during the 30-day grace period will cause the copy of Windows Vista to go into reduced functionality mode:
* The activation process has been determined to have been tampered with or worked around, or other tampering of license files is detected.
* A leaked, stolen or prohibited product key is detected that is blocked by Microsoft product activation servers.

Before being placed into RFM, users will always have a grace period to resolve the situation. During the grace period, reminders will pop up to inform them that they must activate within the specified time period or else they will lose Windows functionality. During the last three days of the grace period, the reminders are displayed with increasing frequency.

From rforno at infowarrior.org Thu Nov 16 09:29:35 2006 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 16 Nov 2006 09:29:35 -0500 Subject: [Infowarrior] - Some Americans Lack Food, but USDA Won't Call Them Hungry Message-ID: "Food security?" As opposed to ensuring an "Adequate Food Supply" because folks who lack an adequate supply might indeed be "hungry"? I guess you can't have a modern gov program unless it involves the word "security" in some fashion.
But if it gets more money for food as a result, I guess it's a good thing........rf

Some Americans Lack Food, but USDA Won't Call Them Hungry
By Elizabeth Williamson
Washington Post Staff Writer
Thursday, November 16, 2006; A01
http://www.washingtonpost.com/wp-dyn/content/article/2006/11/15/AR2006111501621_pf.html

The U.S. government has vowed that Americans will never be hungry again. But they may experience "very low food security." Every year, the Agriculture Department issues a report that measures Americans' access to food, and it has consistently used the word "hunger" to describe those who can least afford to put food on the table. But not this year. Mark Nord, the lead author of the report, said "hungry" is "not a scientifically accurate term for the specific phenomenon being measured in the food security survey." Nord, a USDA sociologist, said, "We don't have a measure of that condition." The USDA said that 12 percent of Americans -- 35 million people -- could not put food on the table at least part of last year. Eleven million of them reported going hungry at times. Beginning this year, the USDA has determined "very low food security" to be a more scientifically palatable description for that group.

< - >

In assembling its report, the USDA divides Americans into groups with "food security" and those with "food insecurity," who cannot always afford to keep food on the table. Under the old lexicon, that group -- 11 percent of American households last year -- was categorized into "food insecurity without hunger," meaning people who ate, though sometimes not well, and "food insecurity with hunger," for those who sometimes had no food. That last group now forms the category "very low food security," described as experiencing "multiple indications of disrupted eating patterns and reduced food intake." Slightly better-off people who aren't always sure where their next meal is coming from are labeled "low food security."
From rforno at infowarrior.org Thu Nov 16 18:26:41 2006 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 16 Nov 2006 18:26:41 -0500 Subject: [Infowarrior] - Apparently DOD hasn't heard of Expedia or Travelocity Message-ID:

It Sounded Like A Good Idea...
http://www.cbsnews.com/stories/2006/11/16/tech/printable2188041.shtml

WASHINGTON, Nov. 16, 2006 (AP) The Pentagon that gave taxpayers a $434 hammer and a $600 toilet seat cover now has a half-billion-dollar travel booking system that is bypassed by more than eight in 10 users. Senate investigators found the Pentagon's Web-based product - despite its high price tag - fails to find the cheapest airfares, offers an incomplete list of flights and hotels and won't recognize travel categories used by the National Guard and Reserves. The investigators found that Defense Department travelers are contacting professional travel agents to find their hotels, flights and rental cars, and then using the computer system to enter those choices. Once the system is activated at an installation, travelers must use it to make their reservations, the Pentagon said. The result: a half-hour booking process that, according to testimony before the Senate Permanent Subcommittee on Investigations, would take travel professionals only five minutes. The Defense Travel System was designed as the Pentagon's moneysaving version of an Internet travel site, where a traveler can make reservations without the need for fee-based travel agents. The contract for the travel system was awarded in 1998 to a company that is now part of Northrop Grumman Mission Systems. The subcommittee, in checks this year of 41 military installations and the Pentagon, found that 83 percent of travelers have been contacting professional travel agents before entering the information in the new system. Investigators said they checked 755,000 trips between January and September.
At the Pentagon, less than 20 percent of travelers used the Defense Travel System as intended, without the travel agents. Virtually no travelers used the system at Dugway Proving Grounds in Utah, and Fort Leavenworth, Kan., investigators found. Pentagon officials insist the new system is working well. "If my boss said I had to leave in a couple of hours, I could do that," said Marine Maj. Stewart Upton, a Pentagon spokesman. "The future is in Internet booking. The system is effective, it's efficient, it gives you options on airlines, rental car agencies and hotels. We're very impressed." Investigators and Congress' Government Accountability Office are now questioning the Pentagon estimates of how much it saved by replacing the old paper form system with the expensive computerized one. A senator plans legislation to force the Pentagon to use travel agents, saying military staff is wasting too much time using the cumbersome new system and therefore erasing any cost savings. Sen. Norm Coleman, R-Minn., chairman of the investigative panel, said the Pentagon's idea of eliminating travel agents "would be the same as directing all DoD personnel to speak Arabic in order to save money on translation services. "DoD is claiming the savings from reduced travel agent fees without considering the cost of having the troops do the work," Coleman said. For 2006, the Pentagon estimated savings at between $13.9 million and $33.4 million. After 2007, the savings would range between $56 million and $177 million annually, with recent estimates supporting the higher figure, the Pentagon said. But the cost of the Defense Travel System has skyrocketed. It grew from an initial estimate of $263 million to $474 million, bringing to mind some of the Pentagon's classic wasteful expenditures. Coleman said further efforts to save the computer system are a waste. "I am appalled that DoD did not pull the plug on the travel function" of the new system long before now, he said. 
©MMVI The Associated Press. All Rights Reserved. This material may not be published, broadcast, rewritten, or redistributed.

From rforno at infowarrior.org Thu Nov 16 19:40:14 2006 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 16 Nov 2006 19:40:14 -0500 Subject: [Infowarrior] - FW: [Politech] Refuse to show ID, get Tasered by angry cops with an attitude [priv] In-Reply-To: <455D01B6.8010304@well.com> Message-ID:

------ Forwarded Message
From: Declan McCullagh
Date: Thu, 16 Nov 2006 16:26:30 -0800

Based on preliminary reports, this is what seems to have happened on Tuesday evening: Mostafa Tabatabainejad, a UCLA student, was quietly studying in the campus library around 11:30pm. Campus police asked him for his ID, a usual procedure. Mostafa didn't have it with him and walked toward the exit. While en route, one of the police officers laid a hand on Mostafa (which may well be simple battery) and he reacted by saying "Get off of me." That's when he was hit with a blast from a Taser, which can render someone unable to walk for 5 to 15 minutes. But the cops, through malice or ignorance, kept demanding that Mostafa immediately stand up and walk to the door. He was screaming at this point and said he could not, at which point they Tased him again and again. The cops also threatened to Taser bystanders as well if they persisted in asking for badge numbers. This, too, is on videotape and is in fact a crime. (Think that cop will go to jail? Right.)
The video is here:
http://www.youtube.com/watch?v=W3CdNgoC0cE

Articles on this incident:
http://dailybruin.com/news/articles.asp?id=38958
http://dailybruin.com/news/articles.asp?id=38960
http://www.latimes.com/news/printedition/california/la-me-cellcamera16nov16,1,2951795.story
http://cbs2.com/local/local_story_319101652.html

Other amateur video that seems to show LAPD brutality:
http://commentisfree.guardian.co.uk/dan_glaister/2006/11/candid_cameras.html
http://www.latimes.com/news/local/la-me-cellcamera16nov16,0,4794591.story

Response from civil liberty groups (courtesy of Marc Rotenberg):
http://www.acsblog.org/
http://theamericanmuslim.org/tam.php/features/articles/call_for_probe_of_ucla_muslim_student_taser_incident/0011752

Background on police use of tasers, which has resulted in deaths:
http://web.amnesty.org/library/index/ENGAMR511392004
http://web.amnesty.org/library/index/engamr510302006

Excerpt: "They have been used against unruly schoolchildren... and people who argue with police or fail to comply immediately with a command. Cases described in this report include the stunning of a 15-year-old schoolgirl in Florida, following a dispute on a bus, and a 13- year-old girl in Arizona, who threw a book in a public library."

-Declan
_______________________________________________
Politech mailing list
Archived at http://www.politechbot.com/
Moderated by Declan McCullagh (http://www.mccullagh.org/)

From rforno at infowarrior.org Fri Nov 17 09:34:10 2006 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 17 Nov 2006 09:34:10 -0500 Subject: [Infowarrior] - New British passport 'security' cracked in 48 hours Message-ID:

Three million Britons have been issued with the new hi-tech passport, designed to frustrate terrorists and fraudsters. So why did Steve Boggan and a friendly computer expert find it so easy to break the security codes?
Friday November 17, 2006 The Guardian http://www.guardian.co.uk/idcards/story/0,,1950226,00.html Six months ago, with the help of a rather scary computer expert, I deconstructed the life of an airline passenger simply by using information garnered from a boarding-pass stub he had thrown into a dustbin on the Heathrow Express. By using his British Airways frequent-flyer number and buying a ticket in his name on the airline's website, we were able to access his personal data, passport number, date of birth and nationality. Based on this information, using publicly available databases, we found out where he lived, his profession, all his academic qualifications and even how much his house was worth. It would have been only a short hop to stealing his identity, committing fraud in his name and generally ruining his life. Great news then, we thought, that the UK had just begun to issue new, ultra-secure passports, incorporating tiny microchips to store the holder's details and a digital description of their physical features (known in the jargon as biometrics). These, the argument went, would make identity theft much more difficult and pave the way for the government's proposed ID cards in 2008 or 2009. Today, some three million such passports have been issued, and they don't look so secure. I am sitting with my scary computer man and we have just sucked out all the supposedly secure data and biometric information from three new passports and displayed it all on a laptop computer. The UK Identity and Passport Service website says the new documents are protected by "an advanced digital encryption technique". So how come we have the information? What could criminals or terrorists do with it? And what could it mean for the passports and the ID cards that are meant to follow? 
First it is necessary to explain why the new passports were introduced, and how they work. After the 9/11 attack on the World Trade Centre, in which fake passports were used, the US decided it wanted foreign citizens who presented themselves at its borders to have more secure "machine-readable" identity documents. It told 27 countries that participated in a visa waiver programme that citizens with passports issued after the 26th of last month must have micro-chipped biometric passports or would have to apply for a US visa. Among those 27 countries are the major EU members, and other friendly nations ranging from Andorra and Iceland to Singapore, Japan and Brunei. The UK, of course, is also included. Standards for the new passports were set by the International Civil Aviation Organisation (ICAO) in 2003 and adopted by the waiver countries and the US. The ICAO recommended that passports should contain facial biometrics, though countries could introduce fingerprints at a later date. All these would be stored on a Radio Frequency Identification (RFID) microchip, which can be accessed from a short distance using radio waves. Similar chips are commonly found in retail, where they are used for stock control. Fatally, however, the ICAO suggested that the key needed to access the data on the chips should be comprised of, in the following order, the passport number, the holder's date of birth and the passport expiry date, all of which are contained on the printed page of the passport on a "machine readable zone." When an immigration official swipes the passport through a reader, this feeds in the key, which allows a microchip reader to communicate with the RFID chip. The data this contains, including the holder's picture, is then displayed on the official's screen. The assumption at this stage is that this document is as authentic as it is super-secure. And, as we shall see later, this could be highly significant.
Once the passports began to be issued in the UK in March, we began laying the foundations for examining them. Phil Booth, national coordinator of the campaign group NO2ID, suggested to his members that they apply for a new passport. Anyone who gets one before ID cards are rolled out will not have to register for a card until their passports expire in 10 years' time, and this appealed to Booth. At the same time, Adam Laurie, my computer expert and technical director of the Bunker Secure Hosting, a Kent-based computer security company, and I began laying plans to examine the new passports. Laurie is actually not a scary individual - he is regarded in the industry as a technical wizard who cares about privacy and civil rights - but much of the electronic information he uncovers is. Two years ago, he revealed that Bluetooth mobile phones could be accessed remotely, drained of their contact details, diary entries and pictures, and manipulated to act as bugging devices. The cellphone industry spent millions of pounds plugging the gaps he exposed. By last month, Booth, Laurie and I each had access to a new biometric chipped passport and were ready to begin testing them. Laurie's first port of call was the ICAO's website, where the organisation had published specifications for the new travel documents. This is where he learned that the key to opening up the secure chip was contained in the passports themselves - passport number, date of birth and expiry date. "I was amazed that they made it so easy," Laurie says. "The information contained in the chip is not encrypted, but to access it you have to start up an encrypted conversation between the reader and the RFID chip in the passport. "The reader - I bought one for £250 - has to say hello to the chip and tell it that it is authorised to make contact. The key to that is in the date of birth, etc. Once they communicate, the conversation is encrypted, but I wrote some software in about 48 hours that made sense of it.
"The Home Office has adopted a very high encryption technology called 3DES - that is, to a military-level data-encryption standard times three. So they are using strong cryptography to prevent conversations between the passport and the reader being eavesdropped, but they are then breaking one of the fundamental principles of encryption by using non-secret information actually published in the passport to create a 'secret key'. That is the equivalent of installing a solid steel front door to your house and then putting the key under the mat." Within minutes of applying the three passports to the reader, the information from all of them has been copied and the holders' images appear on the screen of Laurie's laptop. The passports belong to Booth, and to Laurie's son, Max, and my partner, who have all given their permission. Booth is staggered. He has undercut Laurie by finding an RFID reader for £174, which also works. "This is simply not supposed to happen," Booth says. "This could provide a bonanza for counterfeiters because drawing the information from the chip, complete with the digital signature it contains, could result in a passport being passed off as the real article. You could make a perfect clone of the passport." But could you - and what use would my passport be to you? A security feature of the chip ensures that information cannot be added or altered, so you couldn't put your picture on my chip. So is our attack really so impressive? The Home Office thinks not. It correctly points out that the information sucked out of the chip is only the same as that which appears on the page, readable with the human eye. And to obtain the key in the first place, you would need to have access to the passport to read (with the naked eye) its number, expiry date and the date of birth of its holder. "This doesn't matter," says a Home Office spokesman. "By the time you have accessed the information on the chip, you have already seen it on the passport.
What use would my biometric image be to you? And even if you had the information, you would still have to counterfeit the new passport - and it has lots of new security features. If you were a criminal, you might as well just steal a passport." However, some computer experts believe the Home Office is being dangerously naive. Several months ago, Lukas Grunwald, founder of DN-Systems Enterprise Solutions in Germany, conducted a similar attack to ours on a German biometric passport and succeeded in cloning its RFID chip. He believes unscrupulous criminals or terrorists would find this technology very useful. "If you can read the chip, then you can clone it," he says. "You could use this to clone a passport that would exploit the system to illegally enter another country." (We did not clone any of our passport chips on the assumption that to do so would be illegal.) Grunwald adds: "The problems could get worse when they put fingerprint biometrics on to the passports. There are established ways of making forged fingerprints. In the future, the authorities would like to have automated border controls, and such forged fingerprints [stuck on to fingers] would probably fool them." But what about facial recognition systems (your biometric passport contains precise measurements of key points on your face and head)? "Yes," says Grunwald, "but they are not yet in operation at airports and the technology throws up between 20 and 25% false negatives or false positives. It isn't reliable." Neither is the human eye, according to research conducted by a team of psychologists from the University of Westminster in 1996. Remember, information - such as a new picture - cannot be added to a cloned chip, so anyone using it to make a counterfeit passport would have to use one that bore a reasonable resemblance to themselves. 
But during Westminster University's study, which examined whether putting people's images on credit cards might reduce fraud, supermarket staff drafted in for tests had great difficulty matching faces to pictures. The conclusion was that pictures would not improve security and they were never introduced on credit cards. This means that each time you hand over your passport at, say, a hotel reception or car-rental office abroad to be "photocopied", it could be cloned with equipment like ours. This could have been done with an old passport, but since the new biometric passports are supposed to be secure they are more likely to be accepted without question at borders. Given the results of the Westminster study, if a terrorist bore a slight resemblance to you - and grew a beard, perhaps - he would have a good chance of getting through a border. Because his chip is cloned, with the necessary digital signatures, and because you have not reported your passport stolen - you still have it! - his machine-readable travel document will get him wherever he wants to go, using your identity. What about the technical difficulties? The government claims the new biometric passport chips can be read over a distance of just 2cm, but researchers all over the world claim to have read them from further. The physics governing those in British passports says they could be read over a metre, but no one has yet done that. A Dutch team claims to have contacted chips at 30cm. Laurie has, however, rigged up a piece of equipment that can connect to a passport over 7.5cm. That isn't as far as the Dutch 30cm, but it is enough if your target subject is sitting next to you on the London Underground or crushed up against you on the Gatwick Airport monorail, his pocketed passport next to the reader you have hidden in a bag. It takes around four seconds to suck out the information with a reader; then it can be relayed and unscrambled by an accomplice with a laptop up to 1km away. 
With a Heath Robinson device we built on Tuesday using a Bluetooth antenna connected to an RFID reader, Laurie relayed details of his son's passport over a distance of 10 metres and through two walls to a laptop. Ah, the Home Office will say, but you still need to see the information in the passport that will form the key needed for connection. Well, not necessarily. Consider this scenario: A postman involved with organised crime knows he has a passport to deliver to your home. He already knows your name and address from the envelope. He can get your date of birth by several means, including credit-reference agencies or from the register of births, marriages and deaths (and, let's face it, he delivers all your birthday cards anyway). He knows the expiry date - 10 years from yesterday, give or take a day, when the passport was mailed to you. That leaves the nine-digit passport number. NO2ID says reports from its 30,000 members up and down the country are throwing up a number of similarities in the first four digits of the passport number, so that reduces the number of permutations, potentially leaving five purely random numbers to establish. "If the rogue postman were to take your passport home, without opening the envelope he could put it against a reader and begin a 'brute force' attack in which your computer tries 12 different permutations every second until it has the right access codes," says Laurie. "A five-digit number would take 23 hours to crack at the most. Once all those numbers were established, you could communicate with the RFID chip and steal all the information. And your passport could be delivered to you, unopened and just a day late." But is this really credible? Would criminals or terrorists really go to such lengths? Ross Anderson, professor of security engineering at the University of Cambridge computer laboratory, believes they would. 
"The point is that once you have extracted the data from the chip you can have a forged passport that contains not just forged physical stuff," he says. "You also have the digital bit-stream so the digital signature of the passport checks out. That makes it possible to travel through borders with it. "What concerns me is that this demonstrates bad design on the part of the Home Office, and we know that government IT projects have a habit of going terribly wrong. There is a lack of security in what we can see - so what about the 90% of the iceberg in the system that we can't see? "There isn't even a defence against the brute-force attack. In much the same way as you are only allowed three attempts to feed in your PIN number at an ATM, the passport chip could have been made to stop allowing repeated incorrect attempts to contact it. As things stand, a computer can keep trying until it gets the numbers right. To say this doesn't matter displays a cavalier lack of concern." The problems we have identified with RFID chips in passports raise all sorts of questions about the UK's proposed ID card scheme, which will use the same technology. The government has not said exactly what will be contained in the ID card's chip, but there will be a National Identity Register that could contain around 50 pieces of information about you, ranging from your name, age, and all your addresses, to your national insurance number and biometric details. Eventually, you may need one to access healthcare. It could even replace the passport. Already, then, criminals and terrorists will have identified just how useful cloned ID cards might be. It would be folly to think their best minds are not on the case. The Home Office insists that UK passports are secure and among the best in the world, but not everyone agrees. 
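The key derivation the article describes, as an added example (not code from the article, from Laurie, or from any passport tool): it builds the Basic Access Control key seed from the three machine-readable-zone fields in the order ICAO Doc 9303 specifies (document number, date of birth, expiry, each followed by its 7-3-1 check digit), derives the two-key 3DES encryption and MAC keys from that seed, and enumerates the candidate keys an attacker in the postman scenario would have to try when all but the trailing digits of the document number are known. The document number, date of birth and expiry used in the usage call are the ones I recall from ICAO's published worked example; the 12-attempts-per-second rate is Laurie's figure from the article, and the assumption that only the trailing digits are unknown follows the NO2ID observation about repeated leading digits. Both are assumptions of this example, not measurements.

```python
"""ICAO 9303 Basic Access Control key derivation and the keyspace an attacker
searches when most of the MRZ is already known. Added example; not the
article's code. The test vector and attack rate are assumptions noted in
the lead-in."""
import hashlib
from itertools import product


def _mrz_value(ch: str) -> int:
    """Character values used by the MRZ check digit: 0-9, A-Z = 10-35, '<' = 0."""
    if ch.isdigit():
        return int(ch)
    if "A" <= ch <= "Z":
        return ord(ch) - ord("A") + 10
    if ch == "<":
        return 0
    raise ValueError(f"invalid MRZ character {ch!r}")


def mrz_check_digit(field: str) -> int:
    """ICAO 9303 check digit: weights 7, 3, 1 repeating, sum modulo 10."""
    weights = (7, 3, 1)
    return sum(_mrz_value(c) * weights[i % 3] for i, c in enumerate(field)) % 10


def mrz_information(doc_number: str, dob: str, expiry: str) -> str:
    """The 24-character string the BAC key seed is hashed from.

    doc_number is padded to 9 characters with '<'; dob and expiry are YYMMDD.
    Every one of these characters is printed on the passport's data page."""
    doc = doc_number.ljust(9, "<")
    return (f"{doc}{mrz_check_digit(doc)}"
            f"{dob}{mrz_check_digit(dob)}"
            f"{expiry}{mrz_check_digit(expiry)}")


def _odd_parity(key: bytes) -> bytes:
    """Set the low bit of each byte so the byte has odd parity (DES key convention)."""
    out = bytearray()
    for b in key:
        high = b & 0xFE
        ones = bin(high).count("1")
        out.append(high | (0 if ones % 2 else 1))
    return bytes(out)


def derive_key(k_seed: bytes, counter: int) -> bytes:
    """9303 key derivation: SHA-1(Kseed || 32-bit counter), first 16 bytes, parity-adjusted.
    counter 1 gives Kenc, counter 2 gives Kmac."""
    h = hashlib.sha1(k_seed + counter.to_bytes(4, "big")).digest()
    return _odd_parity(h[:8]) + _odd_parity(h[8:16])


def bac_keys(doc_number: str, dob: str, expiry: str) -> tuple[bytes, bytes, bytes]:
    """Return (Kseed, Kenc, Kmac) for the given MRZ fields."""
    info = mrz_information(doc_number, dob, expiry).encode("ascii")
    k_seed = hashlib.sha1(info).digest()[:16]
    return k_seed, derive_key(k_seed, 1), derive_key(k_seed, 2)


def candidate_keys(doc_prefix: str, unknown_digits: int, dob: str, expiry: str):
    """Yield (doc_number, Kenc) for every document number the attacker must try
    when only the last `unknown_digits` digits are unknown (assumption: the
    unknown digits are the trailing ones, as in the postman scenario)."""
    for digits in product("0123456789", repeat=unknown_digits):
        doc = doc_prefix + "".join(digits)
        yield doc, bac_keys(doc, dob, expiry)[1]


def brute_force_seconds(unknown_digits: int, attempts_per_second: float = 12.0) -> float:
    """Worst-case time to try every candidate at the quoted attempt rate."""
    return 10 ** unknown_digits / attempts_per_second


if __name__ == "__main__":
    # Assumed test vector (ICAO worked example as I recall it), not a real passport.
    seed, enc, mac = bac_keys("L898902C", "690806", "940623")
    print("MRZ_information:", mrz_information("L898902C", "690806", "940623"))
    print("Kseed:", seed.hex().upper())
    print("Kenc: ", enc.hex().upper())
    print("Kmac: ", mac.hex().upper())
    print("5 unknown digits at 12/s:", brute_force_seconds(5) / 3600, "hours")
```

Nothing in `bac_keys` consumes a secret: the seed is a hash of printed data, so anyone who can read or guess the MRZ derives the same Kenc and Kmac the inspection system uses. `candidate_keys` makes the reduced search concrete; `brute_force_seconds` returns the worst-case wall time for that search at the rate quoted in the article, and is the number to compare against the chip's total absence of a retry limit that Anderson points out.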
Last week, an EU-funded body entitled the Future of Identity in the Information Society (Fidis) issued a declaration on machine-readable travel documents such as RFID-chipped passports and ID cards. It said the technology was "poorly conceived" and added: "European governments have effectively forced citizens to adopt new ... documents which dramatically decrease their security and privacy and increase risk of identity theft." The government is now facing demands from the Liberal Democrats and anti-ID card groups for a recall of the passports so that simple devices such as foil covers can be installed - at enormous cost. Such covers would at least stop chips being scanned remotely, though they wouldn't prevent an unscrupulous hotel receptionist from opening the passport and sucking out its contents the way we did. It may be that at some point in the future the government will accept that putting RFID chips in to passports is ill-conceived and unnecessary. Until then, the only people likely to embrace this kind of technology are those with mischief in mind.

From rforno at infowarrior.org Fri Nov 17 19:46:57 2006 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 17 Nov 2006 19:46:57 -0500 Subject: [Infowarrior] - Judge won't halt AT&T wiretapping lawsuit Message-ID:

Judge won't halt AT&T wiretapping lawsuit
By Declan McCullagh
http://news.com.com/Judge+wont+halt+ATT+wiretapping+lawsuit/2100-1036_3-6136841.html
Story last modified Fri Nov 17 15:51:53 PST 2006

SAN FRANCISCO--A federal district judge on Friday rejected the Bush administration's request to halt a lawsuit that alleges AT&T unlawfully cooperated with a broad and unconstitutional government surveillance program. U.S. District Judge Vaughn Walker said the lawsuit could continue while a portion of it was being appealed, despite the U.S. Justice Department's arguments that further hearings and other proceedings would consequently endanger national security.
"I do think these are matters we can proceed on," Walker said toward the end of the status conference here, which began at 11 a.m. PST and was attended by around 50 attorneys from the government, nonprofit groups, class action law firms and major telecommunications companies. Friday's ruling represents another preliminary victory for the Electronic Frontier Foundation, which filed its lawsuit against AT&T in January. In its suit, the EFF charged that AT&T has opened its telecommunications facilities up to the National Security Agency and continues "to assist the government in its secret surveillance of millions of ordinary Americans." The ruling is also a win for attorneys in 47 other cases against numerous large telecommunications providers. The cases are in the process of being consolidated into one mammoth lawsuit in the northern district of California. Last week, the Justice Department filed a 27-page request saying at the least, the court should halt the AT&T case because any proceeding would "indirectly confirm or deny classified facts and cause harm to the national security." In July, Walker rejected the Justice Department's attempt to have the suit against AT&T dismissed. That prompted federal prosecutors to appeal to the 9th Circuit a few days later. Along with AT&T, Verizon Communications, BellSouth and Comcast, they urged Walker to delay the case in front of him until the appeals courts reached a decision, which could take years, if it goes to the U.S. Supreme Court. The "entire process is fraught with risk," a Justice Department attorney said Friday. Bruce Ericson, an attorney for AT&T at Pillsbury Winthrop Shaw Pittman, said that more proceedings would be useless because all his client could put in "a public answer" would be "a general denial." Copyright ©1995-2006 CNET Networks, Inc. All rights reserved.
From rforno at infowarrior.org Fri Nov 17 19:54:31 2006 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 17 Nov 2006 19:54:31 -0500 Subject: [Infowarrior] - Universal Music sues MySpace over music copyrights Message-ID:

AKA, "how to lose customers but gain publicity...."

Universal Music sues MySpace over music copyrights Fri Nov 17, 2006 4:45 PM ET http://tinyurl.com/yyf85a NEW YORK (Reuters) - Universal Music Group, the world's largest music company, said on Friday it filed a lawsuit against popular social networking site MySpace for copyright infringement of thousands of its artists' works. Universal, owned by French media giant Vivendi, filed the suit at the U.S. District Court Central District of California, Western Division. The suit was filed just hours after MySpace, owned by News Corp., said it launched an enhanced copyright protection tool to make it easier for content owners to remove unauthorized material. In the suit, Universal claims MySpace had not only allowed users to upload videos illegally but had also taken part in the infringement by re-formatting the videos for users to play back and to send on to others. The suit claims thousands of links to music from Universal's biggest artists, including Jay-Z and Gwen Stefani, are widely available on MySpace, even ahead of their release to music stores. It estimated maximum statutory damages for each copyrighted work at $150,000. Music and TV companies have been in dispute with sites like MySpace and YouTube in the last year because of the ease with which their millions of users can upload and share songs and videos without having to pay. In the case of YouTube, now owned by Google Inc., Universal Music reached a licensing agreement to give the site and its users access to thousands of music videos. © Reuters 2006. All rights reserved.
Republication or redistribution of Reuters content, including by caching, framing or similar means, is expressly prohibited

From rforno at infowarrior.org Fri Nov 17 23:03:19 2006 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 17 Nov 2006 23:03:19 -0500 Subject: [Infowarrior] - 5th Annual Chinese Internet Research conference Message-ID:

The 5th Annual Chinese Internet Research conference will be held at the Annenberg Presidential Conference Center at Texas A&M University from May 21-22, 2007. The conference website is at http://international.tamu.edu/ipa/projects/conference.asp

Conference Description: Many have seen within the Internet and related digital media the potential for the widespread transformation of political control and participation, or the foundations for new grassroots movements, or even more simply, a tremendously large market for telecommunication and digital media services. As the Internet and related technologies have grown exponentially in the last several years, this interest has not been limited just to Chinese, but has been equally important in many other nations, either those that hope to facilitate rapid political evolution, or simply to provide markets for national telecommunications infrastructure providers. There are several important facets to China's relationship with information technologies, including governmental priorities and policies, a fear of political and social instability, the creation of a high tech industry, an education infrastructure to support that industry, and the social and political issues that accompany high tech innovation. In addition, the social consequences of information technologies, through phenomena such as online dating, gambling, and interactive games have been the subject of innumerable press reports, raising the suspicions of political leaders, educators, and community leaders, as well as countless numbers of parents.
Previous academic analysis of the Internet in China has focused primarily on governmental control of the internet and the use of the Net by dissident movements and actors. However, as the Internet and related technologies are becoming more fully integrated into a wide spectrum of social life, there is a need for a fresh look at digital media in China. Thus, the theme of the Fifth Annual Chinese Internet Conference is "New perspectives on the Internet in China." Participants will seek to move beyond the simplistic portrayals, as well as the "cyberutopianism" of much of the early research. We will reassess first-generation analyses and develop more subtle, grounded theory and empirical research examining the wide range of issues associated with digital media in China. We invite participation from diverse voices, including both younger and senior scholars from Mainland China, Taiwan, and Hong Kong, so as to understand the role of digital media in China in a more realistic perspective. Potential paper topics include a wide variety of issues that examine the role and use of the internet in the Greater Chinese cultural area, including Mainland China, Hong Kong, Taiwan, and the overseas Chinese diaspora.
Some potential areas might include:

* Rethinking China and the Internet
* Bridging the political divide: the Internet and Cross-Straits Relations
* "Internet pollution" and social impacts
* "Let a billion voices bloom" - e-government, e-democracy
* The impact of wireless technologies and the "mobile Internet"
* The Internet in Chinese International Relations
* Digital media and social identity
* The Chinese diaspora and the Internet
* China and global Internet governance (ICANN, WSIS etc)
* China's role in Asia's Digital Future
* Information and Communications Technology for development (ICT4D) in China

Submissions: We invite individuals to submit papers that are relevant to the conference themes, and relate to Internet use, policy, and impacts in China, Taiwan, Hong Kong, or elsewhere in the Chinese cultural world. Abstracts should be at least 1500 words in length and references must be in APA style. Abstracts may be in English or Chinese. All abstracts received will be peer reviewed and selected on the basis of quality of submission and relevance to the conference themes. Submissions must be sent via email to Carmen Suen at csuen at ipomail.tamu.edu by February 15, 2007. Authors will be notified of acceptance by March 15, 2007. After acceptance, full and complete papers, written in English, must be submitted by May 1, 2007. Selected papers from the conference may be published in an edited volume or a special symposium issue of an academic journal. Participation in the conference will neither guarantee nor compel publication of a paper. In order to be considered for publication, the full paper must be received by the conference organizers before May 1, 2007. For more information, contact Carmen Suen at csuen at ipomail.tamu.edu, or see the conference webpage at http://international.tamu.edu/ipa/projects/conference.asp

Randy Kluver, Ph.D.
Director, Institute for Pacific Asia
Texas A&M University
204 Coke
3371 TAMU
College Station, TX 77843-3371
Phone: (979) 845-3099
Fax: (979) 845-3085
http://international.tamu.edu/ipa/

From rforno at infowarrior.org Sat Nov 18 09:39:56 2006 From: rforno at infowarrior.org (Richard Forno) Date: Sat, 18 Nov 2006 09:39:56 -0500 Subject: [Infowarrior] - Texas Law Review Paper on constitutionality of RIAA damages in file-sharing Message-ID:

Abstract: The recent copyright-infringement lawsuits targeting individual file-sharers have in common the following facts: a statutory damage award with a substantial punitive component, a large number of like-kind violations, and fairly low reprehensibility as assessed under the relevant Supreme Court test. The substantive due process principles laid out by the Court in BMW v. Gore provide a roadmap for evaluating whether the aggregated punitive effect of these awards has become unconstitutionally excessive. In this paper, I argue that there is a constitutional right to not have a highly punitive statutory damage award stacked hundreds or thousands of times over for similar, low-reprehensibility misconduct. I point to the rationale behind criminal law's single-larceny doctrine, identify the concept of wholly proportionate reprehensibility, and use this to explain why the massive aggregation of statutory damage awards can violate substantive due process. I conclude that massively aggregated awards of even the minimum statutory damages for illegal file-sharing will impose huge penalties and can be constitutionally infirm like the punitive damage award of Gore itself. Yet practical and institutional reasons will likely make this norm underenforced by the courts, pointing to Congress as the actor that should modify copyright law to remove the possibility of grossly excessive punishment.
link: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=660601

From rforno at infowarrior.org Sun Nov 19 01:03:42 2006 From: rforno at infowarrior.org (Richard Forno) Date: Sun, 19 Nov 2006 01:03:42 -0500 Subject: [Infowarrior] - New Google Service Will Manipulate Caller-ID Message-ID:

New Google Service Will Manipulate Caller-ID http://lauren.vortex.com/archive/000200.html Greetings. Google has made available a new "Click-to-Call" service that will automatically connect users to business phone listings found via Google search results. In order for this feature to function, the user must provide their telephone number so that Google can bridge the free call between the business and the user (including long distance calls). An obvious issue with such a service is that there is no reasonable way to validate the user phone number that is provided. Google says that they have mechanisms in place to try to avoid repeated prank calls, but the potential for abuse is obvious. Of even greater concern is that Google says that it will manipulate the caller-ID on the calls made to the user-provided number, to match that of the business being called. This is extremely problematic, since it could be used to try to convince a prank target that they were being called directly by the business in question, and so cause that target to direct their anger at the innocent business. In the case of targets who are on do-not-call lists, it is possible to imagine legal action being taken by callers upset that the business in question called them "illegally," though in fact the call had been made by the Google system. Google's explanation for this caller-ID manipulation is that it would be handy to have the called business number in your caller-ID for future calls. That may be true, but the abuse potential is way too high. Caller-ID should never be falsified.
I've written many times about how caller-ID can be manipulated to display false or misleading information, why this should be prevented, and how the telcos have shown little interest in fixing caller-ID or informing their customers about the problem (caller-ID is a cash cow for the telcos whether it is accurate or not). Up to now, the typical available avenue for manipulating caller-ID has been pay services that tended to limit the potential for large-scale abuse since users are charged for access. Google, by providing a free service that will place calls and manipulate caller-ID, vastly increases the scope of the problem. Scale matters. Google has not vetted this caller-ID feature sufficiently, and I urge its immediate reconsideration.

From rforno at infowarrior.org Sun Nov 19 18:29:02 2006 From: rforno at infowarrior.org (Richard Forno) Date: Sun, 19 Nov 2006 18:29:02 -0500 Subject: [Infowarrior] - San Francisco airport officials cheated on security testing Message-ID:

San Francisco airport officials cheated on security testing By Michael Hampton Posted: November 19, 2006 3:57 pm http://www.homelandstupidity.us/2006/11/19/san-francisco-airport-officials-cheated-on-security-testing/ Transportation Security Administration officials, along with officials of the contractor which performs passenger screening at San Francisco International Airport, compromised covert security testing by warning checkpoint screeners when a test was about to take place, a government audit found. A report (PDF) by the Homeland Security Office of Inspector General dated October 26 and released Thursday said that TSA workers acting in collusion with employees of Covenant Aviation Security compromised "covert security testing between August 2003 and May 2004 by tracking testers throughout the airport via surveillance cameras and on foot" and then notifying checkpoint screeners when a tester was about to approach the checkpoint.
The report confirms allegations of a CAS employee who said he was fired in 2004 after refusing to participate in the scheme and notifying TSA management. That whistleblower, Gene Bencomo, filed a wrongful termination lawsuit in February 2005. "TSA and the contractor issued directives in May 2004 to stop all activity that could compromise the integrity of covert security testing," the report said. "TSA management at SFO issued another protocol in January 2005 that prohibits any notification to screening checkpoints that covert testing is being conducted." I guess that was good enough. The TSA asked the inspector general's office to investigate after it received the whistle-blower's letter. TSA spokesman Nico Melendez said the agency disciplined some employees but considers the matter closed. . . . The TSA last month awarded Covenant a four-year contract worth more than $300 million to continue screening at the airport. "We have confidence in their ability to do their job and think they are doing a good job," Melendez said. - Associated Press "How is the public expected to have any confidence in the screening systems when managers game the system?" said Rep. Bennie Thompson (D-Miss.), ranking member of the House Homeland Security Committee.

From rforno at infowarrior.org Sun Nov 19 18:30:49 2006 From: rforno at infowarrior.org (Richard Forno) Date: Sun, 19 Nov 2006 18:30:49 -0500 Subject: [Infowarrior] - A New Low For "Breaking News?"
Message-ID:

Here's a sampling of five hours of "breaking news" coverage, beginning with a "bulletin" at 10:20am: http://tinyurl.com/yck6bm

From rforno at infowarrior.org Sun Nov 19 21:19:21 2006 From: rforno at infowarrior.org (Richard Forno) Date: Sun, 19 Nov 2006 21:19:21 -0500 Subject: [Infowarrior] - New Copyright Laws Risk Criminalising Everyday Australians Message-ID:

New Copyright Laws Risk Criminalising Everyday Australians PDF http://www.iia.net.au/index.php?option=com_content&task=view&id=517&Itemid=32 INTERNET INDUSTRY ASSOCIATION NEWS RELEASE For Immediate Release Wednesday, 8 November 2006 New Copyright Laws Risk Criminalising Everyday Australians The Internet Industry Association today warned that changes to Australia's copyright laws being rushed through Parliament risked making criminals out of everyday Australians. The IIA which represents a broad range of internet businesses in Australia, in conjunction with the QUT Law Faculty Intellectual Property Research Program, has identified a number of scenarios which could trip up Australians in their everyday use of copyrighted materials. Said IIA chief executive, Peter Coroneos: "We can't be sure if this is the government's intent, or whether there has been a terrible oversight in the drafting of this Bill. Either way, the consequences for the average Australian family could be devastating." "As an example," said Mr Coroneos, "a family who holds a birthday picnic in a place of public entertainment (for example, the grounds of a zoo) and sings 'Happy Birthday' in a manner that can be heard by others, risks an infringement notice carrying a fine of up to $1320. If they make a video recording of the event, they risk a further fine for the possession of a device for the purpose of making an infringing copy of a song. And if they go home and upload the clip to the internet where it can be accessed by others, they risk a further fine of up to $1320 for illegal distribution.
All in all, possible fines of up to $3960 for this series of acts - and the new offences do not require knowledge or improper intent. Just the doing of the acts is enough to ground a legal liability under the new 'strict liability' offences." The IIA will next week release a series of "risk matrices" showing how Australians could inadvertently risk heavy fines and even jail under the new copyright regime. On Monday, the IIA will release a risk matrix showing how teenagers from the age of 14 years will risk crippling fines and damage to their employment prospects by engaging in activities which many would today regard as commonplace. On Tuesday, the IIA will release a risk matrix which will exemplify how an average Australian family could sustain massive fines as a consequence of the operation of these laws. On Wednesday, the IIA will show how a small business could inadvertently expose itself to substantial penalties by engaging in activities that to date have not attracted criminal penalties. On Thursday, the IIA will demonstrate the risks to ISPs and the emerging digital economy in Australia and how the new laws will disadvantage us when compared to other "technology friendly" nations. "We have gone over and over our legal analysis, with the assistance of legal academics and regulatory experts. Not only can we see no justification for the severity of the penalties, but the complexity of the new laws will make it extremely difficult for everyday Australians to avoid a potential liability - and when the level of penalties which attach to the new offences is understood, the scenarios are pretty terrifying," Mr Coroneos said. Professor Brian Fitzgerald, head of the School of Law at QUT added his concern: "We assume the new broad ranging laws will be enforced. If the Government intends that they are not, then we'd be wanting to know why the provisions have not been more carefully drafted to target commercial scale piracy rather than Australian families."
"The fact that the Government is intent on pushing these amendments through so fast is very disturbing. The Bill passed the House of Representatives last week and is due to become law in mid December, with commencement on 1 January 2007," Professor Fitzgerald said. Mr Coroneos underlined the IIA's position: "We fully understand the need to protect copyright - our submission to the Senate Committee begins with that proposition. The internet needs content and content creators need incentives to create. But these amendments are overkill and risk delivering a host of unintended consequences at a time when no other country in the world has criminal sanctions for non commercial scale infringements." "The US Free Trade Agreement does not require Australia to go down this path, and neither US nor European law contain such far reaching measures. We are at a total loss to understand how this policy has developed, who is behind it and why there is such haste in enacting it into law - with little if any public debate." Ends.

For further comment, please contact:
Peter Coroneos
Chief Executive
Internet Industry Association (IIA)
PO Box 3986
MANUKA ACT AUSTRALIA 2603
Phone: +61 2 6232 6900
Fax: +61 2 6232 6513
www.iia.net.au

The Internet Industry Association is Australia's national Internet industry organisation. Members include telecommunications carriers; content creators and publishers; web developers; e-commerce traders and solutions providers; hardware vendors; systems integrators; insurance underwriters; Internet law firms, ISPs; educational and training institutions; Internet research analysts; and a range of other businesses providing professional and technical support services. On behalf of its members, the IIA provides policy input to government and advocacy on a range of business and regulatory issues, to promote laws and initiatives which enhance access, equity, reliability and growth of the medium within Australia.
From rforno at infowarrior.org Sun Nov 19 21:28:28 2006 From: rforno at infowarrior.org (Richard Forno) Date: Sun, 19 Nov 2006 21:28:28 -0500 Subject: [Infowarrior] - Web censorship law may come out of hibernation Message-ID: Web censorship law may come out of hibernation November 19, 2006 11:59 AM PST http://news.com.com/2061-10796_3-6137051.html?tag=nefd.top In 1998, the U.S. Congress enacted a sweeping Web censorship law that nearly everyone promptly forgot about. Why? The explanation is simple: The American Civil Liberties Union immediately filed a lawsuit to block the U.S. Justice Department, and a federal judge granted an injunction barring prosecutors from enforcing the law. That injunction has been in place ever since. But now that could change. On Monday, U.S. District Judge Lowell A. Reed, Jr. in Philadelphia will hear closing arguments in the Child Online Protection Act case, and a ruling is expected by early 2007. It's unlikely that Reed will lift the injunction, but it is possible. The case has already gone up to the U.S. Supreme Court once, at which point the justices asked Reed to evaluate whether the effectiveness of blocking software had changed in the last few years--a crucial question on which much of the case hinges. (That's because the ACLU argues filterware is a less restrictive means than a Net-censorship law.) If Reed sides with the Bush administration, mainstream Web publishers will have plenty to worry about. COPA makes it a federal crime to knowingly post Web pages that have sexually explicit material that's "harmful to minors." Violators could be fined up to $50,000 and imprisoned for up to six months. That affects far more than just porn producers--even news organizations publishing articles and videos that could be deemed "harmful to minors" might be in trouble. 
Plaintiffs in the ACLU's forgotten lawsuit include the American Booksellers Foundation for Free Expression, Salon.com, bookstores and a now-mostly-defunct group called the Internet Content Coalition. (Members of the ICC include News.com publisher CNET Networks, MSNBC, Sony Online, The New York Times and Time, Inc.) There's no guarantee that judges will strike down laws like this one (or even keep them on ice indefinitely). Just last week, the Florida Supreme Court upheld a state version of COPA that restricted e-mail that could be deemed "harmful to minors." Web publishers, take note.

From rforno at infowarrior.org Mon Nov 20 19:46:31 2006 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 20 Nov 2006 19:46:31 -0500 Subject: [Infowarrior] - Vista's EULA Product Activation Worries Message-ID:

Vista's EULA Product Activation Worries Mark Rasch http://www.securityfocus.com/print/columnists/423, Mark Rasch looks at the license agreement for Windows Vista and how its product activation component, which can disable operation of the computer, may be like walking on thin ice. The terms of Microsoft's End User License Agreement (EULA) for its upcoming Vista operating system raise the conflict between two fundamental principles of contract law. The first, and more familiar, is that parties to a contract can generally agree to just about anything, as long as what they agree to doesn't violate the law and isn't "unconscionable." The second principle is that the law generally disfavors the remedy of "self-help." That is to say that, if there is a violation of the terms of a contract, you usually have to go to court, prove the violation, and then you are entitled to damages or other relief. The terms of the Vista EULA, like the current EULA related to the "Windows Genuine Advantage,"
allow Microsoft to unilaterally decide that you have breached the terms of the agreement, and they can essentially disable the software, and possibly deny you access to critical files on your computer without benefit of proof, hearing, testimony or judicial intervention. In fact, if Microsoft is wrong, and your software is, in fact, properly licensed, you probably will be forced to buy a license to another copy of the operating system from Microsoft just to be able to get access to your files, and then you can sue Microsoft for the original license fee. Even then, you won't be able to get any damages from Microsoft, and may not even be able to get the cost of the first license back.

Product activation in the Vista license

Suppose you buy a new computer after January 2007, or purchase an early upgrade for one of the various flavors of Vista. The first problem is, you may think you bought a copy of the operating system. Actually, the OS is still owned by Microsoft. You may own a physical DVD, but what you have "bought" is the right to use the software subject to any of the terms and conditions of the End User License Agreement (EULA), which you may or may not have access to at the time you buy the computer or disk. Typically, the EULA will be contained in micro-print on the outside of a DVD, or may be on a splash screen that prompts you to unequivocally declare, "I agree..." as a condition precedent to installing or booting the software. Courts have pretty much established that this manner of acquiescence is okay, provided that there is some way for you to get your money back if you don't agree to the EULA. The Vista EULA informs the licensee that Vista will automatically send information about the version, language and product key of the software, the user's Internet protocol address of the device, and information derived from the hardware configuration of the device.
The EULA ominously warns that "Before you activate, you have the right to use the version of the software installed during the installation process. Your right to use the software after the time specified in the installation process is limited unless it is activated. This is to prevent its unlicensed use. You will not be able to continue using the software after that time if you do not activate it." What does this mean? Essentially, if you buy a license to the software from a reputable dealer, but choose not to transmit information to Microsoft, you forfeit your ability to use the licensed software. What is interesting is not whether you have the right to use unactivated-but-properly-purchased software, but how Microsoft enforces its right. What Microsoft says is that the software will simply stop working. So, where is the proof that the software is not activated? Who has the burden of proof? What if you assert that you did activate the product, but Microsoft claims you did not? What if you attempt to activate the product, but Microsoft's servers are down, or they provide improper information, or their servers are hacked and give you bad activation information? What the contract states is that unless you can activate the product (irrespective of whose fault it is that you cannot activate), you forfeit your right to use the product, and therefore access to any of the information on any computers using the product. The license is also silent on what happens after you fail to activate the product. Is there a mechanism for you to at least open the product to allow you to activate it, or do you get a Blue Screen of Death? Since their objective is to ensure that the product is activated, presumably they will allow you to at least get an Internet connection and take you to an activation screen. Once you activate the product, then you would assume that you are golden to go ahead and use the product, right? Wrong.
You see, even after you activate the software it will, according to the EULA, "from time to time validate the software, update or require download of the validation feature of the software." It will once again "send information about the . . . version and product key of the software, and the Internet protocol address of the device." Here's where it gets hairy again. If for some reason the software "phones home" back to Redmond, Washington, and gets or gives the wrong answer - irrespective of the reason - it will automatically disable itself. That's like saying definitively, "I'm sorry Dave, I'm afraid I can't do that..." Unless you can prove to the satisfaction of some automaton that the software is "Genuine," or more accurately, that under the relevant copyright laws that you have satisfied the requirements of the copyright laws and all of the terms of the End User License Agreement, the software will, on its own, go into a "protect Microsoft" mode. Besides placing an annoying "Get Genuine" banner on the screen, and limiting your ability to get upgrades, the EULA warns that "you may not be able to use or continue to use some of the features of the software." The EULA itself does not state which features these are, but the website advises that, unless you can show that you are genuine, you won't be able to use Windows ReadyBoost(tm), which lets users use a removable flash memory device; the Windows Aero(tm) 3D visual experience; or the Windows Defender anti-spyware program. But the contract doesn't limit Microsoft to these disabling attributes. It just says that they have the right to limit your ability to use features - pretty much any features they decide to at any date. And guess what. You agreed to it.

EULAs and the legal term "self help"

Now let's face it: lots of software products contain features that disable themselves upon some condition. For example, trial software will work for a period of time - say 30 days, and then stop.
And you agree to that when you download and/or install it. It says so right in the EULA. Spyware contains EULAs where you agree not to disable or delete it. Are you bound by that contract as well? As discussed previously, the answer is not so clear. Sony got into trouble by putting very restrictive EULA terms on its music/data CDs, which gave it a bunch of rights just because you decided to listen to music - including your agreeing never to listen to the music overseas. As I noted earlier, the terms of an EULA are generally considered to be enforceable even if you didn't read it, understand it, or have any ability to negotiate it. However, there is another principle in the law. If a contract (for example, an EULA) is breached, then you have the right to sue and to collect damages. Generally, you would have the burden of proving a breach of the contract, and prove the existence of some damages, and then possibly the right to obtain other kinds of relief - like an injunction or other court order. In addition, other statutes, like the U.S. or international copyright laws may give companies like Microsoft other rights and remedies, including access to federal court and statutory damages, and even possible criminal enforcement by the FBI. Now if Microsoft breaches the contract it wrote, the Vista EULA, what are your rights? Well, according to the terms of the agreement you agreed to, "you can recover from Microsoft and its suppliers only direct damages up to the amount you paid for the software. You cannot recover any other damages, including consequential, lost profits, special, indirect or incidental damages." So if your entire network is shut down, and access to all your files permanently wiped out, you get your couple of hundred bucks back - at most. And, as far as I can tell, there are no warranties on the license, no assurance (like the kind you would get on a toaster oven or a lamp) that the thing actually works or does any of the things advertised.
What is worse, if you just want to get your money back (assuming Microsoft doesn?t want to give it to you) then you have to file a lawsuit (probably in Redmond, Washington) under the laws of Washington State, and if (and only if) you can prove your case, and your damages, can you get your money back. You aren?t entitled to, upon your belief that there was a breach of contract, simply walk up to the cash register at your local Fry?s or Best Buy and take a couple of hundred bucks from the till. This is called ?self help? (or theft) and is not generally allowed as a contract remedy. But the Microsoft Vista EULA, like many other software license agreements, gives the owner of the software (remember that's Microsoft because you didn?t buy it, you just licensed it) the right of self-help. They have the right to unilaterally decide that you didn?t keep up your end of the contract, for example you didn?t properly register the product, you weren?t able to demonstrate that it was genuine, and so on, and therefore they have the right to shut you off or shut you down. So, what gives them the right? Apparently, the very contract that they now claim you violated. Case law examples of software being disabled after a dispute In the early days of computers, there were several cases where software developers determined that licensees didn?t make appropriate payments and therefore shut down the computer programs. In 1988 in Franks & Sons, Inc. v. Information Solutions, Inc. the software developer installed a ?drop-dead? code in the program. When the customer failed to pay as promised, the developer activated (or allowed to be activated) the drop-dead code, which kept the customer from accessing the software as well as any stored information. The problem was that the customer didn?t know about the drop dead code. Under those circumstances, the court found that it would be ?unconscionable? 
to allow the software developer to hold the licensee ransom, essentially using self-help to shut down the business until he was paid. The court noted: Public policy favors the non-enforcement of abhorrent contracts. Here, without the knowledge of Plaintiff, Defendants have included a surprise in their product which chills the functioning of any business whose operation is a slave to the computer. If the Plaintiff had known about this device at the time it entered into the contract with the Defendant then the result would be different. Here it would be unconscionable for the Court to give credence to this economic duress. However, it wasn?t clear whether the sole problem in that case was the fact that the ?drop-dead? software was not disclosed, or that the developer, by using the undisclosed code, was holding the licensee hostage. In 1991, in American Computer Trust Leasing v. Jack Farrell Implement Co., 763 F. Supp. 1473 (D. Minn. 1991) the software developer, in a dispute over payment for the software, remotely deactivated the software. The contract provided that the developer, who owned the software, could remotely access the licensee?s computer in order to service the software and that if the licensee defaulted, the agreement was cancelled. When the licensee didn?t pay, the developer told them that they were going to deactivate the program - which they promptly did. The licensee?s lawsuit for damages failed because, the court noted, the deactivation was "merely an exercise of [the developer?s] rights under the software license agreement . . . ." This was true even though the agreement did not specifically state that self-help was a proposed remedy. There were many other cases in the late 80?s and early 90?s involving software developers either putting drop-dead code in their products or remotely disabling code when they thought the other party was in breach. 
Thus, a Dallas medical device software developer was sued in 1989 (the case was settled) for using a phone line to deactivate software that compiled patients? lab results. In 1990, during a dispute about the performance of a piece of code, the developer simply logged in and removed the code, until the licensee released the developer from any liability. The licensee claimed that the general release was signed under duress, since he was being held economic hostage. This was Art Stone Theatrical Corp. v. Technical Programming & Support Systems, Inc. 549 N.Y.S.2d 789 (App. Div. 1990). In another case widely reported, a small software developer, Logisticon, Inc., installed malware within software delivered to cosmetic company Revlon, which paralyzed Revlon's shipping operations for three days (losses were about $ 20 million U.S.) when the developer claimed that Revlon breached the contract. Logisticon simply claimed that this was an ?electronic reposession.? The case was settled out of court. In the 1991, the case of Clayton X-Ray Co. v. Professional Systems Corp., 812 S.W.2d 565 (Mo. Ct. App. 1991), a company likewise involved in a payment dispute, logged into the licensee?s computer and disabled the software which they owned. When the licensee tried to log on to see their files, all they saw was a copy of the unpaid bill. A jury awarded the licensee damages, partly because the existence of the logic bomb was not disclosed. Finally, in Werner, Zaroff, Slotnick, Stern & Askenazy v. Lewis 588 N.Y.S.2d 960 (Civ. Ct. 1992), a law firm contracted with a company to develop billing and insurance software. When the software reached a certain number of bills (and when the developer decided it had not been paid) it shut down, disabling access to the law firm?s files. The law firm successfully sued, and got punitive damages. So what is the lesson from all of these cases? First, if you exercise ?self help? without telling the purchasor, you may open yourself up to damages. 
Does the Microsoft EULA adequately tell you what will happen if you don't activate the product or if you can't establish that it is genuine? Well, not exactly. It does tell you that some parts of the product won't work - but it also ambiguously says that the product itself won't work. Moreover, it allows Microsoft, through fine print in a generally unread and non-negotiable agreement, to create an opportunity for economic extortion. Remember, all the cases from the 80's and 90's involved sophisticated parties (on both sides) who negotiated individual license agreements - not mass-market software.

Balancing the rights of all parties

After this series of cases, many states considered reforming the Uniform Commercial Code to specifically cover those situations when a software developer can resort to self-help. As a result of these efforts, two states, Maryland and Virginia, enacted versions of the Uniform Computer Information Transactions Act (UCITA). The Maryland version of the statute allows the software vendor to obtain a court order that allows it to disable the software, or "[o]n material breach of an access contract or if the agreement so provides, [to] discontinue all contractual rights of access of the party in breach. . . ." In other words, the software vendor can only terminate access to the software if there has been a material breach, if doing so does not result in a breach of the peace, and if there is no foreseeable risk of personal injury or significant physical damage to information or property. The UCITA also provides a procedure for "electronic self-help" - that is, the termination of access or use of the software without a court order. The first thing to note is that, in Maryland at least, the law expressly notes that "electronic self-help is prohibited in mass-market transactions." Microsoft's EULA is undoubtedly a mass-market transaction, and therefore Microsoft may be prohibited from exercising self-help in Maryland.

Moreover, even in non-mass-market transactions, before you can resort to self-help, the contract must provide notice that self-help will be used, who will be told about the exercise of self-help, and provide other notice. The Maryland law also provides that "electronic self-help may not be used if the licensor has reason to know that its use will result in substantial injury or harm to the public health or safety or grave harm to the public interest substantially affecting third persons not involved in the dispute." Thus, the harm to Microsoft (not getting a license fee) may be disproportionate to the harm to the licensee in having their systems completely shut down. This is particularly true if Vista is being used for a system providing medical treatment, controlling a power plant, or other such critical infrastructure. The Maryland law expressly provides that the "rights or obligations under this section may not be waived or varied by an agreement. . ." Microsoft may have some trouble if it tries to enforce its EULA terms in a court in Washington State - especially if that court is running a computer using Vista. You see, all software license agreements with the courts in Washington State contain a "no self-help code" warranty where the vendor warrants that there is no "back door, time bomb, drop dead device, or other software routine designed to disable a computer program automatically with the passage of time or under the positive control of a person other than a licensee of the Software." Thus, the Vista EULA terms would not apply to the Washington State courts! Now Microsoft will invariably deny that what they are doing is "self-help." More likely, they will claim that the disabling provisions of the software are mere "features" of the software. They will also argue that the licensee controls whether or not the code disables by either registering, or "getting Genuine."

But what the boys in Redmond are really doing is deciding that you have not followed the terms of a contract (the EULA) and punishing you unless and until you can prove that you have complied. And what if Microsoft is wrong, and they disable your software erroneously? Well, you can keep buying and activating their software until you are successful. And that means more fees to Redmond. Or, following the movie "Happy Feet," you can decide to find software with a little penguin on it.

From rforno at infowarrior.org Mon Nov 20 19:55:33 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 20 Nov 2006 19:55:33 -0500
Subject: [Infowarrior] - Yes, there is an Office 2007 'kill switch'
Message-ID:

Yes, there is an Office 2007 'kill switch'
Posted by Mary Jo Foley @ 5:20 am
http://blogs.zdnet.com/microsoft/?p=111

Buried in a Knowledge Base article that Microsoft published to the Web on November 14 are details of Microsoft's plans to combat Office 2007 piracy via new Office Genuine Advantage lockdowns. When asked last month whether Microsoft was planning to punish alleged Office 2007 pirates by crippling the functionality of their software in the same way that Microsoft is doing with Vista via reduced-functionality mode, Microsoft officials were noncommittal. But now Microsoft's intentions are clear: Just as it is doing with Vista, Microsoft plans to incorporate what basically amounts to a "kill switch" into Office 2007. Office 2007 users who can't or won't pass activation muster within a set time period will be moved into "reduced-functionality mode," according to Microsoft's Knowledge Base article. "When a program runs in reduced-functionality mode, many commands are unavailable (dimmed). Therefore, you cannot access those functionalities," the article explains. "Some of the limitations of reduced-functionality mode include the following:

- You cannot create new documents.
- You can view existing documents. However, you cannot edit them.
- You can print documents. However you cannot save them."

In late October, Microsoft officials did acknowledge that its Office Genuine Advantage (OGA) program will become mandatory for Office 2007 users starting in January 2007. But when asked whether Microsoft was planning to make some kind of reduced-functionality mode - like what it plans to include in Vista - part of its forthcoming Office release, company officials avoided the question. Ashim Jaidka, Lead Program Manager for Office Genuine Advantage, gave me the following statement on October 31: "Regarding your question about OGA eventually doing the same thing as WGA with regards to lock-downs into the product, Microsoft is absolutely committed to having Microsoft Office participate in the advantages of Microsoft's overarching Genuine Software Initiative (GSI) from a long-term, broad perspective as part of upcoming releases, but (we) don't have anything further to share regarding any plans for building lock-downs at this time." With Vista, retail customers have 30 days to activate successfully their copies of Vista before Microsoft disables access to the Aero user interface, ReadyBoost and Windows Defender. Additionally, in Vista reduced-functionality mode, "the default Web browser will be started and the user will be presented with an option to purchase a new product key. There is no start menu, no desktop icons, and the desktop background is changed to black. The Web browser will fully function and Internet connectivity will not be blocked. After one hour, the system will log the user out without warning. It will not shut down the machine, and the user can log back in. Note: This is different from the Windows XP RFM experience, which limits screen resolution, colors, sounds and other features," as my blogging colleague Ed Bott explained last month.

Office 2007 users who are running the Office 2007 programs under the one-month free trial have no OGA grace period; "the Office programs run in reduced-functionality mode the first time that the programs start," the Knowledge Base article says. Users who are licensing Office 2007 under a regular "perpetual" license may skip product activation 25 times. On the 26th attempt, Office 2007 will start in reduced-functionality mode, according to Microsoft's Knowledge Base article.

Update: While some blogs and Web sites are reporting there is no 'kill switch' in Office 2007 (per Microsoft's supposed claim), you be the judge. Here is Microsoft's statement, dated November 20, 2006, courtesy of a Microsoft spokeswoman: "Product Activation technology is not new to Microsoft Office, which has had Product Activation since Microsoft Office 2000 SR1. It is important to note the distinction between activation and validation. Failure to validate your copy of the 2007 Office system as being genuine does not result in moving to reduced functionality mode (RFM) or de-featuring the product. However, if the product is not activated, it will go to RFM (reduced-functionality mode) after starting up a Microsoft Office application 25 times."

From rforno at infowarrior.org Mon Nov 20 20:51:46 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 20 Nov 2006 20:51:46 -0500
Subject: [Infowarrior] - The Digital Ice Age
Message-ID:

The Digital Ice Age
The documents of our time are being recorded as bits and bytes with no guarantee of future readability. As technologies change, we may find our files frozen in forgotten formats. Will an entire era of human history be lost?
BY Brad Reagan
Published in the December, 2006 issue.
http://www.popularmechanics.com/technology/industry/4201645.html

When the aircraft carrier USS Nimitz takes to sea, it carries more than a half-million files with diagrams of the propulsion, electrical and other systems critical to operation. Because this is the 21st century, these are not unwieldy paper scrolls of engineering drawings, but digital files on the ship's computers. The shift to digital technology, which enables Navy engineers anywhere in the world to access the diagrams, makes maintenance and repair more efficient. In theory. Several years ago, the Navy noticed a problem when older files were opened on newer versions of computer-aided design (CAD) software. "We would open up these drawings and be like, 'Wow, this doesn't look exactly like the drawing did before,'" says Brad Cumming, head of the aircraft carrier planning yard division at Norfolk Navy Shipyard. The changes were subtle - a dotted line instead of dashes or minor dimension changes - but significant enough to worry the Navy's engineers. Even the tiniest discrepancy might be mission critical on a ship powered by two nuclear reactors and carrying up to 85 aircraft.

The challenge of retrieving digital files isn't an issue just for the U.S. Navy. In fact, the threat of lost or corrupted data faces anyone who relies on digital media to store documents - and these days, that's practically everyone. Digital information is so simple to create and store, we naturally think it will be easily and accurately preserved for the future. Nothing could be further from the truth. In fact, our digital information - everything from photos of loved ones to diagrams of Navy ships - is at risk of degrading, becoming unreadable or disappearing altogether. The problem is both immediately apparent and invisible to the average citizen. It crops up when our hard drive crashes, or our new computer lacks a floppy disk drive, or our online e-mail service goes out of business and takes our correspondence with it. We consider these types of data loss scenarios as personal catastrophes. Writ large, they are symptomatic of a growing crisis. If the software and hardware we use to create and store information are not inherently trustworthy over time, then everything we build using that information is at risk. Large government and academic institutions began grappling with the problem of data loss years ago, with little substantive progress to date. Experts in the field agree that if a solution isn't worked out soon, we could end up leaving behind a blank spot in history. "Quite a bit of this period could conceivably be lost," says Jeff Rothenberg, a computer scientist with the Rand Corp. who has studied digital preservation.

Throughout most of our past, preserving information for posterity was mostly a matter of stashing photographs, letters and other documents in a safe place. Personal accounts from the Civil War can still be read today because people took pains to save letters, but how many of the millions of e-mails sent home by U.S. servicemen and servicewomen from the front lines in Iraq will be accessible a century from now? One irony of the Digital Age is that archiving has become a more complex process than it was in the past. You not only have to save the physical discs, tapes and drives that hold your data, but you also need to make sure those media are compatible with the hardware and software of the future. "Most people haven't recognized that digital stuff is encoded in some format that requires software to render it in a form that humans can perceive," Rothenberg says. "Software that knows how to render those bits becomes obsolete. And it runs on computers that become obsolete."

In 1986, for example, the British Broadcasting Corp. compiled a modern, interactive version of William the Conqueror's Domesday Book, a survey of life in medieval England. More than a million people submitted photographs, written descriptions and video clips for this new "book." It was stored on laser discs - considered indestructible at the time - so future generations of students and scholars could learn about life in the 20th century. But 15 years later, British officials found the information on the discs was practically inaccessible - not because the discs were corrupted, but because they were no longer compatible with modern computer systems. By contrast, the original Domesday Book, written on parchment in 1086, is still in readable condition in England's National Archives in Kew. (The multimedia version was ultimately salvaged.)

Changing computer standards aren't the only threat to digital data. In 2004, Miami-Dade County announced it had lost almost all the electronic voting records from a 2002 election because of a series of computer crashes - reminding us that many of the failures of digital record-keeping are attributable to everyday equipment failure (see "Preserving Your Data" at right). Additionally, software companies can go out of business, taking their proprietary codes with them. In 2001, the online photo storage site PhotoPoint shut down and hundreds of people lost the digital photos they stored on the site.

But data loss is not always as apparent as a fried hard drive or a disc with no machine to play it. A digital file is just a long string of binary code. Unlike a letter or a photograph, its content is not immediately apparent to the end user. In order to see a photograph that has been saved as a JPEG file or to read a letter composed in a word processing program, we need software that can translate that code for us. Software applications are updated on average every 18 months to two years, according to the Software and Information Industry Association, and newer versions are not always backward compatible with the previous ones. That could be a problem on the USS Nimitz, just as it could make trouble for you if the file in question held your medical records.

Likewise, law firms find that metadata - data about the data, such as the date when a file was created - are often not transferred accurately when files are copied. For example, magnetic storage media, such as hard drives, allow for a three-part date storage system (created/accessed/modified), whereas the file architecture of optical media, such as CD-Rs, allows for only one date. This presents a difficulty in litigation, when attorneys must build chronologies of key events in a case. "I see this in almost every single case," says Craig Ball, a computer forensics expert who advises law firms. "It's a complex problem at so many levels. We are losing so much." As Richard Pearce-Moses, past president of the Society of American Archivists, puts it, "We can keep the 0s and 1s alive forever, but can we make sense of them?"

I TRAVELED RECENTLY TO Washington, D.C., to meet with Ken Thibodeau, head of the National Archives' Electronic Records Archive (ERA). The National Archives is charged with the daunting task of preserving all historically relevant documents and materials generated by the federal government - everything from White House e-mails to the storage locations of nuclear waste. Ten years ago, Thibodeau's biggest concern was how to handle the 32 million e-mails sent to the archives by the Clinton administration. And that was just the beginning. The Bush White House is expected to produce 100 million e-mails by 2008. Thibodeau long ago realized that simply copying the data to magnetic tapes - the archives' previous means of storing electronic records - was not going to work in the Digital Age. It would take years to copy those e-mails to tape, and that was just a trickle compared to the avalanche of more complex digital files that were coming his way. "The problem is that everything we build, whether it is a highway, tunnel, ship or airplane, is designed using computers," Thibodeau says. "Electronic records are being sent to the archives at 100 times the rate of paper records. We don't know how to prevent the loss of most digital information that's being created today."

The National Archives must not only sort through the tremendous volume of data, it must also find a way to make sense of it. Thibodeau hopes to develop a system that preserves any type of document - created on any application and any computing platform, and delivered on any digital media - for as long as the United States remains a republic. Complicating matters further, the archive needs to be searchable. When Thibodeau told the head of a government research lab about his mission, the man replied, "Your problem is so big, it's probably stupid to try and solve it." Last year, the National Archives awarded Lockheed Martin a $308 million contract to develop the system. "We think this is a groundbreaking effort of the Information Age," says Clyde Relick, the project's program director.

To date, the ERA has identified more than 4500 file types that need to be accounted for. Each file type essentially requires an independent solution. What type of information needs to be preserved? How does that information need to be presented? As a relatively simple example, let's take an e-mail from the head of a regulatory agency. If the correspondence is pure text, it's a straightforward solution. But what if there is an attachment? What type of file is the attachment? If the attachment is a spreadsheet, does the behavior of the spreadsheet need to be retained? In other words, will it be important for future generations to be able to execute the formulas and play with the data? "That is unlike a challenge we would have with a paper document," Relick says.

More complex file formats, such as NASA virtual reality training programs, require more complex solutions. The ERA is working with a number of research partners, including the San Diego Supercomputer Center and the National Science Foundation, on some of those more intricate challenges. Lockheed is building what is primarily a "migration" system, in which files are translated into flexible formats such as XML (extensible markup language), so the files can be accessed by technologies of the future. The idea is to make copies without losing essential characteristics of the data. Not everyone agrees with Lockheed's approach. Rothenberg, of the Rand Corp., for example, believes an "emulation" strategy would be more appropriate. Emulation allows a modern computer to mimic an older computer so it can run a certain program. Popular emulation programs in use today are those that allow people to take video games made for Sony PlayStation 2 or Microsoft Xbox and play them on PCs. "It seems to me that migration throws away the original," Rothenberg says. "It doesn't even try to save the original. What you end up with is somebody's idea about what was important about the original." Relick says the cost and technical effort involved in emulation are not feasible for a project the size of the ERA. In addition, he notes that the archives in their entirety will need to be accessible to anyone with a browser, and emulation becomes more difficult when you have to account for users with an infinite variety of hardware and software. The goal for the Lockheed team is to have initial operating capability for the ERA in September 2007, but budget cuts may delay the program's search functionality.

The data crisis is by no means limited to the National Archives, or to branches of the military. The Library of Congress is in the midst of its own preservation project, and many universities are scrambling to build systems that capture and retain valuable academic research.
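Two points in the article lend themselves to a mechanical check: the metadata that goes missing when files are copied (the created/accessed/modified dates that the litigators quoted above depend on) and the migration goal of making copies "without losing essential characteristics of the data". Archivists call the tool for this a fixity manifest: record a content hash together with the metadata you intend to preserve before the copy, then verify both afterwards, so a copy that kept the bytes but silently reset the dates is caught rather than discovered years later in a chronology. The script below is an added example written for this digest, not code from the article or from the National Archives/Lockheed system; the sample file, its name and its back-dated timestamp are constructed inline, and it uses only the Python standard library.

```python
"""Fixity manifest: detect copies that keep the bytes but drop the metadata.

Added example (not from the article). The sample file, its name and its
timestamp are constructed inline so the script runs offline.
"""
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Fixity:
    """What we promise to preserve about a file: its content and its date."""
    sha256: str
    size: int
    mtime_ns: int  # last-modified time, nanoseconds since the epoch


def record(path: str) -> Fixity:
    """Hash the file in chunks and capture the metadata to be preserved.

    Creation time is deliberately not recorded: Python only exposes it on
    some platforms (st_birthtime), so a manifest that depended on it would
    not survive a move between file systems, which is the article's point
    about optical media carrying fewer date fields than hard drives.
    Access time is not recorded either, because reading the file to hash
    it is itself an access.
    """
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    st = os.stat(path)
    return Fixity(digest.hexdigest(), st.st_size, st.st_mtime_ns)


def verify(expected: Fixity, path: str) -> list[str]:
    """Compare a copy against its manifest; return the list of discrepancies."""
    actual = record(path)
    problems = []
    if actual.sha256 != expected.sha256:
        problems.append("content hash changed")
    if actual.size != expected.size:
        problems.append("size changed")
    if actual.mtime_ns != expected.mtime_ns:
        problems.append("modification time not preserved")
    return problems


def demo() -> dict[str, list[str]]:
    """Copy one constructed 'letter' two ways and verify each against its manifest."""
    with tempfile.TemporaryDirectory() as workdir:
        original = os.path.join(workdir, "letter_1863.txt")  # constructed sample
        with open(original, "w", encoding="utf-8") as fh:
            fh.write("Dear Mother, we march at dawn.\n")
        # Back-date the file so a copy that resets mtime to "now" is obvious.
        epoch_2000_ns = 946_684_800 * 10**9
        os.utime(original, ns=(epoch_2000_ns, epoch_2000_ns))
        manifest = record(original)

        # Byte-for-byte copy: content survives, but the date becomes the copy time.
        naive = os.path.join(workdir, "naive_copy.txt")
        shutil.copyfile(original, naive)

        # copy2 also carries the stat metadata (mtime, atime, permission bits).
        careful = os.path.join(workdir, "careful_copy.txt")
        shutil.copy2(original, careful)

        return {
            "naive": verify(manifest, naive),
            "careful": verify(manifest, careful),
        }


if __name__ == "__main__":
    for name, problems in demo().items():
        print(f"{name}: {problems or 'OK'}")
```

Running it reports `naive: ['modification time not preserved']` and `careful: OK`: both copies carry identical bytes, but only the second carries the date an attorney's timeline would hinge on. In a real archive the manifest is stored apart from the files it describes and names the hash algorithm used, so that a corrupted or altered copy cannot also rewrite the record it is checked against.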
But the programs in development for government and academia won't help find the lost e-mail of an individual computer user. Some experts believe that this is the result of simple market forces: Consumers have shown little interest in digital preservation, and corporations are in the business of meeting consumer demand. Others say corporations are only concerned with selling more new products. "Their interest, it seems to me, is creating incompatibilities over time, not compatibilities," Rothenberg says. "Looking at it cynically, they have very little motivation to burden themselves with compatibility because doing so only allows their customers to avoid upgrading."

Nevertheless, there have been encouraging developments. In late 2005, Microsoft announced it was opening the file formats of its Office suite, including Word and Excel, to competitors in order to get Office certified as an international standard. By ceding proprietary control of the formats to third-party developers, Microsoft greatly increases the odds that those formats will be accessible for future generations. Meanwhile, the International Organization for Standardization recently certified a modified version of Adobe Systems' popular Portable Document Format (PDF) specifically for long-term archiving. It's called PDF/A. In essence, PDF/A preserves everything contained in a document that can be printed while excluding features that may be useful in the short term but problematic in the long term. For example, the new format does not allow embedded links to external applications, which could become obsolete, and it doesn't allow for passwords, which can be lost or forgotten. "It is all about creating a reliable presentation down the road," says Melonie Warfel, director of worldwide standards for Adobe, who worked on the project. Adobe is also working on archiving standards for engineering documents and digital images.

IF HISTORY IS A GUIDE - and that, after all, is the point of preserving history - we know the future will offer the means to manipulate digital information in ways we cannot yet imagine. The trick is to keep moving forward without leaving too much behind. "It goes beyond this notion of 'important records' - it goes to the things that are important to us," says Warfel, the mother of two children. "My mom had shoeboxes full of photographs, but we don't do that anymore. I have hard drives full of photographs."

From rforno at infowarrior.org Thu Nov 23 16:14:00 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 23 Nov 2006 16:14:00 -0500
Subject: [Infowarrior] - U.S. Copyright Office issues new rights
Message-ID:

http://news.yahoo.com/s/ap/20061123/ap_on_hi_te/digital_copyright

U.S. Copyright Office issues new rights
By ANICK JESDANUN, AP Internet Writer
Wed Nov 22, 7:24 PM ET

NEW YORK - Cell phone owners will be allowed to break software locks on their handsets in order to use them with competing carriers under new copyright rules announced Wednesday. Other copyright exemptions approved by the Library of Congress will let film professors copy snippets from DVDs for educational compilations and let blind people use special software to read copy-protected electronic books. All told, Librarian of Congress James H. Billington approved six exemptions, the most his Copyright Office has ever granted. For the first time, the office exempted groups of users. Previously, Billington took an all-or-nothing approach, making exemptions difficult to justify. "I am very encouraged by the fact that the Copyright Office is willing to recognize exemptions for archivists, cell phone recyclers and computer security experts," said Fred von Lohmann, an attorney with the civil-liberties group Electronic Frontier Foundation. "Frankly I'm surprised and pleased they were granted."
But von Lohmann said he was disappointed the Copyright Office rejected a number of exemptions that could have benefited consumers, including one that would have let owners of DVDs legally copy movies for use on Apple Computer Inc.'s iPod and other portable players. The new rules will take effect Monday and expire in three years. In granting the exemption for cell phone users, the Copyright Office determined that consumers aren't able to enjoy full legal use of their handsets because of software locks that wireless providers have been placing to control access to phones' underlying programs. Providers of prepaid phone services, in particular, have been trying to stop entrepreneurs from buying subsidized handsets to resell at a profit. But even customers of regular plans generally can't bring their phones to another carrier, even after their contracts run out. Billington noted that at least one company has filed lawsuits claiming that breaking the software locks violates copyright law, which makes it illegal for people to circumvent copy-protection technologies without an exemption from the Copyright Office. He said the locks appeared in place not to protect the developer of the cell phone software but for third-party interests. Officials with the industry group CTIA-The Wireless Association did not return phone calls for comment Wednesday. The exemption granted to film professors authorizes the breaking of the CSS copy-protection technology found in most DVDs. Programs to do so circulate widely on the Internet, though it has been illegal to use or distribute them. The professors said they need the ability to create compilations of DVD snippets to teach their classes ? for example, taking portions of old and new cartoons to study how animation has evolved. Such compilations are generally permitted under "fair use" provisions of copyright law, but breaking the locks to make the compilations has been illegal. 
Hollywood studios have argued that educators could turn to videotapes and other versions without the copy protections, but the professors argued that DVDs are of higher quality and may preserve the original colors or dimensions that videotapes lack.

"The record did not reveal any alternative means to meet the pedagogical needs of the professors," Billington wrote.

Billington also authorized the breaking of locks on electronic books so that blind people can use them with read-aloud software and similar aides.

He granted two exemptions dealing with computer obsolescence. For computer software and video games that require machines no longer available, copy-protection controls may be circumvented for archival purposes. Locks on computer programs also may be broken if they require dongles -- small computer attachments -- that are damaged and can't be replaced.

The final exemption lets researchers test CD copy-protection technologies for security flaws or vulnerabilities. Researchers had cited Sony BMG Music Entertainment's use of copy-protection systems that installed themselves on personal computers to limit copying. In doing so, critics say, Sony BMG exposed the computers to hacking, and the company has acknowledged problems with one of the technologies used on some 5.7 million CDs.

___

On the Net:
http://www.copyright.gov/1201

From rforno at infowarrior.org Sun Nov 26 17:50:30 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 26 Nov 2006 17:50:30 -0500
Subject: [Infowarrior] - UK considers monitoring streetside conversations
Message-ID:

The Sunday Times
November 26, 2006

Word on the street ... they're listening
http://www.timesonline.co.uk/article/0,,2087-2471987,00.html

POLICE and councils are considering monitoring conversations in the street using high-powered microphones attached to CCTV cameras, write Steven Swinford and Nicola Smith.

The microphones can detect conversations 100 yards away and record aggressive exchanges before they become violent.
The devices are used at 300 sites in Holland and police, councils and transport officials in London have shown an interest in installing them before the 2012 Olympics.

The interest in the equipment comes amid growing concern that Britain is becoming a "surveillance society". It was recently highlighted that there are more than 4.2m CCTV cameras, with the average person being filmed more than 300 times a day. The addition of microphones would take surveillance into uncharted territory.

The Association of Chief Police Officers has warned that a full public debate over the microphones' impact on privacy will be needed before they can be introduced.

The equipment can pick up aggressive tones on the basis of 12 factors, including decibel level, pitch and the speed at which words are spoken. Background noise is filtered out, enabling the camera to focus on specific conversations in public places. If the aggressive behaviour continues, police can intervene before an incident escalates.

Privacy laws in Holland limit the recording of sound to short bursts. Derek van der Vorst, director of Sound Intelligence, the company that created the technology, said: "It is technically capable of being live 24 hours a day and recording 24 hours a day. It really depends on the privacy laws in a particular country."

Last month Martin Nanninga of VCS Observation, the Dutch company marketing the technology, gave a presentation to officials from Transport for London, the Metropolitan police and the City of London police about the CCTV system. Nanninga is to return next year for further discussions.

"There was a lot of interest in our system, especially with security concerns about the Olympic Games in 2012. We told them about both our intelligent control room and the aggression detection system," Nanninga said.

In Holland more than 300 of the cameras have been fitted in Groningen, Utrecht and Rotterdam. Locations include city centres, benefit offices, jails, and even T-Mobile shops.
The sensitivity of the microphones is adjusted to suit the situation. Police and local council officials are still assessing their impact on crime, although in an initial six-week trial in Groningen last year the cameras raised 70 genuine alarms, resulting in four arrests.

Harry Hoetjer, head of surveillance at Groningen police headquarters, recalled an incident where the camera had homed in on a gang of four men who were about to attack a passer-by. "We would not normally have detected it as there was no camera directly viewing it," he said.

Last Friday a Sunday Times reporter visited the office of Sound Intelligence in Groningen to test the system. The reporter stood in the control centre with a view of an empty room on one of a bank of monitors. Van der Vorst entered the room, out of sight of the camera, and began making aggressive noises. The camera swivelled to film him and an alarm went off in the control room, designed to alert police to a possible incident.

"The cameras work on the principle that in an aggressive situation the pitch goes up and the words are spoken faster," said van der Vorst. "The voice is not the normal flat tone, but vibrates. It is these subtle changes that our audio cameras can pick up on."

Public prosecution services can use them in court as evidence. The Dutch privacy board has already given its approval to the system.

According to a spokesman for Richard Thomas, Britain's information commissioner, sound recorded by the cameras would be treated under British law in the same way as CCTV footage. Under the commissioner's code of practice, audio can be recorded for the detection, prevention of crime and apprehension and prosecution of offenders. It cannot be used for recording private conversations.

Graeme Gerrard, chairman of the chief police officers' video and CCTV working group, said: "In the UK this is a new step.
Clearly there is somebody or something monitoring people speaking in the street, and before we were to engage in that technology there would be a number of legal obstacles.

"We would need to have a debate as to whether or not this is something the public think would be a reasonable use of the technology. The other issue is around the capacity of the police service to deal with this."

From rforno at infowarrior.org Mon Nov 27 09:24:56 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 27 Nov 2006 09:24:56 -0500
Subject: [Infowarrior] - SANS Top 20 Report - Deja Vu
Message-ID:

SANS Top 20 Report - Deja Vu
http://osvdb.org/blog/?p=148

I previously blogged about the SANS Top 20 List in a pretty negative fashion. The list started off as the "Top 10 Vulnerabilities" and quickly expanded into the Top 20 Vulnerabilities. Even last year (2005), they were still calling it a "Top 20 Vulnerabilities" list when it clearly had become anything but that. This year, SANS finally wised up calling the list "SANS Top-20 Internet Security Attack Targets". Yes, they are now listing the 20 most attacked "targets", not "exploited vulnerabilities". With this change, does the list regain some of the value it originally had and quickly lost? Let's look at the list:

Operating Systems
W1. Internet Explorer
W2. Windows Libraries
W3. Microsoft Office
W4. Windows Services
W5. Windows Configuration Weaknesses
M1. Mac OS X
U1. UNIX Configuration Weaknesses

Cross-Platform Applications
C1. Web Applications
C2. Database Software
C3. P2P File Sharing Applications
C4. Instant Messaging
C5. Media Players
C6. DNS Servers
C7. Backup Software
C8. Security, Enterprise, and Directory Management Servers

Network Devices
N1. VoIP Servers and Phones
N2. Network and Other Devices Common Configuration Weaknesses

Security Policy and Personnel
H1. Excessive User Rights and Unauthorized Devices
H2. Users (Phishing/Spear Phishing)

Special Section
Z1. Zero Day Attacks and Prevention Strategies

So if you run Windows, Unix or MacOS .. and/or have Web Applications, Database software, allow P2P file sharing, allow IM messaging, have media players (installed by default on most OSs), run DNS servers, run Backup Software, run Security/Enterprise/DM servers .. and/or use VoIP servers/phones or "network and other devices".. and/or have weak policy governing user rights or don't prohibit certain devices and you actually have users.. you have at least one of the "Top 20 Attack Targets". Wow, is that ever so helpful. Oh, I forgot, failing all of that, "Zero Day Attacks" are a top 20 attack vector.

Hey SANS, could you make a more overly vague and general security list next time? Maybe for 2007 you could shorten it from the "Top 20" to the "Top 1" and just list "C1: Have a computer type device". That would save your analysts a lot of time and be just as helpful to the masses. Seriously, ditch the list or go back to the basics.

From rforno at infowarrior.org Mon Nov 27 09:26:54 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 27 Nov 2006 09:26:54 -0500
Subject: [Infowarrior] - Web censorship 'bypass' unveiled
Message-ID:

Web censorship 'bypass' unveiled

A tool has been created capable of circumventing government censorship of the web, according to researchers.

The free program has been constructed to let citizens of countries with restricted web access retrieve and display web pages from anywhere.

The University of Toronto's Citizen Lab software, called psiphon, will be released on 1 December.

Net censorship is a growing issue, and several countries have come under fire for blocking online access.

Human rights organisation Reporters Without Borders recently released a list of 13 countries it believed were suppressing freedom of expression on the net, including Syria, China and Vietnam.
But the Citizen Lab, which is based at the Munk Centre for International Studies at the University of Toronto, believes its program will allow surfers to bypass web censorship.

Psiphon works through social networks. A net user in an uncensored country can download the program to their computer, which transforms it into an access point.

They can then give contacts in censored countries a unique web address, login and password, which enables the restricted users to freely browse the web through an encrypted connection to the proxy server.

'E-avesdropping'

The Citizen Lab said the system provides strong protection against "electronic eavesdropping" because censors or ISPs can only see that end users are connected to another computer and not view the sites that are being visited.

It added that using small trusted networks as a delivery mechanism made it more difficult for censors to find and shut down psiphon.

However, it also warned potential users that bypassing censorship could violate laws, and urged them to consider potential consequences of doing so.

Ronald Deibert, director of the Citizen Lab, told the New York Times: "Governments have militarized their censorship efforts to an incredible extent so we're trying to reverse some of that and restore that promise that the internet once had for unfettered access and communication."

Beta testing of the system began over the summer, and the free program will be launched on 1 December.

Story from BBC NEWS:
http://news.bbc.co.uk/go/pr/fr/-/2/hi/technology/6187486.stm

Published: 2006/11/27 12:20:08 GMT

From rforno at infowarrior.org Mon Nov 27 09:52:01 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 27 Nov 2006 09:52:01 -0500
Subject: [Infowarrior] - Army Game Proves U.S. Can't Lose
Message-ID:

Army Game Proves U.S. Can't Lose
By Marty Graham | 02:00 AM Nov 27, 2006
http://www.wired.com/news/technology/0,72156-0.html?tw=wn_index_2

A new video game commissioned by the U.S. Army as a recruiting tool portrays the nation's military in 2015 as an invulnerable high-tech machine.

The new PC title, Future Force Company Commander, or F2C2, is a nifty God-game that puts players in the driver's seat of 18 systems at the heart of the military's new net-centric warfare approach. The Army added the game to its recruiting tool kit last month as a high-tech follow-up to its successful America's Army shooter.

It's an impressive game, simulating weaponry the military is actually using or building, gamers say. But the gameplay is designed so it's hard to lose: The equipment holds up awfully well and the enemy doesn't learn from experience.

"They didn't ask for hole punchers," says Mark Long, co-CEO of Zombie, where the game was built under contract. "High tech has all kinds of low-tech vulnerabilities and they didn't want the vulnerabilities programmed in."

Defense contractor Science Applications International commissioned the game for $1.5 million. So far, more than 24,000 copies have been handed out on disk or downloaded from the websites of the Army and game builder Zombie.

Missions include planning and executing a night raid on a populated area, and protecting a border and an airstrip in a notional country having problems with its notional neighbor. The game provides terrain maps and data about the strength of the equipment.

Gamers on Battlefront.com give the title good reviews, but complain about the game being paid for with their taxes and offering an overly optimistic view of America's tactical superiority over fictitious enemies.

Susan Nash, an e-learning expert and associate dean at Excelsior College in Albany, New York, has played F2C2 and the Army's first recruiting game. She gives both high marks for fun and for the learning experience. But she agrees with Long that the new game presents an artificially rosy view of warfare.
"It's a great game and a really good training tool that creates conditions for learning, teaches strategic thinking and tactical thinking, and it's got really cool weapons," Nash says. "But ethical issues loom."

For example, there's no consideration that military power or technology could fail or be jammed, she says. And the enemy doesn't learn, in contrast to a certain real-life conflict where the hallmark of insurgents is their ability to rapidly gain knowledge and evolve.

"All their use of technology is so off-label, so future-forward," Nash says. "And you've got to figure the enemy is playing the game too."

Long wanted to see the enemy evolve, based on his own experience in the Army and defense contracting.

"The first time a UGV toddles in for reconnaissance, insurgents will stare at it until the air strike follows," he says. "The second time, they'll throw a blanket over it and run. The third time, they'll immobilize it and plant an IED because they'll have figured out someone has to recover that million-dollar piece of equipment."

More than anything else, Nash is bothered by the fantasy the potential recruits may have that they'll end up the commander riding a joystick rather than understanding what military life means.

"You don't see the day-to-day boredom, you don't see broken legs and equipment failure," she says. "You don't see that the military is mostly grunts and only the grunts on the ground die."

From rforno at infowarrior.org Tue Nov 28 01:29:53 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 28 Nov 2006 01:29:53 -0500
Subject: [Infowarrior] - Justice Department eyes spy program
Message-ID:

Justice Department eyes spy program
http://news.yahoo.com/s/ap/20061128/ap_on_go_ca_st_pe/domestic_spying

By LARA JAKES JORDAN, Associated Press Writer
22 minutes ago

WASHINGTON - The Justice Department has begun an internal investigation into its handling of information gathered in the government's domestic spying program.
However, Democrats criticized the review as too narrow to determine whether the program violated federal law.

The inquiry by Glenn A. Fine, the department's inspector general, will focus on the role of Justice prosecutors and agents in carrying out the warrantless surveillance program run by the National Security Agency. Fine's investigation is not expected to address whether the controversial program is an unconstitutional expansion of presidential power, as its critics and a federal judge in Detroit have charged.

"After conducting initial inquiries into the program, we have decided to open a program review that will examine the department's controls and use of information related to the program," Fine wrote in a letter dated Monday to House Judiciary Committee leaders. The four-paragraph letter was obtained by The Associated Press.

Justice Department spokesman Brian Roehrkasse said the agency welcomes the review: "We expect that this review will assist Justice Department personnel in ensuring that the department's activities comply with the legal requirements that govern the operation of the program."

In January, Fine's office rejected a request by more than three dozen Democrats to investigate the secret program, which monitors phone calls and e-mails between people in the U.S. and abroad when a link to terrorism is suspected.

Fine's letter outlining his review was welcomed by congressional Democrats. At the same time, they said it falls short of examining issues at the heart of the debate -- how the spying program evolved, and whether its creation violated any laws.

"A full investigation into the program as a whole, not just the DOJ's involvement, will be necessary," said Rep. Zoe Lofgren, D-Calif.
The review could include whether the spying program complies with the Foreign Intelligence Surveillance Act, which requires judicial authorization for electronic surveillance and physical searches of people suspected of espionage or international terrorism on behalf of a foreign power. The Justice Department requests surveillance approval from the FISA court.

Democrats also questioned the timing of the review. Fine's letter noted that his office asked the White House on Oct. 20 for additional security clearances that were approved just last week -- following the Nov. 7 elections that gave Democrats control of Congress.

Noting Democrats' renewed power to subpoena Bush administration officials next year, Rep. Maurice Hinchey, D-N.Y., questioned that Fine's investigation "is only coming now after the election as an attempt to appease Democrats" who have been critical of the NSA program.

The letter was sent to House Judiciary Chairman James Sensenbrenner, R-Wis., and the panel's top Democrat and incoming chairman, Rep. John Conyers, D-Mich. Sensenbrenner had no comment. Conyers called the review "a long overdue investigation of a highly controversial program."

The Justice Department has called the program a necessary tool in the fight against terrorism, and Attorney General Alberto Gonzales is pushing congressional Republicans to authorize it by law before they cede power at the year's end -- a prospect with at best a slim shot of approval.

Former Reagan administration national security official Robert F. Turner, now associate director at the Center for National Security Law at the University of Virginia, said congressional demands for sensitive information about the program put them at odds with long-standing presidential powers over the collection of foreign intelligence.

"It's good that the executive branch, on its own, is making sure that someone's not abusing this power," Turner said.
"But when Congress usurps power vested in the president by the people through the Constitution, then it becomes the lawbreaker."

Countering, Caroline Fredrickson, the director of the ACLU's office in Washington, urged Fine "to seek the hidden truth about this program. ... No one, not even the president, is above the law."

___

On the Net:
Justice Department: http://www.usdoj.gov/

From rforno at infowarrior.org Tue Nov 28 09:41:50 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 28 Nov 2006 09:41:50 -0500
Subject: [Infowarrior] - New US-Russia "hotline" for.....copyrights?
Message-ID:

So does this run from Kremlin to the WH? And what happens if one party picks up the wrong hotline phone? :) -rf

Original URL: http://www.theregister.co.uk/2006/11/28/us_russia_copyright_hotline/

Russia and US set up copyright hotline
By OUT-LAW.COM
Published Tuesday 28th November 2006 10:29 GMT

The US and Russia will set up a copyright hotline so that information about copyright infringement can be swapped between the two nations. The US says that it will train Russia in how to battle copyright theft.

These are just two elements of an emerging agreement between Russia and the US which Russia hopes will pave the way for its entry into the World Trade Organisation (WTO). The US is thought to have blocked Russia's entry on several grounds, one of which was its record on copyright abuse.

Russia's copyright protection laws are weaker than those in the US and many European countries, as evidenced by the fact that controversial music website Allofmp3.com claims to operate legally in Russia but would be shut down by now in many other countries.

Russia has recently undertaken partial reform of its copyright laws in a bid to have the US back its entry into the WTO. It is the largest economy in the world not already a member of the body.
OUT-LAW has seen an agreement between the US and Russia which outlines action to be taken by Russia to comply with copyright protection in the US/European mould. In the agreement, between US Trade Representative Susan Schwab and Russian Minister of Trade and Economic Development German Gref, Russia agrees to conduct surprise raids at any time of the day or night, to ban its military facilities from duplicating copyrighted material, and to investigate Russia-based web companies distributing copyright-protected music.

"I am pleased that we have concluded this important agreement in connection with Russia's WTO accession negotiations," said Schwab. "This is a strong and far-reaching commercial agreement that meets the high standards of President Bush's market-opening trade agenda and moves Russia closer to full integration into the global, rules-based trading system."

Intellectual property rights have been seen as a major stumbling block to US support for Russia's entry into the WTO. The US is home to many of the world's major entertainment companies. Agricultural tariffs have also played a vital role in negotiations.

The deal was struck in time for US President George Bush's meeting with Russian President Vladimir Putin at the Asia Pacific Economic Cooperation meeting last week.

"Today, Vladimir and I are pleased to report that after a long set of negotiations, Representative Gref and Ambassador Schwab have signed agreements that will be good for the United States and good for Russia -- and that is we support Russia's accession into the WTO," said Bush at that meeting.

The agreement will also allow for the duty free importing into Russia of IT equipment such as computers and semiconductors, a major piece of tariff reform that will open up the Russian market for US manufacturers.

See: The agreement (http://www.ustr.gov/assets/World_Regions/Europe_Middle_East/Russia_the_NIS/asset_upload_file148_10011.pdf) (6 page/309KB PDF)

Copyright © 2006, OUT-LAW.com (http://www.out-law.com/)

From rforno at infowarrior.org Tue Nov 28 09:58:24 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 28 Nov 2006 09:58:24 -0500
Subject: [Infowarrior] - Oversight Board Briefed on NSA Spy Program
Message-ID:

Oversight Board Briefed on NSA Spy Program
http://www.guardian.co.uk/uslatest/story/0,,-6244089,00.html

Tuesday November 28, 2006 8:46 AM
By JOHN SOLOMON
Associated Press Writer

WASHINGTON (AP) - Several members of a government board appointed to guard privacy and civil liberties during the war on terror say they're impressed with the protections built into the Bush administration's electronic eavesdropping program.

The Privacy and Civil Liberties Oversight Board received a long-awaited briefing on the secret program last week by senior members of the National Security Agency.

Two of the five board members told The Associated Press on Monday they were impressed by the safeguards the government has built into the NSA's monitoring of phone calls and computer transmissions and wished the administration could tell the public more about them to ease distrust.

``If the American public, especially civil libertarians like myself, could be more informed about how careful the government is to protect our privacy while still protecting us from attacks, we'd be more reassured,'' said Lanny Davis, a former Clinton White House lawyer.

Alan Raul, a former Reagan White House lawyer and the board's vice chairman, said the group ``found there was a great appreciation inside government, both at the political and career levels, for protections on privacy and civil liberties.''

``In fact, I think the public may have an underappreciation for the degree of seriousness the government is giving these protections,'' said Raul, author of a book on privacy and civil liberties in the digital age.
The briefing had been delayed for over a year because President Bush was concerned - after several press leaks - about widening the circle of people who knew the exact details of the eavesdropping program. A breakthrough was reached in recent days and the five board members were briefed during Thanksgiving week.

The board members are prohibited from discussing any specific protections or tactics because the NSA program remains classified. But Davis said he believes the administration could tell the public more about the program's protections without compromising national security.

The board was created as a compromise between Congress and the White House amid growing public and congressional concerns about the government's tactics in the war on terror and their impact on civil rights. Those concerns were fueled in part by news leaks that divulged the existence of the NSA's eavesdropping program, a similar terrorist finance tracking system and secret CIA prisons where high-value targets have been interrogated.

Democrats, who are about to take over Congress in January, have been concerned the board doesn't have enough independence because the political compromise struck in late 2004 left the board under the authority of the president. Some have discussed elevating the board to an independent body like the Sept. 11 review commission.

After meeting in private 16 times over the last year to discuss classified matters and to be briefed by every major U.S. intelligence agency, the board has scheduled its first public hearing Dec. 5 to solicit testimony from nongovernment privacy experts.

The forum, to be held at Georgetown University, will hear from some of the administration's privacy critics, including the American Civil Liberties Union and the Electronic Privacy Information Center, as well as conservative and academic voices.
From rforno at infowarrior.org Tue Nov 28 12:08:54 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 28 Nov 2006 12:08:54 -0500
Subject: [Infowarrior] - Boarding Pass Hacker Breaks Silence
Message-ID:

Boarding Pass Hacker Breaks Silence
http://blog.washingtonpost.com/securityfix/2006/11/boarding_pass_hacker_breaks_si.html#more

Chris Soghoian, the Indiana University doctoral student whose online demonstration of serious flaws in airport security prompted an FBI investigation, broke his silence this week after the government terminated its investigation into the matter.

Soghoian had refused to talk to the media ever since the FBI visited his home in Bloomington, Ind., on Oct. 27 and carted away computers and other equipment. The federal action came in response to Soghoian's decision to post a tool on his Web site that would allow someone to print a fake boarding pass that could be used to evade the "no-fly" list -- a key government tool in keeping suspected terrorists off of airplanes.

In an interview with Security Fix on Saturday, Soghoian said he was ready to set the record straight now that the FBI had ended its investigation and the local U.S. attorney had declined to press charges. A spokesperson for the FBI's Indianapolis field office confirmed that the investigation was closed on Nov. 14.

Soghoian's boarding pass generator highlighted a loophole in the Transportation Security Administration's policy for screening passengers against the no-fly list. The problem is that boarding passes are compared to a person's ID only at initial airport security checkpoints, not at the gates where passengers board planes. And the boarding passes are scanned and verified only at departure gates, not security checkpoints.
In discussing the tool that he created, Soghoian said that even if the TSA plugged the security loophole -- by requiring ticket readers at the initial terminal security checkpoint and integrating the no-fly list with every airline's computer systems -- the current legal status of the TSA's policy allows anyone to refuse to show ID at check-in if they consent to additional screening.

"Everyone focused on this issue of fake boarding passes, but no one touched on the issue of a person [telling airline security screeners] that they don't have any ID on them," Soghoian said.

To help put Soghoian's point in perspective, consider the case of John Gilmore, co-founder of the Electronic Frontier Foundation. In 2002, Gilmore refused to show his ID while checking in for a cross-country flight. He was told he could fly if he agreed to a "secondary screening," which he also refused. Gilmore said he was told that there were security directives that mandated the showing of ID, but that he was not allowed to view said rules.

Gilmore later sued the government to gain access to the rules. The case wound its way up to the 9th Circuit Court of Appeals, which privately viewed the rules and decided that airline passengers could either present identification OR opt to be subjected to a more extensive search.

This summer, Gilmore challenged members of the Department of Homeland Security's privacy advisory committee to test the court's ruling -- i.e. to see if it's possible to fly domestically without an ID. Committee member Jim Harper, director of information policy studies at the CATO Institute, a libertarian think tank, accepted the challenge. After a thorough screening that involved a slew of tests for traces of explosive materials, Harper made it through screening and was allowed to fly without showing ID. And he believes he made it through security faster than he would have had he shown an ID.
In a phone interview Monday, Harper said the whole ordeal demonstrates the ineffectiveness of identity-based screening at airports.

"You could fix all these holes in airline security screening and you still wouldn't have a secure, identity-based system," Harper said. "Identity doesn't tell you what someone plans to do, especially a person who has newly-adopted terrorist plans or who has just joined some terror-related organization recently. The 9/11 operation -- with two exceptions -- was carried out by people who weren't known to U.S. authorities and were already operating in a mode to defeat the watch list we've since put in place. So the current system merely requires al Qaeda to continue using techniques they were using in the past. So this -- like so many other security systems that we have post-9/11 -- start[s] from such a level of abstraction that they end up being total surveillance systems."

Indeed, Soghoian himself said he successfully tested the no-ID policy on four different flights over the past four months. The experience, he said, left him scratching his head as to why the government bothers with the no-fly list at all.

"There's the ability to get on a plane and do bad things and the ability to get on a plane to avoid the government knowing who you are. We as citizens have given up some of our rights to fly safely, and that takes care of the first issue," Soghoian said. "The question is whether we're willing to be searched and inconvenienced solely to protect the government's no-fly list, which doesn't make us any safer."

So what lessons should other people take away from this before they try to publicize loopholes in U.S. security checks? One of Soghoian's attorneys, Stephen L. Braga, a partner with the Washington, D.C., law firm Baker & Botts, said doing the research to find such loopholes is fine. It's what you do with the information that matters.
"I think the clear takeaway from this is for people to go ahead and do their research, develop a thesis of what the flaw is and bring it to the attention of the authorities if it has any potential for misuse, but don't post it online," Braga said. "People really need to think twice about whether putting things like this out there might fall into the wrong hands and be used for illegal purposes." Soghoian said that when he met with officials from the U.S. Attorney's office in Indianapolis to retrieve his computer equipment, he was told that the crisis might have been averted if he had pasted some sort of "SAMPLE" or "NOT FOR BOARDING" disclaimer watermark on his boarding pass generator -- to better illustrate that the tool was created merely to make a point, not to abet anyone trying to evade the no-fly list. But Soghoian said he believes that the issue would not have garnered the national attention that it did if he had included those disclaimers. "The fact is that [the government] has been told about these vulnerabilities time and time again. When a U.S. Senator puts step-by-step instructions on how to fake boarding passes on his Web site and the problem isn't fixed, we have to ask ourselves what more will it take?" he said. "My hope is things will get fixed but my worry is they won't and this will all get swept under the carpet again." From rforno at infowarrior.org Tue Nov 28 19:24:07 2006 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 28 Nov 2006 19:24:07 -0500 Subject: [Infowarrior] - TSA Follies - a more appropriate color code scheme Message-ID: (scroll down in the article.......rf) In fact, I think it's time to take a good hard look at that color-coded homeland security advisory system and find out what those alert levels really mean. 
< - > http://www.homelandstupidity.us/2006/11/27/the-tsa-follies-4/ From rforno at infowarrior.org Tue Nov 28 19:25:05 2006 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 28 Nov 2006 19:25:05 -0500 Subject: [Infowarrior] - Students Struggle with Information Literacy Message-ID: Students Struggle with Information Literacy From eSchool News, November 28, 2006 By Justin Appel http://www.freepress.net/news/print/19369 We often think of today's students as technology-savvy -- and while that might be true, to a certain extent, when it comes to using hardware and software devices, a recently published report shows how little know-how students display when it comes to information literacy, or the ability to use technology to find the information they're looking for. The report, from Princeton, N.J.-based ETS, found that the majority of high school and college students lack the proper critical thinking skills when it comes to researching online and using sources. The report comes from an evaluation of the responses of 6,300 students from 63 institutions around the country to ETS's new ICT (Information and Communications Technology) Literacy Assessment. Students were given scenario-based items that were presented to them in 75-minute test environments. These information literacy tests included extracting information from a database, developing a spreadsheet, or composing eMail summaries of research findings. The tests are meant to measure students' abilities to overcome three challenges they typically have:
- The ability to identify trustworthy and useful information;
- The ability to manage overabundant information; and
- The ability to communicate information effectively.
The study found that 52 percent of those tested could correctly judge the objectivity of a web site, and 65 percent could correctly judge that web site's authoritativeness. 
But only 40 percent of students entered multiple search terms when researching a topic, and only 44 percent properly identified a statement that captured the demands of the assignment. "We have a kind of wake-up call that's being presented to all of us at this time," said Mary Ann Zaborowski, executive director of product management with ETS. "When we think about students today, they're the millennium children. They've grown up around technology. They've been automated with all kinds of computers, cell phones, digital cameras, music. They're more well-versed than any of us who preceded them in terms of how to use these devices. But where there's a startling gap is in their ability to cognitively apply this technology in meaningful ways." The results might be surprising to those outside the educational world, who might think that students who grew up with the internet in their homes and schools are naturally adept at navigating their way around the World Wide Web; but to those in education, it is something they have either suspected or known for quite some time. "I'm not surprised. I think it's not just a problem specific to a region," says Della Curtis, coordinator of library information services for Baltimore County, Md., Public Schools. "I think it's a national issue, for which there have been many organizations that have prepared reports on 21st-century literacy, from way back." One of the problems, Zaborowski points out, is students' over-reliance on search engines such as Google when it comes to researching topics. The study found that students typically will type in a search keyword, then simply go to the first search result and use it as an authoritative source. The problem with this approach is that a number of top search results on Google are often slanted or biased. Through a process known as "Googlebombing," people can alter the top results for a search term. For example, when you type the word "failure" 
into Google's search engine, the top result that appears is the White House biographical page for President George Bush. ETS hopes educators can learn from its report. School leaders "can use the results to identify the misconceptions that faculty might have about the competency of their students," said Zaborowski. Then, she said, educators can "build a consensus on revisions to their curriculum to address those gaps." Many school districts, such as Baltimore County, are already aware of the information-literacy challenge. To address the problem, Baltimore County has been producing a web-based curriculum that, according to Curtis, "raises the bar on student research and problem solving." Through this web-based curriculum, Baltimore County has put together a number of research models for elementary, middle, and high school levels. Each research model has a different scenario and task that students must complete. Students are directed to resources the school system has evaluated, which will help them answer key questions. These resources point students in the right direction when it comes to search methods. "We feel that this is an effective strategy in integrating information literacy ... within the context of the curriculum," said Curtis. Although schools strive to improve their students' information literacy skills, educators must take concrete measures to ensure students have the critical thinking skills they need to find information online, according to the report. "Access to information is becoming a goldmine or landfill," said Curtis. "We need to develop strategies to integrate information and communications literacy skills within the context of the curriculum." Links: ETS http://www.ets.org Findings from ETS's report http://www.ets.org/ictliteracy/prelimfindings.html ICT Literacy Assessment http://www.ets.org/ictliteracy Baltimore County Public Schools http://www.bcps.org This article is from eSchool News. 
If you found it informative and valuable, we strongly encourage you to visit their website and register an account to view all their articles on the web. Support quality journalism. From rforno at infowarrior.org Tue Nov 28 22:45:47 2006 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 28 Nov 2006 22:45:47 -0500 Subject: [Infowarrior] - 10 Minute Mail: Self-Destructing Email accounts Message-ID: Need a valid e-mail address to register but don't want the spam? Try this Seam-based Web app By Paul McNamara on Tue, 11/28/2006 - 10:28am http://www.networkworld.com/community/?q=node/9381 Here's yet another way to dodge the irksome requirement of presenting a valid e-mail address to register for a Web site: 10 Minute Mail, a Seam-based Web application that fills the bill just long enough to get you onto the site -- and then disappears. No fuss, no muss, and best of all, no spam. Reminds me of Anonymizer Nyms, a somewhat controversial product that debuted at our DEMOfall 2006 conference. However, unlike that $20-a-year offering, 10 Minute Mail is free. It's also reminiscent of PrefPass, another Demo debut that aims to ease registration pains. Here's what 10 Minute Mail developer Devon Hillard has to say about it on his Digital Sanctuary Tech blog. "My first Web application built using Seam is now live. It is called 10MinuteMail and you can see it at www.10MinuteMail.com." "It gives you a temporary e-mail address, and lets you receive and reply to e-mail sent to that address. The e-mail address expires in 10 minutes (or more, you can extend it as you need more time). Basically I created it to learn Seam, and to provide an easy way to avoid giving your real e-mail address to Web sites which require an e-mail from you to sign up. Think of it as spam avoidance." The site has been an instant hit, too, with the help of bloggers -- which Hillard clearly digs. "Anyhow, I'm proud," he writes. 
"Check it out, click on a Google ad or two if you would, and let me know what you think!" Obviously, the utility here is extremely limited and the cloak-and-dagger crowd will have fun conjuring up all manner of nefarious uses for such a transient communications vehicle. Bottom line, though, is I think I'll wind up using it. From rforno at infowarrior.org Tue Nov 28 22:50:34 2006 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 28 Nov 2006 22:50:34 -0500 Subject: [Infowarrior] - Judge Strikes Down Bush on Terror Groups Message-ID: Judge Strikes Down Bush on Terror Groups Judge strikes President Bush's authority to designate terrorist groups, LOS ANGELES, Nov. 29, 2006 By LINDA DEUTSCH AP Special Correspondent (AP) A federal judge struck down President Bush's authority to designate groups as terrorists, saying his post-Sept. 11 executive order was unconstitutionally vague, according to a ruling released Tuesday. The Humanitarian Law Project had challenged Bush's order, which blocked all the assets of groups or individuals he named as "specially designated global terrorists" after the 2001 terrorist attacks. "This law gave the president unfettered authority to create blacklists," said David Cole, a lawyer for the Washington, D.C.-based Center for Constitutional Rights that represented the group. "It was reminiscent of the McCarthy era." The case centered on two groups, the Liberation Tigers, which seeks a separate homeland for the Tamil people in Sri Lanka, and Partiya Karkeran Kurdistan, a political organization representing the interests of Kurds in Turkey. 
< - > http://www.cbsnews.com/stories/2006/11/29/ap/national/mainD8LMFCG01.shtml From rforno at infowarrior.org Wed Nov 29 10:08:47 2006 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 29 Nov 2006 10:08:47 -0500 Subject: [Infowarrior] - BitTorrent Partners with TV and Movie Companies Message-ID: http://torrentfreak.com/bittorrent-partners-with-tv-and-movie-companies/ BitTorrent Partners with TV and Movie Companies BitTorrent Inc just announced that they have teamed up with several TV and movie companies. The new list of partners includes 20th Century Fox, Paramount Pictures, G4, Kadokawa Pictures USA, Lionsgate, MTV Networks (Comedy Central, MTV etc.), Palm Pictures and Starz Media. These deals will add a great deal of content to the BitTorrent Video Store, including popular movies like Mission: Impossible III and X-Men: The Last Stand, and popular TV shows such as "Prison Break" and "South Park". The official launch of the BitTorrent video store was delayed, but it is expected to go live in early 2007. "We're thrilled to be partnering with world-renowned entertainment companies and TV networks," said Ashwin Navin, President and co-founder of BitTorrent. "This is a true testament to the value of our community, technology and the position we aspire to play in the world of entertainment and content distribution. Our audience has a voracious appetite for digital content and by offering the titles they want with a solid user experience; it's a win-win situation for both content providers as well as our users." Earlier this year BitTorrent Inc announced deals with several other movie and TV companies including Warner Bros. Update: We've just got word that BitTorrent Inc is going to be getting a massive amount of funding from Accel Partners and Doll Capital Management to the tune of $15-25 million. This is still unconfirmed, but two separate and reliable sources have provided us with the same information. 
We contacted Ashwin Navin regarding the matter. He told us that there were no fundraising announcements at this point. What's worth taking note of is the timing of this rumour. It wouldn't be highly unexpected for BitTorrent to receive a large amount of funding at this point. They have just signed deals with high-profile content companies and their future suddenly looks bright. It is very possible that the venture capitalists knew of the deal in advance and were waiting for it to fall through to confirm their investments. Another rumour that has arisen once again is the resignation (or firing) of one of BitTorrent's co-founders, and inventor of the technology. According to Giga OM, BitTorrent Inc is replacing Bram Cohen with a more experienced manager. The Silicon Valley-based blog is reporting that a head hunter has been hired and that the company is already on the lookout for someone to take his place. "There is talk about founder and CEO Bram Cohen being replaced by a more seasoned manager, and apparently have hired a head hunter, to lead the search," writes Om Malik. He then goes on to say, "We have confirmed this information." From rforno at infowarrior.org Wed Nov 29 10:09:59 2006 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 29 Nov 2006 10:09:59 -0500 Subject: [Infowarrior] - FCC's new Public Safety and Homeland Security Bureau Message-ID: http://cryptome.org/fcc112906.htm SUMMARY: On March 17, 2006, the Commission adopted an Order revising its rules to establish the Public Safety and Homeland Security Bureau. By establishing this bureau the Commission believes it will be better able to address and promote public safety and homeland security. 
From rforno at infowarrior.org Wed Nov 29 10:12:59 2006 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 29 Nov 2006 10:12:59 -0500 Subject: [Infowarrior] - US and Russia strike deal to close AllofMP3.com Message-ID: US and Russia strike deal to close AllofMP3.com Jeroen Doorn, WebWereld Netherlands - IDG News Service 2 hours, 27 minutes ago http://news.yahoo.com/s/macworld/20061129/tc_macworld/allofmp320061129 Russia has agreed to U.S. demands to close the popular music website Allofmp3.com. The U.S. wants the site closed to fight music piracy, and Russia has agreed to improve its chance of gaining membership of the World Trade Organization (WTO). Russia is also intending to close down other websites that infringe copyrights, according to a document on the website of the U.S. Trade Representative. The U.S. and Russia have agreed to combat piracy by closing down several websites that infringe copyrights, according to the document, which cites Allofmp3.com as a prime example of such a website. The popular site has been subject to criticism for some time now. Organizations such as the International Federation of the Phonographic Industry (IFPI) have accused Allofmp3.com several times of being a prime source of music piracy. A U.S. Trade Representative, Susan Schwab, has stated previously that Russia can never be a member of the WTO as long as the country hosts sites such as Allofmp3.com. The team behind Allofmp3.com has always denied running an illegal website. They pay fees to the Russian Multimedia and Internet Society (ROMS) which supposedly represents artists and copyright holders in Russia. Artists themselves state they have never received any money from ROMS. There is fierce international pressure on the Russian government to close down Allofmp3.com. Prices of songs on the website are about one-tenth the price in other music stores such as Apple's iTunes store. 
From rforno at infowarrior.org Wed Nov 29 18:40:56 2006 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 29 Nov 2006 18:40:56 -0500 Subject: [Infowarrior] - U.S. Apologizes to Mistaken Terrorism Suspect Message-ID: U.S. Apologizes to Mistaken Terrorism Suspect By Dan Eggen Washington Post Staff Writer Wednesday, November 29, 2006; 3:08 PM http://www.washingtonpost.com/wp-dyn/content/article/2006/11/29/AR2006112901179_pf.html The U.S. government has agreed to pay $2 million to an Oregon lawyer who was wrongfully arrested as a terrorism suspect because of a bungled fingerprint match and has issued an apology for the "suffering" inflicted on the attorney and his family. Under the terms of the settlement announced today, Brandon Mayfield of Portland, Ore., will also be able to continue to pursue a lawsuit challenging the constitutionality of the USA Patriot Act antiterrorism law, which played a role in Mayfield's case. The monetary payment amounts to an embarrassing admission of wrongdoing by the FBI, which arrested and detained Mayfield as a material witness in May 2004 after FBI examiners wrongly linked him to a portion of a fingerprint found on a bag of detonators during the investigation of the Madrid commuter train bombings. Subsequent investigations have also found that the FBI compounded its error by failing to adhere to its own rules for handling evidence and by resisting the conclusions of the Spanish National Police, which quickly determined that the fingerprint belonged to someone else. Mayfield--who was held for two weeks and who was subjected to surveillance and secret searches of his home and office--said in a statement issued by his attorneys that he was threatened with the death penalty while in custody and that he and his family were targeted "because of our Muslim religion." 
"The power of the government to secretly search your home or business without probable cause, under the guise of an alleged terrorist investigation, must be stopped," Mayfield said. "I look forward to the day when the Patriot Act is declared unconstitutional, and all citizens are safe from unwarranted arrest and searches by the Federal Government." Mayfield and his attorneys, including celebrity defense lawyer Gerry Spence of Jackson Hole, Wyo., are scheduled to hold a news conference later today in Portland, Ore. Justice Department spokeswoman Tasia Scolinos issued a statement emphasizing that the FBI was not aware of Mayfield's Muslim faith when he was first identified as part of the fingerprint match, and that the FBI "did not misuse any provisions of the USA Patriot Act." Scolinos also said the FBI has implemented reforms to avoid a similar mistake in the future. According to a press release from Mayfield and his attorneys, the government has agreed to destroy all material obtained during electronic surveillance of him and from clandestine searches of his home and office. The government also issued a formal apology to Mayfield, his wife and his three children for "the suffering caused by the FBI's misidentification of Mr. Mayfield's fingerprint and the resulting investigation of Mr. Mayfield, including his arrest as a material witness in connection with the 2004 Madrid train bombings and the execution of search warrants and other court orders in the Mayfield family home and in Mr. Mayfield's law office." The apology also "acknowledges that the investigation and arrest were deeply upsetting" to Mayfield and his family and that the U.S. government "regrets that it mistakenly linked Mr. Mayfield to this terrorist attack." 
Mayfield filed a lawsuit against the Justice Department, the FBI and several FBI employees in October 2004 alleging civil rights violations, including a charge that he was arrested because he is a Muslim who had represented some defendants with alleged terrorism ties. A report issued in March 2006 by Justice Department Inspector General Glenn A. Fine found that although Mayfield's religion "was not the sole or primary cause" of the initial identification, it contributed to the FBI's reluctance to reexamine the case after it was challenged by the Spanish police. That same report also found that the FBI used expanded powers under the Patriot Act to demand personal information about Mayfield from banks and other companies, and that the law "amplified the consequences" of the FBI's mistakes by allowing numerous government agencies to share the flawed conclusions. The FBI and Justice Department--while acknowledging some mistakes in the case--have said repeatedly that there were unusual similarities between Mayfield's fingerprints and the one found on the bag of detonators, which was eventually identified as belonging to an Algerian national named Ouhnane Daoud. Officials have also denied that Mayfield's status as a Muslim convert influenced the FBI's treatment of him. On March 11, 2004, terrorists later linked to al-Qaeda detonated bombs on several commuter trains in Madrid, killing 191 people. The FBI assisted Spanish police by comparing latent prints found on a bag of detonators nearby against its massive fingerprint database, which includes prints from former U.S. soldiers. On March 19, the FBI lab identified 20 possible matches for one of the prints; two FBI examiners and a unit chief narrowed the match down to Mayfield. Spanish police conducted their own fingerprint analysis and informed the FBI on April 13, 2004, that its result was negative for Mayfield. The FBI disputed that finding, even dispatching an examiner to Madrid to press its case. 
Fine's report concluded that FBI examiners made a number of errors, including using "circular reasoning" to firm up their conclusion and ignoring rules that an identification must be ruled out if there is an unexplained discrepancy between the prints. FBI examiners had no way of knowing Mayfield's religion or occupation when they first identified him as a suspect, Fine's report said, but those factors likely influenced their conclusions in the weeks that followed. From rforno at infowarrior.org Thu Nov 30 09:06:47 2006 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 30 Nov 2006 09:06:47 -0500 Subject: [Infowarrior] - Child-Modeling Site Owners Indicted Message-ID: These types of cases are going to be ugly, I think.......particularly in the "where do you cross the line" sort of thing....but I agree 100% this is an area ripe for abuse and exploitive potential. -rf Child-Modeling Site Owners Indicted By Roy Mark http://www.internetnews.com/bus-news/article.php/3646251 Two Florida men and a Web site corporation are facing multiple federal charges of conspiring to use a child-modeling site as a front for posing minors engaged in sexually explicit conduct. The 80-count indictment, unsealed Tuesday, charges Marc Evan Greenberg, 42; Jeffrey Robert Libman, 39; and Webe Web Corp., all of the Ft. Lauderdale, Fla., area. An additional two-count criminal information indictment was unsealed charging Jeff Pierson, 43, of Brookwood, Ala., with conspiring to transport child pornography in interstate commerce using a computer. According to the indictment, Greenberg and Libman established a child-modeling site business under the name Webe Web Corp. The business operated using three kinds of Internet sites: a central site, an advertising site and sites for each individual child model. 
The indictment claims Pierson was a photographer who produced visual depictions of minors engaged in sexually explicit conduct in Alabama and transmitted those images by computer to Greenberg, Libman, and Webe Web in Florida. They then posted the images to the individual Web sites. "The indictment alleges that these defendants conspired to produce pornographic images of underage girls posing in lascivious positions for profit, under the pretense of offering professional modeling services," Assistant Attorney General Alice S. Fisher said in a statement. The defendants' central Web site claimed to be a "Web site to promote models ages seven thru 16 and their photographers." The site contained a gallery of 15 to 21 photographs of various underage females that could be viewed for free. Users could view additional photographs by joining the site for a $25 subscription fee and $20 per month. Webe Web promoted subscriptions to these individual sites through its free advertising Web site. Members also used discussion boards to post comments, which included those on specific images, poses and clothing they liked. Some members posted poetry and other expressions of fondness and devotion for a photograph. According to the Department of Justice, most members were adult men who were not affiliated with the modeling industry. "The images charged are not legitimate child modeling, but rather lascivious poses one would expect to see in an adult magazine. Here lewd has met lucrative, and exploitation of a child's innocence equals profits," U.S. Attorney Alice H. Martin said in the statement. If convicted on the conspiracy charges, Greenberg and Libman face a penalty of 15 to 30 years in jail and a maximum fine of $250,000. Webe Web Corp. faces a fine of $500,000. On the criminal information indictment Pierson faces a jail term of five to 20 years for each of the two counts and a $250,000 fine for each count. 
The indictment also seeks forfeiture of proceeds of not less than $600,000, real property and the Internet domain names and content associated with Webe Web Corp. From rforno at infowarrior.org Thu Nov 30 09:55:12 2006 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 30 Nov 2006 09:55:12 -0500 Subject: [Infowarrior] - FW: Homeland security buffoons blow up data logging device (via BoingBoing) In-Reply-To: <20061130145139.GA26624@gsp.org> Message-ID: (c/o RK........rf) [ It's appalling that people this incredibly stupid are allowed to even handle weapons, let alone that they're *paid* to handle weapons. --- ] Link: http://www.boingboing.net/2006/11/28/homeland_security_bu.html Excerpt: Over at "Notes from the Technology Underground," Bill Gurstelle writes about a university geoscience researcher who accidentally left a temperature logging device in the trunk of her rental car when she dropped it off at the rental agency. When she and her husband arrived at the airport gate, "five uniformed airport police with flak jackets and guns" were waiting to interrogate her. But they employed a "blow up first, ask questions later approach," because the equipment had been destroyed by Bloomington Police Department bomb squad before giving her a chance to explain. Links to: Blowing Up Scientific Equipment in the Name of Security http://nfttu.blogspot.com/2006/11/blowing-up-scientific-equipment-in-name.html From rforno at infowarrior.org Thu Nov 30 14:00:24 2006 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 30 Nov 2006 14:00:24 -0500 Subject: [Infowarrior] - Peter Junger, encryption law warrior, R.I.P. [fs] In-Reply-To: <456F2592.70705@well.com> Message-ID: ------ Forwarded Message From: Declan McCullagh Date: Thu, 30 Nov 2006 10:40:18 -0800 To: Politech Subject: [Politech] Peter Junger, encryption law warrior, R.I.P. [fs] I just learned from Case Western's law school that Peter Junger died at 73 last week. 
The Plain Dealer's obituary is here: http://cleveland.com/news/plaindealer/index.ssf?/base/news/1164360994108030.xml&coll=2 I first encountered Peter during his courageous First Amendment lawsuit against the federal government over the constitutionality of anti-encryption regulations. When I taught a class at Case Western a few years ago, Peter was kind enough to be a guest lecturer. When CyberPatrol made legal threats over software that decrypted the "secret" blacklist, Peter said on Politech that the software was "seriously useful" and "educational" and that the DMCA was a threat: http://www.politechbot.com/p-01015.html In addition to being a law professor (and, more recently, a professor of law emeritus), Peter was an active blogger, Buddhist, and system administrator. I recall Peter telling me he gave up his office (which he would otherwise be entitled to) at the law school in exchange for being able to colocate his samsara.law.cwru.edu Red Hat Linux server at the law school instead. Up until his death Peter was working on an article with the typically blunt title of "You Can't Patent Software; Patenting Software is Wrong." A draft is here: http://samsara.law.cwru.edu/patart/index.html And an excerpt: "As I argue in this article at what most of you will consider excessive length, the Supreme Court was right in holding that computer programs are no more patentable than are mathematical inventions like the calculus or logical truths like De Morgan's law that ``NOT (A AND B)'' equals ``NOT A OR NOT B''. Computer programs are texts, not machines as some lawyers have confused themselves into believing, and thus they may be copyrighted and protected by the First Amendment, but they are not patentable as machines. Computer programs are indeed processes, but they are not patentable processes because what they process is information and what they produce is information, not some modification of material goods or articles of commerce. 
The simple fact is---though the reasons for it may be hard for most lawyers to grasp---that, as the title of this article puts it: ``You can't patent software: patenting software is wrong.''" I'm told the Cleveland Buddhist Temple is holding a memorial service for Peter on Saturday and that the law school is planning one soon. -Declan From rforno at infowarrior.org Thu Nov 30 17:11:04 2006 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 30 Nov 2006 17:11:04 -0500 Subject: [Infowarrior] - VeriSign Still .Com Master Message-ID: November 30, 2006 VeriSign Still .Com Master By Sean Michael Kerner http://www.internetnews.com/xSP/article.php/3646471 VeriSign has emerged again as the .com master nine months after submitting its revised deal to the U.S. Department of Commerce (DoC). Under the terms of the agreement, negotiated between ICANN and VeriSign, VeriSign will continue to manage the .com registry until 2012. It also allows VeriSign to increase domain prices, which was a provision that many in the domain registry business opposed. The DoC's National Telecommunications and Information Administration (NTIA) listened to the opposition, holding a number of hearings looking into the deal. As a result of testimony, the final agreement imposes a number of conditions on VeriSign that the original deal with ICANN did not. "Under this amendment, the Department retains oversight over any changes to the pricing provisions of, or renewals of, the new .com registry agreement," reads a statement from the NTIA. "Department approval of any renewal will occur only if it concludes that the approval will serve the public interest in the continued security and stability of the Internet domain name system and the operation of the .com registry, and the provision of registry services at reasonable prices, terms and conditions." Opponents to the original deal had argued that the ICANN/VeriSign deal could leave VeriSign with control of the .com registry for near perpetuity. 
They had also argued against the fact that the pricing changes would yield over $3 billion in revenue for VeriSign. VeriSign has managed the .com registry since 1999 with what VeriSign claims to be 100 percent uptime. "The registry operator framework ICANN has adopted and embodied in the .com agreement strengthens the security and stability of the Internet relied on by hundreds of millions of people around the globe," Mark McLaughlin, executive vice president and general manager of VeriSign Information Services, said in a statement. "This framework holds operators accountable for their performance, promotes the continued investment of tens of millions of dollars in the infrastructure and provides important safeguards for consumers." From rforno at infowarrior.org Thu Nov 30 21:53:48 2006 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 30 Nov 2006 21:53:48 -0500 Subject: [Infowarrior] - Registered Traveler Program Is Fake Security Message-ID: Registered Traveler Program Is Fake Security -- UPDATED The Registered Traveler program, which was just cleared for deployment at the nation's airports, has nothing to do with security and is simply a way to pay $100 to cut to the front of the line. While $28 out of the approximately $100 fee goes to a security check performed by the Department of Homeland Security, there's actually no rational reason to do the check other than to make the program look like it's security-related. More, including why Registered Travelers will still get caught by terrorism watchlists and comment from a vendor, after the jump... < - > http://blog.wired.com/27bstroke6/2006/11/registered_trav.html From rforno at infowarrior.org Thu Nov 30 22:26:37 2006 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 30 Nov 2006 22:26:37 -0500 Subject: [Infowarrior] - ATM system called unsafe Message-ID: ATM system called unsafe Posted: Thursday, November 30 at 03:22 pm CT by Bob Sullivan http://redtape.msnbc.com/2006/11/researchers_who.html A U.S. 
Secret Service memo obtained by MSNBC.com indicates that organized criminals are systematically attempting to subvert the ATM system and unscramble encrypted PIN codes. (Will Burgess / Reuters file) Researchers who work for an Israeli computer security company say they have discovered a fundamental weakness in the system that banks use to keep debit card PIN codes secret while they are transported across bank networks ? a flaw that they say could undermine the entire debit card system. The U.S. Secret Service is investigating the matter, and MSNBC.com obtained a memo compiled by the agency that indicates that organized criminals are systematically attempting to subvert the ATM system and unscramble encrypted PIN traffic. The report has ignited a debate within the banking industry, with many financial industry experts downplaying the seriousness of the flaw and outside experts divided on its implications. But there is no disputing the impact that such a hack would have if successful. Using the methods outlined by the researchers, a hacker could siphon off thousands of PIN codes and compromise hundreds of banks, said Odelia Moshe Ostrovsky, the report?s principal author. Criminals could then print phony debit cards and simultaneously withdraw vast amounts of cash using ATMs around the world, she said. Automated Teller Machines and point of sale debit card sales are a massive part of the global economy. In the U.S. alone, ATMs perform about 8 billion transactions every year and dispense $600 billion in cash, according to a study released earlier this year by Dove Consulting. Volume of retail store PIN-based debit card transactions is even higher. 
Word of the apparent security flaw first surfaced two weeks ago, when Ostrovsky and other researchers at Algorithmic Research (ARX) published a paper stating that it would be possible for someone with access to the ATM network to attack the special computers that transmit bank account numbers and PIN codes, called hardware security modules.

When consumers enter their personal identification numbers, or PINs, into an ATM, the PIN and account number must travel through several computers on a special network before they arrive at their home bank for verification. The data is encrypted immediately after it's entered at the ATM into what is known as a PIN block, then sent on its way.

Rarely does the transmission go directly to a consumer's bank. Instead, it is handed off several times on a banking network run by several third parties. Each time a bank passes the data along, it goes through a switch that contains the hardware security module, and the PIN block is unscrambled and then rescrambled. It is at these intermediate points where hackers could trick the machines into divulging PINs, the ARX researchers said.

"We show in these attacks that using only (a single) function we can reveal the content of every PIN block as if it's not encrypted," said Ostrovsky.

PINs thought to be unassailable in transit

The attack theory is significant because it has long been considered impossible to access PINs as they are traveling through the ATM network without the encryption key used by the card-issuing bank. But the ARX report said issuer keys are not necessary because computers along the network can be tricked into revealing PINs through a series of electronic queries that would enable criminals to make educated guesses about -- and possibly break -- the encryption code.

ARX sells hardware security modules to ATM networks, but Ostrovsky said its machines also are vulnerable to the attacks because they must communicate with other ATM network computers using the flawed protocols.
Ostrovsky said her company shared the research with the Visa credit card association's risk management team and other U.S. financial industry security experts six months ago, and recommended systemwide ATM network changes. But U.S. banks weren't reacting fast enough to the risk, she said, so ARX decided to go public with its information and two weeks ago published a paper titled "The Unbearable Lightness of PIN cracking," which is now available on the Internet (in Adobe Acrobat format).

Kim Bruce, a spokeswoman for the Secret Service, confirmed that the agency had been in contact with ARX to discuss the paper's findings, but declined to provide additional detail.

Visa: Attack 'highly unlikely'

A spokeswoman for Visa, which owns part of the ATM network and helps write security standards for it, confirmed that the flaws described in the paper are real, but said the threats they pose are minimal.

"This research paper addresses an area that has been known for some time to the payments industry," said Rosetta Jones. "There are a range of standard security measures in place within member institutions and processors -- including limited access to databases and segregation of duties -- that make this kind of attack highly unlikely. Through these layers of security, Visa and our member financial institutions are working to prevent the kinds of attacks theorized in the paper."

She also said there is no evidence the attacks outlined by ARX have been attempted by criminals. "We are not aware of any instance where this kind of attack has actually occurred, and there is no link between the attack outlined in this paper and any recent data compromises," she said.

It is clear, however, that organized criminals are systematically attempting to subvert the ATM system and unscramble encrypted PIN traffic.
Russian Web sites indicate organized attacks

Russian-language Web sites are abuzz with discussions about ATM network attacks, including discussion of the Israeli report, according to data gathered by the Secret Service and viewed by MSNBC.com.

"In the fall of 2005 work for everyone was so successful because an employee of one of America's processors sold a database of material that went through its processing center," wrote a hacker who belongs to an online gang called Mazafaka, according to an English translation of a Russian Web site compiled by the Secret Service. "This material was then successfully exploited by our carder friends. The consequences of this deal could even be monitored on CNN, as well as in our own work (this applies to cashers). You may have noticed that after this event, ATMs more and more frequently give 'transaction declined' notices or give a small sum on the first transaction and then block the card."

In another exchange cited in the Secret Service memo, a hacker offers to pay for databases of encrypted PINs, which theoretically should be useless unless someone had discovered a way to translate the data into valid PINs. In still another post, one claims to have recovered account data by "hijacking" hardware security modules.

Industry downplays the threat

Nessa Feddis, a spokeswoman for the American Bankers Association, also downplayed the scenario outlined by the Israelis and the overall hacking threat, saying that while PINs "are always going to be a target," the ABA is "not aware of any ability to undo the encryption."

A spokesman for First Data Corp., which owns the STAR network, one of the largest ATM processing networks, said the company would not comment on the research paper. Other bank security groups also downplayed the threat.
Catherine Allen, CEO of the Financial Services Roundtable's BITS organization, a consortium of security experts from the nation's top 100 financial institutions, said the risk suggested by the ARX paper is minimal because U.S. banks have already addressed the security concerns.

But banking analyst Avivah Litan, an industry consultant with security firm Gartner, said banks aren't reacting strongly enough to the report. "This is nothing short of startling," she said. "No one is paying attention to this and I don't know why. It undermines the whole premise of ATM security."

How the attacks would work

The attacks described in the ARX paper could not be conducted remotely over the Internet. They would require a criminal to be on the same local network as the hardware security module. Because ATM switches are heavily guarded and monitored, such access is unlikely, argued a BITS representative, who spoke on condition of anonymity.

But such ATM switches can be located anywhere in the world, Ostrovsky countered. That creates a "weakest link" vulnerability in which one poorly guarded switch could theoretically be used to compromise every bank whose debit cards have flowed through that switch, she said.

Each switch contains a hardware security module, which is a simple computer in a tamper-proof box designed to perform a few PIN-related functions, beginning with decrypting and encrypting. But the boxes also contain other small programs, or functions, which allow the machines to change a customer's PIN or calculate other PIN-related values. Most ATM switches don't need these tools; however, they are often available by default. This unnecessary software is exploited in some of the attacks described by ARX, which recommends that switch operators turn off the unnecessary functions.

But even that's not enough, Ostrovsky said. The one essential function of a switch -- encrypting and decrypting, a process known as "translate" -- is all an attacker needs to trick the machine into divulging PINs, a hack that would put nearly every ATM switch at risk, she said.

"This is not an attack on a certain configuration or installation. This is an attack on the protocol itself. It must be updated," Ostrovsky said.

There are competing protocols, or PIN block formats, in use in the ATM network, and each machine must support all those formats, she explained. In one version, the 16-digit PIN block contains two formatting characters, four PIN characters, and 10 additional slots with information about the customer's account number. That's the standard used in the U.S. Another standard combines the formatting characters and PIN characters with random digits, and sends the account number separately.

The translate function not only assists in encrypting -- it also allows the machine to translate the PIN block from one format to another. This allows an attacker to take advantage of the weaknesses of both, creating a "least-common denominator" vulnerability, Ostrovsky said.

The BITS representative who spoke on condition of anonymity conceded such attacks are feasible, but called the risk "very, very, very, very remote." He added that bank robbers have much easier ways of stealing money than complicated PIN prediction tactics.

Litan is not so sure. She said the research paper undermines the basic premise of ATM network security -- the idea that only a computer loaded with the encryption key created by the issuing bank can reveal a PIN. "The premise was 'It doesn't matter what happens along the path,' so even people who could access the PIN blocks couldn't do anything with them," she said. "This blows that out of the water."

'A worrisome thing'

Michael McKay, an independent consultant who helped design Hewlett Packard's hardware security module, called Atalla, described the ARX attack as "a worrisome thing, a real concern."
"It's commonly thought that there are some organized crime groups that have made concerted efforts on this," he said. "So we believe there have been people who've cracked parts of the system."

Ross Anderson, a cryptology expert at the University of Cambridge in the United Kingdom who has written several papers on ATM security, called the ARX paper "a fairly big deal." But he noted that previous research also has demonstrated widespread vulnerabilities in the ATM PIN system. He cited a paper he co-wrote with student Mike Bond in 2001 that showed that many supposedly tamper-proof cryptographic systems can be fooled into divulging information by sending them confusing commands. (Acrobat) Another paper, authored by Bond, showed that a would-be ATM hacker could use flaws in the way banks generate PINs that could reduce the number of average guesses required to mathematically discover a PIN from 5,000 to as few as 15. (Acrobat)

"Customers can't rely on bank assurances that 'our systems are secure,'" Anderson said.

Banks hit by a successful attack like the one described by the Israeli researchers may not even know the origin of the theft, Ostrovsky said. An insider would simply steal the PINs, create associated fake debit account cards, and steal money from ATMs around the world. Consumers who complained that money was missing from their accounts might be met with skepticism, she said.

Consumers should watch their accounts for any signs of suspicious activity, but other than that there isn't much they can do in response to this research, McKay said.

Bank industry officials point out that the attacks must be carried out by someone with direct access to an ATM switch, limiting the potential for abuse. But Litan said the limitation is hardly reassuring. "It's not much comfort that they have to be on the inside," she said. "As we've already seen, it's easy for criminals to open up their own ATM network. And banks do have insiders with flaws."
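The two PIN block formats Ostrovsky describes and the ARX advice to switch off unneeded HSM functions, as an added Python example; this is not code from the article, from ARX, or from any HSM vendor. Format 0 and format 1 follow the public ISO 9564-1 layouts, but the PAN, PIN, command names and policy rules are constructed for illustration, and the same-format-only translate rule is an assumed switch-side control that the article does not prescribe. The point it shows is the one the article makes: a format 0 block verifies only under the account it was built for, while a format 1 block carries no account binding at all, so a switch that freely converts between the two is only as strong as the weaker format.

```python
"""ISO 9564 PIN block formats and a switch-side HSM command policy.

Added example, not code from the MSNBC article, ARX, or any HSM vendor.
Format 0 and format 1 follow ISO 9564-1; the switch command names and the
policy rules are constructed for illustration.
"""
import secrets
from typing import Optional, Tuple

BLOCK_LEN = 16  # hex digits in a 64-bit PIN block


def pan_block(pan: str) -> str:
    """ISO 9564 PAN field: 0000 followed by the rightmost 12 PAN digits,
    excluding the check digit. This is what ties a format 0 block to an account."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) < 13:
        raise ValueError("PAN must have at least 13 digits")
    return "0000" + digits[-13:-1]


def _xor_hex(a: str, b: str) -> str:
    return format(int(a, 16) ^ int(b, 16), "016X")


def _check_pin(pin: str) -> None:
    if not (4 <= len(pin) <= 12 and pin.isdigit()):
        raise ValueError("PIN must be 4 to 12 decimal digits")


def format0_encode(pin: str, pan: str) -> str:
    """Format 0 (the U.S. layout the article describes): control nibble 0,
    PIN length, PIN digits, F padding, all XORed with the PAN field."""
    _check_pin(pin)
    plain = f"0{len(pin):X}{pin}".ljust(BLOCK_LEN, "F")
    return _xor_hex(plain, pan_block(pan))


def format0_decode(block: str, pan: str) -> str:
    """Recover the PIN from a clear format 0 block; the padding only XORs
    back to F under the PAN the block was built for, so a wrong PAN fails."""
    plain = _xor_hex(block, pan_block(pan))
    length = int(plain[1], 16)
    pin, fill = plain[2:2 + length], plain[2 + length:]
    if plain[0] != "0" or not 4 <= length <= 12 or not pin.isdigit() or fill.strip("F"):
        raise ValueError("format 0 block does not verify under this PAN")
    return pin


def format0_verifies(block: str, pan: str) -> bool:
    """True if the block decodes cleanly under this PAN."""
    try:
        format0_decode(block, pan)
        return True
    except ValueError:
        return False


def format1_encode(pin: str, fill: Optional[str] = None) -> str:
    """Format 1: control nibble 1, PIN length, PIN digits, random fill.
    The PAN travels separately, so the block itself binds to no account."""
    _check_pin(pin)
    plain = f"1{len(pin):X}{pin}"
    if fill is None:
        fill = secrets.token_hex(8).upper()  # 16 hex digits of random fill
    return (plain + fill)[:BLOCK_LEN]


def format1_decode(block: str) -> str:
    """No PAN needed: whoever holds the clear block reads the PIN directly."""
    if block[0] != "1":
        raise ValueError("not a format 1 block")
    length = int(block[1], 16)
    pin = block[2:2 + length]
    if not 4 <= length <= 12 or not pin.isdigit():
        raise ValueError("malformed format 1 block")
    return pin


# Switch-side policy (constructed): only the single function a switch needs,
# translate, is enabled, following ARX's advice to disable unneeded functions;
# the "translate only within the switch's own format" rule is an added
# illustrative control, not something the article prescribes.
SWITCH_ALLOWLIST = frozenset({"translate"})
SWITCH_FORMAT = 0


def check_command(command: str, src_format: Optional[int] = None,
                  dst_format: Optional[int] = None) -> Tuple[bool, str]:
    """Return (allowed, audit message) for an HSM request seen at the switch."""
    if command not in SWITCH_ALLOWLIST:
        return False, f"reject: function '{command}' is disabled on this switch"
    if src_format != SWITCH_FORMAT or dst_format != SWITCH_FORMAT:
        return False, (f"reject: translate {src_format}->{dst_format} leaves "
                       f"the single permitted format {SWITCH_FORMAT}")
    return True, f"allow: translate {src_format}->{dst_format}"


if __name__ == "__main__":
    pan, pin = "4000123456789010", "1234"  # constructed PAN and PIN
    block = format0_encode(pin, pan)
    print("format 0:", block, "->", format0_decode(block, pan),
          "| verifies under other PAN:", format0_verifies(block, "5111222233334444"))
    print("format 1:", format1_encode(pin), "(PIN readable without any PAN)")
    for req in [("translate", 0, 0), ("translate", 0, 1), ("change_pin", 0, 0)]:
        print(check_command(*req))
```

Run it as a script to see the three policy decisions and the two block layouts side by side. The encode/decode functions work on clear PIN blocks only; in a real switch these live inside the HSM and the policy check would sit in front of the HSM command interface, logging every rejected request for the operations team.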
From rforno at infowarrior.org Thu Nov 30 22:32:25 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 30 Nov 2006 22:32:25 -0500
Subject: [Infowarrior] - AP: Feds rate travelers for terrorism
Message-ID:

AP: Feds rate travelers for terrorism
By MICHAEL J. SNIFFEN, Associated Press Writer
14 minutes ago
http://news.yahoo.com/s/ap/20061201/ap_on_go_ca_st_pe/traveler_screening_9&printer=1

Without notifying the public, federal agents for the past four years have assigned millions of international travelers, including Americans, computer-generated scores rating the risk they pose of being terrorists or criminals.

The travelers are not allowed to see or directly challenge these risk assessments, which the government intends to keep on file for 40 years.

The scores are assigned to people entering and leaving the United States after computers assess their travel records, including where they are from, how they paid for tickets, their motor vehicle records, past one-way travel, seating preference and what kind of meal they ordered.

The program's existence was quietly disclosed earlier in November when the government put an announcement detailing the Automated Targeting System, or ATS, for the first time in the Federal Register, a fine-print compendium of federal rules. Privacy and civil liberties lawyers, congressional aides and even law enforcement officers said they thought this system had been applied only to cargo.

The Homeland Security Department notice called its program "one of the most advanced targeting systems in the world." The department said the nation's ability to spot criminals and other security threats "would be critically impaired without access to this data."

Still, privacy advocates view ATS with alarm.
"It's probably the most invasive system the government has yet deployed in terms of the number of people affected," David Sobel, a lawyer at the Electronic Frontier Foundation, a civil liberties group devoted to electronic data issues, said in an interview.

Government officials could not say whether ATS has apprehended any terrorists. Customs and Border Protection spokesman Bill Anthony said agents refuse entry to about 45 foreign criminals every day based on all the information they have. He could not say how many were spotted by ATS.

A similar Homeland Security data-mining project, for domestic air travelers -- now known as Secure Flight -- caused a furor two years ago in Congress. Lawmakers barred its implementation until it can pass 10 tests for accuracy and privacy protection.

In comments to the Homeland Security Department about ATS, Sobel said, "Some individuals will be denied the right to travel and many the right to travel free of unwarranted interference as a result of the maintenance of such material."

Sobel said in the interview the government notice also raises the possibility that faulty risk assessments could cost innocent people jobs in shipping or travel, government contracts, licenses or other benefits.

The government notice says ATS data may be shared with state, local and foreign governments for use in hiring decisions and in granting licenses, security clearances, contracts or other benefits. In some cases, the data may be shared with courts, Congress and even private contractors.

"Everybody else can see it, but you can't," Stephen Yale-Loehr, an immigration lawyer who teaches at Cornell Law School, said in an interview.

But Jayson P. Ahern, an assistant commissioner of Homeland Security's Customs and Border Protection agency, said the ATS ratings simply allow agents at the border to pick out people not previously identified by law enforcement as potential terrorists or criminals and send them for additional searches and interviews.
"It does not replace the judgments of officers," Ahern said in an interview Thursday.

This targeting system goes beyond traditional border watch lists, Ahern said. Border agents compare arrival names with watch lists separately from the ATS analysis.

In a privacy impact assessment posted on its Web site this week, Homeland Security said ATS is aimed at discovering high-risk individuals who "may not have been previously associated with a law enforcement action or otherwise be noted as a person of concern to law enforcement."

Ahern said ATS does this by applying rules derived from the government's knowledge of terrorists and criminals to the passenger's travel patterns and records.

For security reasons, Ahern declined to disclose any of the rules, but a Homeland Security document on data-mining gave an innocuous example of a risk assessment rule: "If an individual sponsors more than one fiancee for immigration at the same time, there is likelihood of immigration fraud."

In the Federal Register, the department exempted ATS from many provisions of the Privacy Act designed to protect people from secret, possibly inaccurate government dossiers. As a result, it said travelers cannot learn whether the system has assessed them. Nor can they see the records "for the purpose of contesting the content."

Toby Levin, senior adviser in Homeland Security's Privacy Office, noted that the department pledged to review the exemptions over the next 90 days based on the public comment received. As of Thursday, all 15 public comments received opposed the system outright or criticized its redress procedures.

The Homeland Security privacy impact statement added that "an individual might not be aware of the reason additional scrutiny is taking place, nor should he or she" because that might compromise the ATS' methods.

Nevertheless, Ahern said any traveler who objected to additional searches or interviews could ask to speak to a supervisor to complain.
Homeland Security's privacy impact statement said that if asked, border agents would hand complaining passengers a one-page document that describes some, but not all, of the records that agents check and refers complaints to Customs and Border Protection's Customer Satisfaction Unit.

Homeland Security's statement said travelers can use this office to obtain corrections to the underlying data sources that the risk assessment is based on. "There is no procedure to correct the risk assessment and associated rules stored in ATS as the assessment ... will change when the data from the source system(s) is amended."

"I don't buy that at all," said Jim Malmberg, executive director of American Consumer Credit Education Support Services, a private credit education group. Malmberg noted how hard it has been for citizens, including members of Congress and even infants, to stop being misidentified as terrorists because their names match those on anti-terrorism watch lists.

Homeland Security, however, is nearing an announcement of a new effort to improve redress programs and the public's awareness of them, according to a department privacy official, who requested anonymity because the formal announcement has not been made.

The department says that 87 million people a year enter the country by air and 309 million enter by land or sea. The government gets advance passenger and crew lists for all flights and ships entering and leaving and all those names are entered into the system for an ATS analysis, Ahern said. He also said the names of vehicle drivers and passengers are entered when they cross the border and Amtrak is voluntarily supplying passenger data for trains to and from Canada.

Ahern said that border agents concentrate on arrivals more than on departures because their resources are limited. "If this catches one potential terrorist, this is a success," Ahern said.
___

On the Net:

DHS privacy impact statement: http://www.dhs.gov/xlibrary/assets/privacy/privacy_pia_cbp_ats.pdf

___

Associated Press writer Leslie Miller contributed to this report.

From rforno at infowarrior.org Thu Nov 30 23:05:58 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 30 Nov 2006 23:05:58 -0500
Subject: [Infowarrior] - Feds to Toughen E-Voting Standards?
Message-ID:

November 29, 2006
Feds to Toughen E-Voting Standards?
By Michael Hickins
http://www.internetnews.com/bus-news/article.php/3646231

A federal agency is set to recommend significant changes to specifications for electronic-voting machines next week, internetnews.com has learned.

The National Institute of Standards and Technology (NIST) is recommending that the 2007 version of the Voluntary Voting Systems Guidelines (VVSG) decertify direct record electronic (DRE) machines.

DREs are currently used by more than 30 percent of jurisdictions across the U.S. and are the exclusive voting technology in Delaware, Georgia, Louisiana, Maryland and South Carolina.

According to an NIST paper to be discussed at a meeting of election regulators at NIST headquarters in Gaithersburg, Md., on Dec. 4 and 5, DRE vote totals cannot be audited because the machines are not software independent. In other words, there is no means of verifying vote tallies other than by relying on the software that tabulated the results to begin with.

The machines currently in use are "more vulnerable to undetected programming errors or malicious code," according to the paper. The NIST paper also noted that, "potentially, a single programmer could 'rig' a major election." It recommends "requiring SI [software independent] voting systems in VVSG 2007."

The NIST is also going to recommend changes to the design of machines equipped with paper rolls that provide audit trails.
Currently, the paper rolls produce records that are illegible or otherwise unusable, and NIST is recommending that "paper rolls should not be used in new voting systems."

The lack of software independence has reared its ugly head in Sarasota's Congressional race, where 18,000 fewer votes were cast than in other races on the same ballot. A recount was futile in that election because Sarasota uses a DRE-type machine. This has provoked concerns that someone tampered with that election.

County officials told internetnews.com that the machines themselves are now being examined by a team of computer security experts and that they will finish their work by Friday.

Congress has also been on the case. Hearings were held throughout the summer and fall, and legislation was introduced that would require the use of some form of voter-verified paper audit trail (VVPAT).

These efforts have gathered steam in response to reported machine malfunctions during the March 2006 primaries, as well as studies by the Brennan Center and Princeton University professor Ed Felten, and pressure from advocacy groups such as VotersUnite.org.

But evidence is emerging to the effect that paper trails may not be of much help. For instance, a study of the 2006 primaries in Ohio commissioned by Cuyahoga County, Ohio, showed that the results of that election could not be verified despite the presence of VVPAT.

The study concluded that "the election system, in its entirety, exhibits shortcomings with extremely serious consequences, especially in the event of a close election."

Many former advocates of VVPAT, including John Gideon, executive director of VotersUnite, now favor requiring that all votes be recorded on paper ballots. "DREs are unacceptable as voting devices and ... the addition of a VVPAT on a DRE is only a placebo to make some voters feel more comfortable," Gideon said in an e-mail.
Computer scientists and election experts such as Roy Saltman disagree with the idea of going back to paper ballots. "If you insist on paper you're tying elections to an old technology," he told internetnews.com.

Doug Jones of the University of Iowa suggested that election officials consider implementing new technologies that enable independent auditing of votes. He pointed to a system devised by Ted Selker, co-director of the CalTech-MIT Voting Technology Project. "The state of the art systems aren't even on the market."