From rforno at infowarrior.org Mon Jan 1 00:17:27 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 01 Jan 2007 00:17:27 -0500
Subject: [Infowarrior] - SAIC to Put Attack-Simulation Tools on the Web
Message-ID:

SAIC to Put Attack-Simulation Tools on the Web
By Doug Beizer
Special to The Washington Post
Monday, January 1, 2007; D04
http://www.washingtonpost.com/wp-dyn/content/article/2006/12/31/AR2006123100801_pf.html

With the motto "Making the World Safer," the Defense Threat Reduction Agency uses computer models to play out doomsday scenarios, forecasting what might happen if an attack were launched and what could be done to minimize its effects. The models cover biological, chemical, nuclear and other kinds of weapons.

San Diego-based Science Applications International Corp. won a contract worth up to $53.9 million from the agency to put modeling and simulation tools on the Web for first responders and government agencies. The system of computer models, called the Integrated Weapons of Mass Destruction Toolset, has been in development since 2004.

Making the tools adhere to Web-based standards is a key part of the contract, said Michael Chagnon, a senior vice president with SAIC. "So anybody that has a Web browser, a laptop, connectivity and permission would be able to access these tools to do their job. And those types of users would include war fighters or could include civil first responders as well."

The agency builds physics-based models to simulate situations such as particle dispersion. In a nuclear detonation model, for example, conditions such as winds, terrain and the location of the device are taken into account. The model shows how the radiation would spread and indicates how that could affect people. Similar modeling tools would show how a plume of chemicals might disperse.
"First responders could use that information to determine exactly what type of medical response would be required and the number of people that might be affected," Chagnon said. "So it's being able to publish data that could be of use to others, as well as being able to subscribe to data -- such as weather data updates -- that would enable the toolset to make more up-to-date calculations as well."

War fighters can use the tools to predict the possible effects of various kinds of attacks on U.S. and allied troops and help determine how troops should be moved or what precautions they should take.

The tools run on a suite of classified and unclassified servers. The toolset is also available on a laptop in case a potential user does not have connectivity. The data from that laptop can later be synchronized with the servers.

Under the new contract, SAIC will further refine standards in the toolset's architecture to make it available to a wider variety of computer systems. "That interoperation with other systems and the ability to share information with other systems is the key to enhancing the value and the utility of the tool suite," Chagnon said.

Doug Beizer is a staff writer with Washington Technology. For news on this and other contracts, go to www.washingtontechnology.com.

From rforno at infowarrior.org Tue Jan 2 13:51:29 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 02 Jan 2007 13:51:29 -0500
Subject: [Infowarrior] - Ailing music biz set to relax digital restrictions
Message-ID:

Ailing music biz set to relax digital restrictions
By The Hollywood Reporter
http://news.com.com/Ailing+music+biz+set+to+relax+digital+restrictions/2100-1025_3-6146478.html
Story last modified Tue Jan 02 05:32:25 PST 2007

The anti-digital rights management bandwagon is getting more crowded by the day. Even some major-label executives are pushing for the right to sell digital downloads as unprotected MP3s.
In 2007, the majors will get the message, and the digital-rights management (DRM) wall will begin to crumble. Why? Because they'll no longer be able to point to a growing digital marketplace as justification that DRM works. Revenue from digital downloads and mobile content is expected to be flat or, in some cases, decline next year. If the digital market does in fact stall, alternatives to DRM will look much more attractive.

Revenue from digital music has yet to offset losses from still-declining CD sales, and digital track sales remain a cause for concern. Month-over-month download figures were largely flat through 2006, even in the face of year-over-year gains. If the expected post-holiday spike in download numbers that has occurred in the past two years is weak, look for the glass on the panic button to break.

"People in the industry will have a very different conversation in January when the dust clears and they realize just how bad this year really was," says Eric Garland, CEO of peer-to-peer tracking firm BigChampagne.

Even more of a concern is mobile. According to Gartner G2 analyst Mike McGuire, the ringtone market--currently contributing more than half of all digital revenue--will soften during the next 12 to 18 months as it matures.

Meanwhile, the music industry wants a strong competitor to the monster it created called iTunes. Forcing would-be competitors to sell music incompatible with the popular iPod is not showing any signs of working. Removing DRM would attract powerful new players to the market, and that--the theory goes--will result in more buyers.

"The majors . . . have got to capitulate, or they will continue to have a fractured digital media market that will slow down and stagnate," says Terry McBride, president of Nettwerk Music Group, management home of such acts as Sarah McLachlan and Avril Lavigne.
Here are five places to watch this year's DRM developments:

Amazon
The online retailer reportedly is itching to get into digital downloads but is holding out for a DRM-free service. It sells as many iPods as anybody and is a haven for music that is disappearing from physical retail shelves. "They already have a relationship with our consumer the way that a lot of others don't," Blue Note GM Zach Hochkeppel says. Viewed as the biggest threat to iTunes, Amazon has the power to force a DRM strategy shift.

LimeWire
Still in the process of settling with the music industry, the P2P file-sharing service wants to start charging its 40 million users $1 per download and share the revenue and user-behavior information with the music industry. But it wants to stay DRM-free. The company hired TAG Strategic consultant Ted Cohen, a former EMI exec, to convince the majors to at least test the idea for six months.

MySpace
The most popular Internet destination in the world is working with SnoCap to launch a music download service that would let musicians sell music directly from their profiles and that of their fans. But it will only sell files as MP3s. It is moving ahead by focusing on independent and unsigned artists willing to release unprotected music, and a successful showing would make the majors take notice.

eMusic
The indie-only specialist just surpassed 100 million downloads; it's the second-largest digital music retailer after iTunes, all sans DRM. CEO David Packman says he is not interested in selling major-label fare, but he may have no choice if majors suddenly allow his competitors to sell in MP3 as well. But even if the majors did relent to MP3 sales on eMusic, the company's business model would have to change--no label will agree to 50 downloads for $15 per month.
Yahoo Music
General Manager David Goldberg has convinced Sony BMG and EMI Music Group to test the DRM-free waters with limited, promotional "experiments" involving Jessica Simpson, Jesse McCartney, Relient K and Norah Jones. The lessons learned from these tests will either speed or slow their path to eliminating DRM.

Story Copyright © 2007 Reuters Limited

From rforno at infowarrior.org Tue Jan 2 23:28:18 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 02 Jan 2007 23:28:18 -0500
Subject: [Infowarrior] - Only 6 of 75 communities win highest scores for emergency communications
Message-ID:

Few areas in U.S. meet safety standards
Only 6 of 75 communities win highest scores for emergency communications
The Associated Press
Updated: 7:41 p.m. ET Jan 2, 2007
http://www.msnbc.msn.com/id/16443053/

WASHINGTON - Only six of 75 U.S. metropolitan areas won the highest grades for their emergency agencies' ability to communicate during a disaster, five years after the Sept. 11 terrorist attacks, according to a federal report obtained Tuesday by The Associated Press.

A draft portion of the report, to be released Wednesday, gives the best ratings to Washington, D.C.; San Diego; Minneapolis-St. Paul; Columbus, Ohio; Sioux Falls, S.D.; and Laramie County, Wyo. The lowest scores went to Chicago; Cleveland; Baton Rouge, La.; Mandan, N.D.; and American Samoa. The report included large and small cities and their suburbs, along with U.S. territories.

In an overview, the report said all 75 areas surveyed have policies in place for helping their emergency workers communicate. But it cautioned that regular testing and exercises are needed "to effectively link disparate systems." It also said while cooperation among emergency workers is strong, "formalized governance (leadership and planning) across regions has lagged."

The study, conducted by the Homeland Security Department, was likely to add fuel to what looms as a battle in Congress this year.
Democrats, who take over the majority this week, have promised to try fixing the problem emergency agencies have communicating with each other but have not said specifically what they will do, how much it will cost or how they will pay for it.

"Five years after 9/11, we continue to turn a deaf ear to gaps in interoperable communications," the term used for emergency agencies' abilities to talk to each other, said Sen. Charles Schumer, D-N.Y. "If it didn't have such potentially devastating consequences, it would be laughable."

Homeland Security spokesman Russ Knocke would not comment on the report, saying only that in releasing it on Wednesday, Homeland Security Secretary Michael Chertoff will "talk about nationwide assessments for interoperable communications."

Still room for improvement in New York

The attacks of Sept. 11, 2001, revealed major problems in how well emergency agencies were able to talk to each other during a catastrophe. Many firefighters climbing the World Trade Center towers died when they were unable to hear police radio warnings to leave the crumbling buildings.

In New York now, the report said, first responders were found to have well-established systems to communicate among each other -- but not the best possible. Thirteen U.S. cities scored better than New York.

Just over a year ago, Hurricane Katrina underscored communication problems when radio transmissions were hindered because the storm's winds toppled towers.

In the study, communities were judged in three categories: operating procedures in place, use of communications systems and how effectively local governments have coordinated in preparation for a disaster.

Overall, 16 percent of the communities were given the highest score for the communications procedures they have in place and 1 percent got the lowest rating.
Nineteen percent got the top grade for their plans for coordinating during a disaster and 8 percent received the worst; and 21 percent got the best mark for how well they use their communications equipment while 4 percent got the bottom rating.

Most of the areas surveyed included cities and their surrounding communities, based on the assumption that in a major crisis emergency personnel from all local jurisdictions would respond.

Los Angeles got advanced grades in procedures and use of emergency communications systems and a well-developed grade in coordination of governance. San Francisco, by comparison, received intermediate grades in governance and procedures, and a well-developed grade in use of systems.

Since the Sept. 11 attacks, $2.9 billion in federal grant money has been distributed to state and local first responders for the improvement of their emergency communications systems.

TV industry must make changes

Congress has also ordered that the television broadcast industry vacate a portion of the radio spectrum to make it available for public safety communications. Lawmakers have also created a new office at the Homeland Security Department to oversee the issue, though they have yet to provide money for it.

The areas with the six best scores were judged advanced in all three categories. The cities with the lowest grades had reached the early implementation stage for only one category, and intermediate levels for the other two categories. Chicago, Cleveland and Baton Rouge, for example, were judged to have accomplished the early stage of government coordination. Mandan, N.D., and the territory of American Samoa were both found to have gotten to the early stage of their actual usage of interoperable emergency communications and rated intermediate in governance and procedures.

Tammy Lapp, the emergency coordinator for Mandan and Morton County, N.D., said she was not surprised by the low ranking.
"We knew with our limited funds, we were going to fall short," she said.

© 2006 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.
URL: http://www.msnbc.msn.com/id/16443053/

From rforno at infowarrior.org Tue Jan 2 23:31:55 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 02 Jan 2007 23:31:55 -0500
Subject: [Infowarrior] - The Private Arm of the Law
Message-ID:

The Private Arm of the Law
By Amy Goldstein
The Washington Post
Tuesday 02 January 2007
http://www.truthout.org/docs_2006/010207S.shtml

Some question the granting of police power to security firms.

Raleigh, North Carolina - Kevin Watt crouched down to search the rusted Cadillac he had stopped for cruising the parking lot of a Raleigh apartment complex with a broken light. He pulled out two open Bud Light cans, an empty Corona bottle, rolling papers, a knife, a hammer, a stereo speaker, and a car radio with wires sprouting out.

"Who's this belong to, man?" Watt asked the six young Latino men he had frisked and lined up behind the car. Five were too young to drink. None had a driver's license. One had under his hooded sweat shirt the tattoo of a Hispanic gang across his back. A gang initiation, Watt thought.

With the sleeve patch on his black shirt, the 9mm gun on his hip and the blue light on his patrol car, he looked like an ordinary police officer as he stopped the car on a Friday night last month. Watt works, though, for a business called Capitol Special Police. It is one of dozens of private security companies given police powers by the state of North Carolina - and part of a pattern across the United States in which public safety is shifting into private hands.

Private firms with outright police powers have been proliferating in some places - and trying to expand their terrain.
The "company police agencies," as businesses such as Capitol Special Police are called here, are lobbying the state legislature to broaden their jurisdiction, currently limited to the private property of those who hire them, to adjacent streets. Elsewhere - including wealthy gated communities in South Florida and the Tri-Rail commuter trains between Miami and West Palm Beach - private security patrols without police authority carry weapons, sometimes dress like SWAT teams and make citizen's arrests.

Private security guards have outnumbered police officers since the 1980s, predating the heightened concern about security brought on by the Sept. 11, 2001, attacks. What is new is that police forces, including the Durham Police Department here in North Carolina's Research Triangle, are increasingly turning to private companies for help. Moreover, private-sector security is expanding into spheres - complex criminal investigations and patrols of downtown districts and residential neighborhoods - that used to be the province of law enforcement agencies alone.

The more than 1 million contract security officers, and an equal number of guards estimated to work directly for U.S. corporations, dwarf the nearly 700,000 sworn law enforcement officers in the United States. The enormous Wackenhut Corp. guards the Liberty Bell in Philadelphia and screens visitors to the Statue of Liberty.

"You can see the public police becoming like the public health system," said Thomas M. Seamon, a former deputy police commissioner for Philadelphia who is president of Hallcrest Systems Inc., a leading security consultant. "It's basically, the government provides a certain base level. If you want more than that, you pay for it yourself."

The trend is triggering debate over whether the privatization of public safety is wise. Some police and many security officials say communities benefit from the extra eyes and ears.
Yet civil libertarians, academics, tenants rights organizations and even a trade group that represents the nation's large security firms say some private security officers are not adequately trained or regulated. Ten states in the South and West do not regulate them at all. Some warn, too, that the constitutional safeguards that cover police questioning and searches do not apply in the private sector.

In Boston, tenants groups have complained that "special police," hired by property managers to keep low-income apartment complexes orderly, were overstepping their bounds, arresting young men who lived there for trespassing. In 2005, three of the private officers were charged with assault after they approached a man talking on a cellphone outside his front door. They asked for identification and, when he refused, followed him inside and beat him in front of his wife and three children.

Lisa Thurau-Gray, director of the Juvenile Justice Center at Suffolk University Law School in Boston, said private police "are focusing on the priority of their employer, rather than the priority of public safety and individual rights."

But Boston police Sgt. Raymond Mosher, who oversees licensing of special police, says such instances are rare. Private police officers "do some tremendously good things," Mosher said, recalling one who chased down a teenager running with a loaded gun.

In Durham, after shootings on city buses, the transit authority hired Wackenhut Corp. police to work in the main terminal in tandem with city police officers stationed on buses. "There is a limit to the amount of law enforcement you can expect taxpayers to support," said Ron Hodge, Durham's deputy police chief, who said some of his requests for additional officers have been turned down in recent years. Although, as in most cities, some Durham police work privately while they are off-duty, Hodge said the demand for off-duty police outstrips the supply.
In one of the country's most ambitious collaborations, the Minneapolis Police Department three years ago started a project called "SafeZone" with private security officers downtown, estimated to outnumber the police there 13 to 1. Target Corp. and other local companies paid for a wireless video camera system in downtown office buildings that is shared with the police. The police department created a shared radio frequency. So far, the department has trained 600 security officers on elements of an arrest, how to write incident reports and how to testify in court. When a bank was robbed in the fall, a police dispatcher broadcast the suspect's description over the radio. Within five minutes, a security officer spotted the man, bag of cash in hand, and helped arrest him.

Private police officers work across the Washington area, although their numbers have not been growing sharply. According to the D.C. police department, any private security employee who is armed must be licensed as a "special police" officer with arrest powers; the city has more than 4,000 of them, including at universities and some hospitals. Maryland and Virginia, which have different criteria, each have several hundred private police, according to law enforcement and regulatory officials.

In Virginia, the Wintergreen Resort has a private police department with 11 sworn officers. They include an investigator who last year helped solve a string of break-ins along the Appalachian Trail, identifying the burglar with images from the department's video camera when he drove out of the resort with a stolen car.

The Virginia Department of Criminal Justice Services is also trying to foster closer ties between security companies without police powers and the police and sheriff's departments. The agency has begun training and certifying "Private Crime Prevention Practitioners" and soon plans to send security companies e-mails with unclassified homeland security threats and crime alerts.
Maryland has no similar collaboration, according to the Maryland State Police, which licenses security officers. The District is strengthening its supervision of security and private police, with new requirements for training and background checks having been adopted by the D.C. Council.

Some of the most sophisticated private security operations have expanded in part because of shrinking local and federal resources. The nation's largest bank, Bank of America, hired Chris Swecker as its corporate security executive last year when he retired as assistant director of the FBI. Even as identity theft and other fraud schemes have been booming, Swecker said, fewer federal investigators are devoted to solving such crimes, and many U.S. attorney's offices will not prosecute them unless their value reaches $100,000. As a result, he said, federal officials now ask the bank's own investigators to do the work, including a three-year probe that helped police and the FBI piece together an identity-theft ring that defrauded 800 bank customers of $11 million.

In North Carolina, the state Department of Justice requires company police to go through the same basic training as public officers. They have full police powers on the property they are hired to protect.

Capitol Special Police's owner, Roy G. Taylor, was chief of three small nearby police departments and held state law enforcement jobs before starting the company in 2002. As Hispanic gangs were increasing, he said, "I saw a niche." The company has eight officers, some of whom are part time while working for area police departments. They have used batons and pepper spray but have not fired a service weapon, Taylor said. Once, in an apartment complex where they worked in nearby Carrboro, Capt. Nicole Howard, Taylor's wife, dressed in plain clothes to attract a convicted rapist who had been peering in windows and stalking women. Then she arrested him for trespassing.
Today, charging $35 per hour, the firm has contracts with four apartment complexes, a bowling alley, two shopping centers and a pair of private nightclubs. A few weeks ago, two of the Taylors' employees, Capt. Kenny Mangum and Officer Matt Saylors, walked over to a car at the nightclub Black Tie to warn the men inside not to loiter in the parking lot. Catching a whiff of marijuana, they found seven rocks of crack cocaine in the ashtray and two handguns under the seat of the driver, who was a convicted felon. They called the Raleigh police to handle the arrest.

Because they are part of a private company, Taylor and his officers are mindful that customers are billed for the time they spend testifying in court. "I try to make arrests only when absolutely necessary," said Watt, the officer who stopped the six men with the open beer cans. The company's marked patrol cars, he said, do not have radios to call for backup help or computers to check immediately for outstanding warrants or criminal records.

After satisfying himself that the six young men, lined up nervously and shivering in the cold night air, had no drugs, Watt let them go.

From rforno at infowarrior.org Tue Jan 2 23:54:47 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 02 Jan 2007 23:54:47 -0500
Subject: [Infowarrior] - Wired Profiles SA Jim Christy & comp crime investigations
Message-ID:

CSI: TCP/IP
Keep your friends close and your enemies closer. Why the Pentagon's toughest Internet crime fighter likes hanging out with blackhat hackers.
By Robin Mejia
http://www.wired.com/wired/archive/15.01/cybercop_pr.html

Located on the less fashionable north end of the Las Vegas strip, the Riviera Hotel and Casino has seen better days. Even the girls in posters for the hotel's topless revue could use a makeover. But hey, it's cheap. Which is why 6,000 hackers have descended upon it for DefCon, billed as the "largest underground hacking event in the world."
So while the hotel is no doubt happy for the business, it's also -- in classic Vegas fashion -- hedging its bet. Employees received a memo warning them to be on the lookout for people skimming guests' card numbers. Credit card processing has been suspended in the food court. The Riviera doesn't need the grief.

Yet the Riviera's conference facilities are strangely tranquil. In the "chill-out room," a bored-looking cashier is selling burgers, chicken sandwiches, and salads to people too focused or too lazy to walk across the hotel to the Quizno's. On the wall next to the bar, someone is projecting usernames and the first few letters of the associated passwords -- noobs sent that info unencrypted over the conference's wireless network.

At the front of the room, a middle-aged man in khaki shorts sits with a small group having a beer. He's graying, a little thick around the middle. Across the back of his polo shirt are the words DOD Cyber Crime Response Team -- as in US Department of Defense.

A big guy with a shaved head walks up. "You're Jim Christy," he says, smiling. He has a hint of an accent.

Christy smiles back: "What's your handle?"

"Oh, I don't really have a handle."

All hackers have handles. Christy pushes it. "But really," he says, "what's your handle?"

"Most guys go through that phase for a while, but for me, it was really just a couple of days. Not enough time for a handle."

They're both smiling. Neither has broken eye contact. Christy points out a pulsing vein in the guy's neck -- suggesting it's a sign he is lying. The guy calls Christy an old man. He hints that maybe he might have some small connection to Mossad. As he finally sits down, Christy passes him a business card.

"You know, sometimes I become aware of botnets running on DOD networks," the maybe-ex-intelligence agent says. "It would be nice to have someone to contact."

Christy says he'd be happy to oblige. Bingo: another node in the Jim Christy network.
That's why he comes to DefCon, to extend his already vast informal intelligence web of hackers, security professionals, and computer geeks. He's also here to pick up tips, of course. And to try to recruit a few of the blackhats to the side of justice -- or at least to scare them straight. "We're appealing to their patriotism," he says. "And if that doesn't work, then fear works, too."

Fifteen years ago, Christy founded the Pentagon's first digital forensics lab. Back then, most cops didn't even bother to seize computers when they executed a search warrant. Ten years ago, he was the guy they tapped to explain computer security to senators and the White House. Now Christy has built his shop into the world's largest center for pulling evidence off damaged or encrypted hard drives, tracking hackers across networks, reconstructing terrorists' computers, and training a new generation of law enforcement. He's the government's original geek with a gun.

Jim Christy was 19 when he joined the military. It was 1971; he was barely passing his classes at a Baltimore-area junior college and working full time at a car wash to help support his parents. Christy knew he wouldn't qualify for a student deferment. He figured that if he had to go in, he'd choose how. He enlisted in the Air Force.

But Christy didn't end up in Vietnam. He became a computer operator, eventually landing on the night shift at the Pentagon. He stayed on after his discharge, and in 1986 he heard the Air Force Office of Special Investigations was looking for a computer crime investigator. "I read the job announcement and said, 'Wow, I get to stay with technology and carry a gun and be a cop -- play cops and robbers for real?'" Apparently, his experience writing Cobol and Fortran algorithms to organize how people paid for parking at the Pentagon gave him an edge; Christy was hired as the assistant chief of the 16-person unit.
About the same time, Cliff Stoll, a UC Berkeley astronomer turned computer security guru, found hackers on his network. In The Cuckoo's Egg, Stoll's now-classic account of the story, he says that local police had no idea what he was talking about, and the FBI dismissed it as small-potatoes fraud. They told him to call back when he'd lost half a million dollars. Stoll finally found Christy.

Though Stoll's hackers had accessed only unclassified military computers, Christy thought it was espionage. "I realized the guy was searching for 'SDI,' which was the old Star Wars Strategic Defense Initiative, or 'nuclear,' or 'chemical,' or 'biological,'" Christy says. Stoll turned out to be a good teacher, full of tricks for tracking bad guys online. Together with a like-minded FBI agent, the pair traced the hackers back to West Germany. They sent police there to pick up five men, in their late teens to early twenties, selling US military documents to the KGB.

The bust made his reputation. As DefCon founder Jeff Moss (handle: the Dark Tangent) tells it, in the late '80s and early '90s there were only three people hackers worried about. Christy was one of them. "It was like, be fearful, there's Jim Christy. Holy crap, stay out of his way."

As computers and networks became common, Christy's caseload grew. In 1991, a murder suspect on an Air Force base chopped up two floppy disks. Investigators found 23 pieces, which Christy took to forensic specialists in law enforcement and intelligence. They said they couldn't help. Eventually, he and a deputy put the fragments together with tape and a magnifying glass; he recovered about 95 percent of the data, practically handing the military prosecutor a conviction. (Will he reveal who said it couldn't be done? "No way," Christy says. "I have to work with those agencies.")

That same year, Christy founded his digital forensics lab, which was really just him and another guy reading confiscated hard drives with scavenged equipment at Bolling Air Force Base in DC. But the Pentagon started to see their value, and in 1998, Christy's lab was moved from the Air Force to the Department of Defense.

The team became known for recovering ungettable evidence. Once, the Naval Safety Center sent them a mass of unspooled black recording tape, the remains of a flight data recorder destroyed in a collision of two F-18s. One of the pilots had died in the crash, and the Navy thought the blame lay with the surviving pilot. Christy's group cleaned the firefighting foam off the tape, reconstructed and respooled it, and salvaged most of the data. The safety board used it to determine that the dead pilot was actually at fault.

In another case, the wife of an airman thought her husband was trying to kill her. Office of Special Investigations agents taped her confronting him over the phone. When the suspect got wind of the recording, he set fire to the office where the tape was stored. The team found the charred and melted remains of the cartridge, but they realized that the tape was wound so tightly inside that only its edges were burned. Christy's team recovered the audio and the Air Force charged and convicted the airman with conspiracy to commit murder -- and arson.

Meanwhile, Christy was putting in time on Capitol Hill. He'd get up early, do a few hours at the lab, then go coordinate cybersecurity hearings for the Senate or work on the President's Task Force on Infrastructure Protection. "We'd send him to see a senator," says Dan Gelber, a Florida state representative and former staff director for the US Senate Investigations subcommittee. "He'd go in there and explain not only how the Internet worked, but how it was breached." Other staffers started calling Gelber to find Christy -- their bosses wanted his briefings.
"They finally had someone explain to them what happened on a computer and why it was important." That's when Christy started hanging out with hackers. His superiors didn't quite understand why he was going to DefCon; why not just send undercover agents? But Christy knew that if he talked to hackers, hackers would talk to him. One former blackhat says that meeting Christy and his fellow government operatives at DefCon over the years convinced him to switch sides. "When you realize that all the hackers in other countries, especially China, are ganging up on America, it doesn't take a rocket scientist to decide what side you want to be on," he says. After a couple of years working undercover "with, not for" various agencies with three-letter initialisms, he enlisted in the Army. He plans to try for Special Forces and hopes to get a job in law enforcement when he's done. THE DEFENSE Cyber Crime Center, or DC3, occupies a low unmarked brick building just off Highway 295, the Baltimore-Washington Parkway. Christy now heads its research lab, the Defense Cyber Crime Institute, on the top floor. It's tasked with ensuring that the tools and technologies used by the guys downstairs actually perform as advertised, a process called validation. Digital forensics is still a relatively young field; most of the applications Christy used in the 1980s were written by two really smart IRS agents at home in their off hours. "We'd say, 'We need stuff that does X,' and they'd go develop it," Christy says. But these days the institute spends months evaluating everything -- homegrown or not -- before deployment. "You need to make sure that the tool doesn't create evidence," Christy says. One piece of software reported that a cell phone had sent a text message when it hadn't -- not cool if you're trying to figure out when two suspects were in contact. The rest of the team works on problems that commercial software can't yet handle, like decoding information hidden inside images or audio files.
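Hiding data inside an image, and then spotting that something was hidden without knowing what, as an added worked example that is not part of the article or of DC3's software: the simplest and most common hiding method overwrites the least significant bit of each pixel with one bit of the payload, and the classic way to detect it is the chi-square "pairs of values" test. The "image" below is a constructed list of 8-bit grey values rather than a real file, so the example runs offline; the cover is built with deliberately uneven even/odd value counts, which stands in for the property of real photographs that the test relies on.

```python
"""LSB steganography: embed, extract, and the chi-square pairs-of-values
detector. Added example; the cover image is constructed, not a real file."""
import math
import random


def embed_lsb(cover, payload):
    """Write payload bits, most significant bit first, into the least
    significant bit of successive samples of cover. Returns a new list."""
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("cover too small for payload")
    stego = list(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit
    return stego


def extract_lsb(stego, nbytes):
    """Inverse of embed_lsb: read nbytes back from the first 8*nbytes LSBs.
    If the sender encrypted the payload first, this yields only ciphertext."""
    out = bytearray()
    for i in range(nbytes):
        byte = 0
        for j in range(8):
            byte = (byte << 1) | (stego[8 * i + j] & 1)
        out.append(byte)
    return bytes(out)


def _chi2_sf(x, df):
    """Survival function P(X > x) of a chi-square variable with df degrees of
    freedom, via the Wilson-Hilferty normal approximation (fine for df >= 30)."""
    z = ((x / df) ** (1.0 / 3.0) - (1.0 - 2.0 / (9.0 * df))) / math.sqrt(2.0 / (9.0 * df))
    return 0.5 * math.erfc(z / math.sqrt(2.0))


def chi_square_attack(samples):
    """Pairs-of-values test (Westfeld/Pfitzmann). LSB embedding only moves a
    sample between 2k and 2k+1, so a fully embedded file has n[2k] ~ n[2k+1].
    Returns (chi2, p): p near 1 means the LSB plane looks overwritten,
    p near 0 means the pairs are still as unequal as in an untouched image."""
    hist = [0] * 256
    for v in samples:
        hist[v] += 1
    chi2, df = 0.0, 0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        expected = (even + odd) / 2.0
        if expected == 0:
            continue  # an empty pair carries no information
        # Only the even cell is summed, as in the original attack; that is why
        # an embedded file gives chi2 ~ df/2 and hence p close to 1.
        chi2 += (even - expected) ** 2 / expected
        df += 1
    df -= 1
    if df < 1:
        return chi2, 0.0
    return chi2, _chi2_sf(chi2, df)


def make_cover(n, seed=7):
    """Constructed stand-in for a photograph (assumption, not real data):
    values cluster around mid-grey and even values are deliberately more
    frequent than odd ones, mimicking the uneven pair counts of real images."""
    rng = random.Random(seed)
    cover = []
    for _ in range(n):
        base = 2 * min(127, max(0, int(rng.gauss(64, 20))))
        cover.append(base + (1 if rng.random() < 0.3 else 0))
    return cover


def demo(n=20000, seed=7):
    """Embed a random payload that fills every LSB, check it extracts, and
    return the detector's p for the clean cover and for the stego copy."""
    rng = random.Random(seed + 1)
    cover = make_cover(n, seed)
    payload = bytes(rng.getrandbits(8) for _ in range(n // 8))
    stego = embed_lsb(cover, payload)
    assert extract_lsb(stego, len(payload)) == payload
    _, p_cover = chi_square_attack(cover)
    _, p_stego = chi_square_attack(stego)
    return p_cover, p_stego


if __name__ == "__main__":
    p_cover, p_stego = demo()
    print(f"clean cover: p={p_cover:.4f}   stego copy: p={p_stego:.4f}")
```

Two things the example makes concrete. First, detection and recovery are different problems: chi_square_attack says whether the LSB plane has been flattened, but extract_lsb only returns plaintext if the sender did not encrypt before embedding, which is the gap between "sniff out" and "decrypt". Second, most tools embed from the start of the file, so a real scanner runs the test over growing prefixes of the samples and reports where p drops from near 1 to near 0, which also estimates the payload length.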
It's called steganography, and there are more than 100 free tools that can do it. The trouble is, pedophile rings are increasingly relying on steganography to hide child pornography. And while some commercial software can sniff out a steganographically concealed file, it can't decrypt it. Christy's institute is working on software that can reveal the contents of a steg file. "It could be like a virus scan," Christy says. But even with 38 staffers, Christy has more problems than time. So this summer, he decided to get outside help. At DefCon, Christy announced the DC3 Forensics Challenge: 12 problems covering everything from recognizing faked images to cracking passwords -- Christy had answers to only 10. Whoever solved the most first (or best) would win a free trip to Christy's annual DOD Cyber Crime Conference. More than 130 teams signed up. Of course, Christy will never keep pace with every tool the bad guys -- or the good guys, for that matter -- can come up with. "One of the big things we're struggling with is gonna be Vista and BitLocker," he says. Microsoft's BitLocker Drive Encryption locks down an entire hard drive if the startup information is changed or a particular chip is removed. Microsoft has pledged never to create a BitLocker backdoor, and Christy worries about what that means for his team. "Right now, a dead box comes to us, and with the tools we have, we can exploit it," he says. "With Vista, we're gonna get dead boxes and they're gonna stay dead." Maybe it's a good problem for next year's Forensics Challenge. Or maybe he won't have to wait that long for help. The contest has introduced Christy to universities and research groups across the country that, before last August, had no idea DC3 existed. Now many want to be his partner. AT 7 O'CLOCK on the opening night of DefCon, Christy and 10 other middle-aged, casually dressed white guys settle into their seats at the front of the Riviera's grand ballroom.
Most have the short hair and perfect posture that come from long stints in the military or law enforcement. They're all old friends of Christy's. One is an assistant secretary of defense, another is ex-NSA. The title of the panel is Meet the Fed, an oddity at a conference where the badges have no names on them and registration is cash-only to preclude the creation of an attendee roster. In fact, any registered conference attendee who outs an undercover agent gets a T-shirt that reads I Spotted the Fed. So Christy decides to have some fun. "We're gonna play a little game here," he says. "It's gonna be called 'Spot the Lamer.'" He sends two of his programmers out into the room to pick six candidates. The unlucky six line up, and panel members start in with questions. "Number two, have you ever participated in a Star Trek marathon?" "No sir, I'm a Star Wars fan." "Number four, have you compiled your kernel yet today?" He did it yesterday. "Number three, have you ever been caught playing with a 3-inch floppy?" It's hard to hear the answer over the laughter. The winner, by audience acclaim, turns out to be number three, who apparently speaks fluent hexadecimal. Christy wraps things up with a pitch. "It's a lot harder to defend a network than it is to break into one," he says. "And we could use a lot of talented people. So if you haven't crossed that line yet, don't. Come to work for us." The hackers start to ask questions of their own. One guy says he's in a band called Preteen Porn Star, and he wants to know what to do with the creepy inquiries that come in through its Web site. Others want to talk about the government's support of open source. But the paycheck Christy hinted at is what really gets their attention. "So," says an attendee in de rigueur black, "a few youthful indiscretions -- will they disqualify you from jobs at a federal agency?" "Not forever," Christy says. "But if you were doing it last week, you'd probably be ineligible."
A long line of fans trails Christy out the door, hackers and script kiddies queued up to ask advice and hand over tidbits of information. One tells Christy about a way he's discovered to strip information off of RFID chips. Another wants a business card so he can email about future employment. So does Christy have undercover informants at DefCon? He shrugs. Of course. Then why go himself? "We not only find out what's happening," he says, "we find out who's doing it." Even better, a few months after the conference, he got a call from one of the organizers, a fixture in the hacker community. The guy wanted advice on how to get a job doing digital forensics. Another node in the Jim Christy network. Robin Mejia (mejia at nasw.org) wrote about computer surveillance and the movie Enemy of the State in issue 14.06. Copyright ©1993-2007 The Condé Nast Publications Inc. All rights reserved. From rforno at infowarrior.org Wed Jan 3 00:58:56 2007 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 03 Jan 2007 00:58:56 -0500 Subject: [Infowarrior] - From Monitoring Teens to Minding Terrorists Message-ID: From Monitoring Teens to Minding Terrorists Mall Security Guards to Receive New Training, but Feasibility Is Questioned http://www.washingtonpost.com/wp-dyn/content/article/2007/01/02/AR2007010201 094_pf.html By Ylan Q. Mui Washington Post Staff Writer Wednesday, January 3, 2007; D01 The job of a shopping mall security guard normally involves controlling rowdy teenagers, finding lost children and patrolling parking lots. But starting this month, malls across the country will begin training guards for another task: fighting terrorism. The 14-hour program is being developed by the International Council of Shopping Centers, a trade group, and the Homeland Security Policy Institute at George Washington University at a cost of $2 million. It is the first standardized anti-terrorism curriculum written for the nation's estimated 20,000 mall security guards.
Developers of the program say it is crucial to safeguarding shopping centers, which have significant economic import -- as evidenced by the billions of dollars spent at malls during the holiday season -- and have emerged as modern-day town centers, with movie theaters, restaurants, and now grocery stores and gyms. "Many different facets of our society since September 11 have had to take the stark realization that bad people might try to do bad things," said Paul M. Maniscalco, a senior research scientist at GW who helped create the program. "Security is really paramount in large enclosed malls. . . . These events, when you respond to them, you make or break it in the first 20 minutes." Not everyone agrees, however, that America's malls face a serious threat of terrorism. And some critics question the effectiveness of the training when the private security industry suffers from high turnover -- most guards leave the job within a year and some in as little as four months, according to estimates from the Service Employees International Union. "There is no justification for this," said Ian S. Lustick, a professor at the University of Pennsylvania and author of "Trapped in the War on Terror." "It's too diffuse a problem. There's a security problem in any public place. . . . The retail industry and shopping malls is just one little part of that." The training focuses on making guards more aware of the effects of terrorist attacks and helping them recognize potential attackers. It ranges from understanding the characteristics of the nerve agent sarin (especially dangerous in enclosed spaces because it vaporizes quickly) to spotting suicide bombers (look for unusual dress, like a heavy coat in the middle of summer). The program is being tested at a handful of shopping centers, including the Mall in Columbia, and is planned to be rolled out over the next six months.
The Department of Homeland Security categorizes shopping centers, along with other easily accessible public places, as "soft targets." Since the 2001 attacks, the Smithsonian museums and national monuments have been among those increasing security, and the Washington Convention Center recently said it was beefing up emergency preparedness training for some workers. Yet the retail industry has trodden warily. Customers expect shopping centers to be free and open, and malls are loath to introduce stringent security measures, as airports have done, that might limit shoppers' access -- or scare them off altogether. Though security officers are usually uniformed, they are not intended to appear threatening. "Their job is to be welcoming," said Robert Rowe, director of development for the American Society for Industrial Security, an advocacy group for private security officers. "The shopping mall doesn't survive unless people come." General Growth Properties Inc., which owns Tysons Galleria and the Mall in Columbia, has already restricted access to the roofs of its buildings, said David Levenberg, vice president of security and risk management. The Columbia shopping center recently installed a video surveillance system, a wall of 16 monitors and eight video recorders filling a tiny security office. "You want to see the sales slip?" said Bill Burley IV, director of public safety and security at the mall, as he directed one of the more than 100 cameras to zoom in on a shopper looking at jewelry. But a report released early in 2006 under the leadership of the Police Foundation, a District think tank, found that although some malls have made changes, they have not been enough. The study, funded by the Justice Department, cited lack of coordination with local law and emergency forces and financing for new technology. It highlighted poor training of mall officers in terrorism awareness and response as one of the industry's main challenges.
That thinking broadens the responsibility of security guards: Mall security directors surveyed in the report put loitering kids as their top concern, with terrorism second. Only 2.5 percent required guards to have some college education. Less than 1 percent mandated a degree in criminal justice. Robert C. Davis, lead author of the study who now is senior research analyst at Rand Corp., said it is not feasible to teach mall guards the complex skills needed to identify potential terrorists, who are tracked through highly developed intelligence networks. He contends there is little malls can do to prevent an attack -- they can only react to one. "The biggest things malls can do is have really well-developed, detailed emergency response plans and rehearse them," Davis said. "The best thing they can do is respond effectively." Maniscalco said the curriculum focuses on awareness and response and was developed with the same materials used in training courses for emergency responders and law enforcement, tailored for mall security officers. The instructional DVD was shot at the Boulevard Mall in Las Vegas. One lesson shows a man dressed as a janitor with a hose who seems to be watering plants in the food court. But there is no badge on his uniform and his eyes are scanning the crowd rather than looking at the plants. Actually, he is spraying dangerous chemicals into the air, Maniscalco said. And instead of following an instinct to rush to the scene -- and possibly exposing themselves to the chemical -- guards should block off the area and call police, he said. The DVD also has live footage of terrorist attacks from New York to Russia, including the carnage following a suicide bombing in Israel. "This is all real-world, everyday stuff that the security officer will encounter," Maniscalco said. In fact, a man was arrested in December for plotting to use hand grenades and a pistol to disrupt Christmas shopping at a Rockford, Ill., mall. 
Two years ago in Columbus, Ohio, a man with alleged ties to al-Qaeda was indicted for wanting to shoot up a local mall. He is awaiting trial. Still, there has never been a terrorist attack against a U.S. shopping center. William Flynn, director of risk management for Homeland Security, said there was no intelligence to suggest shopping centers were in danger. The handful of reported threats seem to have come from lone wolves rather than organized cells, skeptics say. "I wouldn't say let's classify every shopping mall in the country as critical infrastructure and start handing out federal grants," said James Carafano, a homeland security expert with the Heritage Foundation. "Putting a lot of money in this doesn't make much sense." The initial rollout of the curriculum is being funded by the International Council of Shopping Centers, and companies that provide the private security for the country's shopping centers have agreed to participate, council spokesman Malachy Kavanagh said. Financing for the future has yet to be determined, but Kavanagh said the group plans to apply for federal grants. Flynn said he supports the program and that Homeland Security has conducted risk assessments at several shopping centers across the country. One of the first guards to go through the new training program was Lt. Al Pineiro, who has worked at the Mall in Columbia for the past 10 years, starting part-time and recently going full-time. A former Army recruiter, he was at the National Guard facility in Silver Spring on Sept. 11, 2001. He recalled watching one of the World Trade Center towers crumble on a big-screen television with his fellow soldiers. "I was shocked that it happened so close to home," he said. Pineiro said the anti-terrorism training recalled the lessons he learned in the months following the attacks. It took him several days to complete the course, and he aced the final exam. "It just reminds us that we have to stay alert," he said.
"We can't afford to get complacent." From rforno at infowarrior.org Wed Jan 3 15:15:07 2007 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 03 Jan 2007 15:15:07 -0500 Subject: [Infowarrior] - Justice Dept. Rebuffs Leahy Request for Secret Docs Message-ID: Justice Dept. Rebuffs Leahy Request for Secret Docs By Justin Rood - January 2, 2007, 4:54 PM http://www.tpmmuckraker.com/archives/002262.php The Justice Department has declined to provide documents on the CIA's detention and interrogation of terror suspects that were requested by a Democratic Senator. In a letter to incoming Senate Judiciary Committee chairman Patrick Leahy (D-VT), the Justice Department said it "was not in a position" to give him copies of the two documents he had requested in November. "We remain committed to continuing these discussions," the Dec. 22 letter stated. "We must do so, however, in a manner that protects classified information and the confidentiality of legal advice and internal deliberations within the Executive Branch." In a statement e-mailed to reporters, Leahy said he was disappointed by the administration's decision to "brush off" his request, but wasn't dropping the matter. "I have advised the Attorney General that I plan to pursue this matter further at the Committee's first oversight hearing of the Department of Justice." Leahy's full statement follows. Comments Of Senator Patrick Leahy (D-Vt.), Incoming Chairman, Senate Judiciary Committee On Department Of Justice's Response To Request For Documents Relating To Bush Administration's Interrogation Policies January 2, 2007 "It is disappointing that the Department of Justice and the White House have squandered another opportunity to work cooperatively with Congress.
The Department's decision to brush off my request for information about the Administration's troubling interrogation policies is not the constructive step toward bipartisanship that I had hoped for, given President Bush's promise to work with us. "I requested two documents concerning CIA interrogation methods, which the Administration recently acknowledged in a lawsuit, and other relevant information. The Administration's refusal to provide any of this information other than forwarding a couple of public documents suggests that the President's offer to work with us may have been only political lip service. I have advised the Attorney General that I plan to pursue this matter further at the Committee's first oversight hearing of the Department of Justice." "I hope the Department and the White House will reconsider their response and work with the Judiciary Committee to promptly share this information, with any appropriate confidentiality safeguards. The Committee will continue its efforts to obtain the information that it needs for meaningful oversight and accountability on this and other issues of importance to the American people." From rforno at infowarrior.org Thu Jan 4 00:18:41 2007 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 04 Jan 2007 00:18:41 -0500 Subject: [Infowarrior] - U.S. Bars Lab From Testing Electronic Voting Message-ID: January 4, 2007 U.S. Bars Lab From Testing Electronic Voting By CHRISTOPHER DREW http://www.nytimes.com/2007/01/04/washington/04voting.html?ei=5094&en=02b1a2 cf02dc5f00&hp=&ex=1167973200&partner=homepage&pagewanted=print A laboratory that has tested most of the nation's electronic voting systems has been temporarily barred from approving new machines after federal officials found that it was not following its quality-control procedures and could not document that it was conducting all the required tests. The company, Ciber Inc.
of Greenwood Village, Colo., has also come under fire from analysts hired by New York State over its plans to test new voting machines for the state. New York could eventually spend $200 million to replace its aging lever devices. Experts on voting systems say the Ciber problems underscore longstanding worries about lax inspections in the secretive world of voting-machine testing. The action by the federal Election Assistance Commission seems certain to fan growing concerns about the reliability and security of the devices. The commission acted last summer, but the problem was not disclosed then. Officials at the commission and Ciber confirmed the action in recent interviews. Ciber, the largest tester of the nation's voting machine software, says it is fixing its problems and expects to gain certification soon. Experts say the deficiencies of the laboratory suggest that crucial features like the vote-counting software and security against hacking may not have been thoroughly tested on many machines now in use. "What's scary is that we've been using systems in elections that Ciber had certified, and this calls into question those systems that they tested," said Aviel D. Rubin, a computer science professor at Johns Hopkins. Professor Rubin said that although some software bugs had shown up quickly, in other instances "you might have to use the systems for a while before something happens." Officials at the commission and other election experts said it was essential for a laboratory to follow its quality-control procedures and document all its testing processes to instill confidence in the results. Commission officials said that they were evaluating the overall diligence of the laboratory and that they did not try to determine whether its weaknesses had contributed to problems with specific machines. Computer scientists have shown that some electronic machines now in use are vulnerable to hacking.
Some scientists caution that even a simple software error could affect thousands of votes. In various places, elections have been complicated by machines that did not start, flipped votes from one candidate to another or had trouble tallying the votes. Until recently, the laboratories that test voting software and hardware have operated without federal scrutiny. Even though Washington and the states have spent billions to install the new technologies, the machine manufacturers have always paid for the tests that assess how well they work, and little has been disclosed about any flaws that were discovered. As soon as federal officials began a new oversight program in July, they detected the problems with Ciber. The commission held up its application for interim accreditation, thus barring Ciber from approving new voting systems in most states. Ciber, a large information technology company, also has a $3 million contract to help New York test proposed systems from six manufacturers. Nystec, a consulting firm in Rome, N.Y., that the state hired, filed a report in late September criticizing Ciber for creating a plan to test the software security that "did not specify any test methods or procedures for the majority of the requirements." The report said the plan did not detail how Ciber would look for bugs in the computer code or check hacking defenses. A spokeswoman for Ciber, Diane C. Stoner, said that the company believed that it had addressed all the problems and that it expected to receive its initial federal accreditation this month. Federal officials said they were evaluating the changes the company had made. Ms. Stoner said in a statement that although the Election Assistance Commission had found deficiencies, they "were not because Ciber provided incomplete, inaccurate or flawed testing, but because we did not document to the E.A.C.'s liking all of the testing that we were performing."
She added that the test plan cited in New York was just a draft and that Ciber had been working with Nystec to ensure additional security testing. The co-chairman of the New York State Board of Elections, Douglas A. Kellner, said Ciber had tightened its testing. But Mr. Kellner said yesterday that Nystec and Ciber continued to haggle over the scope of the security testing. New York is one of the last states to upgrade its machines, and it also has created some of the strictest standards for them. Mr. Kellner said only two of the six bidders, Diebold Election Systems and Liberty Election Systems, seemed close to meeting all the requirements. Besides Ciber, two other companies, SysTest Labs of Denver and Wyle Laboratories, in El Segundo, Calif., test electronic voting machines. Ciber, which has been testing the machines since 1997, checks just software. Wyle examines hardware, and SysTest can look at both. The chairman of the Election Assistance Commission, Paul S. DeGregorio, said SysTest and Wyle received interim accreditations last summer. Mr. DeGregorio said two other laboratories had also applied to enter the field. Congress required greater federal oversight when it passed the Help America Vote Act of 2002. Since then, the government also put up more than $3 billion to help states and localities buy electronic machines, to avoid a repeat of the hanging punch-card chads that caused such confusion in the 2000 presidential election. The commission was never given a substantial budget, and it did not finish creating the oversight program until last month. Until then, the laboratories had been at the heart of the system to evaluate voting machines, a system that seemed oddly cobbled together. While the federal government created standards for the machines, most of the states enacted laws to make them binding. The states also monitored the testing, and much of that work was left to a handful of current and former state election officials who volunteered their time. 
As a result, voting rights advocates and other critics have long been concerned about potential conflicts of interest, because the manufacturers hire the laboratories and largely try to ensure confidentiality. Michael I. Shamos, a computer scientist who examines voting machines for Pennsylvania, said about half had significant defects that the laboratories should have caught. Besides certifying the laboratories, the Election Assistance Commission will have three staff members and eight part-time technicians to approve test plans for each system and check the results. The manufacturers will be required to report mechanical breakdowns and botched tallies, and Mr. DeGregorio said those reports would be on the agency's Web site. Dr. Shamos said, "This is not the sea change that was needed." He said he was disappointed that the commission had hired some of the same people involved in the states' monitoring program and that it never announced it had found problems with Ciber operations. Dr. Rubin of Johns Hopkins said the laboratories should be required to hire teams of hackers to ferret out software vulnerabilities. And the laboratories will still be paid by the voting machine companies, though a bill now in Congress could change that to government financing. A recent appearance in Sarasota, Fla., by the SysTest Labs president, Brian T. Phillips, also raised eyebrows. After a Congressional election in the Sarasota area ended in a recount last month, the victorious Republican candidate hired Mr. Phillips as a consultant to monitor the state's examination of whether there had been a malfunction in the voting machines. Several critics questioned whether Mr. Phillips should have taken such work, either because of its partisan nature or because it represented such a public defense of the industry. Mr. Phillips said he did not see any conflict because his laboratory had not tested the software used in Sarasota.
And the project does not appear to have violated the ethics rules of the election commission. Ian Urbina contributed reporting. From rforno at infowarrior.org Thu Jan 4 15:03:15 2007 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 04 Jan 2007 15:03:15 -0500 Subject: [Infowarrior] - New postal law lets gov peek through your mail Message-ID: W pushes envelope on U.S. spying http://nydailynews.com/front/story/485561p-408789c.html New postal law lets Bush peek through your mail Daily News Exclusive BY JAMES GORDON MEEK DAILY NEWS WASHINGTON BUREAU President Bush added a "signing statement" in recently passed postal reform bill that may give him new powers to pry into your mail - without a warrant. WASHINGTON - President Bush has quietly claimed sweeping new powers to open Americans' mail without a judge's warrant, the Daily News has learned. The President asserted his new authority when he signed a postal reform bill into law on Dec. 20. Bush then issued a "signing statement" that declared his right to open people's mail under emergency conditions. That claim is contrary to existing law and contradicted the bill he had just signed, say experts who have reviewed it. Bush's move came during the winter congressional recess and a year after his secret domestic electronic eavesdropping program was first revealed. It caught Capitol Hill by surprise. "Despite the President's statement that he may be able to circumvent a basic privacy protection, the new postal law continues to prohibit the government from snooping into people's mail without a warrant," said Rep. Henry Waxman (D-Calif.), the incoming House Government Reform Committee chairman, who co-sponsored the bill. Experts said the new powers could be easily abused and used to vacuum up large amounts of mail. 
"The [Bush] signing statement claims authority to open domestic mail without a warrant, and that would be new and quite alarming," said Kate Martin, director of the Center for National Security Studies in Washington. "The danger is they're reading Americans' mail," she said. "You have to be concerned," agreed a career senior U.S. official who reviewed the legal underpinnings of Bush's claim. "It takes Executive Branch authority beyond anything we've ever known." A top Senate Intelligence Committee aide promised, "It's something we're going to look into." Most of the Postal Accountability and Enhancement Act deals with mundane reform measures. But it also explicitly reinforced protections of first-class mail from searches without a court's approval. Yet in his statement Bush said he will "construe" an exception, "which provides for opening of an item of a class of mail otherwise sealed against inspection in a manner consistent ... with the need to conduct searches in exigent circumstances." Bush cited as examples the need to "protect human life and safety against hazardous materials and the need for physical searches specifically authorized by law for foreign intelligence collection." White House spokeswoman Emily Lawrimore denied Bush was claiming any new authority. "In certain circumstances - such as with the proverbial 'ticking bomb' - the Constitution does not require warrants for reasonable searches," she said. Bush, however, cited "exigent circumstances" which could refer to an imminent danger or a longstanding state of emergency. Critics point out the administration could quickly get a warrant from a criminal court or a Foreign Intelligence Surveillance Court judge to search targeted mail, and the Postal Service could block delivery in the meantime. But the Bush White House appears to be taking no chances on a judge saying no while a terror attack is looming, national security experts agreed. 
Martin said that Bush is "using the same legal reasoning to justify warrantless opening of domestic mail" as he did with warrantless eavesdropping. Originally published on January 4, 2007 From rforno at infowarrior.org Thu Jan 4 19:34:21 2007 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 04 Jan 2007 19:34:21 -0500 Subject: [Infowarrior] - Nuclear security director forced to resign over lapses Message-ID: Nuclear security director forced to resign over lapses WASHINGTON (CNN) -- The head of the U.S. nuclear security agency has been forced to resign over management and security issues, Secretary of Energy Samuel Bodman said Thursday. Bodman said he asked for the resignation of Linton Brooks, administrator of the National Nuclear Security Administration, because of issues including a "serious security breach" at the Los Alamos National Laboratory. "The deputy secretary and I repeatedly have stressed to NNSA and laboratory management the importance of these issues being addressed, rectified and prevented in the future," said a statement issued by Bodman. "While I believe that the current NNSA management has done its best to address these concerns, I do not believe that progress in correcting these issues has been adequate." Bodman said he decided "it is time for new leadership" at the NNSA. "I repeatedly have told [Department of Energy] and laboratory employees, and in particular senior managers, we must be accountable to the president and the American people not just for efforts, but for results." Brooks issued a statement to NNSA employees saying he will tender his resignation to President Bush "shortly" and depart within two to three weeks. "One reason for forming NNSA was to prevent such management problems from occurring," Brooks said. "We have not yet done so in over five years. For much of that time I was in charge of NNSA. Therefore, the secretary believes new leadership is needed. 
"This is not a decision that I would have preferred, but it was made by a thoughtful and honorable man and is based on the principle of accountability that should govern all public service," Brooks said. "I accept the decision and you need to do likewise."

On October 17 police in Los Alamos, New Mexico, found materials from the top-secret nuclear facility while searching a home during a drug raid.

An Office of Inspector General report on the incident said police found a computer flash drive that "contained apparent images of classified documents from the laboratory. Also found were several hundred pages of what appeared to be laboratory documents with classified markings."

The home belonged to a former employee of the laboratory.

"We found that the security framework relating to this incident ... was seriously flawed," the OIG said. "In a number of key areas, security policy was non-existent, applied inconsistently or not followed."

Security problems at Los Alamos first came to light in 1995, when researcher Wen Ho Lee was accused of giving nuclear warhead data to China. After a five-year investigation Lee pleaded guilty to a single count of mishandling classified information.

In July 2004, 19 workers were placed on investigative leave after two computer disks containing classified information were thought to be missing. The security breach brought the lab to a standstill, and all employees were ordered to attend retraining sessions on facility security regulations.

Two months later four employees were fired and another resigned after it was discovered that classified electronic data had been removed from the facility.
Find this article at: http://www.cnn.com/2007/POLITICS/01/04/nuclear.dismissal

From rforno at infowarrior.org Thu Jan 4 19:47:05 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 04 Jan 2007 19:47:05 -0500
Subject: [Infowarrior] - Rift Widens Over Bug Disclosure
Message-ID:

Rift Widens Over Bug Disclosure
http://www.darkreading.com/document.asp?doc_id=113737&WT.svl=news1_2

JANUARY 3, 2007 | There's a growing rift among the research community over whether the Month-of-Bugs initiatives are helping security or hurting it. (See Buggin' Out? and Apple Bug Bites OS X, Windows.)

There's even now a little pushback from one researcher to the current Month of Apple Bugs (MOAB): Landon Fuller, a former engineer for Apple and currently with Three Rings, an online gaming developer, is answering each MOAB bug with a fix of his own.

This dueling banjos of bug reports and fixes is an example of how researchers aren't all on the same page when it comes to how new vulnerabilities get disclosed. There's always been a clear line between the bad guys and the good, and the underlying argument is not really new -- vendors have traditionally maintained a "responsible disclosure" stance. But now some of the good-guy researchers are more openly questioning just what constitutes proper disclosure of bugs and exploits. And the MOAB has become the lightning rod for the debate.

At the heart of the dispute is whether the risk of releasing an unpatched bug or exploit is worth the potential improvements in long-term security. The point of the MOAB project, according to its founders, is to release bugs and exploits without notifying the vendor.

"I think there's a growing consensus that these 'month of XXX' things are hurting way more than they're helping," says Thomas Ptacek, a researcher with Matasano Security. Ptacek says most researchers have had to hold back a vulnerability find for months, "because of a recalcitrant vendor."
But for other researchers, there's more of a grey area in the disclosure argument. RSnake, a self-described "greyhat" hacker who releases discovered vulnerabilities, and does a little subversive work, says the month-of-bugs projects haven't run their course. "It definitely has legs, but it's for the greyhat folks who haven't yet been burnt" by disclosures, he says.

Greyhats, he explains, "may do good, but they also do bad for either profit or because they think it serves a greater good," says RSnake, who works via the ha.ckers.org and sla.ckers.org groups he founded. "They don't fit in either the good or bad category exactly."

RSnake says there are two types of disclosures, one that's difficult to exploit and/or won't cause much damage, such as a cross-site scripting flaw, and another that's easy to exploit or could do lots of damage or is hard to patch, such as zero-day browser exploits that give an attacker higher privileges, or some Oracle exploits.

"I opt for corporate [vendor] disclosure very rarely. The only time I think it is better for consumers to not know they are vulnerable before companies do is if the patch is very simple but the damage would be huge if released," he says, such as with OS bugs.

"Frankly, I am tired of how companies deal with disclosure," says RSnake, who this summer experienced the fallout of an XSS flaw on Google's site he reported via ha.ckers.org.

Other researchers say releasing a bug before a vendor can respond should be the exception, not the rule. "I've never found it to be a good thing to release bugs or exploits without giving a vendor a chance to patch it and do the right thing," says Marc Maiffret, CTO of eEye Security Research. "There are rare exceptions where if a vendor is completely lacking any care for doing the right thing that you might need to release a bug without a patch -- to make the vendor pay attention and do something."
Matasano's Ptacek worries the month of bugs approach will hurt the credibility of researchers with vendors. "The most important problem researchers have is being taken seriously by vendors," he says. "Before the 'MOXB' thing, the story could credibly be, 'vendors are shipping software that isn't safe to deploy.' Now the story is, 'researchers are behaving irresponsibly.' How can they [the MOAB creators] not see that this is a win for the vendors?"

But all of the debate hasn't deterred researcher LMH, who heads up the MOAB research project and also ran the Month of Kernel Bugs project in November. The split among researchers over disclosure, he says, has to do with those who have consulting deals with vendors. "If you look closely at the parties that do such 'responsible disclosure,' you'll be able to draw a red line which separates those who [make] a living out of it, and those who stay on the top, far above from the business boundaries," he says.

eEye's Maiffret, meanwhile, says plenty of researchers operate based on morals, not money. "The reality is you can still be good to business while also having ethics in handling vulnerabilities," he says. "There are no laws one way or another, and debating people's morals seems to never really go anywhere for anyone."

HD Moore, who created the first of these projects, the popular Month of Browser Bugs, admits the downside to the Month of Bugs-style disclosure is vendors don't get a headstart on patching. But the approach has more upsides, according to Moore. "The awareness piece is still there and it's an effective way of drawing attention to a class of vulnerabilities," he says, noting that whether to disclose an unpatched or unknown bug or exploit is more of a case-by-case situation.

"Apple is still getting free security research performed on their products. It's an expensive service if you have to pay for it," he notes.
Kelly Jackson Higgins, Senior Editor, Dark Reading

From rforno at infowarrior.org Thu Jan 4 20:41:09 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 04 Jan 2007 20:41:09 -0500
Subject: [Infowarrior] - Studios OK Movie Downloads Technology
Message-ID:

Jan 4, 7:04 PM EST

Studios OK Movie Downloads Technology
By GARY GENTILE
AP Business Writer
http://hosted.ap.org/dynamic/stories/M/MOVIE_DOWNLOADING?SITE=1010WINS&SECTION=HOME&TEMPLATE=DEFAULT

LOS ANGELES (AP) -- Hollywood studios have approved a new technology and licensing arrangement that should remove a major obstacle consumers now face with burning movies they buy digitally over the Internet onto a DVD that will play everywhere.

Sonic Solutions Inc. is introducing on Thursday the Qflix system for adding a standard digital lock to DVDs burned in a computer or a retail kiosk.

The lock, known as "content scrambling system," or CSS, is backed by the studios, TV networks and other content creators and comes standard on prerecorded DVDs today. All DVD players come equipped with a key that fits the lock and allows for playback.

But movie download services such as Movielink, CinemaNow and Amazon.com's Unbox haven't been able to use CSS because studios fear widespread DVD burning could lead to piracy.

Studios have experimented with an alternative to CSS used by movie downloading service CinemaNow, but only a small number of titles are available for such burning and some users have complained of problems with playback.

With Qflix - and its studio-backed copy-protection system - consumers should have more options. But they'll need new blank DVDs and compatible DVD burners to use it.

The system can also be used in retail kiosks, which could hold hundreds of thousands of older films and TV shows for which studios don't see a huge market. Customers could pick a film, TV episode or an entire season's worth of shows and have them transferred to DVD on the spot.
Burning a DVD will take anywhere from 10 to 15 minutes using Sonic's technology, the company said.

Consumers still would be subject to restrictions placed by the movie service and studios. For instance, using the copy-protection technology in Microsoft Corp.'s Windows Media system, a service could specify that a given title can be burned no more than two times.

Sonic has been working for three years to develop the technology and get studios to agree to amend the CSS license to allow a "download to burn" option.

"We are pleased and encouraged to see efforts like Sonic's creation of Qflix that addresses the need for industry standard protection," Chris Cookson, chief technology officer at Warner Bros. said in a statement.

The initial companies participating in Qflix include Verbatim Corp., which makes blank discs, the movie download service Movielink, video-on-demand provider Akimbo Systems Inc. and the Walgreen Co. chain of drug stores.

Studios must still figure out pricing schemes that appeal to consumers and protect their lucrative retail business. Some retailers, such as Wal-Mart, have talked about starting their own online downloading services or installing kiosks to burn DVDs in the store.

Also, most consumers will need a new DVD burner that includes the latest software. Some burners can be updated, Sonic said, and companies such as Plextor, a Qflix partner, are expected to market Qflix-enabled DVD burners that connect with a USB cable.

© 2007 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.

From rforno at infowarrior.org Thu Jan 4 21:38:17 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 04 Jan 2007 21:38:17 -0500
Subject: [Infowarrior] - U.S. Government to Refund Telephone Taxes
Message-ID:

U.S. Government to Refund Telephone Taxes
Marcus Yam (Blog) - January 4, 2007 6:25 PM
http://www.dailytech.com/article.aspx?newsid=5552

The Internal Revenue Service today began a busy 2007 filing season that features a new refund deposit feature and, perhaps more interestingly, a telephone excise tax refund that could put at least $30 into your pocket.

Individual taxpayers will be able to request a refund if they paid the federal excise tax on long-distance or bundled service on landlines, wireless and even VoIP. The U.S. government stopped collecting the federal excise tax on long-distance service in August and announced plans to provide refunds of these taxes billed after Feb. 28, 2003, and before Aug. 1, 2006. More than 146 million individual taxpayers are expected to request the refund, according to the IRS.

Individual taxpayers can request the refund by using the standard amounts, which are based on the total number of exemptions claimed on the 2006 federal income tax return. Choosing the standard amount saves taxpayers the time and trouble of digging through 41 months of old phone bills. The standard amounts are $30 for a person filing a return with one exemption, $40 for two exemptions, $50 for three exemptions and $60 for four or more exemptions. For example, a married couple filing a joint return with two dependent children (for a total of four exemptions) will be eligible for the maximum standard amount of $60.

To get the standard amount, eligible individual taxpayers will fill out an additional line on their regular 2006 1040 return. (Line 71 on Form 1040; Line 42 on Form 1040A; Line 9 on Form 1040EZ.) Alternatively, individual taxpayers who want to request a refund of the actual amount of tax paid should figure that amount using Form 8913 and report it on their income tax return.

Businesses and tax-exempt organizations can also request a refund under a different procedure detailed by the IRS. Find more information in the IRS FAQ here.
While the federal telephone excise tax on long distance has met its end, taxes on local calling services are still applicable. The only exception is if local calling is bundled with long-distance and the contract does not separately state the charge for the local telephone service, which applies to many landline and wireless plans, VoIP services and prepaid phone cards.

The U.S. telephone excise tax was enacted first in 1898 to help fund the Spanish-American war. Since then, the tax has been repealed and reinstated several times, usually in connection to times of war.

From rforno at infowarrior.org Thu Jan 4 23:20:54 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 04 Jan 2007 23:20:54 -0500
Subject: [Infowarrior] - Bush administration defends emergency mail inspection
Message-ID:

Bush administration defends emergency mail inspection
Posted 1/4/2007 10:39 PM ET
By Mimi Hall and David Jackson, USA TODAY
http://www.usatoday.com/news/washington/2007-01-04-mail-inspection_x.htm

WASHINGTON -- The White House on Thursday defended a policy allowing the government to open mail without a warrant, despite criticism that the crime-fighting tactic might lead to privacy breaches.

Bush administration and Postal Service officials said citizens' mail remains constitutionally protected from unreasonable search and seizure. But White House spokesman Tony Snow said the United States needs to have the power to inspect mail in emergencies.

The mail controversy erupted Wednesday after a report in the New York Daily News that President Bush on Dec. 20 attached a so-called signing statement to a new postal law. The statement grants the government the authority during emergencies to bypass a law forbidding mail to be opened without a warrant.

Snow said Bush was simply reiterating authority the government already has under the law. U.S. Postal Service spokesman Thomas Day concurred. "The president is not exerting any new authority," he said.
Snow did not say what emergency circumstances might warrant inspections of the mail.

Brian Walsh, a lawyer at the conservative Heritage Foundation, said the authority likely would only be used in extreme cases, such as if police learned a bomb or an envelope containing anthrax or another biohazard was in the mail. If the government didn't have the authority for prompt inspections, the mail -- particularly overnight delivery -- could become "a courier service for drug dealers or terrorists," Walsh said.

Privacy rights advocates expressed concern that the administration could loosely define emergency situations to include looking at mail sent by or delivered to people who might wrongly be included on the government's terrorist watch lists.

The American Civil Liberties Union said such "deliberate ambiguity" was troublesome. It "raises a red flag because of President Bush's history of asserting broad powers to spy on Americans," ACLU Director Anthony Romero said.

Others accused Bush of making an end-run around the Constitution and Congress. "This opens the door into the government prying into private communications," said Jonathan Hafetz, a lawyer with the Brennan Center for Justice. "It's something we associate with a totalitarian or police state."

In Congress, where Democrats took control of both houses Thursday for the first time in 12 years, some lawmakers expressed unease about the practice.

"Every American wants foolproof protection against terrorism," Sen. Charles Schumer, D-N.Y., said. "But history has shown it can and should be done within the confines of the Constitution. This last-minute, irregular and unauthorized reinterpretation of a duly passed law is the exact type of maneuver that voters so resoundingly rejected in November."
From rforno at infowarrior.org Fri Jan 5 14:35:43 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 05 Jan 2007 14:35:43 -0500
Subject: [Infowarrior] - Clever parody: "Strangers on My Flight"
Message-ID:

(c/o Schneier's blog)

"Strangers on My Flight"
http://www.animatronics.org/strangers/strangers.htm

...with apologies to Ol' Blue Eyes, of course!

-rf

From rforno at infowarrior.org Fri Jan 5 19:16:57 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 05 Jan 2007 19:16:57 -0500
Subject: [Infowarrior] - Fingerprinting the World's Mail Servers
Message-ID:

Fingerprinting the World's Mail Servers
by Ken Simpson and Stas Bekman
01/05/2007
http://www.oreillynet.com/lpt/a/6849

From rforno at infowarrior.org Fri Jan 5 19:19:45 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 05 Jan 2007 19:19:45 -0500
Subject: [Infowarrior] - Designing Cyberinfrastructure for Collaboration and Innovation
In-Reply-To: <9A3A2149-31F3-4DFC-AEC6-284F472A4DE9@farber.net>
Message-ID:

(c/o IP)

Designing Cyberinfrastructure for Collaboration and Innovation
National Academy of Sciences, 21st and C Sts., NW
Washington, DC, January 29-30

This interdisciplinary conference examines the vision, design, and policy implications of cyberinfrastructure in the context of open innovation, the growing importance of collaboration, and the increased presence of intellectual property and other controls on the creation, management, and use of knowledge. As publicly supported advanced infrastructure, cyberinfrastructure invites learning from the history of the Internet and the explosion of Internet-enabled innovation, but there are important technological, institutional, and contextual differences.

The conference is co-sponsored by the National Science Foundation, the University of Michigan, Science Commons, the Council on Competitiveness, and the Committee for Economic Development.
A detailed program is now available, please see the conference website: http://cyberinfrastructure.us

[There are few hotel rooms from a block reserved for speakers at the nearby State Plaza Hotel for $150, but this expires today, Jan 5; see "accommodations" on the website for details.]

From rforno at infowarrior.org Fri Jan 5 19:27:00 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 05 Jan 2007 19:27:00 -0500
Subject: [Infowarrior] - DHS Traveller's Redress Inquiry Program (watchlists)
Message-ID:

[Federal Register: January 5, 2007 (Volume 72, Number 3)]
[Notices]
[Page 576-577]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr05ja07-48]

-----------------------------------------------------------------------

DEPARTMENT OF HOMELAND SECURITY

Transportation Security Administration

Intent To Request Approval From OMB of One New Public Collection of Information: Department of Homeland Security Traveler Redress Inquiry Program (DHS TRIP)

AGENCY: Transportation Security Administration, DHS.

ACTION: Notice.

-----------------------------------------------------------------------

SUMMARY: The Transportation Security Administration (TSA), as lead for DHS, invites public comment on a new information collection requirement abstracted below that we will submit to the Office of Management and Budget (OMB) for approval in compliance with the Paperwork Reduction Act.

DATES: Send your comments by March 6, 2007.

ADDRESSES: Comments may be mailed or delivered to Katrina Kletzly, Attorney-Advisor, Office of the Chief Counsel, TSA-2, Transportation Security Administration, 601 South 12th Street, Arlington, VA 22202-4220.

FOR FURTHER INFORMATION CONTACT: Katrina Kletzly at the above address, or by telephone (571) 227-1995 or facsimile (571) 227-1381.

SUPPLEMENTARY INFORMATION:

Comments Invited

In accordance with the Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et seq.), an agency may not conduct or sponsor, and a person is not required to respond to, a collection of information unless it displays a valid OMB control number. Therefore, in preparation for OMB review and approval of the following information collection, TSA, on behalf of DHS, is soliciting comments to--

(1) Evaluate whether the proposed information requirement is necessary for the proper performance of the functions of the agency, including whether the information will have practical utility;
(2) Evaluate the accuracy of the agency's estimate of the burden;
(3) Enhance the quality, utility, and clarity of the information to be collected; and
(4) Minimize the burden of the collection of information on those who are to respond, including using appropriate automated, electronic, mechanical, or other technological collection techniques or other forms of information technology.

Information Collection Requirement

Purpose of Data Collection

The Rice-Chertoff Initiative (RCI) Department of Homeland Security Traveler Redress Inquiry Program (DHS TRIP) was developed as a voluntary program by DHS to provide a one-stop mechanism for individuals to request redress who believe they have been: (1) Denied or delayed boarding; (2) denied or delayed entry into or departure from the United States at a port of entry; or (3) identified for additional (secondary) screening at our Nation's transportation hubs, including airports, seaports, train stations and land borders. The DHS TRIP office will be located at, and managed by, TSA. In order for individuals to request redress, they are asked to provide identifying information, as well as details of the travel experience.

Description of Data Collection

The Traveler Inquiry Form (TIF) is an online form used to collect requests for redress by the DHS TRIP office, which will serve as a centralized intake office for traveler requests to have their personal information reviewed.
DHS TRIP then passes the information to the relevant DHS component to process the request, as appropriate (e.g., DHS TRIP passes the form to DHS to initiate the Watch List Clearance Procedure). This collection serves to distinguish individuals from an actual individual on any watch list used by DHS, and it helps streamline and expedite future check-in or border crossing experiences.

DHS estimates completing the form, and gathering and submitting the information will take approximately one hour. The annual respondent population was derived from data compiled across all participating components (TSA, U.S. Customs and Border Protection (CBP), U.S. Immigration and Customs Enforcement (ICE), US-VISIT, DHS Office of Civil Rights and Civil Liberties (CRCL), and the DHS Privacy Office). Thus, the total estimated annual number of burden hours for passengers seeking redress, based on an estimated 31,980 annual respondents, is 31,980 hours (31,980 x 1).

Use of Results

The DHS TRIP office will use this information to conduct redress procedures for individuals who believe they have been (1) denied or delayed boarding, (2) denied or delayed entry into or departure from the United States at a port of entry, or (3) identified for additional screening at our Nation's transportation hubs, including airports, seaports, train stations and land borders.

Issued in Arlington, Virginia, on December 28, 2006.

Lisa S. Dean,
Privacy Officer.

[FR Doc. E6-22611 Filed 1-4-07; 8:45 am]
BILLING CODE 9110-05-P

From rforno at infowarrior.org Fri Jan 5 22:37:09 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 05 Jan 2007 22:37:09 -0500
Subject: [Infowarrior] - TSA Pilot Would Offer Ads at Airport Security Checkpoints
Message-ID:

TSA Pilot Would Offer Ads at Airport Security Checkpoints
By Benet Wilson/Aviation Daily
01/04/2007 09:14:16 AM
http://aviationnow.com/avnow/news/channel_comm_story.jsp?id=news/ADS01047.xml

Advertising in security checkpoints will be coming to an airport near you under a proposed Transportation Security Administration pilot program.

Under the one-year pilot program, TSA will allow commercial advertising at passenger screening checkpoints in select airports throughout the U.S. and its territories. "Interested parties will have to partner with airport operators to develop a proposal for TSA review. Only airport operators can submit proposals for use of the checkpoints for advertising," according to a Dec. 21, 2006, posting on the Federal Business Opportunities web site.

"TSA plans to launch a one-year pilot program where airport operators may enter into an agreement with vendors, who will provide divestiture bins, divestiture and composure tables, and metal-free bin return carts at no cost to TSA," said spokeswoman Amy Kudwa. "In return for the equipment, TSA will allow airport operator-approved advertisements to be displayed on the bottom of the inside of the bins."

An initial test at Los Angeles began in July 2006, said Kudwa. TSA is holding an Industry Day Jan. 11 at its headquarters in Arlington, Va., for those interested in participating in the program.

"Any airport operator is allowed to submit a proposal by Feb. 16, 2007, to TSA outlining how they will fulfill TSA's requirements," said Kudwa. "If the proposal is accepted by TSA, a memorandum of agreement will be executed between TSA and the airport operator."
As long as the advertising does not distract passengers from security, it's a great opportunity, said Scott Montgomery, principal at Indianapolis-based Bradley and Montgomery Advertising (BaM). BaM created a campaign for Chase Bank to sponsor electrical outlets at Indianapolis International Airport (The DAILY, May 30, 2006).

From rforno at infowarrior.org Sun Jan 7 14:08:31 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 07 Jan 2007 14:08:31 -0500
Subject: [Infowarrior] - Why blurring sensitive information is a bad idea
Message-ID:

Why blurring sensitive information is a bad idea
http://dheera.net/projects/blur.php

From rforno at infowarrior.org Sun Jan 7 14:12:10 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 07 Jan 2007 14:12:10 -0500
Subject: [Infowarrior] - Just Cancel the @#%$* Account! (Tom Spring at PCWorld)
In-Reply-To: <20070107180559.GA2360@gsp.org>
Message-ID:

(c/o RSK)

------ Forwarded Message

Just Cancel the @#%$* Account!
http://www.pcworld.com/printable/article/id,128206/printable.html

It's hard to find a Web service that doesn't offer a free trial. But just try canceling. We did, and the results weren't always pretty.

Two quick observations: First, any service that offers an easy sign-up via the Internet should also offer an easy sign-off via the Internet -- it should never be necessary to pick up the phone. Second, if the general principle behind the first point isn't enough, then re-read Tom's article and consider how it would have played out if he couldn't use a phone.

From rforno at infowarrior.org Sun Jan 7 15:56:38 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 07 Jan 2007 15:56:38 -0500
Subject: [Infowarrior] - Feds pushing for Internet records
Message-ID:

Feds pushing for Internet records
BY JOHN REINAN
McClatchy Newspapers
http://www.grandhaventribune.com/paid/317067006680886.bsp

MINNEAPOLIS -- The federal government wants your Internet provider to keep track of every Web site you visit.
For more than a year, the U.S. Justice Department has been in discussions with Internet companies and privacy rights advocates, trying to come up with a plan that would make it easier for investigators to check records of Web traffic. The idea is to help law enforcement track down child pornographers.

But some see it as another step toward total surveillance of citizens, joining warrantless wiretapping, secret scrutiny of library records and unfettered access to e-mail as another power that could be abused.

"I don't think it's realistic to think that we would create this enormous honeypot of information and then say to the FBI, 'You can only use it for this narrow purpose,'" said Leslie Harris, executive director of the Center for Democracy & Technology, a Washington, D.C.-based group that promotes free speech and privacy in communication. "We have an environment in which we're collecting more and more information on the personal lives of Americans, and our laws are completely inadequate to protect us."

So far, no concrete proposal has emerged, but U.S. Attorney General Alberto Gonzales has made it clear that he'd like to see quick action. In September testimony before a Senate committee, Gonzales painted a graphic and disturbing picture of child pornography on the Web, which he called an urgent threat to children. The production and consumption of child pornography has exploded as the Internet makes it easier to exchange images, Gonzales said. But federal agents and prosecutors are hampered in their investigations because Internet companies don't routinely keep records of their traffic, he told the committee.

Gonzales also pushed for Internet records tracking in an April speech at the National Center for Missing and Exploited Children. "Privacy rights must always be accommodated and protected as we conduct our investigations," he said.
"(But) the investigation and prosecution of child predators depends critically on the availability of evidence that is often in the hands of Internet service providers.

"This evidence will be available for us to use only if the providers retain the records for a reasonable amount of time," he said. "Unfortunately, the failure of some Internet service providers to keep records has hampered our ability to conduct investigations in this area."

Internet service providers typically keep records of Web traffic only for short periods, usually 30 to 90 days, as a way to trace technical glitches. Many ISPs, along with privacy advocates, say that it's already easy for government agents to get the information they need to investigate crimes.

The FBI, without a court order, can send a letter to any Internet provider ordering it to maintain records for an investigation, said Kevin Bankston, an attorney for the Electronic Frontier Foundation, a San Francisco-based group that promotes free speech and privacy on the Web.

"There's been no showing that mass surveillance of all Internet users, mandated by the government, is necessary for law enforcement," Bankston said. "If this passes, there would be a chilling effect on free speech if everyone knew that everything they did on the Internet could be tracked back to them."

The government has offered differing rationales for its data-retention plan, said Harris, the privacy advocate. "I've been in discussions at the Department of Justice where someone would say, 'We want this for child protection. And someone else would say 'National security,' and someone else would say, 'Computer crimes,'" Harris said. "We're operating in the wild, wild West here."
From rforno at infowarrior.org Sun Jan 7 21:27:02 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 07 Jan 2007 21:27:02 -0500
Subject: [Infowarrior] - Pew Releases Report: Social Networking Websites and Teens: An Overview
Message-ID:

(report URL: http://www.pewinternet.org/pdfs/PIP_SNS_Data_Memo_Jan_2007.pdf)

http://www.pewinternet.org/PPF/r/134/press_release.asp

Washington-- More than half (55%) of all of online American youths ages 12-17 use online social networking sites, according to a new national survey of teenagers conducted by the Pew Internet & American Life Project. The survey also finds that older teens, particularly girls, are more likely to use these sites. For girls, social networking sites are primarily places to reinforce pre-existing friendships; for boys, the networks also provide opportunities for flirting and making new friends.

A social networking site is an online place where a user can create a profile and build a personal network that connects him or her to other users. In the past five years, such sites have rocketed from a niche activity into a phenomenon that engages tens of millions of internet users. The explosive growth in the popularity of these sites has generated concerns among some parents, school officials, and government leaders about the potential risks posed to young people when personal information is made available in such a public setting.

The data memo, written by Senior Research Specialists Amanda Lenhart and Mary Madden, is based on a survey conducted by telephone from October 23 through November 19, 2006 among a national sample of 935 youths ages 12 to 17. The survey asked about the ways that teenagers use social networking sites and their reasons for doing so.

Among the key findings:

# 55% of online teens have created a personal profile online, and 55% have used social networking sites like MySpace or Facebook.
# 66% of teens who have created a profile say that their profile is not visible to all internet users. # 48% of teens visit social networking websites daily or more often; 26% visit once a day, 22% visit several times a day. # Older girls ages 15-17 are more likely to have used social networking sites and created online profiles; 70% of older girls have used an online social network compared with 54% of older boys, and 70% of older girls have created an online profile, while only 57% of older boys have done so. "There is a widespread notion that every American teenager is using social networks, and that they're plastering personal information over their profiles for anyone and everyone to read," says Amanda Lenhart. "These findings add nuance to that story -- not every teenager is using a social networking website, and of those that do, more than half of them have in some way restricted access to their profile." Teens say social networking sites help them manage their friendships # 91% of all social networking teens say they use the sites to stay in touch with friends they see frequently, while 82% use the sites to stay in touch with friends they rarely see in person. # 72% of all social networking teens use the sites to make plans with friends; 49% use the sites to make new friends. # Older boys who use social networking sites (ages 15-17) are more likely than girls of the same age to say that they use social networking sites to make new friends (60% vs. 46%). # Just 17% of all social networking teens say they use the sites to flirt. # Older boys who use social networking sites are more than twice as likely as older girls to say they use the sites to flirt; 29% report this compared with just 13% of older girls. "Both boys and girls rely on social networks to keep close tabs on their current friends, but older boys are much more likely to use them to meet new friends and flirt in the comfort of an online environment," says Mary Madden.
"Older boys are really the ones taking advantage of the true 'networking' features afforded by the sites." The Pew Internet Project survey was conducted from October 23 to November 19, 2006 and has a margin of error in the overall sample of plus or minus 3 percentage points. The Pew Internet Project is a non-profit, non-partisan initiative of the Pew Research Center that produces reports exploring the impact of the internet on children, families, communities, the work place, schools, health care, and civic/political life. Support for the non-profit Pew Internet Project is provided by The Pew Charitable Trusts. From rforno at infowarrior.org Sun Jan 7 21:33:01 2007 From: rforno at infowarrior.org (Richard Forno) Date: Sun, 07 Jan 2007 21:33:01 -0500 Subject: [Infowarrior] - Schiff, Flake Introduce "NSA Oversight Act" Message-ID: (c/o pogowasright.org) Schiff, Flake Introduce "NSA Oversight Act" Congressional Desk http://www.californiachronicle.com/articles/viewArticle.asp?articleID=18752 Congressional Desk January 7, 2007 Bipartisan bill modernizes electronic surveillance authority to prevent attacks and clarifies that FISA maintains exclusive means to conduct domestic surveillance. WASHINGTON, D.C. -- On the first day of the 110th Congress, Reps. Adam Schiff (D-CA) and Jeff Flake (R-AZ) offered a bipartisan measure that will modernize the Foreign Intelligence Surveillance Act (FISA) to respond to changes in technology and new threats, but that will retain court supervision over domestic electronic surveillance. The "NSA Oversight Act" directly addresses the President's domestic surveillance program. "Electronic surveillance of those seeking to harm our country must be targeted and aggressive. It must also be constitutional and respect the privacy of law-abiding Americans," Schiff said. "When Congress passed FISA and Title III, it intended to provide the sole authority for surveillance of Americans on American soil.
Those acts require court approval for such surveillance, and the FISA court has proved capable of acting expeditiously." "Updates and improvements in FISA need to be codified in law to ensure that they survive the present administration," said Flake. The Schiff-Flake legislation responds to the issues that were raised by officials at the National Security Agency (NSA) and the Department of Justice last year in testimony to Congress. The bipartisan measure on NSA oversight: 1. Extends Emergency Electronic Surveillance Authority to Prevent Attacks - extends from 72 hours to 7 days the amount of time allowed to initiate surveillance in an urgent situation before going to the FISA court for a warrant. This authority can be used to thwart imminent attacks. 2. Enhances Electronic Surveillance Authority after an Attack - provides that in addition to a "declaration of war by the Congress," an "authorization for the use of military force (AUMF)" can also trigger the FISA "wartime exception" for purposes of allowing 15 days of warrantless surveillance. 3. Clarifies that Foreign-to-Foreign Communications are Outside FISA - makes clear that foreign-to-foreign communications are outside of FISA and don't require a court order. 4. Permits Continued Surveillance Where Targets Travel Internationally - provides that a FISA order for electronic surveillance shall continue to be in effect for the authorized period even if the person leaves the U.S. 5. Streamlines FISA Application Process - removes redundant requirements in the application process and streamlines some of the current detailed requirements in order to permit information to be drafted in summary form. 6. Increases Speed and Agility of FISA Process - authorizes the FISA court, DOJ, FBI, and NSA to hire more staff for the preparation and consideration of FISA applications and orders.
Authorizes the appointment of additional FISA judges to provide for the prompt and timely consideration of FISA applications and requires a 24-hour turnaround for emergency applications. 7. Reiterates Exclusivity of FISA and Clarifies Military Force Statute - reiterates that FISA is the exclusive means by which domestic electronic surveillance for foreign intelligence purposes may be conducted, unless Congress amends the law or passes additional laws regarding electronic surveillance. Makes clear that the AUMF does not constitute an exception to that rule. 8. Requires Congressional Oversight of TSP and Other Programs in Existence - requires a report to Intel on the Terrorist Surveillance Program (TSP) and any program involving electronic surveillance of U.S. persons in the U.S. for foreign intelligence purposes that is outside FISA. Provides access of this report to members of the Judiciary Committee. 9. Reps. Schiff and Flake previously teamed up on similar legislation last year. They offered several measures dealing with domestic surveillance including one that would have cut funding to any program that conducted domestic surveillance outside of FISA. However, the amendment to the Department of Defense Appropriations bill was defeated in a close vote, with 23 Republicans supporting the measure. Reps. Schiff and Flake also worked together in 2005 to secure passage of an amendment to the Patriot Act to provide additional safeguards for library and bookstore records. Rep. Schiff was recently appointed to serve on the House Appropriations Committee in the 110th Congress. In the 109th Congress, Rep. Schiff served on the House International Relations Committee and the House Judiciary Committee. He represents California's 29th Congressional District, which includes the communities of Alhambra, Altadena, Burbank, East Pasadena, East San Gabriel, Glendale, Monterey Park, Pasadena, San Gabriel, South Pasadena and Temple City.
From rforno at infowarrior.org Mon Jan 8 08:43:08 2007 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 08 Jan 2007 08:43:08 -0500 Subject: [Infowarrior] - What's Making Us Sick Is an Epidemic of Diagnoses Message-ID: January 2, 2007 Essay What's Making Us Sick Is an Epidemic of Diagnoses By H. GILBERT WELCH, LISA SCHWARTZ and STEVEN WOLOSHIN http://www.nytimes.com/2007/01/02/health/02essa.html?_r=2&oref=slogin&pagewanted=print For most Americans, the biggest health threat is not avian flu, West Nile or mad cow disease. It's our health-care system. You might think this is because doctors make mistakes (we do make mistakes). But you can't be a victim of medical error if you are not in the system. The larger threat posed by American medicine is that more and more of us are being drawn into the system not because of an epidemic of disease, but because of an epidemic of diagnoses. Americans live longer than ever, yet more of us are told we are sick. How can this be? One reason is that we devote more resources to medical care than any other country. Some of this investment is productive, curing disease and alleviating suffering. But it also leads to more diagnoses, a trend that has become an epidemic. This epidemic is a threat to your health. It has two distinct sources. One is the medicalization of everyday life. Most of us experience physical or emotional sensations we don't like, and in the past, this was considered a part of life. Increasingly, however, such sensations are considered symptoms of disease. Everyday experiences like insomnia, sadness, twitchy legs and impaired sex drive now become diagnoses: sleep disorder, depression, restless leg syndrome and sexual dysfunction. Perhaps most worrisome is the medicalization of childhood.
If children cough after exercising, they have asthma; if they have trouble reading, they are dyslexic; if they are unhappy, they are depressed; and if they alternate between unhappiness and liveliness, they have bipolar disorder. While these diagnoses may benefit the few with severe symptoms, one has to wonder about the effect on the many whose symptoms are mild, intermittent or transient. The other source is the drive to find disease early. While diagnoses used to be reserved for serious illness, we now diagnose illness in people who have no symptoms at all, those with so-called predisease or those "at risk." Two developments accelerate this process. First, advanced technology allows doctors to look really hard for things to be wrong. We can detect trace molecules in the blood. We can direct fiber-optic devices into every orifice. And CT scans, ultrasounds, M.R.I. and PET scans let doctors define subtle structural defects deep inside the body. These technologies make it possible to give a diagnosis to just about everybody: arthritis in people without joint pain, stomach damage in people without heartburn and prostate cancer in over a million people who, but for testing, would have lived as long without being a cancer patient. Second, the rules are changing. Expert panels constantly expand what constitutes disease: thresholds for diagnosing diabetes, hypertension, osteoporosis and obesity have all fallen in the last few years. The criterion for normal cholesterol has dropped multiple times. With these changes, disease can now be diagnosed in more than half the population. Most of us assume that all this additional diagnosis can only be beneficial. And some of it is. But at the extreme, the logic of early detection is absurd. If more than half of us are sick, what does it mean to be normal? Many more of us harbor "pre-disease" than will ever get disease, and all of us are "at risk." The medicalization of everyday life is no less problematic.
Exactly what are we doing to our children when 40 percent of summer campers are on one or more chronic prescription medications? No one should take the process of making people into patients lightly. There are real drawbacks. Simply labeling people as diseased can make them feel anxious and vulnerable -- a particular concern in children. But the real problem with the epidemic of diagnoses is that it leads to an epidemic of treatments. Not all treatments have important benefits, but almost all can have harms. Sometimes the harms are known, but often the harms of new therapies take years to emerge -- after many have been exposed. For the severely ill, these harms generally pale relative to the potential benefits. But for those experiencing mild symptoms, the harms become much more relevant. And for the many labeled as having predisease or as being "at risk" but destined to remain healthy, treatment can only cause harm. The epidemic of diagnoses has many causes. More diagnoses mean more money for drug manufacturers, hospitals, physicians and disease advocacy groups. Researchers, and even the disease-based organization of the National Institutes of Health, secure their stature (and financing) by promoting the detection of "their" disease. Medico-legal concerns also drive the epidemic. While failing to make a diagnosis can result in lawsuits, there are no corresponding penalties for overdiagnosis. Thus, the path of least resistance for clinicians is to diagnose liberally -- even when we wonder if doing so really helps our patients. As more of us are being told we are sick, fewer of us are being told we are well. People need to think hard about the benefits and risks of increased diagnosis: the fundamental question they face is whether or not to become a patient. And doctors need to remember the value of reassuring people that they are not sick. Perhaps someone should start monitoring a new health metric: the proportion of the population not requiring medical care.
And the National Institutes of Health could propose a new goal for medical researchers: reduce the need for medical services, not increase it. Dr. Welch is the author of "Should I Be Tested for Cancer? Maybe Not and Here's Why" (University of California Press). Dr. Schwartz and Dr. Woloshin are senior research associates at the VA Outcomes Group in White River Junction, Vt. From rforno at infowarrior.org Mon Jan 8 10:36:59 2007 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 08 Jan 2007 10:36:59 -0500 Subject: [Infowarrior] - Satellite Television in a Portable Box Message-ID: Satellite Television in a Portable Box By LORNE MANLY http://www.nytimes.com/2007/01/08/technology/08satellite.html?pagewanted=print LOS ANGELES -- Rick Rosner is a self-described television junkie. Not only is he the creator and producer of many television series, most notably "CHiPs" and "The New Hollywood Squares," he feels an overpowering need to surround himself with television everywhere he may be. Fourteen television sets jostle for space in Mr. Rosner's penthouse condominium in Marina Del Rey. When more than a decade ago he moved into his previous home, in Coldwater Canyon, only to learn he could not pick up a cable signal, he dispatched a production assistant to Phoenix to get something not yet available on the West Coast: DirecTV. On location shoots he would lug one of his DirecTV set-top boxes along and then rent or buy a satellite dish and attach it to his balcony railing with duct tape. That hassle got him thinking: What if there were a portable satellite dish, which folds up like a piece of luggage, and could be used for camping and tailgate parties or in dorm rooms? And that's how a longtime television producer turned into an inventor.
The result of his obsessive handiwork will be on display today at the Consumer Electronics Show in Las Vegas, when DirecTV will unveil the Sat-Go, a mobile satellite and television system weighing about 25 pounds that will sell for $1,000 to $1,300. DirecTV hopes that the Sat-Go will help differentiate the company from its cable-television competition and attract a different type of customer when the product goes on sale this spring. "I love to try different things," the 65-year-old Mr. Rosner said when asked to explain the moonlighting. "That's sort of the story of my life." Mr. Rosner's affection for all things television began as a child, when shows like "Captain Video and His Video Rangers" and "The Howdy Doody Show" captivated him, and working as a page at NBC during college cemented that connection. When he dropped out of veterinary school at Cornell University after six weeks, he moved to New York and reclaimed his post at NBC before getting a job at "Candid Camera" and becoming a television producer. The walls of his condominium are crammed with pictures of people he's worked with and for over the years, like Mike Douglas, Regis Philbin, John Davidson and Joan Rivers. But even while involved in the television business, his enthusiasms took him in different directions. When on one episode of "The Steve Allen Show" the host was made to scuba dive, an emergency rescue unit came in to school Mr. Allen, and Mr. Rosner struck up a friendship with the visitors. That led him to take a course at the Los Angeles County sheriff's department. One night, he and his partner were parked at a Winchell's doughnut shop in Los Angeles when two California highway patrolmen, complete with darkened helmet visor and shiny boots, pulled up behind them. But that intimidating sight melted when the two took off their helmets and sunglasses. "Right there, it hit me," said Mr. Rosner over a lunch of shrimp cocktail and Caesar salad at a dockside restaurant near his condominium.
"That's a TV series. Two guys racing around the L.A. freeway system. Two good guys doing a job." "He incorporates parts of his life into his business," said Michael Gelman, executive producer of "Live With Regis and Kelly," who became friends with Mr. Rosner when he worked on "The New Hollywood Squares" more than 20 years ago. A similar connection explains the genesis of Sat-Go. After getting his inspiration for Sat-Go during an early morning walk in Vancouver, he hooked up with David Kuether, a friend who was an engineer at DirecTV, and the two set out to build a mobile satellite TV. Mr. Rosner then called in a favor from another friend, his former art director on "The New Hollywood Squares" who is now the head of "The Tonight Show's" prop shop. They built a prototype -- "it looked like a big sewing machine," he said -- and then tried to persuade DirecTV to build and sell it. At first, they were greeted with a decided lack of interest. But the head of the set-top box division sent Mr. Rosner and his contraption to see Eric Shanks, executive vice president of DirecTV Entertainment. Luckily for Mr. Rosner, Mr. Shanks was a "CHiPs" fanatic and jumped at the chance to meet its creator. "It's my second-favorite show," he said. ("The A-Team" is No. 1.) DirecTV will be selling Sat-Go in places it has never been before, like Cabela's, the hunting, fishing and camping store, and advertising in unfamiliar publications, like RV magazine. Although the modest first-run of production (about 10,000) makes Sat-Go an expensive toy, that price should come down, and the monthly subscription fee of $4.99 is the same as adding a box, according to Mr. Shanks. Mr. Rosner has continued to be involved in every aspect of the Sat-Go's development, particularly its design. Mr. Rosner and DirecTV executives both knew they wanted it to look like a high-end piece of luggage, one that could come from the likes of Louis Vuitton. But the color never satisfied.
After the fifth or sixth try with the manufacturer, Mr. Rosner arrived one day with a carton full of Hershey dark chocolate bars -- the hue reminded him of an early Bentley from Rolls-Royce -- and announced this was the color the Sat-Go casing should be. "It just looked so rich," said Mr. Rosner, who this late December day in a chilly Southern California was wearing chocolate brown slacks with a chocolate brown Sat-Go sweater. "It said money." Mr. Rosner's nearly constant presence -- in the past year and a half he estimated that he dropped by DirecTV's headquarters in El Segundo two or three times a week -- could be unnerving to Sat-Go's development team, so much so that the head of engineering called Mr. Shanks to complain that Mr. Rosner was distracting him. But Mr. Rosner has a history of barreling through obstacles and getting what he desires. "Rick has always been a champion of the what-if scenario of television," said Harry Friedman, executive producer of "Wheel of Fortune" and "Jeopardy" and a friend of Mr. Rosner's since they worked together on "The New Hollywood Squares." Mr. Rosner was the first to take game shows out on the road, plopping "The New Hollywood Squares" down in New York's Radio City Music Hall and on the beach in the Bahamas. Now that the Sat-Go is a reality, Mr. Rosner can turn his attention to his next big entertainment project, a feature film based on "CHiPs." Wilmer Valderrama ("That 70s Show," "Fast Food Nation") will play Officer Frank "Ponch" Poncherello, the Erik Estrada role, and Warner Brothers expects to shoot the picture this year. But Mr. Rosner is not done with DirecTV; he is helping the company develop different Sat-Go offshoots. The Sat-Go Pro will come in a hardened plastic case and be marketed to users like FEMA, the Federal Emergency Management Agency. The Sat-Go Light will be about half the weight. And Mr. Rosner wants DirecTV to build a version with a digital video-recorder, too. "I am the biggest DirecTV fan in the world,"
he said. "No one appreciates that company more than me." And Mr. Rosner wants to make sure no one will ever have to go without television again. From rforno at infowarrior.org Mon Jan 8 10:39:35 2007 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 08 Jan 2007 10:39:35 -0500 Subject: [Infowarrior] - MI5 offers fear by email Message-ID: MI5 offers fear by email Terror alerts by email By John Oates Published Monday 8th January 2007 15:16 GMT http://www.theregister.co.uk/2007/01/08/mi5_email_updates/ The Security Service MI5 will announce tomorrow that subscribers to its website can sign up for email notification of changes to the current threat level. A spokeswoman for the Home Office said: "There will be two electronic lists, one for people interested in updates to the threat level and one for changes and updates to the website. This aims to improve public understanding of the service's work and to offer faster information about threat levels." Anyone can sign up to the lists. There are five levels of threat: low, moderate, substantial, severe and critical. The level is set by the Joint Terrorism Analysis Centre, made up of representatives of 11 government departments but run by MI5. The level is currently "severe"; Home Secretary John Reid said in early December that the chances of an attack over Christmas were "highly likely". There's more on how scared you should be here, but sensitive readers should be warned the page contains a picture of John Reid. The site also puts to rest the myth that MI5 only recruits people who are shorter than 5'11". In fact only mobile surveillance staff have to be shorter than 5'11". More myths laid to rest here.
From rforno at infowarrior.org Mon Jan 8 12:46:35 2007 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 08 Jan 2007 12:46:35 -0500 Subject: [Infowarrior] - Britons to be scanned for FBI database Message-ID: Britons to be scanned for FBI database Paul Harris in New York, Jamie Doward and Paul Gallagher Sunday January 7, 2007 The Observer http://www.guardian.co.uk/humanrights/story/0,,1984650,00.html Millions of Britons who visit the United States are to have their fingerprints stored on the FBI database alongside those of criminals, in a move that has outraged civil rights groups. The Observer has established that under new plans to combat terrorism, the US government will demand that visitors have all 10 fingers scanned when they enter the country. The information will be shared with intelligence agencies, including the FBI, with no restrictions on their international use. US airport scanners now take only two fingerprints from travellers. The move to 10 allows the information to be compatible with the FBI database. 'We are going to start testing at several airports,' a Department of Homeland Security spokeswoman confirmed. 'It will begin some time this summer.' Sources said 10 airports would initially be involved. The scheme will cover most of the major airports frequently used by British travellers, including New York, Washington and Miami. Countries subject to the new scheme include Britain, other European Union nations, Japan, Australia and New Zealand. Last night the British civil rights group Liberty expressed astonishment at the plan, which will affect four million British travellers to the US. 'This must be the Keystone Cops school of border control,' said Shami Chakrabarti, director of Liberty. 'Accumulating the fingerprints of millions of innocent passengers will not deter would-be suicide bombers.' Security experts warned the scale of the scheme might jeopardise its success. 
'This maniacal proposal will turn thousands of law-abiding British travellers into terrorist suspects,' said Simon Davies, head of Privacy International, a campaign against intrusive surveillance. 'The technology at US airports will be far less reliable. That means anyone could be the victim of a false match,' Davies said. 'Be warned. A San Francisco Bay family holiday may easily become a nightmare.' He predicted that airport queues would treble as a result of the scheme. 'Taking fingerprints is a delicate and complex undertaking that can't be rushed to keep queues short,' he said. A recent report by the civil liberties group Statewatch highlighted a Japanese study that tested 15 biometric systems and found 11 of them failed to detect 'false' fingerprints were being used in the form of a latex strip covering a person's fingers. Britons already have their credit card details and email accounts inspected by the American authorities following a deal between the EU and the Department of Homeland Security. Now passengers face having all their credit card transactions traced when using one to book a flight. And travellers giving an email address to an airline will be open to having all messages they send and receive from that address scrutinised. The demands were disclosed in 'undertakings' given by the Department of Homeland Security to the EU and published by the Department for Transport after a request under the freedom of information legislation. In America, the 10-digit fingerprint plan has sparked concern among civil rights groups, which accuse the government of using the excuse of terrorism to expand its ability to monitor individuals. The scheme uses an electronic scanner. Fingerprint information is then fed into a Department of Homeland Security database that stores material from domestic security organisations such as the FBI, as well as international bodies like Interpol. It already holds 71 million fingerprints and is growing.
'This is about stopping crime and about national security after 9/11,' the Homeland Security spokeswoman said. 'The reason for 10-digit fingerprints is that it is more secure than the two-digit system, and the 10-digit system is becoming the international standard.' The spokeswoman said she was confident the new procedure would not deter people from visiting the US. 'That is what people said when we introduced the two-digit system,' she said. 'But that is not what happened.' She added the reason the scheme was to run in just 10 airports initially was to ensure its smooth operation before it became standard at all US airports, major ports of entry and consulates abroad. The Department of Homeland Security aims to have the new system in place across the US by the end of 2008. In a speech at a technology conference Michael Chertoff, the Secretary of Homeland Security, said the main aim was to deter 'the unknown terrorist'. It could pick up on fingerprints left at terrorist sites around the world. 'A fingerprint that is left... in the training camp or in the safe house is, in fact, a powerful tool.' He added that he hoped the system would deter any terrorists from ever trying to enter the US. 'We will have a world in which any terrorist who has ever been in a safe house or has ever been in a training camp is going to ask himself or herself this question: have I ever left a fingerprint anywhere?' Chertoff said. From rforno at infowarrior.org Mon Jan 8 12:52:17 2007 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 08 Jan 2007 12:52:17 -0500 Subject: [Infowarrior] - Supreme Court won't KO airport ID policy Message-ID: Supreme Court won't KO airport ID policy Associated Press http://www.mercurynews.com/mld/mercurynews/news/politics/16410623.htm WASHINGTON - The Supreme Court on Monday rejected a challenge to federal airport regulations requiring passengers to show identification before they board planes. 
The justices, without comment, let stand an appeals court ruling against Libertarian activist and millionaire John Gilmore. Gilmore wanted the court to force the federal government to disclose the policy that requires passengers to produce identification. Unless the regulations are made public, air travelers have no way to determine if the regulations call for impermissible searches, Gilmore said in court papers. The Justice Department has said that demanding ID protects passengers' safety. The case is Gilmore v. Gonzales, 06-211. From rforno at infowarrior.org Mon Jan 8 13:08:17 2007 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 08 Jan 2007 13:08:17 -0500 Subject: [Infowarrior] - Music Fans: Dismantle DRM Message-ID: Technology January 5, 2007, 12:01AM EST Music Fans: Dismantle DRM New lawsuits are using antitrust law to challenge media giants' music download policies, claiming they unfairly restrict users' purchases http://businessweek.com/technology/content/jan2007/tc20070105_896787.htm?chan=technology_technology+index+page_today%27s+top+stories by Catherine Holahan When it comes to legal action over downloaded music, the defendants are often individuals: The lone user downloads one too many copyrighted files and Big Media goes on the offensive. But now, the little guy is turning the tables. A fresh crop of lawsuits filed on behalf of individuals argue that it's the big companies that are ripping off the consumer. Melanie Tucker, a San Diego resident, says Apple Computer (AAPL) unfairly restricts how its iTunes Store customers can use legally purchased music. Apple uses its so-called Digital Rights Management, or DRM, software to prevent iTunes songs from easily running on media players that compete with its iPods. (The files can be converted but the process is time-consuming and can be confusing.) Apple's brand of DRM software, called FairPlay, also prevents music purchased through services other than iTunes from playing on the iPod.
Tucker maintains that the company, which controls between 70% and more than 85% of the legal music download market and perhaps a 90% share of the digital music player market, is behaving like an overly aggressive monopoly, stifling competition in violation of antitrust legislation. "Apple has monopoly power in both markets through iTunes and iPod and they have made a conscious decision to disable people from freely using other formats on their iPod and vice versa," says Andrew S. Friedman, one of Tucker's attorneys. Friedman is seeking class-action status for the suit. My Tunes vs. iTunes Tucker's suit comes on the heels of a March, 2006 class action filed by Scott Ruth against music industry players including Sony BMG Music Entertainment (owned by Sony (SNE) and Bertelsmann Media), Universal Music Group, Time Warner Music Group (TWX), and EMI (EMI). Ruth, an Arizona resident, argues that the labels are violating antitrust agreements by using DRM to prevent music from being sold by a variety of retailers, thereby stifling competition that could keep prices down. Both Ruth's and Tucker's suits seek compensation for music download customers as well as a change in the restrictions. The arguments in Ruth's and Tucker's suits are not particularly new. Consumers have long complained that legally purchased songs cannot be played on all their devices in part because of restrictions on the number of devices that can hold a license for a song at any one time. Traditionally, the record labels and download services have argued that the restrictions are necessary to combat piracy and ensure artists are compensated. Seeing few alternatives, many music lovers have begrudgingly accepted this answer -- or opted for illegal downloading. But the lawsuits show customers are no longer willing to accept the status quo.
Some DRM opponents have begun arguing that DRM restrictions are actually fueling piracy by forcing users to choose between buying music that they will only be able to play on a limited number of compatible devices or stealing music that they can play anywhere. "Right now the fact is that pirated music and pirated movies are actually worth more than the movies and music you buy," says Rob Enderle, principal analyst with the Enderle Group. "I can't think of another product that is actually worth more stolen than if you purchased it."

Music Biz Ready to Play

The music industry is showing signs of softening. While record labels aren't changing their tune on the need for DRM to prohibit piracy, the Recording Industry Association of America, which represents the major labels, wants changes that would let users play downloaded music across a variety of devices. "We are focused on interoperability," says RIAA President Cary Sherman. Over time, the recording industry has gradually shown other signs of flexibility. It has allowed music subscription sites to license music and has enabled services that give songs away for free in exchange for exposing customers to advertisements. It has even enabled users to put rented songs, obtained through subscription services, on portable devices -- long a sticking point between the industry, the services, and the users who did not want to get subscriptions without the ability to take their music with them (see BusinessWeek.com, 9/5/06, "Meet the iTunes Wannabes").

Interoperability Is Key

Much of the change in attitude has resulted from consumer backlash and the music industry's growing frustration with Apple, which has refused to give the industry more control over pricing (see BusinessWeek.com, 12/19/05, "Apple May Be Holding back the Music Biz"). The trouble is, Apple is opposed to interoperability and labels don't have a choice but to do what the Web stores want. "How powerful is a company when they are negotiating with Wal-Mart (WMT)?"
asks Sherman. "Want Wal-Mart to carry your stuff, your prices are going to come down. Record companies have to negotiate with Apple because they are the dominant player." Both Apple and Microsoft (MSFT), maker of the Zune music player, have said they have not made their products interoperable because people want a seamless experience between download store and device. The more media player manufacturers and download services are involved, the more difficult seamless interoperability becomes. Microsoft experienced this with its "PlaysForSure" technology, which was used by Samsung, Creative Labs (CREAF), and others with only varying degrees of success. That's one of the reasons why, in releasing Zune, Microsoft opted for a system that didn't have to work with products it didn't control (see BusinessWeek.com, 11/12/06, "A Method to Microsoft's Zune Madness"). Calls to Apple and Microsoft representatives were not returned. However, such interoperability issues would likely not exist if the companies just did away with DRM altogether, allowing users to download music and then copy it to as many devices as they want. Several download services such as eMusic and Amie Street have developed businesses around nonrestricted music files and flexible price models. And eMusic, which focuses on independent label artists similar to Amie Street, has been particularly successful. In the three years it has been in business, it has sold more than 100 million songs. "Paying customers will stay paying customers and people looking for free music will continue to look for free music," says eMusic president and chief executive officer David Pakman. "We challenge the notion that [DRM] is a requirement in order for the industry to grow."

New Business Model

What's more, eMusic has seen steady growth. It is now the No. 2 music service after iTunes, based on volume of songs sold (Apple sells about 1.8 million songs a day).
On average, eMusic customers buy 20 songs a month, spending about $168 a year on songs, says Pakman. The average iPod owner buys fewer than 15 songs a year per owned iPod (see BusinessWeek.com, 11/21/06, "Online Music's Elusive Bottom Line"). Pakman sees the number of songs his customers buy as evidence that songs can be progressively priced in a way that reflects demand for particular songs and discourages piracy. Elliott Breece, co-founder and CEO of Amie Street, concurs. Songs at Amie Street start free and then become gradually more expensive as they start to sell. Prices are capped at 98 cents, a penny less than the price for each iTunes song. Amie Street has sold more than 70,000 songs since its October launch. Breece says that Amie Street wouldn't be able to compete if users couldn't download songs and play them wherever they wanted. "People want to buy and own stuff," says Breece. "In a lot of ways DRM isn't really natural." The protections, however, are a way to secure loyalty among customers. After all, why would a longtime iPod user want to buy another, comparably priced music device if doing so would require spending hours to convert files into the appropriate format? Thus, barring an anti-Apple court decision (which even Friedman concedes would be a couple years off at the earliest), there's no real reason for Apple to change. Unless, of course, consumers start voting with their pocketbooks by purchasing music through non-DRM services and listening to it on non-iPod players.

An Open-Format Future?

Michael Bebel is CEO of Ruckus Network, an advertising and subscription-supported music download service that is focused on college students and uses Microsoft's PlaysForSure technology. Bebel says he can see a future with no DRM -- if consumers stand up in big enough numbers. "I think that at least the calls for change are going to reach a critical point this year," says Bebel. "But change never occurs as rapidly as one might hope or like."
The labels could help speed the change by refusing to license certain songs to iTunes in order to bolster less restrictive forms of DRM. But they would risk losing sales from frustrated fans who might not want to purchase an actual CD to get an individual song on their iPods. In the unlikely event that labels drop DRM altogether, Apple would still be able to affix its own restrictions when selling through iTunes. That's why music sold through iTunes from labels such as Nettwerk Music Group, which does not use DRM, still cannot be easily played on non-Apple media devices. "Our whole motivation in the digital world is to not try to control the consumer experience," says Brent Muhle, Nettwerk's general manager. "So if a consumer is a rabid iTunes user and they want to buy from iTunes we want them to have a media file to buy. If they want to buy directly from us, we are going to give it to them in as open a format as possible." Still, no one tech service remains dominant forever. Remember when Microsoft ruled the world? It still has the most dominant operating system, but it is facing accelerating competition and has been forced by courts to play nicer with rivals. And the lawsuits certainly hurt Microsoft's public profile and emboldened the competition. Apple could suffer a similar fate, eventually relaxing its stance on interoperability. After all, France is suing the company because of its reluctance to open up the iPod to other music services (see BusinessWeek.com, 3/21/06, "Apple vs. France"). That suit, coupled with Tucker's potential class action and others, could make Steve Jobs think harder about making the iTunes Store or the iPod more compatible with competing devices or stores. But, short of a court order, don't expect a change of heart any time soon.

Holahan is a writer for BusinessWeek.com in New York.
From rforno at infowarrior.org Mon Jan 8 21:35:28 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 08 Jan 2007 21:35:28 -0500
Subject: [Infowarrior] - A shifting landscape for e-mail security
Message-ID:

A shifting landscape for e-mail security
By Joris Evers
http://news.com.com/A+shifting+landscape+for+e-mail+security/2100-7350_3-6147760.html
Story last modified Mon Jan 08 15:18:57 PST 2007

Cisco Systems' purchase of e-mail security specialist IronPort Systems is another sign that big-name vendors are taking over the spam fight, analysts say. Upon completion of the $830 million cash and stock deal, networking giant Cisco will join Symantec and Microsoft as a leader in the e-mail security arena. Those other companies entered the market via acquisitions and product development of their own. "As a market matures, this is typically what happens--the major vendors want to have another arrow in their quiver to sell," said Peter Firstbrook, an analyst with Gartner. More acquisitions are likely, with Cisco rival Juniper Networks and tech giant IBM possible suitors for the remaining independent e-mail security companies, he said. E-mail security used to be the terrain of specialized providers, selling to eager buyers who wanted to stop the influx of e-mail threats, particularly spam. Today, such technology has become more of a commodity, and the area has changed from a sellers market to a buyers market catered to by the big guys, analysts said. Industry consolidation has been ongoing, driven by e-mail security becoming a necessity for businesses. Spam and other e-mail pests have kept on rising, despite Microsoft Chairman Bill Gates' promise to squelch the issue. More than 90 percent of e-mail is unsolicited, and 2006 was a record year in spam yet again, according to IronPort statistics.
Acquisitions in the space include Microsoft's takeovers of Sybari Software and FrontBridge Technologies, as well as Symantec's purchase of Brightmail and Secure Computing's buy of CipherTrust. As a result, the independent companies that remain face a tougher market. "It is a brutal battle against intelligent and well-armed enemies," said Peter Christy, an analyst with the Internet Research Group in Los Altos, Calif. "This is a time where antispam companies will start to fall by the wayside. If you're not in the top four, there is a question of how you survive with a decent business if somebody doesn't buy you." Companies such as Proofpoint and Barracuda Networks could be acquisition targets, Christy said. "Anyone in this space who is not public would like to be acquired," he said. The number of companies active in the space has decreased from about 150 in 2003 to about 75 now, said Dean Drako, CEO of Mountain View, Calif.-based Barracuda Networks, a venture-backed maker of antispam appliances. Yet Drako believes the market won't consolidate at the pace that pundits have proclaimed. "I would characterize the merger and acquisition activity in this market as overhyped beyond hope for the last four years," he said. "Will there be some more consolidation in this area? Probably. In the short term, the market is not going to change significantly from the way it is today. In the longer term, over many years, the number of suppliers will be fewer." Drako would not be drawn on the question of whether Barracuda was up for sale or would launch as a public entity. The company, which markets primarily to small and midsized organizations, is well-positioned to remain an independent player, he said. "The customer cares about that the vendor is large enough to survive to provide them what they need. We crossed that threshold a year or so ago," he said. Cisco's entry augurs a tougher battle amongst the big guys. 
Symantec, in particular, faces a challenge, compared with the days when it competed mainly with smaller rivals: The Cupertino, Calif., company used to go head-to-head with David, now it's squaring off with Goliath. "The last thing Symantec had over IronPort was their big brand name," Firstbrook said. On the rise The e-mail security market is growing rapidly. In 2005, it hit $660 million in worldwide revenue and was growing at 44 percent per year, according to Gartner data. Symantec held 12 percent of that pie, and IronPort had 6.6 percent, the analyst firm said. Cisco paid a premium for IronPort, which is known for its high-end e-mail security appliances. The $830 million deal is the second biggest purchase of a privately-held business by Cisco and the fifth-biggest takeover in the network specialist's history. By contrast, Secure Computing paid $273.6 million in July for IronPort rival CipherTrust. An acquisition should be welcome news to customers of IronPort and other such companies that get bought, analysts said. The suitors typically have deeper pockets, which should translate into more stability. "A private company, consuming venture capital, is living in limbo," Christy said. Also, customers will be able to buy multiple products from a single provider, instead of having to deal with several suppliers. "The more vendors you have, the higher the administration cost," Firstbrook said. In Cisco's case, buyers may even be able to get their Cisco discount applied to IronPort products, he said. But not all IronPort customers are happy that the company will be part of Cisco. "There goes the neighborhood," CNET News.com reader Fred Dunn, who works at a large academic institution, wrote in response to the buyout news. "With Cisco's reputation, we can already see the annual maintenance fees going up." Tom Gillis, senior vice president of marketing at IronPort, assured customers that nothing will change as the company operates as a subsidiary of Cisco. 
"It is business as usual--no changes to products, pricing or support," he said.

Copyright © 1995-2007 CNET Networks, Inc. All rights reserved.

From rforno at infowarrior.org Mon Jan 8 23:38:41 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 08 Jan 2007 23:38:41 -0500
Subject: [Infowarrior] - Microsoft involves NSA on Vista security
Message-ID:

For Windows Vista Security, Microsoft Called in Pros
By Alec Klein and Ellen Nakashima
Washington Post Staff Writers
Tuesday, January 9, 2007; D01
http://www.washingtonpost.com/wp-dyn/content/article/2007/01/08/AR2007010801352_pf.html

When Microsoft introduces its long-awaited Windows Vista operating system this month, it will have an unlikely partner to thank for making its flagship product safe and secure for millions of computer users across the world: the National Security Agency. For the first time, the giant software maker is acknowledging the help of the secretive agency, better known for eavesdropping on foreign officials and, more recently, U.S. citizens as part of the Bush administration's effort to combat terrorism. The agency said it has helped in the development of the security of Microsoft's new operating system -- the brains of a computer -- to protect it from worms, Trojan horses and other insidious computer attackers. "Our intention is to help everyone with security," Tony W. Sager, the NSA's chief of vulnerability analysis and operations group, said yesterday. The NSA's impact may be felt widely. Windows commands more than 90 percent of the worldwide market share in desktop operating systems, and Vista, which is set to be released to consumers Jan. 30, is expected to be used by more than 600 million computer users by 2010, according to Al Gillen, an analyst at market research firm International Data.
Microsoft has not promoted the NSA's contributions, mentioning on its Web site the agency's role only at the end of its "Windows Vista Security Guide," which states that the "guide is not intended for home users" but for information and security specialists. The Redmond, Wash., software maker declined to be specific about the contributions the NSA made to secure the Windows operating system. The NSA also declined to be specific but said it used two groups -- a "red team" and a "blue team" -- to test Vista's security. The red team, for instance, posed as "the determined, technically competent adversary" to disrupt, corrupt or steal information. "They pretend to be bad guys," Sager said. The blue team helped Defense Department system administrators with Vista's configuration. Microsoft said this is not the first time it has sought help from the NSA. For about four years, Microsoft has tapped the spy agency for security expertise in reviewing its operating systems, including the Windows XP consumer version and the Windows Server 2003 for corporate customers. With hundreds of thousands of Defense Department employees using Microsoft's software, the NSA realizes that it's in its own interest to make the product as secure as possible. "It's partly a recognition that this is a commercial world," Sager said. "Our customers have spoken." Microsoft also has sought the security expertise of other U.S. government and international entities, including NATO. "I cannot mention any of the other international agencies," said Donald R. Armstrong, senior program manager of Microsoft's government security program, citing the wishes of those agencies to remain anonymous. Microsoft's concerns extend beyond the welfare of its software when it seeks the security expertise of government agencies.
"When you get into an environment where a Microsoft product is used in a battlefield situation or a government situation where if a system is compromised, identities could be found out," and it could be a matter of life and death, Armstrong said. Other software makers have turned to government agencies for security advice, including Apple, which makes the Mac OS X operating system. "We work with a number of U.S. government agencies on Mac OS X security and collaborated with the NSA on the Mac OS X security configuration guide," said Apple spokesman Anuj Nayar in an e-mail. Novell, which sells a Linux-based operating system, also works with government agencies on software security issues, spokesman Bruce Lowry said in an e-mail, "but we're not in a position to go into specifics of the who, what, when types of questions." The NSA declined to comment on its security work with other software firms, but Sager said Microsoft is the only one "with this kind of relationship at this point where there's an acknowledgment publicly." The NSA, which provided its service free, said it was Microsoft's idea to acknowledge the spy agency's role. The NSA's primary mission is signals intelligence -- monitoring the communications of foreign powers, terrorists and others. But its secondary objective is "information assurance," under which the security of Microsoft's operating system falls. Industry observers suggest that both the NSA and Microsoft have good reason to disclose their relationship. For Microsoft, the NSA's imprimatur may be viewed as a vote of confidence in the operating system's security. "I kind of call it a Good Housekeeping seal" of approval, said Michael Cherry, a former Windows program manager who now analyzes the product for Directions on Microsoft, a firm that tracks the software maker.
Cherry says the NSA's involvement can help counter the perception that Windows is not entirely secure and help create a perception that Microsoft has solved the security problems that have plagued it in the past. "Microsoft also wants to make the case that [the new Windows is] more secure than its earlier versions," he said. Armstrong, the Microsoft manager, said: "The entire crux of Vista was security. . . . Security is at the forefront of our thoughts and our methods in developments and is critically important to our customers."

From rforno at infowarrior.org Tue Jan 9 10:07:11 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 09 Jan 2007 10:07:11 -0500
Subject: [Infowarrior] - NASA Finally Goes Metric
Message-ID:

NASA Finally Goes Metric
By SPACE.com Staff
http://space.com/news/070108_moon_metric.html
posted: 08 January 2007 04:00 pm ET

When NASA returns astronauts to the Moon, the mission will be measured in kilometers, not miles. The agency has decided to use metric units for all operations on the lunar surface, according to a statement released today. The change will standardize parts and tools. It means Russian wrenches could be used to fix an air leak in a U.S.-built habitat. It will also make communications easier, such as when determining how far to send a rover for a science project. NASA has ostensibly used the metric system since about 1990, the statement said, but English units are still employed on some missions, and a few projects use both. NASA uses both English and metric aboard the International Space Station. The dual strategy led to the loss of the Mars Climate Orbiter robotic probe in 1999; a contractor provided thruster firing data in English units while NASA was calculating in metric. The decision comes after a series of meetings between NASA and 13 other space agencies around the world, where metric measurements rule.
"When we made the announcement at the meeting, the reps for the other space agencies all gave a little cheer," said Jeff Volosin, strategy development lead for NASA's Exploration Systems Mission Directorate. "I think NASA has been seen as maybe a bit stubborn by other space agencies in the past, so this was important as a gesture of our willingness to be cooperative when it comes to the Moon." Informally, the space agencies have also discussed using Internet protocols for lunar communications, the statement said. "That way, if some smaller space agency or some private company wants to get involved in something we're doing on the Moon, they can say, 'Hey, we already know how to do internet communications,'" Volosin said. "It lowers the barrier to entry."

From rforno at infowarrior.org Tue Jan 9 10:33:05 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 09 Jan 2007 10:33:05 -0500
Subject: [Infowarrior] - Are You a Citizen? Prove It
Message-ID:

Are You a Citizen? Prove It
National
By Kavan Peterson

When Colorado state Sen. Andy McElhany (R) championed adoption of the strictest identification requirements in the country, his aim was to keep illegal immigrants off state welfare rolls. He didn't anticipate making it harder for his 15-year-old daughter to get a learner's permit.
http://www.infozine.com/news/stories/op/storiesView/sid/20090/
Stateline.org - infoZine -

But that's what happened when his wife and daughter showed up at the Division of Motor Vehicles office in Colorado Springs in September. They brought the teen's passport, only to discover DMV had changed the rules and a passport was no longer a sufficient form of identification. "There's no reason to believe a 15-year-old girl is going to be running around with a fake passport just to get a driver's permit," a chagrined McElhany said.
Going to the DMV never has been a walk in the park, but it's likely to get even more difficult as states across the country begin to comply with stringent federal identification rules required by the 2005 Real ID Act. Americans by the tens of millions will have to dig out documents such as Social Security cards and birth certificates, or go to the expense of getting new ones, to renew their driver's licenses. Fears of terrorism and the uproar over illegal immigration are behind the new rules. The Real ID Act is a response to the fact that four of the 19 foreign hijackers on Sept. 11 had obtained valid U.S. driver's licenses. Worries about voter fraud and the chance that illegal immigrants are taking advantage of taxpayer-funded public services also have prompted a surge in stiffer identification requirements - from voting booths to Medicaid applications. To weed out the few, all Americans increasingly need a paper trail to qualify for some of the perks of citizenship. Colorado ran into legal trouble within months of enacting the nation's toughest ID standards. New rules requiring proof of both identity and legal U.S. residency left some unable to get a driver's license or state ID card. Without ID, they also were left without access to everything from welfare to winter heating assistance to fishing licenses. A state judge in December temporarily froze the new rules, moving the ID dispute into the courts. Colorado's new law denying benefits to those without proper ID - a bipartisan measure heavily pushed by outgoing Gov. Bill Owens (R) -- is the most far-reaching of a record 78 immigration-related laws enacted in 33 states in 2006. They ranged from crackdowns on employers and human traffickers to restrictions on social services and in-state college tuition. About 100,000 of Colorado's 4.3 million residents get state aid.
Some 3,000 immigrants were flagged as possible illegal aliens in the first three months under the state's new ID requirements, and DMV offices detected 150 fake birth certificates, Colorado Revenue Director M. Michael Cooke told Stateline.org. Only 200 people sought temporary waivers from the requirement on grounds of illness or disability or because they lacked the required documents, Cooke said. That shows the new identification requirements "haven't been overly burdensome," she said. But advocates for the poor said caseworkers are overwhelmed with families needing social services that need help tracking down certified birth certificates. The Denver Department of Human Services, which helps poor people order and pay for duplicates of their birth certificates, had about twice as many folks seeking help a month after the law took effect and expects a doubling again by 2007, according to spokeswoman Sue Cobb. Three people turned away at Colorado's DMV filed a class-action lawsuit and won a temporary suspension of the ID rules in December. The judge found the document requirements for a driver's license imposed a hardship and may have been adopted without proper public comment. The DMV, enforcing a new state law, required applicants to provide two from a list of 19 acceptable documents. One of the plaintiffs, 70-year-old Leon Hill, became homeless after he was robbed of his identification and money shortly after moving to Denver in 2006. He was denied a new ID when he could produce only his original California birth certificate and a photocopy of his driving record. Diana Galliano, 42, was denied a driver's license when she presented her valid New York driver's license and U.S. passport. Michael Sullivan, 49, had a birth certificate and photocopies of his stolen New Mexico driver's license and stolen Social Security card.
"In Colorado they've made it so hard to get an ID, it's truly a Catch-22 where citizens can't get an identity card unless they've already got one," said Denver attorney Tim MacDonald, whose law firm is working pro bono on the case with the Colorado Coalition for the Homeless. Despite his daughter's run-in at the DMV, McElhany, the state senator, said he still strongly supports new statutes to crack down on illegal aliens. A national uproar over illegal immigration came to a head last year in Colorado, a non-border state whose immigrant population has nearly quadrupled since 1990 to about 370,000, with half of those undocumented, according to an estimate by the nonprofit Pew Hispanic Center. Fed up with the federal government's inability to stop illegal border crossings, the Democratic-controlled Legislature passed 12 immigration bills in a heated special session in July. Still, even lawmakers who voted for the new ID bill said they will consider tweaking it when the Legislature goes back into session in January. "We need to sit down and make sure that we're not blocking services to those entitled to them and that we're protecting our freedom to live under an efficient and effective government," Colorado state Rep. Bernie Buescher (D) told Stateline.org. Most of the 245 million driver's license holders in the United States aren't aware yet that the Real ID Act's document dragnet for terrorists, illegal aliens and imposters is about to entangle them, too. But state officials are aware and are set to bang on the doors of the new Congress demanding more time and money to comply. States are throwing up their hands at the requirement that each driver come in person to motor vehicle offices to renew driver's licenses starting in May 2008. Everyone will have to bring a set of documents proving his identity and residency, although the exact documents haven't been spelled out yet. The papers will have to be verified by government databases that do not yet exist.
States also have to create new IDs with anti-counterfeiting security features. By curbing renewals by mail and online, Real ID will force DMVs to handle 686 million customer transactions face-to-face over five years, instead of the 295 million they would handle anyway, a study by the National Governors Association, the National Conference of State Legislatures and the American Association of Motor Vehicle Administrators concluded. DMV staffs would have to be doubled at a cost of more than $11 billion to take on the extra duties, state officials estimate. "When lines at the DMV are snaking around the block and the cost of a driver's license has doubled or tripled, the politicians holding the bag won't stay in office very long," predicts Lee Tien, an attorney for the Electronic Frontier Foundation, a San Francisco consumer advocacy group that opposes national ID standards. It worries that large government databases of personal information are a threat to privacy and could expose consumers to identity theft and fraud. Exercising the basic right of citizenship - the right to vote -- also is becoming more of a hassle. South Carolina Gov. Mark Sanford (R) initially was turned away from a polling place on Election Day 2006 when he could not produce his voter registration card and his driver's license showed his old Columbia address instead of the governor's mansion. An election official stood her ground while television crews recorded the scene. Sanford voted later with a newly issued replacement card. South Carolina is one of 26 states that now require voters to present some form of identification when they show up at the polls. Georgia and Missouri passed laws last year to require government-issued photo IDs at the polls, but courts struck them down. The Missouri Supreme Court ruled that the state's new voter ID requirements "impermissibly infringe on core voting rights guaranteed by the Missouri Constitution."
Georgia's law, which required residents without a state photo ID to purchase a $20 digital identification card to vote, was struck down in federal court. The judge likened the law to an illegal Jim Crow-era poll tax. Indiana's voter ID law, considered to be the toughest, so far has survived a legal challenge. The 7th U.S. Circuit Court of Appeals on a 2-1 vote upheld the law Jan. 4. It requires a government-issued photo ID with the voter's address and signature. Those without proper identification can cast provisional ballots that are counted only if the voter provides proof of identity within 48 hours. In Arizona, stringent ID requirements approved at the ballot box in 2004 were initially struck down by a federal court. But they were reinstated by the U.S. Supreme Court one week before the 2006 election. Arizona voters needed either a government-issued photo ID or two documents showing name and address, such as a utility bill or tax return. The federal government also is starting to require proof of citizenship for benefits. For the first time, all 46 million poor, elderly and disabled people in state-run Medicaid health insurance programs must produce documents proving they were born in the United States or are here legally. Four states - Georgia, Montana, New Hampshire and New York - already required Medicaid applicants to prove their citizenship. The ID rules, which went into effect last July, are targeted at illegal immigrants, who aren't eligible for Medicaid. The Congressional Budget Office estimated the change will save at least $735 million in taxpayer dollars over the next decade. But the new law creates problems for Americans without birth certificates or those who can't find them easily. Even parents with a child's birth certificate in hand - including for babies born in U.S. hospitals, making them automatic citizens - must provide separate documentation proving legal state residency, such as school or health records. 
Advocates and state Medicaid administrators worry the nuisance and cost of securing the right documents could discourage parents from getting their child vaccinated or treated. The elderly and mentally ill in nursing homes or state institutions are especially liable to slip through the cracks, advocates warn. It's common for senior citizens to let driver's licenses lapse or for Alzheimer's patients to lose track of personal identification, noted Elizabeth Priaulx of the National Disability Rights Network. The preceding article is the fourth to be excerpted from State of the States 2007, Stateline.org's annual report on significant state policy developments and trends. (The online article was updated to include a Jan. 4 court ruling on Indiana's voter ID law.) The 48-page State of the States publication is now available; the limited supply of print copies is already exhausted, but an electronic version can be ordered. Send your comments on this story to letters at stateline.org. Selected reader feedback will be posted in the Letters to the editor section. Source: Contact Kavan Peterson at kpeterson at stateline.org - © 2006 stateline.org From rforno at infowarrior.org Tue Jan 9 13:27:39 2007 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 09 Jan 2007 13:27:39 -0500 Subject: [Infowarrior] - Hack Will Help Kill HD DVD Copy Protection Message-ID: Hack Will Help Kill HD DVD Copy Protection http://news.yahoo.com/s/pcworld/20070109/tc_pcworld/128469&printer=1 Robert McMillan, IDG News Service, Tue Jan 9, 10:00 AM ET The recent release of software that can be used to decode encrypted HD DVD and Blu-ray movies is the first step toward making the encryption standard used by these next-generation video players obsolete, Princeton University researchers said Monday. 
Late last month, a hacker going by the name Muslix64 released software that could be used to decrypt movies that were encoded using the AACS (Advanced Access Content System) digital rights management specification. AACS is supported by Hollywood and video player manufacturers. Introduced in April 2005, AACS is the copy protection system for HD DVD and Blu-ray movies. It is supported by companies such as Microsoft, Panasonic, Sony, Toshiba, Walt Disney and Warner Bros. Arms Race Muslix64's BackupHDDVD software did not crack AACS, but it will make it easier for some technically adept users to decrypt movies, said Alex Halderman, a Princeton computer science student who, along with noted researcher Ed Felten, is calling the software "the first step in the meltdown of AACS." AACS devices use cryptographic techniques to read numeric codes, called 'keys,' from video discs. These keys are then used to unlock the digital content, making it readable on the player. Muslix64's software does not give users a way to discover these keys, but it does provide a way to descramble content once the key is uncovered. "This is the framework through which the arms race is going to be fought," Halderman said. "They don't have the ammunition yet, but this is the gun." All You Need Is The Key AACS is supposed to work better than the CSS (content scrambling system) encryption system used to protect DVDs from unauthorized copying. CSS was cracked just a few years after its release by three hackers, including a 16-year-old Norwegian named Jon Johansen. Unlike CSS, however, the AACS system gives movie companies a way of "revoking keys"--changing new movies so that these keys cannot be read on video players that have been cracked. This system gives Hollywood a way of protecting new releases, but it only works if hackers publicize their work and disclose which player has been cracked. 
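The key hierarchy and revocation scheme the article describes, as an added illustration that is not the article's, Muslix64's, Princeton's or the AACS specification's own code: a toy model in which each player holds a device key, every disc carries a media key block that wraps a per-disc media key for each non-revoked device, the title key is wrapped under the media key, and the content is scrambled under the title key. The cipher (a SHA-256 keystream XOR standing in for AES), the three player names and the function names are this example's assumptions, not anything on the page. It plays out the three points the article makes: a licensed player walks the chain down to the content; a leaked title key decrypts the disc with no device key at all, which is the step BackupHDDVD automates; and revoking a cracked player only locks it out of discs authored after the revocation, never discs whose title keys are already out.

```python
"""Toy AACS-style key hierarchy with device revocation.

Constructed illustration only: a SHA-256 keystream XOR stands in for AES,
the media key block is a plain per-device dictionary, and the player names,
make_disc, device_decrypt and decrypt_with_title_key are this example's own.
"""
import hashlib
import hmac
import os


def keystream_xor(key: bytes, label: bytes, data: bytes) -> bytes:
    """Toy cipher: XOR data with a SHA-256 counter keystream bound to key and label.
    The same call encrypts and decrypts. Reusing one (key, label) pair for two
    different plaintexts would be a two-time pad; a real design uses AES."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + label + offset.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


# Constructed per-player secrets; a real player holds a unique, licensed device key.
DEVICE_KEYS = {
    name: hashlib.sha256(b"device-key:" + name.encode()).digest()
    for name in ("playerA", "playerB", "playerC")
}


def make_disc(title: bytes, plaintext: bytes, revoked=frozenset()):
    """Author a disc: fresh media key and title key; the media key is wrapped once
    per licensed device, and a revoked device simply gets no entry."""
    media_key = os.urandom(32)
    title_key = os.urandom(32)
    disc = {
        "title": title,
        # media key block: device name -> media key wrapped under that device's key
        "mkb": {dev: keystream_xor(dk, b"mkb", media_key)
                for dev, dk in DEVICE_KEYS.items() if dev not in revoked},
        "enc_title_key": keystream_xor(media_key, b"tk", title_key),
        "content": keystream_xor(title_key, b"content", plaintext),
        # MAC under the title key so a wrong key is detected instead of yielding garbage
        "tag": hmac.new(title_key, plaintext, "sha256").digest(),
    }
    return disc, title_key


def decrypt_with_title_key(disc, title_key: bytes):
    """The BackupHDDVD-style step: given a title key from any source, unscramble the
    content with no device key involved. Returns None if the key is wrong."""
    plaintext = keystream_xor(title_key, b"content", disc["content"])
    expected = hmac.new(title_key, plaintext, "sha256").digest()
    if not hmac.compare_digest(expected, disc["tag"]):
        return None
    return plaintext


def device_decrypt(disc, device: str):
    """What a licensed player does: device key -> media key -> title key -> content.
    Returns None if the device has no entry in this disc's media key block."""
    if device not in disc["mkb"]:
        return None
    media_key = keystream_xor(DEVICE_KEYS[device], b"mkb", disc["mkb"][device])
    title_key = keystream_xor(media_key, b"tk", disc["enc_title_key"])
    return decrypt_with_title_key(disc, title_key)


def scenario():
    """Play out the arms race the article describes and report each step's outcome."""
    movie = b"constructed sample content standing in for a scrambled feature film"
    old_disc, _ = make_disc(b"Old Title", movie)

    # 1. playerA is cracked: its extracted device key yields this disc's title key.
    cracked_media_key = keystream_xor(DEVICE_KEYS["playerA"], b"mkb", old_disc["mkb"]["playerA"])
    leaked_title_key = keystream_xor(cracked_media_key, b"tk", old_disc["enc_title_key"])

    # 2. The studio revokes playerA on every disc authored from now on.
    new_disc, _ = make_disc(b"New Title", movie, revoked=frozenset({"playerA"}))

    return {
        "old_disc_plays_on_playerA": device_decrypt(old_disc, "playerA") == movie,
        "leaked_title_key_decrypts_old_disc": decrypt_with_title_key(old_disc, leaked_title_key) == movie,
        "new_disc_refuses_playerA": device_decrypt(new_disc, "playerA") is None,
        "new_disc_plays_on_playerB": device_decrypt(new_disc, "playerB") == movie,
        "wrong_key_rejected": decrypt_with_title_key(old_disc, bytes(32)) is None,
    }


if __name__ == "__main__":
    for step, outcome in scenario().items():
        print(f"{step}: {outcome}")
```

The design choice worth noticing is where revocation acts: it changes only what future discs wrap in their media key blocks, so a title key that has already been extracted from an existing disc keeps working on that disc forever, and a cracked player that keeps its crack private is never revoked at all.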
And even with key revocation, nothing can be done to prevent disks whose keys have already been published from being unlocked, Halderman said. "What the future looks like to us is that some individuals will have cracks that they don't publish and which Hollywood is unable to revoke," he said. "Other people will have cracks that they do publish, and which will work for all old disks." Trouble For Hollywood? This scenario may not be so bad for the movie studios, so long as they are able to prevent widespread illegal distribution of their products and keep movies from being widely available while they are still being shown in theatres, said Mike McGuire, an analyst with Gartner Inc. "If they can preserve the existing [theatrical] release windows, then they're probably going to feel reasonably comfortable," he said. Still, Halderman believes it's only a matter of time before the keys that can be used with BackupHDDVD become public and Hollywood will be faced with unauthorized copying of AACS-protected material. "There's just no doubt that title keys are going to become available at some point in the near future," he said. From rforno at infowarrior.org Tue Jan 9 19:45:47 2007 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 09 Jan 2007 19:45:47 -0500 Subject: [Infowarrior] - TSA approves two more firms for Registered Traveler Message-ID: TSA approves two more firms for Registered Traveler By Alice Lipowicz, Contributing Writer http://mobile.gcn.com/articles/vol1_no1/42849-1.html 01/02/07 Two more companies have been approved by the Transportation Security Administration as providers of the Registered Traveler program designed to speed enrolled travelers through airports nationwide. The agency announced on its Web site that Unisys Corp., Blue Bell, Pa., and Verant Identification Systems Inc. of Rochester, N.Y., were certified by the agency in December as having met the minimum requirements for offering registered traveler services to sponsoring entities. 
A month before, a subsidiary of Verified Identity Pass Inc. of New York became the first company approved. Registered Traveler is a program sponsored by the Homeland Security Department in which frequent travelers voluntarily enroll in advance their biometric and personal information in exchange for expedited passage through airport security. The travelers pay a fee to participate. Until now, Registered Traveler has been operated as a demonstration project at a handful of airports. In the upcoming nationwide rollout, the program will be sponsored by airports and operated by service providers approved by the TSA. To date Unisys, Verant and Verified Identity Pass are the only authorized providers, though more may be approved. Unisys officials said in recent interviews with media outlets that they expect to begin operating a Registered Traveler program at Reno/Tahoe International Airport. Unisys operated pilot programs at the Minneapolis, Los Angeles and Houston airports. Verified has been operating a pilot program at Orlando International Airport in Florida since June 2005. Verified said in a recent news release it expects to begin initiating Registered Traveler services this month at John F. Kennedy International Airport in New York as well as at airports in San Jose, Calif., Indianapolis and Cincinnati, and expanding to as many as 20 airports within a year. Lockheed Martin Corp., which was systems integrator for enrollments and biometric capture for Verified at the Orlando program, will continue as a subcontractor to Verified Identity Pass for account management, network management and operations. General Electric Co., which earlier this year became a partner in Verified Identity Pass, will handle enrollment. 
In related news, the American Association of Airport Executives, which operates a clearinghouse that has been designated by the TSA as the central information management system for Registered Traveler, said it has signed agreements with Unisys, Verant, Verified Identity Pass and Vigilant Solutions Inc. of Jacksonville Beach, Fla. to utilize the clearinghouse for Registered Traveler. Vigilant operates a Registered Traveler program at the Jacksonville airport and expects to receive TSA approval shortly for participating in the national rollout, Chuck Crossman, senior vice president of Vigilant, said in an interview today. Also participating in Registered Traveler pilot projects was EDS Corp. of Plano, Texas, which operated pilot programs at Boston and Washington airports. Alice Lipowicz is a staff writer for Government Computer News' affiliate publication, Washington Technology. From rforno at infowarrior.org Tue Jan 9 23:18:34 2007 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 09 Jan 2007 23:18:34 -0500 Subject: [Infowarrior] - Congress to Take Up Net's Future Message-ID: January 10, 2007 Congress to Take Up Net's Future By STEPHEN LABATON http://www.nytimes.com/2007/01/10/washington/10net.html?pagewanted=print WASHINGTON, Jan. 9 -- Senior lawmakers, emboldened by the recent restrictions on AT&T and the change in control of Congress, have begun drafting legislation that would prevent high-speed Internet companies from charging content providers for priority access. The first significant so-called net neutrality legislation of the new Congressional session was introduced Tuesday by Senator Byron L. Dorgan, Democrat of South Dakota, and Senator Olympia J. Snowe of Maine, one of the few Republicans in Congress to support such a measure. "The success of the Internet has been its openness and the ability of anyone anywhere in this country to go on the Internet and reach the world," Mr. Dorgan said. 
"If the big interests who control the pipes become gatekeepers who erect tolls, it will have a significant impact on the Internet as we know it." In the House, Representative Edward J. Markey, the Massachusetts Democrat who heads the Energy and Commerce Subcommittee on Telecommunications and the Internet, said recently that he would introduce legislation soon and planned to hold hearings. Despite the flurry of activity, the proposals face significant political impediments and no one expects that they will be adopted quickly. But the fight promises to be a bonanza for lobbyists and a fund-raising tool for lawmakers. It pits Internet giants like Google, Yahoo, eBay and Amazon, which support the legislation, against telecommunication titans like Verizon, AT&T and large cable companies like Comcast. The debate may also affect the plans of the companies to develop new services and to consider certain mergers or acquisitions. Consumer groups have allied themselves with content providers. The groups maintain that without the legislation, some content providers would be discouraged from offering services while others would impose costs on providers that would either discourage them from offering new services or pass them on to consumers. They also feel that small companies would be unable to compete. But the telephone and cable companies say that efforts to limit their ability to charge for faster service would discourage the pipeline companies from making billions of dollars in investments to upgrade their networks, and would, as a practical matter, be even more harmful to consumers. Beyond the debate, the fight over net neutrality is, like most regulatory political battles, a fight over money and competing business models. Companies like Google, Yahoo and many content providers do not want to pay for the kinds of faster Internet service that will enable consumers to more quickly download videos and play games. 
In their thirst to continue to grow rapidly, content providers are looking to expand, but they consider any attempt by the telephone and cable companies to charge them for priority services as restricting their ability to move into new areas. On the other hand, the telephone and cable companies -- the so-called Internet pipes -- want to be able to charge for access, particularly as they begin competing with content providers by offering their video services and programming. The phone companies have also been studying a business model not unlike that of the cable TV industry: charging premiums to certain content providers for greater access to their pipes. They say that existing rules, as well as sound business judgment, would preclude them from trying to degrade or slow their broadband service and that what they oppose is regulation that would prevent them from charging for offering a faster service. They also point out that many content providers are already charging customers for priority services, so that what they are proposing is not unduly restrictive. While the debate has broken largely along partisan lines -- with Democrats among the staunchest supporters and Republicans the biggest foes -- there remains considerable Democratic opposition. Last June, a vote on an amendment by Mr. Markey similar to what he plans to introduce failed by 269 to 152, with 58 Democrats voting against the measure. Many of those Democrats have been allied with unions, which have sided with the phone companies because they believe that the lack of restrictions will encourage the companies to invest and expand their networks. In the Senate, where the party in the minority has considerably more power than in the House, the measure suffers from similar political problems. Last year the Republicans blocked the measure from reaching the Senate floor. But several developments have given some momentum to the supporters of the measures. 
The House is now under the control of the Democrats, and the new speaker, Nancy Pelosi of California, has been a vigorous supporter of the legislation. Ms. Pelosi's district in San Francisco is near Silicon Valley, the home of many companies that have sought the legislation. Moreover, the conditions that the Federal Communications Commission imposed on AT&T as a condition of its acquisition of SBC Communications represented an important political victory for proponents of the legislation. After one of the five members of the commission removed himself from the proceeding, the commission's two Democrats forced the companies to agree to a two-year moratorium on offering any service that "privileges, degrades or prioritizes any packet" transmitted over its broadband service. The conditions imposed no significant immediate costs on AT&T. The company does not yet have the equipment in place on its network to offer a priority service on a large scale. But the conditions imposed by the F.C.C. showed that, contrary to assertions of the phone companies, it was possible to draft language that would preclude the companies from discriminating against providers. The conditions also set a political benchmark of sorts, and gave the supporters of the legislation two years to try to gain more momentum just as all of the companies are trying to figure out their next major sources of revenue. From rforno at infowarrior.org Wed Jan 10 09:04:50 2007 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 10 Jan 2007 09:04:50 -0500 Subject: [Infowarrior] - Survey Finds Drug Ads Drive Prescribing Message-ID: http://www.prwatch.org/node/5617 Survey Finds Drug Ads Drive Prescribing A survey of 39,090 patients and 335 primary-care physicians reveals the power of direct-to-consumer advertising of drugs. 
"Seventy-eight percent of doctors said patients asked them at least occasionally to prescribe drugs they had seen advertised on television, and 67 percent said they sometimes did so," Consumer Reports reveals. While a majority of patients rated their doctors highly, approximately one-third "failed to discuss side effects of prescribed drugs, and two-thirds never brought up costs of treatments and tests." Of the doctors surveyed, 40% considered direct-to-consumer ads by the drug industry were a disservice to the public. The report authors urge consumers to "ignore drug ads." Website: Consumer Reports, February 2006 URL: http://www.consumerreports.org/cro/current-issue/consumer-reports/1006_toc_o v1.htm From rforno at infowarrior.org Wed Jan 10 16:09:21 2007 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 10 Jan 2007 16:09:21 -0500 Subject: [Infowarrior] - Privacy Concern: Beware Spoke.Com Message-ID: (while perhaps not identical to Spoke.Com, this is why I refuse to participate in things like Plaxo, LinkedIn, and related contact-management sites.......rf) http://phil.yanov.com/2007/01/spokecom-is-evil.htm Spoke.com says it is growing rapidly. Their press release claims: Since introducing its free service in August 2006, Spoke Software has added more than three million new contacts to its database and has enabled more than 6,000 sales and marketing professionals to improve sales productivity with higher quality, more targeted leads. With no requirement to track points, make trades or give away the direct contact information of colleagues, users are flocking to Spoke's online business contact information database which now provides access to more than 35 million people and 900,000 companies -- more than any other online business database. This means that over 6000 sales people now have access to 35 million other people using spoke.com. If you are in the business of selling stuff that sounds like a good thing. 
The problem is that as one of those 6000 people you have entered into a real Faustian bargain. How the devil will get your soul... Spoke says that it launched its free service in August and that they have added 3 million new names since August. How did they do that? It was easy! To get access to Spoke's "free" service, you must install the Spoke toolbar. The Spoke toolbar then copies all of the information from your address book into the Spoke database. It's at this point you should be able to smell the burning sulfur. If, for example, I pressed the button for Spoke's free service, the Spoke toolbar would install and then copy the roughly 2100 names, phone numbers, and email addresses out of my Outlook Contact database and then add them to Spoke's database. Spoke would then be able to sell those names, titles, companies, addresses, and email addresses to direct marketing organizations. Participating in this scheme is a sure path to hell. Consider the horrors: * You will be submitting the unlisted phone numbers of family, friends, and confidants that may appear in your address book. * You may be submitting passwords, PIN numbers, and other private, privileged information stored in your address book because you think no one has access to it. * If you are in sales, you've just given away the contact information (and trust) you have worked to develop with your best clients. Now every S&M (sales and marketing) person in the Spoke universe will be bombarding your best clients with calls and potentially competitive offerings. Instead of joining Spoke, you should be asking congress to outlaw it. 
From rforno at infowarrior.org Wed Jan 10 22:19:53 2007 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 10 Jan 2007 22:19:53 -0500 Subject: [Infowarrior] - Government agency tells schools to shun Vista Message-ID: Government agency tells schools to shun Vista Richard Thurston ZDNet UK Published: 10 Jan 2007 16:58 GMT http://news.zdnet.co.uk/software/0,1000000121,39285414,00.htm In a surprise criticism of Microsoft, the government's schools computer agency has warned that deploying Vista carries too much risk and that its benefits are unclear. Becta, the British Educational Communications and Technology Agency, said on Wednesday that it "strongly recommends" schools do not deploy Microsoft's next operating system within the next 12 months. And in a further dig at Microsoft, Becta argues there are no "must-have" features in Vista and that "technical, financial and organisational challenges associated with early deployment currently make this [Vista] a high-risk strategy." Tom McMullan, a technical consultant at Becta, told ZDNet UK: "There is not a case for schools to deploy it unless it is mission-critical stable." Speaking at the BETT education trade show, he added: "There are lots of incremental improvements, but there are no must-haves that justify early deployment." Becta was similarly dismissive of Office 2007, which is being launched alongside Vista. Although it acknowledged that there are many new features in Office 2007, the agency said most of these were only useful in the private sector. Unsurprisingly, Microsoft tried to wave aside such caution. Steve Beswick, its director of education for the UK, told ZDNet UK: "Customers should evaluate Vista and test it and decide 'Is this good for learning?' Rollout shouldn't be stopped if it aids learning." Becta this month renewed its Memorandum of Understanding with Microsoft for another year. It gives schools discounts of between 20 percent and 37 percent on the vendor's software products. 
The agency has recently been attacked by MPs for its policy on open source. From rforno at infowarrior.org Wed Jan 10 22:19:59 2007 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 10 Jan 2007 22:19:59 -0500 Subject: [Infowarrior] - Rural Montana librarian a threat to national security In-Reply-To: <20070110230111.GA9033@gsp.org> Message-ID: C/o RSK..... ----- Forwarded Message Libraries are dangerous places http://janellen.blogspot.com/2007/01/libraries-are-dangerous-places.html Excerpt: I learned today that she had recently submitted a request for a patron, ordering books from the large library in Billings. Being a tiny library, this is routine; she does this every week-- for folks who want to read items that aren't available, or maybe for kids who need something for a school report. She submits the order, the books come back, everyone is happy. Not this time. This time, she received these books; but they came with a letter informing her that because she had ordered them, she had been placed on a "Watch List." Pursuant to recent policy, with due respect for concerns with the requirements of the Patriot Act, she will have to appear in person in Billings before she will be permitted to order any more books. My suggestion is that every librarian in every library in the United States request a copy of these books (even if they already have one). 
From rforno at infowarrior.org Wed Jan 10 22:20:03 2007 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 10 Jan 2007 22:20:03 -0500 Subject: [Infowarrior] - Senators pledge scrutiny of federal data mining Message-ID: Senators pledge scrutiny of federal data mining By Anne Broache http://news.com.com/Senators+pledge+scrutiny+of+federal+data+mining/2100-1028_3-6149118.html Story last modified Wed Jan 10 13:38:03 PST 2007 WASHINGTON--Senate Democrats said on Wednesday they will monitor the possible privacy threats lurking in data-mining programs created by the Bush administration, but avoided criticizing the president directly. By devoting the first Senate Judiciary Committee hearing of the new year to the topic, incoming Chairman Patrick Leahy said he wanted to put the Bush administration on notice: Congress will no longer stand idle while the executive branch continues an "unchecked explosion" in computerized sifting of huge volumes of sensitive personal information, he said. But Leahy and his colleagues said they were interested in collecting information on data mining, not banning the practice. "Congress is overdue in taking stock of the proliferation of these databases that increasingly are collecting more information about each and every American," the veteran senator from Vermont said. Leahy added that he plans a series of hearings on privacy-related issues during the upcoming congressional session. According to a 2004 government report (PDF), at least 52 federal agencies are operating or devising at least 199 different data-mining programs. Citing those figures, Leahy said he believed such activities--frequently justified in the name of combating terrorism--may have value but "often lack adequate safeguards to protect privacy and civil liberties." Congressional skepticism of government data-mining projects by Democrats and Republicans alike is nothing new. 
In January 2003, the Senate voted unanimously to restrict a Pentagon data-mining program known as Total Information Awareness--which proposed linking databases from sources such as credit card companies, medical insurers and motor vehicle agencies in an effort to snag terrorists--because of privacy concerns. In an attempt to step up oversight, Russ Feingold (D-Wis.), along with Leahy, Daniel Akaka (D-Hawaii) and John Sununu (R-N.H.), plan to jointly reintroduce on Wednesday a legislative proposal called the Federal Agency Data Mining Reporting Act. Feingold proposed nearly identical versions in both 2003 and 2005, but they died without a floor vote. The bill would require the heads of all federal agencies engaged in data mining to submit a report on numerous aspects of the operation. These would include its goals, the data sources and technology used, an assessment of its expected effectiveness and an explanation of its potential privacy impact on individuals. That report is supposed to be updated "not less frequently than annually" and made public, according to the bill. However, the agencies have the option of submitting a classified "annex" that may be available only to certain congressional committees. At Wednesday's hearing, Feingold said he hoped "these reports will help Congress--and to the degree appropriate, the public--finally understand what is going on behind the closed doors of the executive branch." In the papers Leahy said his renewed push for oversight has been fueled in part by press reports, which have shed light on a number of recent examples of troubling data-mining regimes. Perhaps most recently, the Washington Post reported that through a system known as OneDOJ, the Department of Justice has amassed more than a million case records, including incident reports and interrogation summary reports involving people who have not been formally charged or convicted. 
Before that, the Department of Homeland Security published a notice indicating it has been using data mining to compile "risk assessments" on travelers to the United States, as part of a cargo-screening program known as the Automated Targeting System. A department official has said publicly that the effort has been mischaracterized and is not invasive to privacy. On Wednesday, Leahy asked a panel of invited witnesses whether they could point to any scientific study making a case for data mining. In their testimony, the five witnesses--representatives of think tanks and advocacy groups-- all voiced at least some degree of support for increased checks on government data-mining ventures. None of the panelists could come up with an answer, although James Carafano, a research fellow with the conservative Heritage Foundation, said "behavior science modeling is a rapidly developing field." Jim Harper, director of information policy studies at the free-market Cato Institute and an adviser to Homeland Security's privacy office, took a dimmer view of the practice. He argued that data mining could never be a useful tool because inevitably high "false-positive" rates would subject too many innocent Americans to undue scrutiny and violate their privacy. Sen. Arlen Specter, the outgoing Republican chairman of the Judiciary Committee, said he agreed with the need "to keep the various federal agencies on their toes," but saw no need to be overly restrictive of data mining. "Within the range of investigative tools, if there is no adverse action, if there's no specific prejudice to the individual, then I think there is latitude for law enforcement to look for patterns (in data)," the Pennsylvania senator and former prosecutor said. The new Democratic majority's interest in upping its checks on Bush administration antiterrorism policies has not been limited to the Senate this week. 
The House of Representatives on Tuesday evening voted 299-128 to approve what is intended to be heightened independence for the two-year-old Privacy and Civil Liberties Oversight Board, which is charged with advising the White House on such matters and only recently held its first public meeting. The proposal, should it be approved by the Senate and signed by the president, would remove the five-member board from the president's office, making it an independent agency; grant it subpoena power; require that all of its members, not just its chairmen, be confirmed by the Senate; and require it to submit periodic reports on its findings, among other things. The 277-page legislative package in which the proposal is embedded, however, has proved controversial and may not sail so easily through the Senate. Democrats have portrayed the first item on their 100-hours agenda as an attempt at implementing the 9/11 Commission's recommendations on issues like aviation security and emergency communications once and for all, but critics have said the proposal is nothing more than an unfunded political move. Copyright © 1995-2007 CNET Networks, Inc. All rights reserved. From rforno at infowarrior.org Wed Jan 10 22:28:30 2007 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 10 Jan 2007 22:28:30 -0500 Subject: [Infowarrior] - Cisco sues Apple over use of iPhone trademark Message-ID: Cisco sues Apple over use of iPhone trademark By Marguerite Reardon http://news.com.com/Cisco+sues+Apple+over+use+of+iPhone+trademark/2100-1047_3-6149285.html Story last modified Wed Jan 10 19:08:21 PST 2007 Cisco Systems has filed a lawsuit against Apple accusing the company of infringing its iPhone trademark, the networking company said Wednesday. The suit also accuses the iPod maker of using a front company to try to acquire rights to the name. 
Cisco accused Apple in a suit filed in United States District Court for the Northern District of California of willingly infringing its trademark when it announced the new iPhone at the Macworld Expo in San Francisco on Tuesday. Cisco said in the complaint that Apple had attempted to get rights to the iPhone name several times, but after Cisco refused, the company created a front company to try to acquire the rights another way, according to the lawsuit. Mark Chandler, senior vice president and general counsel at Cisco, said in an interview that the companies were close to finalizing a deal Monday night that would have allowed both Cisco and Apple to use the iPhone name. One aspect of the agreement called for some sort of technical interoperability between Cisco's Linksys Internet telephony products and Apple's cell phone. Chandler said the hope was that by making the products interoperable, it would help alleviate confusion among customers, who would likely be target consumers for both products. The companies left the negotiating table at 8 p.m. Monday with only a few points left to negotiate, Chandler said. Then on Tuesday, Apple CEO Steve Jobs took the stage at the Macworld Expo and, amid much fanfare, unveiled the new "iPhone." "We indicated that it was important that the negotiations be completed before the launch of their product," Chandler said. "Our expectation was that our name wouldn't be used without permission. And it is a surprise when any large company announces a product using a name they don't have a right to use." Chandler said Cisco made it clear after Apple's launch that negotiations needed to be completed immediately, but he said Cisco has still not heard from Apple. Cisco is seeking an injunction that will prevent Apple from using the name as well as damages from the company, the lawsuit said. 
Fresh off one of the biggest launches in its history, a product Jobs called one of the most exciting products he's ever worked on, the company dug in its heels. "We think Cisco's trademark suit is silly...We believe (their) trademark registration is tenuous at best," said Natalie Kerris, an Apple spokeswoman. "There are already several companies using the iPhone name for VoIP (voice over IP) products," Kerris said. "We're the first company ever to use iPhone for a cell phone. If Cisco wants to challenge us on it, we're confident we'll prevail." Cisco obtained the iPhone trademark in 2000 when it acquired Infogear, a small Redwood City, Calif., start-up that developed consumer devices that allowed people to easily access the Internet without a PC. Infogear had actually registered the iPhone trademark in March 1996. Cisco's home networking division, Linksys, has been using the iPhone trademark on a new family of voice over IP phones since early last year, Cisco said. And last month, Linksys expanded the iPhone family with additional products. A British company called Orate Telecommunications Services also offers a VoIP phone called an iPhone, and closer to home, a San Jose, Calif., company called Teledex offers an iPhone for hotel rooms. Chandler said Cisco is aware that other companies have used the iPhone name and in the past Cisco has been involved in "enforcement actions involving the use of this name." For more than a year, Apple watchers have speculated about a new phone developed by Apple that would combine smart phone cellular technology with the full functionality of an iPod music and video player. Fans and bloggers had been referring to an Apple-designed cell phone as the iPhone for some time, and Apple's repeated attempts at obtaining the trademark make it clear Apple hoped to use the moniker as well. Cisco said in its complaint that Apple had first approached the company about acquiring the rights to the iPhone trademark in 2001. 
Over the years, Apple continued to make requests for the rights, including several attempts in 2006, Cisco said. "Each time, Apple was told that Cisco was not interested in ceding the mark to Apple," Cisco's complaint reads. Apple apparently was not willing to accept Cisco's decision, so it created a Wilmington, Del.-based front company called Ocean Telecom Services that applied to use the trademark in the U.S. on September 26, 2006, according to Cisco's complaint. That company, Cisco says in the filing, is "owned or otherwise controlled by Apple and is the alter ego of Apple." Around the same time on September 19, 2006, Apple also filed for the trademark for iPhone in Australia. In Ocean Telecom Services' U.S. filing and in Apple's Australian filing, each company refers to a trademark filing made on March 27, 2006, in Trinidad & Tobago. In its complaint, Cisco said that it's the reference to this document that is almost identical in each filing that leads the company to believe Ocean Telecom is actually owned by Apple. Longtime Apple watcher Roger Kay, an analyst with Endpoint Technologies Associates, was blunt in his assessment of the situation. "This was just brass balls on the part of Steve (Jobs), to go in there and just grab that trademark and not pay a license for it or negotiate. It's the height of arrogance," Kay said. "He basically thinks he can get away with it." However, it's likely that the two companies will settle their differences, as prolonged litigation doesn't really serve either company, Kay said. "Apple is playing chicken with Cisco, and there's other companies I'd rather play chicken with," he said, referring to Cisco's deep pockets. Cisco holds a clear advantage in the legal dispute as the trademark holder of record and having already released products using the iPhone name, said Bruce Sunstein, co-founder of the Boston law firm Bromberg & Sunstein. "The one who has a registration is in a better position than the one who does not." 
Apple's only choice is to argue that its "iFamily" of trademarks such as iPod, iTunes and iMac create confusion in a customer's mind as to who makes the iPhone, Sunstein said. It's not out of the question, but in general the company in Cisco's position with clear rights to the trademark has a stronger argument than a company making the family argument, he said. Also, the applications for trademarks in other countries have no bearing on Cisco's iPhone trademark, Sunstein said. "The fact that Apple may have superior rights in Australia doesn't (give) them any rights in the U.S.," he said. Apple's Kerris had no comment on the status of negotiations between the two companies, including whether Apple had received documents from Cisco the night prior to the iPhone launch, as Cisco had stated Tuesday. In the U.S., courts evaluate trademark disputes based on a list of 13 factors, including how similar the trademarks are, how well-recognized they are--and, crucially, whether there will be "any actual confusion" on the part of consumers. Identical product names in similar areas have prompted courts to side with the original trademark holder in the past. In one 2003 decision by a federal appeals court, a company selling "Red Bull" tequila sought a trademark. But the court ruled a malt beverage made by Schlitz and also called Red Bull was already trademarked, and granting a second one would result in a "likelihood of confusion" between the two alcoholic drinks. Under federal law, the loser in a trademark dispute can be forced to hand over any profits it received as the result of selling the device in question, and signs, labels, and packaging can be required to be destroyed. CNET News.com's Declan McCullagh contributed to this report. Copyright © 1995-2007 CNET Networks, Inc. All rights reserved. 
From rforno at infowarrior.org Wed Jan 10 22:31:28 2007 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 10 Jan 2007 22:31:28 -0500 Subject: [Infowarrior] - Firms Fret as Office E-Mail Jumps Security Walls Message-ID: January 11, 2007 Firms Fret as Office E-Mail Jumps Security Walls By BRAD STONE http://www.nytimes.com/2007/01/11/technology/11email.html?ei=5094&en=e91f4d25007d7c7a&hp=&ex=1168491600&partner=homepage&pagewanted=print SAN FRANCISCO, Jan. 10 -- Companies spend millions on systems to keep corporate e-mail safe. If only their employees were as paranoid. A growing number of Internet-literate workers are forwarding their office e-mail to free Web-accessible personal accounts offered by Google, Yahoo and other companies. Their employers, who envision corporate secrets leaking through the back door of otherwise well-protected computer networks, are not pleased. "It's a hole you can drive an 18-wheeler through," said Paul D. Myer, president of the security firm 8E6 Technologies in Orange, Calif. It is a battle of best intentions: productivity and convenience pitted against security and more than a little anxiety. Corporate techies -- who, after all, are paid to worry -- want strict control over internal company communications and fear that forwarding e-mail might expose proprietary secrets to prying eyes. Employees just want to get to their mail quickly, wherever they are, without leaping through too many security hoops. Corporate networks, which typically have several layers of defenses against hackers, can require special software and multiple passwords for access. Some companies use systems that give employees a security code that changes every 60 seconds; this must be read from the display screen of a small card and typed quickly. That is too much for some employees, especially when their computers can store the passwords for their Web-based mail, allowing them to get right down to business. 
So far, no major corporate disasters caused by this kind of e-mail forwarding have come to light. But security experts say the risks are real. For example, the flimsier security defenses of Web mail systems could allow viruses or spyware to get through, and employees could unwittingly download them at the office and infect the corporate network. Also, because messages sent from Web-based accounts do not pass through the corporate mail system, companies could run afoul of federal laws that require them to archive corporate mail and turn it over during litigation. Lawyers in particular wring their hands over employees using outside e-mail services. They encourage companies to keep messages for as long as necessary and then erase them to keep them out of the reach of legal foes. Companies have no control over the life span of e-mail messages in employees' Web accounts. "If employees are just forwarding to their Web e-mail, we have no way to know what they are doing on the other end," said Joe Fantuzzi, chief executive of the information security firm Workshare. "They could do anything they want. They could be giving secrets to the K.G.B." Hospitals have an added legal obligation to protect patient records. But when DeKalb Medical Center in Atlanta started monitoring its staff use of Web-based e-mail, it found that doctors and nurses routinely forwarded confidential medical records to their personal Web mail accounts -- not for nefarious purposes, but so they could continue to work from home. In the months after the hospital began monitoring traffic to Web e-mail services, it identified "a couple hundred incidents," said Sharon Finney, DeKalb's information security administrator. "I was surprised about the lack of literacy about the technology we depend on every day," she said. DeKalb now forbids the practice, and uses several software systems that monitor the hospital's outbound e-mail and Web traffic. 
Ms. Finney said she still catches four to five perpetrators a month trying to forward hospital e-mail. The Web mail services may also be prone to glitches. Last month, Google fixed a bug that caused the disappearance of "some or all" of the stored mail of around 60 users. A week later, it acknowledged a security hole that could have exposed its users' address books to Internet attackers. Even the security experts most knowledgeable about the risks of e-mail forwarding to personal accounts acknowledge doing so themselves. "Of course I do it; who doesn't?" said Kimberly Getgen Bargero, vice president for marketing at Sendmail, an e-mail software company in Emeryville, Calif. Ms. Bargero said she often used her Yahoo Mail account on business trips so she does not have to access her corporate network remotely. It is difficult to quantify exactly how many otherwise model employees are opting to use services like Yahoo Mail or Google's Gmail over their company's authorized e-mail programs. Sophisticated users at the companies most lax about e-mail security can automatically forward all of their work e-mail to their personal accounts, hopscotching over the various requests for passwords meant to ward off intruders. The more casual e-mail scofflaws send only the occasional message to their personal accounts -- or just "cc" messages to their Web in-boxes to preserve them for later use -- even when the messages contain sensitive company information. Some companies frown on office use of any Web-based accounts, even for personal messages. At the business software maker BEA Systems, Anthony Bisulca, a senior security analyst, estimated that around 30 percent of his employees were using private e-mail accounts in the office, even though the company's Internet policy clearly prohibits it. But it is not easy to wean people off of their online mailboxes. "Of course they scream," 
said Todd Wilson, an operations manager at the Bloomberg School of Public Health at Johns Hopkins University. "They look at me like I have three heads." Mr. Wilson said that the use of the Web services had become a "huge concern," partly because copies of the forwarded messages sit untouched on the school's servers, taking up space. Many corporate technology professionals express the fear that Google and its rivals may actually own the intellectual property in the e-mail that resides on their systems. Gmail's terms of service, however, state that e-mail belongs to the user, not to Google. The company's automated software does scan messages in Gmail, looking for keywords that might generate related text advertisements on the page. A Google spokeswoman said the company has an extensive privacy policy to ensure no humans at Google read user e-mail. Paul Kocher, president of the security firm Cryptography Research, said the real issue for companies was trust. "If you can't trust employees enough to use services like Gmail, they probably shouldn't be working for you," he said. Many companies apparently do not have that level of trust. In a survey conducted last year, the e-mail security firm Proofpoint found that 37 percent of companies in the United States used software to monitor office use of Web mail. The Internet companies themselves are looking to take advantage of consumer preferences for Web-based e-mail services. This year, Google plans to introduce a more secure version of Gmail for use in large companies. But Microsoft and other providers of traditional internal e-mail systems, which the research firm Radicati says generated $2.5 billion in sales last year, are helping companies combat employee use of the Web services. The new version of Microsoft's corporate e-mail service, Exchange Server, offers administrators improved tools to monitor the content of employee mail and block forwarded messages. 
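The outbound-mail monitoring DeKalb describes above, as an added example that is not from the article or from any product it names: a review of constructed gateway log lines that flags every delivery from the corporate domain to a consumer webmail domain, and then singles out the repeated sender-to-same-address pattern that a blanket forwarding rule produces, as opposed to a one-off message. The log format, the corp.example domain, the webmail domain list and every sample line are assumptions made for this example.

```python
import re
from collections import Counter

# Assumed values for this example: the organisation's own mail domain and
# the consumer webmail domains the article names (plus two common others).
CORPORATE_DOMAIN = "corp.example"
WEBMAIL_DOMAINS = {"gmail.com", "googlemail.com", "yahoo.com", "hotmail.com"}

# Constructed outbound-gateway log format (not any real MTA's own format):
#   2007-01-10T09:12:31 from=<user@corp.example> to=<someone@example.net>
LOG_RE = re.compile(r"from=<(?P<sender>[^>]+)>\s+to=<(?P<rcpt>[^>]+)>")

# Constructed sample log: three messages from one employee to the same
# personal Gmail address (what an automatic forwarding rule looks like),
# one message to a business partner (not webmail, so not flagged), one
# single message to Yahoo Mail, and one line the gateway logged differently.
SAMPLE_LOG = """\
2007-01-10T09:12:31 from=<alice@corp.example> to=<alice.w@gmail.com>
2007-01-10T09:14:02 from=<alice@corp.example> to=<alice.w@gmail.com>
2007-01-10T09:20:45 from=<bob@corp.example> to=<buyer@partner.example>
2007-01-10T10:01:17 from=<alice@corp.example> to=<alice.w@gmail.com>
2007-01-10T10:30:00 from=<carol@corp.example> to=<c.jones@yahoo.com>
2007-01-10T11:00:00 queued: malformed line without addresses
"""


def domain_of(addr):
    """Lower-cased domain part of an e-mail address."""
    return addr.rsplit("@", 1)[-1].lower()


def webmail_deliveries(log_text):
    """Return (sender, recipient) pairs for every outbound message that the
    gateway delivered from the corporate domain to a consumer webmail domain."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # line not in the expected form; nothing to judge
        sender, rcpt = m["sender"].lower(), m["rcpt"].lower()
        if domain_of(sender) != CORPORATE_DOMAIN:
            continue  # inbound or relayed mail, not an employee sending out
        if domain_of(rcpt) in WEBMAIL_DOMAINS:
            hits.append((sender, rcpt))
    return hits


def suspected_auto_forwards(log_text, threshold=3):
    """A sender who repeatedly delivers to one webmail address is the pattern
    a forwarding rule produces; return those pairs with their message counts.
    The threshold is a tunable assumption, not a figure from the article."""
    counts = Counter(webmail_deliveries(log_text))
    return {pair: n for pair, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for (sender, rcpt), n in suspected_auto_forwards(SAMPLE_LOG).items():
        print(f"{sender} -> {rcpt}: {n} messages; review for a forwarding rule")
```

Run against the constructed log, the one-off message to Yahoo Mail is listed by `webmail_deliveries` but only the repeated Gmail pair crosses the default threshold in `suspected_auto_forwards`; lowering the threshold to 1 turns every webmail delivery into a finding, which is the stricter policy the article attributes to some employers.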
At the same time, upgrades to Exchange and Microsoft's e-mail program Outlook have made it easier for traveling employees to access e-mail on the corporate network from a Web browser. Microsoft also recently began urging corporate technology departments to give employees more storage space in their e-mail accounts. But the Web services are improving as well, and employees will no doubt continue to find them tempting. "We have as high a security standard as any company," said Ms. Bargero of Sendmail, "and sometimes it is just too difficult to access our e-mail." From rforno at infowarrior.org Wed Jan 10 23:03:14 2007 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 10 Jan 2007 23:03:14 -0500 Subject: [Infowarrior] - Creative Commons helps authors terminate copyright transfers Message-ID: NewsForge The Online Newspaper for Linux and Open Source http://trends.newsforge.com/ Title Creative Commons helps authors terminate copyright transfers Date 2007.01.10 13:00 Author Nathan Willis Topic http://trends.newsforge.com/article.pl?sid=07/01/04/1613249 Still seething over that bad book publishing deal you entered into in 1981? Good news: you might be able to rescue your manuscript and do something lucrative with it, thanks to Creative Commons (CC) and obscure portions of US copyright law. CC is beta testing a Web-based tool on its ccLabs site that helps authors through the tricky legal maze required to terminate a copyright transfer. US copyright law dictates that authors can reclaim rights that they signed away (perhaps naively or without benefit of legal advice) in the past, but due to the numerous changes to copyright law over the years, the devil is in the details. For instance, material created as "work for hire" or under commission are generally not eligible for transfer termination, but the specific definitions of those terms changed in 1978. 
And authors can terminate transfers for most eligible works after a specified period of time, but the creation date, publication date, and contract date all come into play. In its current form, the Termination of Transfer Tool (TTT) is an interactive question-and-answer session. It steps you through the details of your situation, asking about dates, contracts, and -- where necessary -- legal wording. If you meet the requirements for a transfer termination, the tool compiles your information into a PDF file that you can print out and take downtown to your lawyer's office. If you don't meet the requirements, it tells you why and refers you to the appropriate definitions and FAQs on the CC Web site. CC does not initiate the legal process to exercise your transfer termination rights, and it has no plans to. The organization does hope to add a referral program to the process that will recommend lawyers willing to assist authors in the process of reclaiming their rights, but that program is still under development. For the time being, TTT is branded a "beta," and CC is soliciting feedback on its design and clarity. Since the minimum time window for a termination is 35 years after the publication date, I did not have any personal copyright transfers to test in the TTT. CC provides a few hypothetical cases to play with, but I found it more interesting to experiment with some likely scenarios based on older members of my family who have published books. I can say this much without hesitation: CC isn't exaggerating when it calls the provisions of copyright law "complex." Finding the specific conditions under which the author of a creative work can reclaim licensed-away rights is not easy. Considering how few creators are likely to actually meet all of the transfer termination requirements, CC is wise to bill the TTT as more of an informational aid than a practical utility. 
As an educational program, the tool sheds some light on its subject matter -- but it does not simplify it. Based on my experience, although TTT does an excellent job of walking a copyright holder through the step-by-step process of determining eligibility of a transfer termination, this step-by-step approach hides the overall layout of the eligibility provisions. I would almost rather see a yes/no "logic table" with an overview of what scenarios meet the law's requirements than have to guess my way through the Q&A process using trial and error and leaping back and forth to the FAQ. Still, I have to wholeheartedly agree with the first goal stated in CC's release announcement for TTT: it is important to raise awareness of this copyright transfer termination option. I had never heard of it before TTT, and my unscientific poll of authors and artists indicates most are in the same boat. Much of existing copyright law is one-sided, slanted toward Big Media and away from the little guy. TTT doesn't change that, but the more people who understand how odd and inconvenient the law is, the closer we are to fixing it and making it easier to use. Maybe only a fraction of us need to exercise author's rights to terminate a bad copyright transfer, but by making an issue out of it, TTT is doing something important. Links 1. "Creative Commons" - http://creativecommons.org/ 2. "ccLabs" - http://labs.creativecommons.org/ 3. "Termination of Transfer Tool" - http://labs.creativecommons.org/termination/ 4. "definitions" - http://labs.creativecommons.org/termination/glossary.html 5. "FAQs" - http://labs.creativecommons.org/termination/faq.php 6. "release announcement" - http://creativecommons.org/weblog/entry/7163 From rforno at infowarrior.org Thu Jan 11 08:38:39 2007 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 11 Jan 2007 08:38:39 -0500 Subject: [Infowarrior] - No cellphone? No BlackBerry? No e-mail? No way? (It's true.) Message-ID: No cellphone? No BlackBerry? No e-mail? 
No way? (It's true.) http://news.yahoo.com/s/usatoday/20070111/tc_usatoday/nocellphonenoblackberrynoemailnowayitstrue By Janet Kornblum, USA TODAY SAN FRANCISCO - Joan Brady can't even count the number of computers that friends have foisted upon her over the years. Laptops. Desktops. Monitors. It's as if they can't help themselves, as if they just can't accept her for who she is: a woman who dares to live without a PC in the heart of Techtropolis. "I just don't need it," says Brady, 52, a personal chef and party clown. No, she doesn't e-mail. And, really, she does not need you to call her and read the latest e-mail joke to her. She knows what she's missing, and she's grateful for it every day. Call Brady a "tech-no," a member of a dwindling - some might say occasionally oppressed - minority who are resisting the worldwide movement to be constantly connected. They're just saying no to the very technologies that increasingly are captivating most everybody else. Some tech-no's shun e-mail. Others don't use the Web or, like Brady, don't even have a computer. Many avoid cellphones. In a few rare cases, people say no to just about all of it. Even tech-loving teens and twentysomethings are starting to think twice. They might use the Internet (93% of American teens ages 12 to 17 do, according to the Pew Internet & American Life Project), but a few are turning away from the same social networking sites with which their peers are obsessed. By choice, Shane Bugeja, 16, of Columbus, Ohio, doesn't have a Facebook or MySpace page. "I don't find it interesting - having someone reading about you, and you don't know them," he says. That makes him unusual; 55% of online kids (51% of all teens) ages 12 to 17 have a social networking site, says Pew, and 64% of online teens ages 15 to 17 have one. "You are not alone if you don't have one of these profiles, but you are bucking a trend," says Amanda Lenhart of Pew. 
"I haven't found anybody who's sort of like me," Bugeja says. "Doing what everyone else is doing is not necessarily an attractive thing." It is unclear how many tech-no's there are, but they are becoming an endangered species in a nation in which 81% of adults 18 to 64 are Internet users and 78% use cellphones, according to Pew. These are not people avoiding the latest technologies because of poverty, age or lack of education. Tech-no's "are making a conscious decision to say no to certain things," says Larry Rosen, a professor at California State University-Dominguez Hills and author of TechnoStress. "It's not a snap decision. They usually have a good reason. And it's not that they're giving up everything. We're not going back to the Luddite era. These people are using (only) what they absolutely feel like they need." They might even be a sign of what is to come. "It is going to become very fashionable at some point to be disconnected," Silicon Valley futurist Paul Saffo predicts. "There are going to be people who wear their disconnectivity like a badge." 'Don't think I'm missing out' Alan Moore, 53, a writer in Northampton, England, has no e-mail, no Web access, no cellphone. His PC is a "glorified typewriter." He knows all about blogs and Google and MySpace; an imposter even put up a MySpace page in his name. He understands the convenience of cellphones and knows that people can have hundreds of channels on their TVs rather than his few broadcast ones. Despite this, "I don't think I'm missing out." Instead of Googling every question, he refers to books. Instead of toting a cellphone on a walk, he just walks. "Not being able to be phoned when I'm out: that is blissful," he says. "We live in a culture where we are completely swamped with information. It's like some invisible fluid. I try to control the flow of information through my life." David Levy, a professor in the Information School at the University of Washington in Seattle, also tries to control the flow. 
An observant Jew, he shuts everything down for the Sabbath from Friday at sundown to Saturday night. He recommends disconnecting once in a while to others, too. "The contemplative dimension of my life is very important to me," he says. But would he ever consider giving up the Net entirely? "Absolutely not, and I wouldn't want to," he says. "The Web is a fantastic tool." But unplugging is getting harder for most people to do - even for a little while. "I don't think you can be disconnected," says Jim Taylor, vice president of the Harrison Group, a marketing and strategic research consulting firm in Waterbury, Conn. It's just about impossible "if you are employed, if people depend on you, if your children are out in the world." People who don't do e-mail increasingly miss all kinds of things, from family photo albums and special-interest discussion groups to party invitations; 125 million people got e-mail invitations via Evite in 2005 alone, the company says. That doesn't bother Brady: "If they care whether I'm there or not, they can call me," she says. Or send a letter - the kind with stamps. People who never go on the Web also miss out on a growing facet of American culture, such as Google and blogs and Craigslist and YouTube; they can't shop online or find out more about their favorite TV characters. They miss instant access to news and never see the viral videos everybody else is talking about and forwarding to their friends. 100% tech-no? Even if they don't care much about popular culture, people without cellphones or e-mail or buddy lists miss out on a world in which friends and family increasingly can get in touch instantly, whether there's an emergency or they just want you to know they're thinking about you. That's why these days, most tech-no's find it's nearly impossible to stay away 100%. John Mashburn, 57, a lawyer from Columbus, Ohio, reads paper maps instead of Googling directions. He couldn't e-mail someone "if my life depended on it," he says. 
However, he has an office staff and a wife who will, if necessary, print out e-mails for him to read. Even San Francisco chef Brady says she sometimes asks her roommate or 8-year-old niece to look up information online for her. One recent night she even spent three hours looking at YouTube videos on her roommate's laptop. But being a tech-no can have a high social cost. When Brady tells people she doesn't have e-mail, many "kind of look at me like I'm crazy," she says. "One (now ex-) friend got drunk and went on and on about how I was very arrogant, and it wasn't very attractive to be anti-computer - not even charming or funny anymore. I had to get with it. I looked like a stupid idiot. Like some kind of weird little barbarian." When she told other friends about the outburst, they were sympathetic. With her critic. "They said, 'Well, you know, he has a point. There's nothing to be proud of.' " E-mails just not 'useful' Kevin Kertes, 41, a music promoter from Woodland Hills, Calif., has a similar frustration: his brother Jeffrey, 38, a clinical psychologist in metropolitan Detroit. Jeffrey Kertes has a PDA, a pager and a computer. But he only got an e-mail address six months ago after his brother and others hounded him for years. Still, he checks it only "every couple of weeks." "I'm not opposed," he says, but "I don't find e-mails useful. I like talking to people. I like to hear their tone, their laugh. I can't get that from e-mail. The message is lost." He does have a cellphone, but you generally can't reach him on it; he only turns it on when he needs to make a call. "I've sent e-mails to him but have never got a response back," Kevin Kertes says. "It's frustrating. If I want to talk to him privately or there's an urgent matter, I have to go through his wife." But as much as he complains, he acknowledges that his brother "is not at the mercy of it like we are. You can't leave your house without a cellphone. Hell freezes over. You freak out." 
He also has a BlackBerry. "I check it all the time. But why? Nothing urgent ever comes over it." Says the Harrison Group's Taylor: "The advantages in society of connectedness are astonishing. The difficulty is the inability of people to disconnect. Some become addicted to being gotten to; for most of us, it's a bit of a burden." That's pretty much how Brady's roommate feels. Mark Hawkins, 42, works for an Internet company, so he's connected nearly all the time. He says he really doesn't mind helping Brady; in fact, he admires her. "I like technology, and I like being on top of all the new things that are happening," he says. "But there's a part of me that's like, 'Oh my gosh, get out of here.' I have a love-hate relationship with it, really. "I think so many people feel that technology holds all these answers for us, and if you're not embracing it, you're somehow missing out on this key to life or something." He's amused that people try to give Brady their hand-me-down technology: "It's like they're all lining up to give her access to this world that she has made a conscious decision to just not fall into." Her attitude "keeps things real for me," he says. "It's so easy to get caught up in all of it. It's refreshing to know that hey, you don't have to. You can make choices in life to, you know, do things however you want." From rforno at infowarrior.org Thu Jan 11 09:10:07 2007 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 11 Jan 2007 09:10:07 -0500 Subject: [Infowarrior] - DOD workers warned about spy coins Message-ID: Defense workers warned about spy coins By TED BRIDIS, Associated Press Writer http://news.yahoo.com/s/ap/spy_coins Can the coins jingling in your pocket trace your movements? The Defense Department is warning its American contractor employees about a new espionage threat seemingly straight from Hollywood: It discovered Canadian coins with tiny radio frequency transmitters hidden inside. In a U.S. 
government report, it said the mysterious coins were found planted on U.S. contractors with classified security clearances on at least three separate occasions between October 2005 and January 2006 as the contractors traveled through Canada. The U.S. report doesn't suggest who might be tracking American defense contractors or why. It also doesn't describe how the Pentagon discovered the ruse, how the transmitters might function or even which Canadian currency contained them. Further details were secret, according to the U.S. Defense Security Service, which issued the warning to the Pentagon's classified contractors. The government insists the incidents happened, and the risk was genuine. "What's in the report is true," said Martha Deutscher, a spokeswoman for the security service. "This is indeed a sanitized version, which leaves a lot of questions." Top suspects, according to intelligence and technology experts: China, Russia or even France -- all said to actively run espionage operations inside Canada with enough sophistication to produce such technology. The Canadian Security Intelligence Service said it knew nothing about the coins. "This issue has just come to our attention," CSIS spokeswoman Barbara Campion said. "At this point, we don't know of any basis for these claims." She said Canada's intelligence service works closely with its U.S. counterparts and will seek more information if necessary. Experts were astonished about the disclosure and the novel tracking technique, but they quickly rejected suggestions Canada's government might be spying on American contractors. The intelligence services of the two countries are extraordinarily close and routinely share sensitive secrets. "It would seem unthinkable," said David Harris, former chief of strategic planning for the Canadian Security Intelligence Service. "I wouldn't expect to see any offensive operation against the Americans." 
Harris said likely candidates include foreign spies who targeted Americans abroad or businesses engaged in corporate espionage. "There are certainly a lot of mysterious aspects to this," Harris said. Experts said such tiny transmitters would almost certainly have limited range to communicate with sensors no more than a few feet away, such as ones hidden inside a doorway. "I'm not aware of any (transmitter) that would fit inside a coin and broadcast for kilometers," said Katherine Albrecht, an activist who believes such technology carries serious privacy risks. "Whoever did this obviously has access to some pretty advanced technology." Experts said hiding tracking technology inside coins is fraught with risks because the spy's target might inadvertently give away the coin or spend it buying coffee or a newspaper. They agreed, however, that a coin with a hidden tracking device might not arouse suspicion if it were discovered loose in a pocket or briefcase. "It wouldn't seem to be the best place to put something like that; you'd want to put it in something that wouldn't be left behind or spent," said Jeff Richelson, a researcher and author of books about the CIA and its gadgets. "It doesn't seem to make a whole lot of sense." Canada's physically largest coins include its $2 "Toonie," which is more than 1-inch across and thick enough to hide a tiny transmitter. The CIA has acknowledged its own spies have used hollow, U.S. silver-dollar coins to hide messages and film. The government's 29-page report was filled with other espionage warnings. It described unrelated hacker attacks, eavesdropping with miniature pen recorders and the case of a female foreign spy who seduced her American boyfriend to steal his computer passwords. In another case, a film processing company called the FBI after it developed pictures for a contractor that contained classified images of U.S. satellites and their blueprints. The photo was taken from an adjoining office window. 
___ On the Web: CIA hollow coin: http://www.cia.gov/cia/information/artifacts/dollar.htm Copyright © 2007 The Associated Press. All rights reserved. The information contained in the AP News report may not be published, broadcast, rewritten or redistributed without the prior written authority of The Associated Press. From rforno at infowarrior.org Thu Jan 11 16:21:35 2007 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 11 Jan 2007 16:21:35 -0500 Subject: [Infowarrior] - Analysis: A litmus test for info-sharing Message-ID: Analysis: A litmus test for info-sharing By SHAUN WATERMAN UPI Homeland and National Security Editor http://www.upi.com/inc/view.php?StoryID=20070109-041222-3710r WASHINGTON, Jan. 9 (UPI) -- The litmus test for the success of post-Sept. 11 efforts to overhaul and integrate the information systems of U.S. intelligence agencies is an ambitious new project code-named Railhead, which aims to create a seamless network of networks within which data about terrorist threats can freely and quickly flow to those who need, and are cleared, to see it. Dale Meyerrose, a retired Air Force general who is in charge of information technology for the 16 agencies, told C-SPAN Television at the weekend that the project would create a single "information sharing environment within the National Counter-Terrorism Center," the multi-agency hub that vacuums up and analyzes terrorist threat intelligence from every corner of the U.S. government. Meyerrose revealed the project's codename for the first time in a later interview with United Press International, saying Railhead was one of a handful of programs his office was pushing forward as models of how agencies could integrate their information technology in a "synergized and cooperative" fashion. 
The National Counter-Terrorism Center is the poster child for the efforts to reform U.S. intelligence by forcing the sprawling and secretive bureaucracies of the spy agencies to collaborate more closely. But it has also become a symbol of the hoops analysts have to jump through, switching from network to network, sometimes on different workstations, to access material from different agencies' databases because policy development and government acquisition have lagged behind technological advance. "Wrestling the (information technology), if you will, becomes more of what the person does in their workspace rather than adding intellectual value to the (intelligence) product that they're supposed to," Meyerrose said. "My job is in essence to make the (information technology) invisible." Railhead aims to do that by putting into practice at the center Congress' vision of an Information Sharing Environment -- a sophisticated platform that will allow counter-terrorism information, including personal data about Americans, to be securely shared in a variety of ways that reflect and respect the different rules in place in different agencies to protect individual privacy and information security. Meyerrose said Railhead and the other pilot projects were also testing a controversial new acquisition strategy called "spiral development." He said a revolution in the way the government spends billions of dollars a year on computers and software is essential to keep up with fast-changing technologies. "What is possible, what is doable, and what is probable, changes every 18-24 months in the information technology world," he said. "Traditional, 'big bang' acquisition strategy, where you outline your requirements one year and take delivery three or four years later ... can't keep up" with that rate of technological change, he added. 
Meyerrose said traditional acquisition was a "failed strategy," which had contributed to debacles like the National Security Agency's disastrous and highly classified Trailblazer program, and the FBI's failed Sentinel project, which congressional critics have lambasted as hundred-million -- or in Trailblazer's case multi-billion -- dollar boondoggles. To fix the way the nation's spy agencies develop and deploy their information technology, Meyerrose said, spiral acquisition was a way of "not designing to requirement, but designing to opportunity," because intelligence agencies and the firms they are working with on new technology could change the specifications of a project as new capabilities became available. Conversely, he said, if a project's requirements could be satisfied by a cutting-edge technology that wasn't stable enough yet for deployment, project managers could buy "bridging technologies" to use for a year or two in developing the project until the more advanced product was ready to be incorporated. Prof. James Hendler, former chief scientist for information systems at the Pentagon's hatchery for cutting edge technology, the Defense Advanced Research Projects Agency, told UPI that the classic model of spiral development was the way Microsoft builds software code, in a series of versions. "You're developing (version 1.2), testing (version 1.1) and deploying (version 1.0) all at the same time," he explained. In acquisition terms, he said, it was helpful to think of a decision to buy a television set. "You say you want a set that does this, this and this, and then you buy one." In spiral acquisition, he said, "I'm buying, not a TV set, but a continually improving way to watch television." 
He cautioned that the term was a catch-all used to cover a number of different approaches to acquisition, all designed to reduce the enormous time lags that traditional procurement created between concept and deployment, and free up government buyers to take advantage of emerging new technologies. Spiral acquisition is about "designing something that won't be obsolete by the time you deploy it," Hendler said. But critics say the strategy can be a ticket to expensive programs that develop technologies which are late and don't meet requirements. "We definitely have some concerns" about spiral acquisition, Ryan Alexander, president of the non-partisan government spending watchdog Taxpayers for Common Sense, told UPI. "The bottom line is, with anything that fails to identify upfront what the technology it's buying is supposed to do, it's hard to know if you're getting your money's worth," she said. Meyerrose acknowledged the criticism, but said his office was working hard to develop ways to measure the efficacy of the new way of doing business. "It will be as important and just as tough for us to come up with the right performance measures ... as it will to come up with the right technologies to fit with the right processes," he said. Hendler said that spiral procurements sometimes looked more expensive, but used the analogy of buying a personal computer. "I can buy the cheapest computer that does what I want right now. Or I can spend a bit more money and buy something that I think will last three years. It's spending more now to save money in the future." He said that spiral development was a model for acquisition in fields other than just computers and software. "It's good for integrating any fast changing technology," he said. Meyerrose warned that he expected some resistance to the new strategies. "There are folks who don't like these kinds of changes," he said. 
But he added that the Director of National Intelligence John Negroponte, who announced last week that he was leaving for a job at the State Department, nonetheless "intends to exert leadership" to make sure needed changes happened. "Fixing the acquisition capacities of the Intelligence Community ... is exactly what the (director of national intelligence) is supposed to do," said Meyerrose, vowing to "take on" any would-be foot-draggers. "There can be no pocket vetoes in this business," he vowed. Copyright 2007 United Press International, I From rforno at infowarrior.org Thu Jan 11 22:07:35 2007 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 11 Jan 2007 22:07:35 -0500 Subject: [Infowarrior] - MPAA: Idiots At The Helm Message-ID: MPAA: Idiots At The Helm (or: "How the MPAA could easily increase profits and turn the tide of P2P to work in their favor") http://attrition.org/security/rants/z/mpaa.html ...and in related news.... The MPAA and other anti-piracy watchdogs try to trap people into downloading fake torrents, so they can collect IP addresses, and send copyright infringement letters to ISPs. They hire a company to put up fake copies of popular movies, music albums, and TV series. < - > http://torrentfreak.com/mpaa-caught-uploading-fake-torrents/ From rforno at infowarrior.org Thu Jan 11 22:11:11 2007 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 11 Jan 2007 22:11:11 -0500 Subject: [Infowarrior] - Microsoft: Responsible Vulnerability Disclosure Protects Users Message-ID: Microsoft: Responsible Vulnerability Disclosure Protects Users http://www2.csoonline.com/exclusives/column.html?CID=28071 Responsible disclosure benefits everyone in the security ecosystem by providing the most comprehensive and highest-quality security update possible. 
By Mark Miller, Director, Microsoft Security Response Center Responsible disclosure, reporting a vulnerability directly to the vendor and allowing sufficient time to produce an update, benefits the users and everyone else in the security ecosystem by providing the most comprehensive and highest-quality security update possible. From my experience helping customers digest and respond to full disclosure reports, I can tell you that responsible disclosure, while not perfect, doesn't increase risk as full disclosure can. Generally, responsible disclosure benefits everyone involved by providing the best possible protection for customers without forcing vendors into sacrificing quality or security or introducing additional risk. Through responsible disclosure, vendors such as Microsoft are given an appropriate amount of time to investigate a security report, reproduce it against all supported platforms, analyze it for variations and similar vulnerabilities in surrounding code, and test the resulting update to ensure an appropriate level of quality for mass distribution. This results in the most comprehensive and highest-quality security update possible, which is one of the key goals of the Microsoft Security Response Center's security investigation process. A key point that is often forgotten in discussions about disclosure is the reality that customers face in protecting systems. When you think of an enterprise with thousands of servers, limited deployment windows and a cost to the business for every update deployed, you can easily understand why every customer I have ever spoken with wants to minimize the number of updates while ensuring the highest level of protection. Responsible disclosure by security researchers allows Microsoft and other vendors to deliver that to our customers. By producing a comprehensive fix that resolves any additional issues found in surrounding code, we minimize the number of updates. 
Customers also want updates that minimize disruption to their environment, especially in line-of-business and third-party applications. With adequate testing time, Microsoft is able to provide the highest-quality updates, thereby minimizing customer downtime and investment related to deploying security updates. In contrast, full disclosure -- reporting vulnerability details to either public mailing lists or Web sites -- creates an environment in which customer angst is high and the risks for the ecosystem are increased. These reports can force vendors to rush to provide workaround solutions and security updates that customers can use to mitigate exploitation of the reported vulnerability. However, to release updates on a compressed schedule, shortcuts must be made in the development process. These shortcuts can increase the risk that a fix won't resolve similar vulnerabilities in surrounding code or that a fix could have quality issues due to a shortened testing cycle. Vendors only take these shortcuts because we have to, knowing that once vulnerability details are published the time to exploit can be exceedingly short -- many times in the range of days or hours. So, while in the end the update may be released in a shorter period of time -- which is often a key argument in favor of full disclosure -- there is a significant cost in terms of security coverage and quality. There are, of course, exceptions to full disclosure and responsible disclosure, such as broad zero-day attacks. In those cases it's only through rapid cooperation between multiple vendors, researchers and the security community that we can quickly provide effective mitigations and solutions to the threat. Over the last few years it's been refreshing to see more researchers move to adopt responsible disclosure, but there are still many full disclosure reports. The security researcher community is an integral part of this change, with Microsoft products experiencing approximately 75 percent responsible disclosure. 
As such, we are committed to working with the community to strengthen support for responsible disclosure and minimize customer risk. We do this by having open communications channels, treating researchers with respect, and listening and learning from them. We believe people deserve credit for helping protect our customers and improve the security of our products. It's important for vendors and the industry to give credit -- as Microsoft does in every security bulletin -- to the researchers who help customers and vendors through responsible disclosure reporting. While there has been progress over the last few years, there is still room for improvement. Microsoft remains committed to working with security researchers, vendors and the security community in a responsible way to continue to drive positive improvements to customers' security. Mark Miller is director of the Microsoft Security Response Center and has been involved in its response process for five years. Before joining the MSRC, he provided customer support and service as part of the Product Support Services Security Team. From rforno at infowarrior.org Thu Jan 11 22:11:54 2007 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 11 Jan 2007 22:11:54 -0500 Subject: [Infowarrior] - MJR: The Vulnerability Disclosure Game: Are We More Secure? Message-ID: Web Exclusives The Vulnerability Disclosure Game: Are We More Secure? http://www2.csoonline.com/exclusives/column.html?CID=28072 Can we speak frankly about "vulnerability disclosure" now? More than a decade into the process, can anyone say security has improved? By Marcus J. Ranum Can we speak frankly about "vulnerability disclosure" now? Can we, please? It's long past time. More than a decade into the process, can anyone say security has improved? 
Back in the mid-1990s, when the vulnerability disclosure economy was starting to take shape, I was one of a small handful of security practitioners who was trying hard to apply the brakes against what we saw as a dangerous trend. Unfortunately, at that time, the security industry was not yet mature enough for customers to understand that they were being sold a dangerous bill of goods. For longer than a decade, we've lived under the mob rule, where for some security consultants and companies, "marketing" has been replaced by "splashily announcing holes in commercial products to get 20 seconds of fame on CNN." What's amazing about the disclosure game is not that it's been tolerated for so long, but that it worked at all. (See Schneier: Full Disclosure of Security Vulnerabilities a 'Damned Good Idea'.) Do you remember the original premise of the disclosure game? By publicly announcing vulnerabilities in products we will force the vendors to be more responsive in fixing them, and security will be better. Remember that one? Tell me, dear reader, after 10 years of flash-alerts, rushed patch cycles and zero-day attacks, do you think security has gotten better? (See Microsoft: Responsible Vulnerability Disclosure Protects Users.) I think there are a few places where we can see signs of improvement. I know that Microsoft, Oracle and others have spent huge amounts of money improving the security of their software. Never mind the fact that 99.99 percent of the computer users in the world would rather they had spent that money making their software cheaper or faster, I suppose it's a great thing to see that software security is being taken seriously. Security has gotten more expensive. But do you think security has gotten better? From where I sit, it looks like the vulnerability rate is pretty much a constant. If the proponents of disclosure were right, their stated objective -- browbeating the vendors into making their products better -- would have been accomplished years ago. 
But we're speaking frankly, here, aren't we? So, as one adult to another, let me tell you why it won't work: because it was never about making software better. In fact, it was never about making your security better. That's right. Now that we can look back at 10 years of what disclosure has brought us, it's brought us -- well, nothing much. Nothing much, that is, except a grey-market economy in exploits, where independent "vulnerability researchers" attempt to cash in by finding new attacks that they can sell to security companies or spyware manufacturers -- whichever bids higher. Nothing much unless you count the massive amounts of "free" marketing exposure for companies that trade in exploits. The sad part about it all is that they've managed to convince you they're doing you a favor. It looks like a pretty expensive-looking "favor" to me! Back when the Internet security bubble started, I offered a litmus test for practitioners. Simply put: You're either part of the solution, or you're part of the problem. You're writing the next firewall or secure application or working to improve some site's security. Or you're part of the problem: You're looking for the next hole in Oracle that'll get you two minutes on CNN, or you're getting ready to announce a clever new way rootkits can evade detection from security tools, or you're devising the next denial-of-service attack, etc. The state of ethics in the computer security industry is pathetic; it's on par with where medicine was in the 1820s -- except that some of the snake-oil salesmen in the 1820s actually believed in their products. At this point in the history of security, the disclosure economy has been in place long enough that some of the new entrants to the field think that's the way it's always been -- I've run into second-generation "true believers" who really think vulnerability disclosure is all about making software better. Guys, I think it's time to hang up that ideology; it's obviously not true. 
If it was going to help, it would have showed some signs of helping by now. So let's be frank, shall we? Those of you who are playing the disclosure game are just playing for your two minutes of fame: You're not making software better. Sure, some of you work for consultancies and startups, and it saves you a ton of money by not having to have a marketing budget, but isn't shouting "fire!" in a crowded theater so -- um, '90s? I know that the typical security customer is (to you) an unsophisticated rube, but that does not justify you placing them at increased risk just so you can publish a new signature for your pen-testing tool or get your funny-haired "chief hacking officer" on CNN one more time. I have news for you: Most of the computer users on the planet wish you'd find some other use for your talents -- something that actually does help. Computer security needs to grow the hell up, and needs to do it pretty quickly. It seems that virtually every aspect of life is becoming increasingly computerized and exposed to online attack. The problem is getting more significant the longer we wait to deal with it, but the early history of computer security has been a massive disappointment to all of us: huge amounts of money spent with relatively little improvement to show for it. One of the reasons is that a huge amount of that effort has been wasted, barking up the wrong tree. Unfortunately, if you look at the last 10 years of security, it's a litany of "one step forward, one step back," thanks in part to the vulnerability pimps, parasites and snake-oil salesmen who flocked into the industry when they smelled money and a chance to get some attention. At this point, they're so deeply entrenched and vested that they're here to stay, unless the industry as a whole turns away from rewarding bad behavior. If you're a customer or end user, you can see how well disclosure worked to improve your security over the last decade. Let me be frank: It's up to you. 
Marcus Ranum, CSO of Tenable Network Security, is internationally recognized as one of computer security's visionary thinkers. Since his early involvement with security in the late 1980s he has been involved in every stage of the security industry, from coding the first commercial firewall (DEC SEAL) to acting as founder and CEO of one of the early IDS innovators (NFR). He lives in the middle of nowhere in Pennsylvania. From rforno at infowarrior.org Thu Jan 11 22:12:19 2007 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 11 Jan 2007 22:12:19 -0500 Subject: [Infowarrior] - Schneier: Full Disclosure of Security Vulnerabilities a 'Damned Good Idea' Message-ID: Schneier: Full Disclosure of Security Vulnerabilities a 'Damned Good Idea' http://www2.csoonline.com/exclusives/column.html?CID=28073 Security guru Bruce Schneier sounds off on why full disclosure forces vendors to patch flaws. By Bruce Schneier Full disclosure -- the practice of making the details of security vulnerabilities public -- is a damned good idea. Public scrutiny is the only reliable way to improve security, while secrecy only makes us less secure. Unfortunately, secrecy sounds like a good idea. Keeping software vulnerabilities secret, the argument goes, keeps them out of the hands of the hackers (See The Vulnerability Disclosure Game: Are We More Secure?). The problem, according to this position, is less the vulnerability itself and more the information about the vulnerability. But that assumes that hackers can't discover vulnerabilities on their own, and that software companies will spend time and money fixing secret vulnerabilities. Both of those assumptions are false. Hackers have proven to be quite adept at discovering secret vulnerabilities, and full disclosure is the only reason vendors routinely patch their systems. To understand why the second assumption isn't true, you need to understand the underlying economics. To a software company, vulnerabilities are largely an externality. 
That is, they affect you -- the user -- much more than they affect it. A smart vendor treats vulnerabilities less as a software problem, and more as a PR problem. So if we, the user community, want software vendors to patch vulnerabilities, we need to make the PR problem more acute. Full disclosure does this. Before full disclosure was the norm, researchers would discover vulnerabilities in software and send details to the software companies -- who would ignore them, trusting in the security of secrecy. Some would go so far as to threaten the researchers with legal action if they disclosed the vulnerabilities. Later on, researchers announced that particular vulnerabilities existed, but did not publish details. Software companies would then call the vulnerabilities 'theoretical' and deny that they actually existed. Of course, they would still ignore the problems, and occasionally threaten the researcher with legal action. Then, of course, some hacker would create an exploit using the vulnerability -- and the company would release a really quick patch, apologize profusely, and then go on to explain that the whole thing was entirely the fault of the evil, vile hackers. It wasn't until researchers published complete details of the vulnerabilities that the software companies started fixing them. Of course, the software companies hated this. They received bad PR every time a vulnerability was made public, and the only way to get some good PR was to quickly release a patch. For a large company like Microsoft, this was very expensive. So a bunch of software companies, and some security researchers, banded together and invented 'responsible disclosure' (See "The Chilling Effect"). The basic idea was that the threat of publishing the vulnerability is almost as good as actually publishing it. A responsible researcher would quietly give the software vendor a head start on patching its software, before releasing the vulnerability to the public. 
This was a good idea -- and these days it's normal procedure -- but one that was possible only because full disclosure was the norm. And it remains a good idea only as long as full disclosure is the threat. The moral here doesn't just apply to software; it's very general. Public scrutiny is how security improves, whether we're talking about software or airport security or government counterterrorism measures. Yes, there are trade-offs. Full disclosure means that the bad guys learn about the vulnerability at the same time as the rest of us -- unless, of course, they knew about it beforehand -- but most of the time the benefits far outweigh the disadvantages. Secrecy prevents people from accurately assessing their own risk. Secrecy precludes public debate about security, and inhibits security education that leads to improvements. Secrecy doesn't improve security; it stifles it. I'd rather have as much information as I can to make an informed decision about security, whether it's a buying decision about a software product or an election decision about two political parties. I'd rather have the information I need to pressure vendors to improve security. I don't want to live in a world where companies can sell me software they know is full of holes or where the government can implement security measures without accountability. I much prefer a world where I have all the information I need to assess and protect my own security. Bruce Schneier is a noted security expert and founder and CTO of BT Counterpane. From rforno at infowarrior.org Thu Jan 11 22:13:06 2007 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 11 Jan 2007 22:13:06 -0500 Subject: [Infowarrior] - How the Web makes creating software vulnerabilities easier Message-ID: The Chilling Effect http://www.csoonline.com/read/010107/fea_vuln_pf.html How the Web makes creating software vulnerabilities easier, disclosing them more difficult and discovering them possibly illegal. 
By Scott Berinato Last February at Purdue University, a student taking "cs390s: Secure Computing" told his professor, Dr. Pascal Meunier, that a Web application he used for his physics class seemed to contain a serious vulnerability that made the app highly insecure. Such a discovery didn't surprise Meunier. "It's a secure computing class; naturally students want to discover vulnerabilities." They probably want to impress their prof, too, who's a fixture in the vulnerability discovery and disclosure world. Dr. Meunier has created software that interfaces with vulnerability databases. He created ReAssure, a kind of vulnerability playground, a safe computing space to test exploits and perform what Meunier calls "logically destructive experiments." He sits on the board of editors for the Common Vulnerabilities and Exposures (CVE) service, the definitive dictionary of publicly known software vulnerabilities. And he has managed the Vulnerabilities Database and Incident Response Database projects at Purdue's Center for Education and Research in Information Assurance and Security, or CERIAS, an acronym pronounced like the adjective that means "no joke." When the undergraduate approached Meunier, the professor sensed an educational opportunity and didn't hesitate to get involved. "We wanted to be good citizens and help prevent the exploit from being used," he says. In the context of vulnerable software, it would be the last time Meunier decided to be a good citizen. Meunier notified the authors of the physics department application that one of his students -- he didn't say which one -- had found a suspected flaw, "and their response was beautiful," says Meunier. They found, verified and fixed the bug right away, no questions asked. But two months later, in April, the same physics department website was hacked. A detective approached Meunier, whose name was mentioned by the staff of the vulnerable website during questioning. 
The detective asked Meunier for the name of the student who had discovered the February vulnerability. The self-described "stubborn idealist" Meunier refused to name the student. He didn't believe it was in that student's character to hack the site and, furthermore, he didn't believe the vulnerability the student had discovered, which had been fixed, was even connected to the April hack. The detective pushed him. Meunier recalls in his blog: "I was quickly threatened with the possibility of court orders, and the number of felony counts in the incident was brandished as justification for revealing the name of the student." Meunier's stomach knotted when some of his superiors sided with the detective and asked him to turn over the student. Meunier asked himself: "Was this worth losing my job? Was this worth the hassle of responding to court orders, subpoenas, and possibly having my computers (work and personal) seized?" Later, Meunier recast the downward spiral of emotions: "I was miffed, uneasy, disillusioned." This is not good news for vulnerability research, the game of discovering and disclosing software flaws. True, discovery and disclosure always have been contentious topics in the information security ranks. For many years, no calculus existed for when and how to ethically disclose software vulnerabilities. Opinions varied on who should disclose them, too. Disclosure was a philosophical problem with no one answer but rather, schools of thought. Public shaming adherents advised security researchers, amateurs and professionals alike to go public with software flaws early and often and shame vendors into fixing their flawed code. Back-channel disciples believed in a strong but limited expert community of researchers working with vendors behind the scenes. Many others' disclosure tenets fell in between. Still, in recent years, with shrink-wrapped software, the community has managed to develop a workable disclosure process. 
Standard operating procedures for discovering bugs have been accepted and guidelines for disclosing them to the vendor and the public have fallen into place, and they have seemed to work. Economists have even proved a correlation between what they call "responsible disclosure" and improved software security. But then, right when security researchers were getting good at the disclosure game, the game changed. The most critical code moved to the Internet, where it was highly customized and constantly interacting with other highly customized code. And all this Web code changed often, too, sometimes daily. Vulnerabilities multiplied quickly. Exploits followed. But researchers had no counterpart methodology for disclosing Web vulnerabilities that mirrored the system for vulnerability disclosure in off-the-shelf software. It's not even clear what constitutes a vulnerability on the Web. Finally, and most serious, legal experts can't yet say whether it's even legal to discover and disclose vulnerabilities on Web applications like the one that Meunier's student found. To Meunier's relief, the student volunteered himself to the detective and was quickly cleared. But the effects of the episode are lasting. If it had come to it, Meunier says, he would have named the student to preserve his job, and he hated being put in that position. "Even if there turn out to be zero legal consequences" for disclosing Web vulnerabilities, Meunier says, "the inconvenience, the threat of being harassed is already a disincentive. So essentially now my research is restricted." He ceased using disclosure as a teaching opportunity as well. Meunier wrote a five-point don't-ask-don't-tell plan he intended to give to cs390s students at the beginning of each semester. If they found a Web vulnerability, no matter how serious or threatening, Meunier wrote, he didn't want to hear about it. 
Furthermore, he said students should "delete any evidence you knew about this problem...go on with your life," although he later amended this advice to say students should report vulnerabilities to CERT/CC. A gray pall, a palpable chilling effect has settled over the security research community. Many, like Meunier, have decided that the discovery and disclosure game is not worth the risk. The net effect of this is fewer people with good intentions willing to cast a necessary critical eye on software vulnerabilities. That leaves the malicious ones, unconcerned by the legal or social implications of what they do, as the dominant demographic still looking for Web vulnerabilities. The Rise of Responsible Disclosure In the same way that light baffles physicists because it behaves simultaneously like a wave and a particle, software baffles economists because it behaves simultaneously like a manufactured good and a creative expression. It's both product and speech. It carries the properties of a car and a novel at the same time. With cars, manufacturers determine quality largely before they're released and the quality can be proven, quantified. Either it has air bags or it doesn't. With novels (the words, not the paper stock and binding), quality depends on what consumers get versus what they want. It is subjective and determined after the book has been released. Moby-Dick is a high-quality creative venture to some and poor quality to others. At any rate, this creates a paradox. If software is both scientifically engineered and creatively conjured, its quality is determined both before and after it's released and is both provable and unprovable. In fact, says economist Ashish Arora at Carnegie Mellon University, it is precisely this paradox that leads to a world full of vulnerable software. "I'm an economist so I ask myself, Why don't vendors make higher quality software?" 
After all, in a free market, all other things being equal, a better engineered product should win over a lesser one with rational consumers. But with software, lesser-quality products, requiring massive amounts of repair post-release, dominate. "The truth is, as a manufactured good, it's extraordinarily expensive [and] time-consuming [to make it high quality]." At the same time, as a creative expression, making "quality" software is as indeterminate as the next best-seller. "People use software in so many ways, it's very difficult to anticipate what they want. "It's terrible to say," Arora concedes, "but in some ways, from an economic perspective, it's more efficient to let the market tell you the flaws once the software is out in the public." The same consumers who complain about flawed software, Arora argues, would neither wait to buy the better software nor pay the price premium for it if more-flawed, less-expensive software were available sooner or at the same time. True, code can be engineered to be more secure. But as long as publishing vulnerable software remains legal, vulnerable software will rule because it's a significantly more efficient market than the alternative, high-security, low-flaw market. The price consumers pay for supporting cheaper, buggy software is they become an ad hoc quality control department. They suffer the consequences when software fails. But vendors pay a price, too. By letting the market sort out the bugs, vendors have ceded control over who looks for flaws in their software and how flaws are disclosed to the public. Vendors can't control how, when or why a bug is disclosed by a public full of people with manifold motivations and ethics. Some want notoriety. Some use disclosure for corporate marketing. Some do it for a fee. Some have collegial intentions, hoping to improve software quality through community efforts. Some want to shame the vendor into patching through bad publicity. 
And still others exploit the vulnerabilities to make money illicitly or cause damage. "Disclosure is one of the main ethical debates in computer security," says researcher Steve Christey. "There are so many perspectives, so many competing interests, that it can be exhausting to try and get some movement forward." What this system created was a kind of free-for-all in the disclosure bazaar. Discovery and disclosure took place without any controls. Hackers traded information on flaws without informing the vendors. Security vendors built up entire teams of researchers whose job was to dig up flaws and disclose them via press release. Some told the vendors before going public. Others did not. Freelance consultants looked for major flaws to make a name for themselves and drum up business. Sometimes these flaws were so esoteric that they posed minimal real-world risk, but the researcher might not mention that. Sometimes the flaws were indeed serious, but the vendor would try to downplay them. Still other researchers and amateur hackers tried to do the right thing and quietly inform vendors when they found holes in code. Sometimes the vendors chose to ignore them and hope security by obscurity would protect them. Sometimes, Arora alleges, vendors paid mercenaries and politely asked them to keep it quiet while they worked on a fix. Vulnerability disclosure came to be thought of as a messy, ugly, necessary evil. The madness crested, famously, at the Black Hat hacker conference in Las Vegas in 2005, when a researcher named Michael Lynn prepared to disclose to a room full of hackers and security researchers serious flaws in Cisco's IOS software, the code that controls many of the routers on the Internet. His employer, ISS (now owned by IBM) warned him not to disclose the vulnerabilities. So he quit his job. Cisco in turn threatened legal action and ordered workers to tear out pages from the conference program and destroy conference CDs that contained Lynn's presentation. 
Hackers accused Cisco of spin and censorship. Vendors accused hackers of unethical and dangerous speech. In the end, Lynn gave his presentation. Cisco sued. Lynn settled and agreed not to talk about it anymore. The confounding part of all the grandstanding, though, was how unnecessary it was. In fact, as early as 2000, a hacker known as Rain Forest Puppy had written a draft proposal for how responsible disclosure could work. In 2002, researchers Chris Wysopal and Christey picked up on this work and created a far more detailed proposal. Broadly, it calls for a week to establish contact between the researcher finding a vulnerability and a vendor's predetermined liaison on vulnerabilities. Then it gives the vendor, as a general guideline, 30 days to develop a fix and report it to the world through proper channels. It's a head-start program, full disclosure, delayed. It posits that a vulnerability will inevitably become public, so here's an opportunity to create a fix before that happens, since the moment it does become public the risk of exploit increases. Wysopal and Christey submitted the draft to the IETF (Internet Engineering Task Force), where it was well-received but not adopted because it focused more on social standards, not technical ones. Still, its effects were lasting, and by 2004, many of its definitions and tenets had been folded into the accepted disclosure practices for shrink-wrapped software. By the time Lynn finally took the stage and disclosed Cisco's vulnerabilities, US-CERT, Mitre's CVE dictionary (Christey is editor), and Department of Homeland Security guidelines all used large swaths of Wysopal's and Christey's work. Recently, economist Arora conducted several detailed economic and mathematical studies on disclosure, one of which seemed to prove that vendors patch software faster when bugs are reported through this system. For packaged software, responsible disclosure works.
From Buffer Overflows to Cross-Site Scripting

Three vulnerabilities that followed the responsible disclosure process recently are CVE-2006-3873, a buffer overflow in an Internet Explorer DLL file; CVE-2006-3961, a buffer overflow in an Active X control in a McAfee product; and CVE-2006-4565, a buffer overflow in the Firefox browser and Thunderbird e-mail program. It's not surprising that all three are buffer overflows. With shrink-wrapped software, buffer overflows have been for years the predominant vulnerability discovered and exploited. But shrink-wrapped, distributable software, while still proliferating and still being exploited, is a less desirable target for exploiters than it once was. This isn't because shrink-wrapped software is harder to hack than it used to be: the number of buffer overflows discovered has remained steady for half a decade, according to the CVE (see chart on Page 21). Rather, it's because websites have even more vulnerabilities than packaged software, and Web vulnerabilities are as easy to discover and hack and, more and more, that's where hacking is most profitable. In military parlance, webpages provide a target-rich environment.

The speed with which Web vulnerabilities have risen to dominate the vulnerability discussion is startling. Between 2004 and 2006, buffer overflows dropped from the number-one reported class of vulnerability to number four. Counter to that, Web vulnerabilities shot past buffer overflows to take the top three spots. The number-one reported vulnerability, cross-site scripting (XSS), comprised one in five of all CVE-reported bugs in 2006. To understand XSS is to understand why, from a technical perspective, it will be so hard to apply responsible disclosure principles to Web vulnerabilities. Cross-site scripting (which is something of a misnomer) uses vulnerabilities in webpages to insert code, or scripts.
The code is injected into the vulnerable site unwittingly by the victim, who usually clicks on a link that has HTML and JavaScript embedded in it. (Another variety, less common and more serious, doesn't require a click.) The link might promise a free iPod or simply seem so innocuous, a link to a news story, say, that the user won't deem it dangerous. Once clicked, though, the embedded exploit executes on the targeted website's server. The scripts will usually have a malicious intent: from simply defacing the website to stealing cookies or passwords, or redirecting the user to a fake webpage embedded in a legitimate site, a high-end phishing scheme that affected PayPal last year. A buffer overflow targets an application. But XSS is, as researcher Jeremiah Grossman (founder of WhiteHat Security) puts it, "an attack on the user, not the system." It requires the user to visit the vulnerable site and participate in executing the code.

This is reason number one it's harder to disclose Web vulnerabilities. What exactly is the vulnerability in this XSS scenario? Is it the design of the page? Yes, in part. But often, it's also the social engineering performed on the user and his browser. A hacker who calls himself RSnake and who's regarded in the research community as an expert on XSS goes even further, saying, "[XSS is] a gateway. All it means is I can pull some code in from somewhere." In some sense it is like the door to a house. Is a door a vulnerability? Or is it when it's left unlocked that it becomes a vulnerability? When do you report a door as a weakness: when it's just there, when it's left unlocked, or when someone illegally or unwittingly walks through it? In the same way, it's possible to argue that careless users are as much to blame for XSS as software flaws. For the moment, let's treat XSS, the ability to inject code, as a technical vulnerability. Problem number two with disclosure of XSS is its prevalence.
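As an added example, not taken from the article or from any of the researchers quoted in it, here is the mechanism behind the kind of link described above, in plain Node.js: a hypothetical search page that echoes its q parameter, first as written (the vulnerable form) and then with output encoding applied, plus a crude check a reviewer could run on the response. The site name, the parameter and the sample link are constructed for the demonstration.

```javascript
// Added example (not from the article): a page that pastes user input
// into its HTML, beside one that encodes the input first. The search page,
// its `q` parameter and the sample link are hypothetical.

// Vulnerable handler: whatever arrives in q is written into the page as-is,
// so a link carrying markup in q makes the server echo that markup back to
// the victim's browser, which then runs it in the site's own origin.
function renderSearchUnsafe(q) {
  return '<html><body><h1>Results for: ' + q + '</h1></body></html>';
}

// Output encoding: the five characters that can open or close a tag,
// attribute or entity become HTML entities, so the browser renders the
// input as visible text instead of parsing it as markup.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened handler: same template, encoded input.
function renderSearchSafe(q) {
  return '<html><body><h1>Results for: ' + escapeHtml(q) + '</h1></body></html>';
}

// Simulate the user following a link: pull q out of the URL the way a
// server would (percent-decoding included), then hand it to a renderer.
function renderFromLink(url, renderer) {
  const q = new URL(url).searchParams.get('q') || '';
  return renderer(q);
}

// Detection-side check a reviewer or scanner might run on a response:
// does the document contain a script tag or an on*= event-handler
// attribute? The template above has neither, so any hit came from input.
function containsActiveContent(html) {
  return /<script\b|\son[a-z]+\s*=/i.test(html);
}

// Constructed sample link of the kind the article describes: the query
// string carries markup that pops a dialog box, the classic proof of concept.
const SAMPLE_LINK =
  'https://shop.example/search?q=' +
  encodeURIComponent('shoes<script>alert("xss")</script>');

// Side-by-side comparison for a reader running the file directly.
console.log('unsafe :', renderFromLink(SAMPLE_LINK, renderSearchUnsafe));
console.log('encoded:', renderFromLink(SAMPLE_LINK, renderSearchSafe));
```

The encoded variant is the fix for the reflected case discussed above; the "other variety" the article mentions, where the payload is stored by the site and served to every visitor without a click, is defeated by the same output encoding applied at the point where stored data is written into a page.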
Grossman, who founded his own research company, White Hat, claims XSS vulnerabilities can be found in 70 percent of websites. RSnake goes further. "I know Jeremiah says seven of 10. I'd say there's only one in 30 I come across where the XSS isn't totally obvious. I don't know of a company I couldn't break into [using XSS]." If you apply Grossman's number to a recent Netcraft survey, which estimated that there are close to 100 million websites, you've got 70 million sites with XSS vulnerabilities. Repairing them one-off, two-off, 200,000-off is spitting in the proverbial ocean. Even if you've disclosed, you've done very little to reduce the overall risk of exploit. "Logistically, there's no way to disclose this stuff to all the interested parties," Grossman says. "I used to think it was my moral professional duty to report every vulnerability, but it would take up my whole day." What's more, new XSS vulnerabilities are created all the time, first because many programming languages have been made so easy to use that amateurs can rapidly build highly insecure webpages. And second because, in those slick, dynamic pages commonly marketed as "Web 2.0," code is both highly customized and constantly changing, says Wysopal, who is now CTO of VeriCode. "For example, look at IIS [Microsoft's shrink-wrapped Web server software]," he says. "For about two years people were hammering on that and disclosing all kinds of flaws. But in the last couple of years, there have been almost no new vulnerabilities with IIS. It went from being a dog to one of the highest security products out there. But it was one code base and lots of give-and-take between researchers and the vendor, over and over. "On the Web, you don't have that give and take," he says. You can't continually improve a webpage's code because "Web code is highly customized. You won't see the same code on two different banking sites, and the code changes all the time." 
That means, in the case of Web vulnerabilities, says Christey, "every input and every button you can press is a potential place to attack. And because so much data is moving you can lose complete control. Many of these vulnerabilities work by mixing code where you expect to mix it. It creates flexibility but it also creates an opportunity for hacking." There are in fact so many variables in a Web session (how the site is configured and updated, how the browser visiting the site is configured to interact with it) that vulnerabilities to some extent become a function of complexity. They may affect some subset of users, people who use one browser over another, say. When it's difficult to even recreate the set of variables that comprise a vulnerability, it's hard to responsibly disclose that vulnerability. "In some ways," RSnake says, "there is no hope. I'm not comfortable telling companies that I know how to protect them from this."

A wake-up call for websites

Around breakfast one day late last August, RSnake started a thread on his discussion board, Sla.ckers.org, a site frequented by hackers and researchers looking for interesting new exploits and trends in Web vulnerabilities. RSnake's first post was titled "So it begins." All that followed were two links, www.alexa.com and www.altavista.com, and a short note: "These have been out there for a while but are still unfixed." Clicking on the links exploited XSS vulnerabilities with a reasonably harmless, proof-of-concept script. RSnake had disclosed vulnerabilities. He did this because he felt the research community and, more to the point, the public at large, neither understood nor respected the seriousness and prevalence of XSS. It was time, he says, to do some guerrilla vulnerability disclosure. "I want them to understand this isn't Joe Shmoe finding a little hole and building a phishing site," RSnake says. "This is one of the pieces of the puzzle that could be used as a nasty tool."
If that first post didn't serve as a wake-up call, what followed it should. Hundreds of XSS vulnerabilities were disclosed by the regular klatch of hackers at the site. Most exploited well-known, highly trafficked sites. Usually the posts included a link that included a proof-of-concept exploit. An XSS hole in www.gm.com, for example, simply delivered a pop-up dialog box with an exclamation mark in the box. By early October, anonymous lurkers were contributing long lists of XSS-vulnerable sites. In one set of these, exploit links connected to a defaced page with Sylvester Stallone's picture on it and the message "This page has been hacked! You got Stallown3d!1" The sites this hacker contributed included the websites of USA Today, The New York Times, The Boston Globe, ABC, CBS, Warner Bros., Petco, Nike, and Linens 'n Things. "What can I say?" RSnake wrote. "We have some kick-ass lurkers here."

Some of the XSS holes were closed up shortly after appearing on the site. Others remain vulnerable. At least one person tried to get the discussion board shut down, RSnake says, and a couple of others "didn't react in a way that I thought was responsible." Contacts from a few of the victim sites (Google and Mozilla, among others) called to tell RSnake they'd fixed the problem and "to say thanks through gritted teeth." Most haven't contacted him, and he suspects most know about neither the discussion thread nor their XSS vulnerabilities. By early November last year, the number of vulnerable sites posted reached 1,000, many discovered by RSnake himself. His signature on his posts reads "RSnake - Gotta love it." It connotes an aloofness that permeates the discussion thread, as if finding XSS vulnerabilities were too easy. It's fun but hardly professionally interesting, like Tom Brady playing flag football.
Clearly, this is not responsible disclosure by the standards shrink-wrapped software has come to be judged, but RSnake doesn't think responsible disclosure, even if it were somehow developed for Web vulnerabilities (and we've already seen how hard that will be, technically), can work. For one, he says, he'd be spending all day filling out vulnerability reports. But more to the point, "If I went out of my way to tell them they're vulnerable, they may or may not fix it, and, most importantly, the public doesn't get that this is a big problem."

Discovery Is (Not?) a Crime

RSnake is not alone in his skepticism over proper channels being used for something like XSS vulnerabilities. Wysopal himself says that responsible disclosure guidelines, ones he helped develop, "don't apply at all with Web vulnerabilities." Implicit in his and Christey's process was the idea that the person disclosing the vulnerabilities was entitled to discover them in the first place, that the software was theirs to inspect. (Even on your own software, the end user license agreement (EULA) and the Digital Millennium Copyright Act (DMCA) limit what you can do with, or to, it.) The seemingly endless string of websites RSnake and the small band of hackers had outed were not theirs to audit. Disclosing the XSS vulnerabilities on those websites was implicitly confessing to having discovered that vulnerability. Posting the exploit code, no matter how innocuous, was definitive proof of discovery. That, it turns out, might be illegal. No one knows for sure yet if it is, but how the law develops will determine whether vulnerability research will get back on track or devolve into the unorganized bazaar that it once was and that RSnake's discussion board hints it could be. The case law in this space is sparse, but one of the few recent cases that address vulnerability discovery is not encouraging.
A man named Eric McCarty, after allegedly being denied admission to the University of Southern California, hacked the online admission system, copied seven records from the database and mailed the information under a pseudonym to a security news website. The website notified the university and subsequently published information about the vulnerability. McCarty made little attempt to cover his tracks and even blogged about the hack. Soon enough, he was charged with a crime. The case is somewhat addled, says Jennifer Granick, a prominent lawyer in the vulnerability disclosure field and executive director at Stanford's Center for Internet and Society. "The prosecutor argued that it's because he copied the data and sent it to an unauthorized person that he's being charged," says Granick, "but copying data isn't illegal. So you're prosecuting for unauthorized testing of the system" (what any Web vulnerability discoverer is doing) "but you're motivated by what they did with the information. It's kind of scary."

Two cases in a similar vein preceded McCarty's. One was acquitted in less than half an hour, Granick says; in the other, prosecutors managed to convict the hacker, but, in a strange twist, they dropped the conviction on appeal (Granick represented the defendant on the appeal). In the USC case, though, McCarty pleaded guilty to unauthorized access. Granick calls this "terrible and detrimental." "Law says you can't access computers without permission," she explains. "Permission on a website is implied. So far, we've relied on that. The Internet couldn't work if you had to get permission every time you wanted to access something. But what if you're using a website in a way that's possible but that the owner didn't intend? The question is whether the law prohibits you from exploring all the ways a website works," including through vulnerabilities.
Granick would like to see a rule established that states it's not illegal to report truthful information about a website vulnerability, when that information is gleaned from taking the steps necessary to find the vulnerability, in other words, benevolently exploiting it. "Reporting how a website works has to be different than attacking a website," she says. "Without it, you encourage bad disclosure, or people won't do it at all because they're afraid of the consequences." Already many researchers, including Meunier at Purdue, have come to view a request for a researcher's proof-of-concept exploit code as a potentially aggressive tactic. Handing it over, Meunier says, is a bad idea because it's proof that you've explored the website in a way the person you're giving the code to did not intend. The victim you're trying to help could submit that as Exhibit A in a criminal trial against you.

RSnake says he thought about these issues before he started his discussion thread. "I went back and forth personally," he says. "Frankly, I don't think it's really illegal. I have no interest in exploiting the Web." As for others on the discussion board: "everyone on my board, I believe, is nonmalicious." But he acknowledges that the specter of illegality and the uncertainty surrounding Web vulnerability disclosure are driving some researchers away and driving others, just as Granick predicted, to try to disclose anonymously or through back channels, which he says is unfortunate. "We're like a security lab. Trying to shut us down is the exact wrong response. It doesn't make the problem go away. If anything, it makes it worse. What we're doing is not meant to hurt companies. It's meant to make them protect themselves. I'm a consumer advocate."

A Limited Pool of Bravery

What happens next depends, largely, on those who publish vulnerable software on the Web.
Will those with vulnerable websites, instead of attacking the messenger, work with the research community to develop some kind of responsible disclosure process for Web vulnerabilities, as complex and uncertain a prospect as that is? Christey remains optimistic. "Just as with shrink-wrapped software five years ago, there are no security contacts and response teams for Web vulnerabilities. In some ways, it's the same thing over again. If the dynamic Web follows the same pattern, it will get worse before it gets better, but at least we're not at square one." Christey says his hope rests in part on an efficacious public that demands better software and a more secure Internet, something he says hasn't materialized yet. Or will they start suing, threatening, harassing those who discover and disclose their Web vulnerabilities regardless of the researchers' intention, confidently cutting the current with the winds of McCarty's guilty plea filling their sails? Certainly this prospect concerns legal scholars and researchers, even ones who are pressing forward and discovering and disclosing Web vulnerabilities despite the current uncertainty and risk. Noble as his intentions may be, RSnake is not in the business of martyrdom. He says, "If the FBI came to my door [asking for information on people posting to the discussion board], I'd say 'Here's their IP address.' I do not protect them. They know that." He sounds much as Meunier did when he conceded that he'd have turned over his student if it had come to that. In the fifth and final point he provides for students telling them that he wants no part of their vulnerability discovery and disclosure, he writes: "I've exhausted my limited pool of bravery. Despite the possible benefits to the university and society at large, I'm intimidated by the possible consequences to my career, bank account and sanity. I agree with [noted security researcher] H.D. 
Moore, as far as production websites are concerned: 'There is no way to report a vulnerability safely.'"

E-mail feedback to Senior Editor Scott Berinato.

From rforno at infowarrior.org Thu Jan 11 22:13:32 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 11 Jan 2007 22:13:32 -0500
Subject: [Infowarrior] - Why we need hackers
Message-ID:

Why we need hackers
By Patrick Gray | 9 January 2007 02:45PM
http://www.pcauthority.com.au/feature.aspx?CIaFID=3204

It would be easier if hackers, who say they're acting in the public interest by releasing information on the vulnerabilities they find, would just get real jobs and stop pointing out the weaknesses in our software, right? Wrong. As most who work in the IT security field will tell you, all the software that we use is shipped in a vulnerable state. The security holes are there from day one, and if the good guys don't find the bugs, the bad guys will. The only way to defend an operating system or an application against a bug is to know of the existence of the bug in the first place. Just 10 years ago, the bug-hunting community was a mish-mash of hackers, system administrators and programmers. Many were geeks seeking kudos for finding the latest "zero-day" or "fresh" vulnerability. Since then, IT security has become a booming business and vulnerability information is worth its weight in gold. Scores, if not hundreds, of full-time bug hunters now spend their days earning hefty salaries pulling apart software and looking for bugs: a weird sort of third-party quality assurance service for software companies. They disclose their findings to the vendor, which releases a patch, then they release information about the bug to the wider community. But what are the ethics of security research? How much information should researchers release when they find a bug? 'You talk about why people crack things; I think the benefit is that it keeps the vendors in line, it holds them accountable,'
says Rick Forno, the former chief security officer of Internic. 'And chances are if the good guys find something, the bad guys have known about it longer than the good guys.' US-based Forno is currently studying for a PhD on vulnerability disclosure at Curtin University in Western Australia. In his role as Internic's CSO, he was responsible for securing the Internet's root domain name servers, the core directories responsible for matching domain names to IP addresses. In short, they're important machines. While Forno defends security researchers who disclose information on the vulnerabilities they uncover (even "proof of concept exploit code", the software researchers sometimes release, which allows all and sundry to use the vulnerability) he says there's a right way to do it and a wrong way. 'Knowledge is neutral. How do you use it, to patch a system or exploit a system?' he asks. 'There is a big movement now to restrict adverse information ... but where do you draw the line between where information is deemed to be adverse or helpful. Too often people err on the side of caution.' In this feature, you'll hear from the hackers themselves, who largely serve the public interest. Some have disclosed information that's led to computer worms being unleashed by unscrupulous hackers. Others have written tools the bad guys use to penetrate networks. All say they've acted in the public interest. Are they mischievous characters or guardian angels? Read on and decide for yourself.

David Litchfield is a security researcher, entrepreneur and accidental architect of one of the fastest spreading computer worms the Internet has ever seen: the Slammer SQL worm. Security geeks often come from similar backgrounds. Raised by the pocket-protector sporting supergeeks of the 1960s, these guys and gals were twiddling with computers at the age that most of us were learning how to hold a crayon.
Not so for David Litchfield, who was already 23 when he decided to make the move into IT security in the late 90s, dropping out of a degree in zoology to pursue computer science studies. But the course ran too slow for his liking; he dropped out of university altogether and moved to London from Scotland to find work in IT. 'At first, I was working in pubs, doing a lot of canvassing while I was teaching myself computers,' he says. Since his early days in IT, Litchfield has become, arguably, the most prominent database software security researcher in the world. And it was his research that made the Slammer worm possible. Litchfield had discovered a vulnerability in Microsoft's SQL server product and decided, after the company had released a patch for the bug, to present details about the glitch to a security conference in 2002. 'The code I presented [at the Black Hat security conference] became the template for Slammer,' he says. 'There was six months between the release of the code and the worm.' When it was unleashed on January 25 of 2003, Slammer wreaked havoc on the Internet. While it was relatively benign (it didn't destroy any data on infected systems) it generated enough traffic to grind some corners of cyberspace to a near-total halt. Why was a security researcher presenting information that could be used to cause so much disruption? Litchfield had uncovered a vulnerability in Microsoft's flagship database server, SQL, that was so easy to exploit he considered the release of the code used to exploit it as a wake-up call for database administrators. 'I said if you don't fix this it will become the next big worm,' he says. As it turns out, he was right. Despite administrators having six months to apply a patch from Microsoft that would have eradicated the vulnerability he discovered, few, it seems, heeded his warning. These days Litchfield doesn't release "proof-of-concept"
code like that used as the foundation for Slammer, but says the effect of his research, and even the worm itself, has been positive. 'At the time I did (regret releasing the code) but looking back, Slammer, thankfully, was benign. It didn't have a malicious payload, it just screwed up a few weekends, and it's really what brought patching to the boardroom,' he argues. 'Today if you come across a SQL server, nine out of 10 times it will be patched, so Slammer at least brought a change in the way people look at patching.' You'd think Litchfield's company, Next Generation Security Software, would hardly be on Microsoft's Christmas card list after his research was used to knock over SQL servers, but NGS does a substantial amount of work for the software giant. But he's not cosy with all the major vendors. He's been involved in a very public flamewar with Oracle's chief security officer Mary Ann Davidson for years. 'Before the spat began I travelled over to Redwood Shores to have a coffee with her. I like the woman, she's a nice person, but professionally I think she's in the wrong job,' he says bluntly. It was Litchfield who released limited details of scores of vulnerabilities in Oracle products immediately after the launch of the company's "Unbreakable" marketing campaign. The campaign suggested that Oracle software was secure, and Litchfield knew it wasn't. So he set to work on breaking the company's "unbreakable" products. 'I think it was the civic thing to do, to be honest,' he says. 'If you bought something from a shop, your details are in a database somewhere. To make that information safe, we need secure databases ... and Oracle isn't doing that. There's been a complete and utter failure from Oracle as far as I'm concerned.'

It's not always independent researchers who spend their days trying to break software and digital security mechanisms; sometimes the vendors get in on the action as well.
Cryptographer Scott Fluhrer, who works for Cisco, is probably best known for being one of the team responsible for sending the Wired Equivalent Privacy (WEP) standard to the computing graveyard. WEP was the default standard for wireless network encryption, but a paper published in 2001 by Fluhrer and two Israeli researchers, Weaknesses in the Key Scheduling Algorithm of RC4, showed just how flawed the encryption scheme is. You may be asking, at this point, why on Earth vendors are still shipping wireless networking equipment with WEP "security" built in? Well, one reason is for backwards compatibility, and the other is that it's "better than nothing", but only marginally. Thanks to Fluhrer and a few others, cracking WEP is trivial. This means you can access your next door neighbour's access point for free Internet access, or even sniff their data as it flies back and forth. Why you'd want to read your next door neighbour's email is anyone's guess, but you get the drift: WEP is useless. If you want real wireless security, you'll need WPA, or Wi-Fi Protected Access.

So what was Fluhrer's motivation? He happily admits ego was involved, which makes one wonder: if someone admits to being motivated by ego, does that make them humble? 'As much as I'd like to say "it's to make the world a more secure place", well, that really wasn't my main goal,' he wrote in an email to PC Authority. 'Ultimately, I suspect it was that I could, and to show people I could.' At least he's honest. Still, there were also some altruistic motives at play; Fluhrer says it's important to research weaknesses in security schemes and make them public. 'After all, with security, it's quite difficult to determine if what you've designed actually works; whether it is actually secure,' he explains. 'The only way we know to test that is to have skilled people try to break it. Given that, it's obviously better to have the good guys break it first.' The disclosure aspect is also important, Fluhrer says.
'It's quite impossible to tell the good guys about the weakness without telling the bad guys about it too,' he argues. 'If we don't publish the results, then any bad guy who stumbles on the same result will be able to break it at will. If we just claim to have results without publishing them, we wouldn't be taken seriously ... By publishing the results, we let companies who take security seriously update their equipment.' So how did he break WEP? 'I did some simulations based on random sets of related (cryptographic) keys, and while I didn't find the weakness I was looking for, I did notice an anomaly where occasionally, a set of related keys would act quite non-randomly,' he says. 'I tracked down what was happening in those cases, and found the basic observation the attack was based on.' But Fluhrer misunderstood how WEP worked, so his research didn't break WEP directly. 'At this point, I went to a technical conference, and ran into (Israeli researchers Itsik) Mantin and (Adi) Shamir. We decided to collaborate,' he says. 'Together, we refined the attack, including how these results could be applied to the real WEP protocol.' The rest, as they say, is history.

Hacking tools: For better or worse?

Security research isn't all about breaking software; sometimes it means creating it. Gordon Lyon, who's better known by his handle Fyodor, achieved a fame of sorts when he wrote the Nmap network scanning software. Nmap, a port-scanning utility, has become the de facto standard tool for good guys and bad guys alike. It's a relatively simple piece of software that scans IP ranges for open or closed ports. It can identify running services, like Web-server or mail transfer software, Trojan software and even the operating system of the target machine. But it wasn't until his utility made a guest appearance in The Matrix Reloaded that Fyodor got serious kudos from the geek elite. 'That was pretty awesome,' Fyodor told PC Authority.
'Especially since I had no idea it would happen.' He'd scored tickets to a midnight showing when the movie was released. Sensing a "hacking scene" was approaching, Fyodor shuddered. 'I was like "oh no! These are always terrible!",' he says. 'Then I saw her (the Trinity character) whip out Nmap and was amazed.' Fyodor's movie companion, James Hong, the man behind the lurid dotcom operation hotornot.com, was as stunned as he was. 'Let me tell you, you can spend almost 10 years writing a port scanner, adding all sorts of great and useful features,' Fyodor says. 'But you don't get nearly as much press from big new releases as when some hot celebrity chick in black vinyl uses Nmap for five seconds in a movie.' But if anything, Fyodor finds Internet fame a little embarrassing. He took his nickname from Russian author Fyodor Dostoevsky. 'I'm a little embarrassed that a Google search for Fyodor now lists me before Dostoevsky,' he says. 'I guess it is hard to earn and maintain a decent PageRank when you're dead.' Fyodor, who's now based in California and spends his days maintaining Nmap, says he never thought the side project would take off. He released it as open source software, and the response was overwhelming. 'Tons of people started sending me suggestions, improvement ideas [and] patches,' he says. 'So I decided to release one more version, and well, here it is nine and a half years later and I just released a version two nights ago.' Today, Fyodor makes a crust by licensing Nmap to software companies that include it in their products. It's a legitimate enterprise, but not even Fyodor himself saw it coming. 'One reason I used a handle was I was worried I'd get sued, harassed,' he says. 'But actually the response has been extremely positive in almost all cases.' If someone is sophisticated enough to know what Nmap is, they also understand how much value it can bring them in terms of securing their own network, he adds.
'The very first step in securing your network is understanding what is really going on. So you whip out Nmap to inventory your systems, check whether any unexpected ports are listening, ensuring that your firewall is really behaving as you expect it to.' Besides, the bad guys already had access to scanning technology prior to the release of Nmap, even if it wasn't as sophisticated, Fyodor says. At 29, Fyodor, a self-confessed workaholic, has some expensive hobbies, racing his BMW M3 coupe for kicks. 'I love to ski in the winters at Tahoe, I like driving fast, taking my car to the racetrack or going go-kart racing,' he says.

[Photo caption: Fyodor, the author of the Nmap network scanning software]

You'd think Mudge's use of a pseudonym would suggest he's an underground guy; an enemy of the establishment. But this good-guy hacker is about as close to the establishment as it gets. It was Mudge (pictured on this page with former US President Bill Clinton) who in 1998 told the US Senate that hackers could take down the Internet in 30 minutes. Now he's BBN Technologies' technical director of national intelligence research and applications. BBN is a government contractor in the US, which provides services for several, unspecified US Government agencies. He's a cryptography and hacking expert. Read between the lines.

[Photo caption: Peiter 'Mudge' Zatko]

As one of the members of L0pht Heavy Industries -- a Boston-based hacker collective that later formed the respected @Stake security company -- Mudge was behind L0phtCrack, the crème de la crème of password crackers. 'L0phtCrack was a password-cracking tool I wrote for use on and against Microsoft Windows systems,' he told PC Authority. 'It ended up working extremely well, too well for many people's liking.' At the time, he was responsible for auditing and maintaining several hundred systems. Most of them were Unix based, but increasingly he was being tasked with taking care of Windows boxes.
'There simply weren't any tools to do the equivalent password cracking and auditing on MS Windows systems as there were for Unix,' he says. 'So I had to write my own ... during that time I started looking into what Hobbit, a legendary Boston area hacker, had been working on ... he had pointed out to me that LANMAN, Microsoft's legacy [password storage mechanism], didn't look to be too well done. It sure wasn't.' What started out as an auditing tool turned into a demonstration that MS systems needed to be segmented on networks and treated as if their passwords were trivial to retrieve, which, thanks to L0phtCrack, they were. The tool completely broke Windows passwords. 'It was not a good tool, as many organisations and people claimed, for ensuring that users were choosing strong passwords based upon the amount of time that the program took to return the unencrypted password,' he says. 'It could, and usually did, return almost all of the passwords (on a targeted machine).' With that in mind, it was no surprise that Mudge was a tad miffed when L0phtCrack became a successful commercial product. He'd demonstrated just how bad Windows passwords were -- auditing them became moot -- yet the market lapped up the tool as an auditing suite. 'Originally I released L0phtCrack free of charge for most uses under a BSD style licence,' he says. Commercial users were supposed to pay a $25 fee, but no one was paying, and the tool had been downloaded hundreds of thousands of times from government networks. 'That didn't bother me as much as the support emails that started showing up, primarily from the US Government,' he says. 'We put a trivial timeout mechanism in to the next release of the software, and when I say trivial we went out of our way to make sure it was easily "crackable".'

[Photo caption: Mudge (with long hair) at the White House. He is Technical Director, National Intelligence Research and Applications at BBN Technologies.]
The people who were going to crack the software were not people who would have paid for it in the first place, so Mudge let them use it and spread the word about how effective it was. Within a very short period of time, the software was pulling in revenues 'well into the six figure range'. So what would Mudge say to those who'd charge him with writing a tool that can be used by the bad guys? 'Don't eat anything but strained food. Outlaw hammers. Arrest anyone who owns or drives a car ... these tools [can be] used by bad guys,' he says. 'The tool is not the issue. It's the person behind the tool that one needs to worry about.' In other words, password crackers don't kill people, people kill people. But it's not just passwords that he's known for breaking. Mudge also pioneered the techniques used to discover and exploit buffer overflow vulnerabilities. These are the class of vulnerabilities that lead to all the superworms -- Code Red, Slammer, Blaster and more. 'I'll probably get a few thousand years tacked on to my Purgatory sentence for my contribution to the field of buffer overflows,' Mudge jokes. Perhaps due to his relatively diverse expertise, Mudge is happy to weigh in on the Apple versus Windows security debate, a topic many shy away from. Unfortunately, he says, there's no clear winner. 'I'm a bit disappointed in Apple as they seem to be handling the security issue in the same marketing and PR fashion that Microsoft initially handled its security PR angle,' he says. He has nothing against the company, he says, and is a fan of Steve Jobs. Likewise, he's been impressed by the inroads Microsoft has made in its war on vulnerabilities. 'I'm also very impressed with how Microsoft, a very large organisation, has changed in how it handles security reports and patches in comparison to its initial "that vulnerability is completely theoretical" responses,' he says.
'[But] the simple fact is that both OSes have security problems.'

From rforno at infowarrior.org Thu Jan 11 22:55:56 2007 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 11 Jan 2007 22:55:56 -0500 Subject: [Infowarrior] - Senator to FCC: Don't even think about a broadcast flag Message-ID: Senator to FCC: Don't even think about a broadcast flag http://arstechnica.com/news.ars/post/20070111-8596.html 1/11/2007 10:08:30 AM, by Nate Anderson Senator John Sununu (R-NH) has just announced that his office is working on legislation that would prevent the FCC from creating specific technology mandates that have to be followed by consumer electronics manufacturers. What's his target? The broadcast flag. Television and movie studios have wanted a broadcast flag for years. The flag is a short analog or digital signal embedded into broadcasts that specifies what users can do with the content. It would most often be used to prevent any copying of broadcast material, but there's an obvious problem with the plan: it requires recording devices to pay attention to the flag. Because no consumers wander the aisles at Best Buy thinking, "You know, I would definitely buy this DVD recorder, but only if it supported broadcast flag technology," the industry has asked the federal government to step in and simply require manufacturers to respect the flag. At first they approached the FCC, and the FCC complied by dutifully trotting out some new broadcast flag regulations. Unfortunately for the content industry, the FCC doesn't generally have the right to tell manufacturers how to build their products. The rules were thrown out by an appeals court in 2005. Undaunted, the industry tried again in Congress. Last year, when a rewrite to the 1996 Telecommunications Act was being considered, broadcast flag legislation was in fact attached to the bill and even made it through committee before bogging down.
Sununu's bill will attempt to rein in the FCC and prevent it from reviving the broadcast flag without Congressional authorization to do so. "The FCC seems to be under the belief that it should occasionally impose technology mandates," Sununu said in a statement. "These misguided requirements distort the marketplace by forcing industry to adopt agency-blessed solutions rather than allow innovative and competitive approaches to develop. We have seen this happen with the proposed video flag, and interest groups are pushing for an audio flag mandate as well. Whether well-intentioned or not, the FCC has no business interfering in private industry to satisfy select special interests or to impose its own views."

From rforno at infowarrior.org Thu Jan 11 23:26:48 2007 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 11 Jan 2007 23:26:48 -0500 Subject: [Infowarrior] - Oracle offering early warning on security fixes Message-ID: Oracle offering early warning on security fixes By Joris Evers http://news.com.com/Oracle+offering+early+warning+on+security+fixes/2100-1002_3-6149632.html Story last modified Thu Jan 11 16:46:10 PST 2007 Following Microsoft's lead, business software giant Oracle is now giving system administrators a heads-up on its upcoming security patches. As part of its quarterly patch cycle, Oracle on Tuesday plans to release fixes for 52 security vulnerabilities across its products, the company said in a note on its Web site Thursday. Some of the bugs are serious and could allow a system running the vulnerable Oracle software to be compromised remotely by an anonymous attacker, it said. It is the first time Oracle has offered such advance notification. Microsoft has been giving customers a similar early warning since late 2004. Both companies have put their patches on a schedule so customers know when to expect them. The early warning is meant to allow for extra preparedness.
"This is something customers have asked us for," Darius Wiles, Oracle's senior manager of security alerts, said in an interview Thursday. "They want a heads-up of what's coming, so they can line up their operations staff to apply the patches." Oracle's advance notification goes further than Microsoft's, which only states the product family for which patches will be released and gives broad indication of bug severity. Oracle also lists the number of vulnerabilities it plans to patch and gives details of which products and components will get fixes. "The reason we included the components is because the customer may not be affected by certain vulnerabilities, if they have not installed particular components," Wiles said. Oracle is definitely a copycat, but it is copying a best practice, said John Pescatore, an analyst at Gartner. "It is a good idea," he said. "Microsoft has a lot of experience with issuing patches and dealing with what enterprises need to try to reduce the pain of patching." Microsoft was also first with putting security updates on a schedule in 2003, an example Oracle has followed since 2005. "I am not entirely surprised that we're seeing a convergence in the way different vendors are approaching security patch delivery," Wiles said. Oracle, of late, has been more candid about its security update process. Its October quarterly update, which included fixes for 101 vulnerabilities, for the first time included severity ratings. In that update, Oracle also indicated which bugs could be exploited over the Internet by anonymous attackers and added a summary of the security problems for each of its product categories. Oracle's Tuesday "Critical Patch Update" is planned to include twenty-seven fixes for Oracle database products, twelve for Application Server, seven for E-Business Suite, six for Enterprise Manager and three for PeopleSoft, according to Oracle's early warning note. 
From rforno at infowarrior.org Fri Jan 12 08:51:41 2007 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 12 Jan 2007 08:51:41 -0500 Subject: [Infowarrior] - OSVDB replies to Vuln Disclosure articles from yesterday Message-ID: From OSVDB: reply: Microsoft: Responsible Vulnerability Disclosure Protects Users http://osvdb.org/blog/?p=157 reply: MJR: The Vulnerability Disclosure Game: Are We More Secure? http://osvdb.org/blog/?p=158 reply: Full Disclosure of Security Vulnerabilities a "Damned Good Idea" http://osvdb.org/blog/?p=159

From rforno at infowarrior.org Fri Jan 12 09:41:19 2007 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 12 Jan 2007 09:41:19 -0500 Subject: [Infowarrior] - FW: How Apple kept its iPhone secrets In-Reply-To: Message-ID: (c/o M.S.) ------ Forwarded Message How Apple kept its iPhone secrets Bogus prototypes, bullying the press, stifling pillow talk - all to keep iPhone under wraps. Fortune's Peter Lewis goes inside one of the year's biggest tech launches. By Peter H. Lewis, Fortune senior editor January 10 2007: 7:00 PM EST SAN FRANCISCO (Fortune) -- One of the most astonishing things about the new Apple iPhone, introduced yesterday by Steve Jobs at the annual Macworld trade show, is how Apple managed to keep it a secret for nearly two-and-a-half years of development while working with partners like Cingular, Yahoo and Google. The iPhone, which won't be available in the United States until June, represents a close development partnership with America's largest wireless phone company (Cingular, now a part of AT&T, has 58 million subscribers), the world's largest e-mail service (Yahoo has a quarter-billion subscribers worldwide), and the world's dominant search company. Although speculation was rampant before the introduction that Apple would introduce a phone with iPod capabilities, actual details of the device were scarce.
Even some senior Apple managers whispered during the keynote that they were seeing the iPhone for the first time, along with the 4,000 other Apple followers who crammed the Moscone meeting center here. Indeed, Apple's emphasis on secrecy may have influenced Apple's choice of Cingular to be the exclusive provider for iPhone service in the United States. Apple, legendary for the ferocity with which it safeguards new product announcements, had extraordinary challenges in keeping the iPhone under wraps for 30 months. Besides involving Cingular, Google and Yahoo, not to mention the unnamed Asian manufacturer, the project touched nearly every department within Apple itself, Jobs said, more so than in any previous Apple creation. ... http://money.cnn.com/2007/01/10/commentary/lewis_fortune_iphone.fortune/

From rforno at infowarrior.org Fri Jan 12 10:04:18 2007 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 12 Jan 2007 10:04:18 -0500 Subject: [Infowarrior] - Matt Blaze on architecture and airport security Message-ID: Blog link: http://www.crypto.com/blog/airport_architecture/ TSA manual link: http://www.tsa.gov/assets/pdf/airport_security_design_guidelines.pdf Architecture and airport security Please try to compose yourself I saw an interesting story (thanks to Dave Farber's Interesting-People list) on how the TSA is considering selling advertising space at airport security checkpoints. My distaste at the prospect of being subjected to ads during these already humiliating and irritating screenings aside, I found the most fascinating part of this article to be its glimpse at the officious technical jargon that has emerged for airport security paraphernalia. Those grey tubs that you put your laptop in (after removing it from its case, of course) are apparently properly called "divestiture bins"; after X-ray, we retrieve our items at the "composure tables".
I don't know about you, but I don't usually feel especially composed after making it through a long security line. I'd say you can't make this stuff up, but apparently someone does. Newly armed with the official terminology, I did a bit of googling this morning and found the TSA's Airport Security Design guidelines. This 333 page (PDF format) manual specifies, in all the detail one could ever hope for, everything there is to know about designing the security infrastructure for an airport, right down to the layout of the divest tables for the X-ray ingress points at sterile concourse station SSCPs. It's all very meticulous and complete, even warning of the "potential for added delay while the passenger divests or composes" (page 99). For some geeky reason, I find all this mind-numbing detail about the physical architecture of security to make strangely compelling reading, and I can't help but look for loopholes and vulnerabilities as I skim through it. Somehow, for all the attention to minutiae in the guidelines, everything ends up just slightly wrong by the time it gets put together at an airport. Even if we accept some form of passenger screening as a necessary evil these days, today's checkpoints seem like case studies in basic usability failure designed to inflict maximum frustration on everyone involved. The tables aren't quite at the right height to smoothly enter the X-ray machines, bins slide off the edges of tables, there's never enough space or seating for putting shoes back on as you leave the screening area, basic instructions have to be yelled across crowded hallways. According to the TSA's manual, there are four models of standard approved X-ray machines, from two different manufacturers. All four have slightly different heights, and all are different from the heights of the standard approved tables. Do the people setting this stuff up ever actually fly?
And if they can't even get something as simple as the furniture right, how confident should we be in the less visible but more critical parts of the system that we don't see every time we fly?

From rforno at infowarrior.org Fri Jan 12 10:10:10 2007 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 12 Jan 2007 10:10:10 -0500 Subject: [Infowarrior] - iPhone Frequently Asked Questions In-Reply-To: Message-ID: Cool and as patented as it may be, from contracts to battery replacement to other functionality quirks, some of these 'shortcomings' don't exactly make me want to rush out and buy one for use as a SERIOUS phone replacement anytime soon......but would be a handy gadget to play with, for sure......rf (If you don't know, Pogue is the Walt Mossberg of Mac tech) The Ultimate iPhone Frequently Asked Questions http://pogue.blogs.nytimes.com/2007/01/11/the-ultimate-iphone-frequently-asked-questions/ ...and the Ilounge Review of iPhone, with some more findings/observations: http://www.ilounge.com/index.php/ipod/review/apple-iphone-hands-on/

From rforno at infowarrior.org Fri Jan 12 13:18:57 2007 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 12 Jan 2007 13:18:57 -0500 Subject: [Infowarrior] - No Porn On Sony HD-DVD Blu-ray? Message-ID: ....anyone think this ban will last? -rf No Porn On Sony HD-DVD Blu-ray? Thursday, January 11th, 2007 | 8:15 pm http://www.sgknox.com/2007/01/11/no-porn-on-blu-ray/ Has Sony gone mad? Prominent adult movie producer Digital Playground (site) says it is forced to use HD DVD instead of Blu-ray, because Sony does not allow XXX-rated movies to be released on Blu-ray. It does not matter how you stand to porn. It is here and it is a massive business. It is also an industry that is an early adopter for new media technology. VHS might not have won without the adult film industry adopting it. German Heise has interviewed Joone, the founder of Digital Playground, at the AVN 2007 show in Las Vegas.
Joone actually said last year he is committed to Blu-ray. Now they announced four HD DVD titles in the United States. In the interview Joone says he was forced to use HD DVD, because no Blu-ray disc manufacturer would make his discs, because Sony was against it and they would lose their license. If this holds true, Blu-ray is at a major disadvantage and could fail.

From rforno at infowarrior.org Fri Jan 12 14:14:54 2007 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 12 Jan 2007 14:14:54 -0500 Subject: [Infowarrior] - TSA screens Atlanta arrivals for metal on LEAVING airport Message-ID: (c/o G.A. Via boingboing) < - > http://www.salon.com/tech/col/smith/2007/01/12/askthepilot216/print.html My second grievance involves an experience I had several days ago at Hartsfield-Jackson airport in Atlanta. Just when I thought I'd seen everything: As we know from an earlier column, passengers arriving at U.S. airports from cities overseas must, after clearing customs and immigration, pass through a TSA checkpoint prior to boarding a domestic connecting flight. But what if I told you that in Atlanta, passengers arriving from overseas must pass through the checkpoint simply to exit the airport? Let's say you live in Atlanta and you've just come in from Frankfurt, Germany. You're not connecting, you're headed for the parking lot or the taxi stand or the MARTA station. Well, sorry, pal, first you have to stand in line, take off your coat and shoes, remove your computer, hand over your liquids and gels, and have your bags X-rayed. Mind you, this is the world's busiest airport in passengers (about 86 million annually). On a recent afternoon in the arrivals hall, the checkpoint line was half an hour long. Not only is the procedure inconvenient, it's bad for business, as people making tight connections are trapped in a queue behind those merely trying to leave the building.
Looking for answers, I called TSA headquarters in Washington, and was promptly put on hold for more than 45 minutes. During that stretch I was treated to an interminable tape loop of recorded baggage recommendations, including a reminder that "dips and sauces" are now among airport contraband. I finally reached Christopher White, the agency's regional spokesman, who provided a logical, if semi-satisfactory explanation: At Hartsfield-Jackson, all passengers landing from overseas collect their checked luggage and pass through U.S. customs and immigration within the international arrivals building, better known as concourse E. Having had access to their bags, these passengers cannot reenter the airport's secured areas without rescreening. That makes sense, as conceivably one could remove a dangerous item -- a legally packed weapon, say, or a 5-ounce tube of toothpaste -- from his or her suitcase. Unfortunately, concourse E was not constructed with a dedicated exit route. All channels of egress -- namely the interterminal walkways and/or "people mover" train -- pass through each of the remaining four concourses (five, actually, if you count the "T-Gates") on the way out. So, after clearing customs, suitcases are shuttled ahead separately to central baggage claim, while their owners are herded toward the X-ray machines. "It's troublesome for people, I realize," says White, who reminds us that a new and better-designed international facility is scheduled to open at ATL by 2010. "But remember, concourse E was designed long before Sept. 11." Be that as it may, passengers who've been in contact with checked luggage have always required rechecks before proceeding through secure zones, have they not? Sounds more like a design flaw. Not providing a dedicated exit was, if you ask me, a little like forgetting to install bathrooms. 
There are plenty of nice things about concourse E -- it's an attractive and spacious building with some interesting gate-side art exhibits -- but this isn't one of them. And we have to wonder, what happens if an arriving passenger doesn't cooperate? What if somebody refuses to take off his shoes? Is he prohibited from going home? Somebody ought to try it and find out. Seriously, after months of ridiculing the TSA's methods, I'm beginning to wonder if perhaps the best way of undermining the agency's folly isn't to employ some protest and civil disobedience. Granted, nobody wants to get his or her name on a government no-fly list, but in a nation where the mildest injustices bring out the pickets and sandwich boards, we've been abashedly sheepish at the airport. Where's the uppity David Stempler and his Air Travelers Association? Where's old Nat Heatwole? For that matter, where's Boyd Rice or Jello Biafra? That's so early '80s, I know, but they were such incisive pranksters, and what better laboratory for farce than a TSA checkpoint? What happens, for instance, if I try to carry a snowman onto an airplane? While you're mulling that over, allow me to correct something. A few paragraphs ago I spoke of "customs and immigration." That's a misnomer, of course, now that the name has been changed to the more paramilitary-sounding Customs and Border Protection. One of those games we play with signage and uniforms. We don't want newly landed foreigners getting any funny ideas as they wait to be photographed and fingerprinted. 
From rforno at infowarrior.org Fri Jan 12 14:18:52 2007 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 12 Jan 2007 14:18:52 -0500 Subject: [Infowarrior] - Internet should be run by key players: new ITU boss Message-ID: Internet should be run by key players: new ITU boss Fri Jan 12, 2007 1:06 PM ET http://today.reuters.com/news/articlenews.aspx?type=internetNews&storyid=2007-01-12T180345Z_01_L12910538_RTRUKOC_0_US-INTERNET-UN-ITU.xml&src=rss&rpc=22 GENEVA (Reuters) - The Internet should continue to be overseen by major agencies including ICANN and the ITU, rather than any new "superstructure", the new head of the International Telecommunications Union said on Friday. Hamadoun Toure, who took up the reins of the United Nations agency this month, said the ITU would focus on tackling cyber-security and in narrowing the "digital divide" between rich and poor countries. "We all must work together, each agency has its role to play. We must come to a better cooperation ... and avoid setting up a superstructure which would be very controversial and very difficult to put into effect," Toure told a news conference. The Internet Corporation for Assigned Names and Numbers (ICANN), a California-based non-profit company, manages the Internet's domain-name addressing system. It reports to the U.S. Commerce Department, which last September said it would retain oversight for three more years. Some critics say the U.S. government has too much control over ICANN, which has evolved into a crucial engine for global commerce, communications and culture. Countries such as Iran and Brazil have argued that the Internet should be managed by the United Nations or another global body. "It is not my intention to take over the governance of Internet. I don't think it is in the mandate of ITU and as secretary-general I will continue to contribute to the debate over Internet governance and continue to provide technical support," said Toure, an electrical engineer from Mali.
"I will be focusing on cyber-security ...," he added. But asked about repression of freedom of expression on the Internet, including in China where Internet users have been imprisoned, Toure replied: "Freedom of expression is a question of content-editing, which is beyond the mandate of ITU." "ITU does not deal with the content of the Internet, but it has to be involved in the security of the network," he said. In addition to overseeing electronic numbering, ITU will back the Internet's growth through broadband standardization, e-commerce security, and video-recording systems that will enable 3G to be accessible to the Internet, according to Toure. Toure, who joined ITU in 1999, was elected secretary-general last November, succeeding Japan's Yoshio Utsumi. The agency has 191 member states and 640 private sector members. © Reuters 2007. All rights reserved. Republication or redistribution of Reuters content, including by caching, framing or similar means, is expressly prohibited without the prior written consent of Reuters. Reuters and the Reuters sphere logo are registered trademarks and trademarks of the Reuters group of companies around the world.

From rforno at infowarrior.org Fri Jan 12 14:24:10 2007 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 12 Jan 2007 14:24:10 -0500 Subject: [Infowarrior] - Senators aim to restrict Net, satellite radio recording Message-ID: Senators aim to restrict Net, satellite radio recording By Anne Broache http://news.com.com/Senators+aim+to+restrict+Net%2C+satellite+radio+recording/2100-1028_3-6149915.html Story last modified Fri Jan 12 10:55:40 PST 2007 Satellite and Internet radio services must restrict listeners' ability to record and play back individual songs, under new legislation introduced this week in the U.S. Senate.
The rules are embedded in a copyright bill called the "Platform Equality and Remedies for Rights Holders in Music Act," or Perform Act, which was reintroduced Thursday by Senators Dianne Feinstein (D-Calif.), Lindsey Graham (R-S.C.), Joseph Biden (D-Del.) and Lamar Alexander (R-Tenn.). They have pitched the proposal, which first emerged in an earlier version last spring, as a means to level the playing field among "radio-like services" available via cable, satellite and the Internet. By their description, that means requiring all such services to pay "fair market value" for the use of copyright music libraries.

The bill's sponsors argue the existing regime must change because it applies different royalty rates, depending on what medium transmits the music. But the measure goes further, taking aim at portable satellite radio devices, such as XM Satellite Radio's Inno player, that allow consumers to store copies of songs originally played on-air.

The proposal says that all audio services--Webcasters included--would be obligated to implement "reasonably available and economically reasonable" copy-protection technology aimed at preventing "music theft" and restricting automatic recording.

"New radio services are allowing users to do more than simply listen to music," Feinstein said in a statement. "What was once a passive listening experience has turned into a forum where users can record, manipulate, collect and create personalized music libraries."

The Recording Industry Association of America applauded the effort and urged Congress to make enacting the law a top priority this year. The lobbying group sued XM last year over a music-storing device offered by the service, arguing that it should have to pay licensing fees akin to what Apple pays to run its iTunes download service.

"We love satellite radio," RIAA CEO Mitch Bainwol said in a statement. "But this is simply no way to do business.
It's in everyone's best interest to ensure a marketplace where fair competition can thrive."

In what the bill's sponsors describe as an attempt to avoid "harming" songwriters and performers, the Perform Act makes distinctions about what sort of recordings listeners would be allowed to make, according to a copy of the bill obtained by CNET News.com.

Radio listeners would be permitted to set their devices to automatically record full radio programs on certain channels at certain times. But allowing users to program their devices to automatically find and record specific sound recordings, artists or albums--say, only all Michael Jackson tracks played on the service--would be prohibited. So-called "manual" recording would be allowed, as long as it's done "in a manner that is not an infringement of copyright."

In addition, the services would have to employ technological protection measures that prevent people from "separating component segments of the copyrighted material" contained in broadcasts. And they would be required to restrict users' "redistribution, retransmission or other exporting" of all or part of copyright music to other devices--unless the destination device is part of a secure in-home network that also limits the scope of automated recordings.

It is unclear how the proposed requirements would affect software recorders. A Mac OS X utility called StreamRipperX, for instance, permits songs from Internet radio stations to be saved as unprotected MP3 files. If future versions of such software tried to circumvent the digital rights management (DRM) technology used in encrypted broadcasts, they would almost certainly violate the Digital Millennium Copyright Act.

Digital rights advocacy groups vowed to fight the proposal. A similar bill of the same name introduced last spring encountered considerable resistance from such groups and individual Webcasters, even spawning an opposition Web site.
Opponents argue the proposed rules would stymie users' ability to record music off of the radio. And by forcing Webcasters to blanket their content with DRM schemes, they would essentially erase the possibility of editing broadcasts for personal use and would potentially make the shows interoperable with fewer portable players.

Under current law, Webcasters must pay royalties to record companies and may not assist their users in recording their Webcasts, but they do not have to employ DRM. Most streaming radio stations, including those operated through Live365, ShoutCast and Apple's iTunes, use an open MP3-streaming format.

The proposal "remains a fundamental assault on consumers' reasonable rights and expectations about home recording and fair use in any modern context," said Robert Schwartz, general counsel to the Home Recording Rights Coalition.

Gigi Sohn, president of advocacy group Public Knowledge, said she sympathized with calls for streamlined music licensing but blasted the bill as "a direct attack on the satellite music industry and on nascent terrestrial digital radio." She said the bill attempts wrongly to equate download services like iTunes with radio services.

"This bill looks to the past rather than to the future," she said in a statement, "by limiting the ability of consumers to use material to which they have subscribed and by limiting future innovations in electronics."

CNET News.com's Declan McCullagh contributed to this report.
From rforno at infowarrior.org Fri Jan 12 20:32:52 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 12 Jan 2007 20:32:52 -0500
Subject: [Infowarrior] - DHS to Outsource REAL ID
Message-ID:

Activist: DHS considering outsourcing work for ID law
http://www.govexec.com/story_page.cfm?articleid=35855
By Michael Martinez, National Journal's Technology Daily

The Homeland Security Department plans to outsource to a private firm the implementation of a federal law mandating nationwide standards for identification cards, according to a privacy activist who claims to have obtained portions of draft regulations circulated last week.

Homeland Security sent to the White House Office of Management and Budget proposed regulations for the so-called REAL ID Act. The department recommends that a private data aggregator be responsible for key elements of the law's implementation, according to a document posted by Bill Scannell, a spokesman for the Identity Project. OMB is allowed 90 days to review the draft regulations.

Civil libertarians have cited concerns that REAL ID effectively creates a national ID system.

Scannell did not say if Homeland Security recommended a particular vendor, but he claimed that Secretary Michael Chertoff personally ordered a plan to hire a private data aggregator for license and ID card checks.

"Homeland Security is granting the right to control our identity to private industry," Scannell wrote on the Web site UnRealID.com. "It will be Identity-Mart Inc."

A Homeland Security spokesman declined to comment on the issue.

Some states already are moving to reject REAL ID. A bill authored by Montana state Rep. Brady Wiseman would direct the state's Justice Department not to implement the law. The proposal has been referred to the state House Judiciary Committee.

According to Wiseman's bill, REAL ID is "inimical to the security of the people of Montana, will cause unneeded expense and inconvenience to those people, and was adopted by the U.S.
Congress in violation of the principles of federalism contained in the 10th Amendment of the U.S. Constitution."

A study released last year by the American Association of Motor Vehicle Administrators, the National Conference of State Legislatures and the National Governors Association estimated that REAL ID will cost states at least $11 billion over the next six years to comply.

Sens. Daniel Akaka, D-Hawaii, and John Sununu, R-N.H., introduced legislation at the end of last year to repeal REAL ID. Their bill would have reinstated language from a 2004 intelligence law establishing a rulemaking process for the development of federal standards for driver's licenses and ID cards. Akaka, the new chairman of the Senate Commerce Committee, and Sununu are expected to re-file that proposal in the 110th Congress.

Wiseman's bill would make Montana the first state to opt out of REAL ID. A measure to reject the law almost succeeded in New Hampshire last spring, but it died in the state Senate. Supporters of that bill cited various concerns about REAL ID, particularly about whether New Hampshire would be forced to return pilot funding it had received to comply with the law. There also was resistance from civil libertarians who argued it would threaten the privacy of New Hampshire residents.

Anti-REAL ID bills are expected in several other states in 2007. State lawmakers approved a resolution at NCSL's annual conference last summer demanding funding from the federal government to comply with the law.

Wiseman said he would be opposed to REAL ID regardless of how much money it will cost states to comply. "No amount of funding is going to make compliance okay for me," he said. "This isn't about money."
From rforno at infowarrior.org Fri Jan 12 20:35:37 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 12 Jan 2007 20:35:37 -0500
Subject: [Infowarrior] - US Attorney Carol Lam fired
Message-ID:

Lam is asked to step down
http://www.signonsandiego.com/news/metro/20070112-9999-1n12lam.html
Job performance said to be behind White House firing
By Kelly Thornton and Onell R. Soto
UNION-TRIBUNE STAFF WRITERS
January 12, 2007

The Bush administration has quietly asked San Diego U.S. Attorney Carol Lam, best known for her high-profile prosecutions of politicians and corporate executives, to resign her post, a law enforcement official said.

Lam, a Bush appointee who took the helm in 2002, was targeted because of job performance issues -- in particular that she failed to make smuggling and gun cases a top priority, said the official, who declined to be identified because Lam has yet to step down.

Lam has had high-profile successes during her tenure, such as the Randy "Duke" Cunningham bribery case -- but she alienated herself from bosses at the Justice Department because she is outspoken and independent, said local lawyers familiar with her policies.

When she took over, Lam made it clear that she planned to focus less on low-level smuggling cases in favor of public corruption and white collar crime, which would mean fewer but more significant prosecutions.

Lam declined to comment yesterday.

Several prosecutors in Lam's office and many defense lawyers said yesterday that they were unaware of her impending dismissal, and were universally shocked by it.

"It's virtually unprecedented to fire a U.S. Attorney absent some misconduct in office," said criminal defense attorney Michael Attanasio, a former federal prosecutor. "This office has clearly made a priority of investigating and prosecuting white collar offenses and has had occasional success doing so," he said.
"One would think that would be valued by any administration, even if it meant fewer resources were devoted to routine and repetitive border crimes."

Lam, 47, has been criticized by members of the Border Patrol agents union and by members of Congress, including Vista Republican Darrell Issa, who accused her office of "an appalling record of refusal to prosecute even the worst criminal alien offenders."

But even some of Lam's legal opponents said the supposed reasons she is being forced out are perplexing.

"What do they want her to do, lock up Mexico?" said Mario Conte, former chief of Federal Defenders of San Diego Inc.

Conte, now a professor at California Western School of Law in downtown San Diego, said every prosecutor walks a tightrope. "I'm sure that Carol, in her role, is simply not able to accommodate everybody's desires of what they think the U.S. Attorney should be doing in this district."

Her most prominent case involved Cunningham. The former Rancho Santa Fe congressman is in federal prison, and indictments of others connected to the case may be forthcoming.

Her office is also prosecuting Francisco Javier Arellano-Félix, a suspected Mexican drug kingpin, who is in federal custody in San Diego facing charges that could lead to the death penalty.

Two San Diego city councilmen were convicted of corruption charges by Lam's office, but a judge reversed the jury's verdict for one of the men.

Lam spent almost a year personally prosecuting a national hospital chain that she said used complex agreements to pay off local doctors in return for referrals. That case ended in a mistrial.

But under Lam, the overall number of prosecutions has plummeted. In 2001, the year before she took over, federal prosecutors in San Diego and Imperial counties filed 5,266 cases, while in 2005, the office prosecuted 3,261 cases, according to statistics compiled by the Transactional Records Access Clearinghouse at Syracuse University from federal reports.
Of the 2001 cases, 2,419 were related to immigration, while that number stood at 1,641 in 2005. Although the number of cases dropped significantly in 2005, a higher percentage were immigration-related -- 50 percent in 2005 compared with 46 percent in 2001.

Most of the other prosecutions were drug cases, with 2,294 filed in 2001 and 1,290 in 2005. There were 14 weapons cases in 2001, and eight in 2005.

Some in the defense community were glad to hear there may be change at the U.S. Attorney's Office.

"She has shown a certain tunnel vision in her prosecutions and has exercised an appalling lack of discretion in terms of the individuals she has targeted for prosecution and the classes of crimes that she has chosen to direct her resources at," said criminal defense attorney Geoffrey C. Morrison, who represented a defendant in the City Hall corruption case prosecuted by Lam's office.

"Having somebody with a more broad-minded approach and a greater sense of fairness and justice will do the legal community a tremendous justice," he said.

Lam, a career prosecutor, former Superior Court judge and political independent, sent an e-mail to her staff late in the afternoon in which she neither confirmed nor denied that she was asked to step down. She told attorneys not to let speculation interfere with their work. She also told them not to speak to reporters about the subject, but to refer calls to her spokeswoman, according to a recipient of the e-mail who asked not to be identified for fear of reprisal.

U.S. attorneys are usually appointed by the president and require Senate approval. They typically serve the same term as the president that appointed them, and are replaced when a new president is elected. However, a provision in the Patriot Act that was revised last year allows the Attorney General to appoint interim U.S. Attorneys for indefinite terms when vacancies arise, without Senate confirmation. Filling interim vacancies had been the responsibility of the district court.
Sen. Dianne Feinstein, D-Calif., criticized the Bush administration yesterday for "pushing out U.S. Attorneys from across the country under the cloak of secrecy."

"We don't know how many U.S. Attorneys have been asked to resign -- it could be two, it could be ten, it could be more. No one knows," she said in a statement.

Feinstein said the administration was abusing its executive power by trying to circumvent the Senate confirmation process. She and two colleagues proposed legislation yesterday to restore appointment authority to the district court when a vacancy occurs and an interim leader is needed.

Lam is one of several prosecutors who have either resigned under pressure or been told to leave in recent months. New Mexico U.S. Attorney David Iglesias is among those who have announced they are stepping down.

"I was asked to resign," he said. "I asked (why) and wasn't given any answers. I ultimately am OK with that. We all take these jobs knowing we serve at the pleasure of the president."

H.E. "Bud" Cummins, who left the post of U.S. Attorney in Little Rock, Ark., wouldn't say whether he was asked. His replacement, J. Timothy Griffin, was an Army prosecutor who worked in the White House and for the Republican National Committee. Arkansas' senators, both Democrats, have criticized the way in which he was selected because it did not require Senate approval.

It's not the intent of the Justice Department to avoid the confirmation process, and the department is committed to working with senators when making a nomination, a department spokesman said.

Of 11 U.S. Attorney vacancies since the Attorney General gained the authority to make the appointments in March 2006, the Bush administration has nominated four people and interviewed seven others, all of whom are expected to complete the confirmation process, said Justice Department spokesman Brian Roehrkasse.

"In every case, it is a goal of this administration to have a U.S. Attorney that is confirmed by the Senate,"
Roehrkasse said. "It is wrong for a member of Congress to believe that this is in any way an attempt to circumvent the confirmation process."

Kelly Thornton: (619) 542-4571; kelly.thornton at uniontrib.com

From rforno at infowarrior.org Fri Jan 12 22:15:50 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 12 Jan 2007 22:15:50 -0500
Subject: [Infowarrior] - The Pirate Bay plans to buy island
Message-ID:

The Pirate Bay plans to buy island
Published: 12th January 2007 12:37 CET
Online: http://www.thelocal.se/6076/

Swedish file-sharing website The Pirate Bay is planning to buy its own nation in an attempt to circumvent international copyright laws.

The group has set up a campaign to raise money to buy Sealand, a former British naval platform in the North Sea that has been designated a 'micronation', and claims to be outside the jurisdiction of the UK or any other country.

The Pirate Bay says it is the world's largest 'bit torrent tracker', and is a popular way of sharing music, films, software and other copyrighted material online. It has been under the scrutiny of authorities in Sweden and around the world for some time.

The site was briefly closed down after raids by the Swedish police last May. After initially moving to the Netherlands, the site returned to Sweden in June.

Swedish authorities have been put under pressure to do more to stop the site. The Motion Picture Association of America, the Swedish Anti-Piracy Bureau and the US government have all lobbied for The Pirate Bay's closure.

According to a website set up to secure the purchase of Sealand, The Pirate Bay plans to give citizenship of the micronation to anyone willing to put money towards the purchase.

"It should be a great place for everybody, with high-speed Internet access, no copyright laws and VIP accounts to The Pirate Bay," the organisation claims on its website www.buysealand.com.
The "island" of Sealand, seven miles off the coast of southern England, was settled in 1967 by an English major, Paddy Roy Bates. Bates proclaimed Sealand a state, issuing passports and gold and silver Sealand dollars and declaring himself Prince Roy.

When the British Royal Navy tried to evict Prince Roy in 1968, a judge ruled that the platform was outside British territorial waters and therefore beyond government control. The British government subsequently extended its territorial waters from three to twelve nautical miles from the coast, which would include Sealand, but Prince Roy simultaneously extended Sealand's waters, claiming that this guaranteed Sealand's sovereignty.

The island is now being put up for sale by Prince Roy's son, Prince Michael, who styles himself head of state. A firm of Spanish estate agents has valued the island at £504 million (about 7 billion kronor), although Prince Michael told The Times of London that it is hard to gauge how much it will fetch in reality.

The Pirate Bay says it is looking at alternatives to buying the former naval platform. "If we do not get enough money required to buy the micronation of Sealand, we will try to buy another small island somewhere and claim it as our own country," the organization says on its website.

James Savage

From rforno at infowarrior.org Sat Jan 13 00:18:44 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 13 Jan 2007 00:18:44 -0500
Subject: [Infowarrior] - FW: National Archives Announces New "Service"
In-Reply-To:
Message-ID:

(via IP)

------ Forwarded Message
From: Carl

It is perhaps of no great shock to anybody that a deal has been reached between the National Archives and a private contractor, for digitization of our national heritage. As these things always go, the private sector will add lots of value to this otherwise unusable bunch of useless data in return for certain assurances from the government.
Here's the press release:
http://www.archives.gov/press/press-releases/2007/nr07-41.html

As is of course required for any government procurement, a copy of the contract is available for everybody to look at:
http://www.archives.gov/iarchives/iarchives-digitization-agreement.html

The digitization effort is being provided by an honest-to-goodness web 2.0 .com startup:
http://www.footnote.com/

"Millions of original documents - most never seen on the web before."

And, if you read the footnote.com terms of service, you'll note that our national heritage has been re-classified as adults-only. You have to be 18 to get an account and under no circumstances may anybody under 13 be allowed to look at archival documents:
http://www.footnote.com/termsandconditions.php

The National Archives receives a copy of all the digital media for their archives, but the contract prohibits the Internet Archive (or anybody else for that matter) from having a copy of that data.

It is amazing to me how often the government goes down the road of trying to privatize public information.

From rforno at infowarrior.org Sat Jan 13 00:46:53 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 13 Jan 2007 00:46:53 -0500
Subject: [Infowarrior] - Legislation introduced in response to U.S. attorney appointments
Message-ID:

Legislation introduced in response to U.S. attorney appointments
Friday, Jan 12, 2007
http://www.arkansasnews.com/archive/2007/01/12/WashingtonDCBureau/339592.html
By Aaron Sadler
Stephens Washington Bureau

WASHINGTON - Days after the attorney general named a former White House official to serve as interim U.S. attorney in Little Rock, Sen. Mark Pryor added his name Thursday to a bill to restrict the attorney general's appointment power.

Pryor, D-Ark., joined Sens. Patrick Leahy, D-Vt., and Dianne Feinstein, D-Calif., in introducing legislation to change a provision of the Patriot Act that allows for indefinite appointments without Senate confirmation.
The senators said the law circumvents the traditional process of Senate consent of executive branch appointments.

In December, Pryor and Sen. Blanche Lincoln, D-Ark., protested the appointment of Tim Griffin as interim U.S. attorney for the Eastern District of Arkansas. Griffin, 38, is an Arkansas native who was White House deputy director of political affairs under Karl Rove. He also served as head of opposition research for the Republican National Committee.

Pryor said Griffin should have to face the Senate for a confirmation vote, especially because of his political connections.

"Arkansas has learned first hand the unintended consequence of a little-known provision in the Patriot Act," Pryor said. "Unfortunately, the spirit and intent in which this provision was constructed has been abused and needs to be corrected."

Griffin declined to comment Wednesday on the proposed legislation.

The Patriot Act, reauthorized last year, gives attorneys general power to fill vacancies for an indefinite period of time. Before that, the attorney general could make interim appointments for no more than 120 days. Before 1986, the district courts within which vacancies arise had authority to appoint interim U.S. attorneys. Pryor's legislation would again give district courts interim appointment authority.

"It appears that the administration has chosen to use this provision, which was intended to help protect our nation, to circumvent the transparent constitutional Senate confirmation process (and) reward political allies," Pryor said.

President Bush can appoint Griffin permanently, triggering the confirmation process; or, conceivably, Griffin can serve indefinitely.

The Griffin appointment is not the only one being questioned by senators, according to a joint statement from Feinstein, Leahy and Pryor. They said several U.S. attorneys have been asked by the Department of Justice to resign without cause. They are unaware of the specific number who have resigned.
"We believe that this use of expanded executive authority to appoint interim replacements indefinitely undermines essential constitutional checks and balances," Feinstein said.

Leahy, chairman of the Senate Judiciary Committee, called the moves "political gerrymandering."

Former Eastern District attorney Bud Cummins had announced plans to step down months before Griffin's nomination. The Eastern District consists of 41 Arkansas counties, including the cities of Little Rock and Pine Bluff.

From rforno at infowarrior.org Sat Jan 13 22:07:54 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 13 Jan 2007 22:07:54 -0500
Subject: [Infowarrior] - Military Expands Intelligence Role in U.S.
Message-ID:

January 14, 2007
Military Expands Intelligence Role in U.S.
By ERIC LICHTBLAU and MARK MAZZETTI
http://www.nytimes.com/2007/01/14/washington/14spy.html?ei=5094&en=203bd3d1f0cd9644&hp=&ex=1168750800&partner=homepage&pagewanted=print

WASHINGTON, Jan. 13 -- The Pentagon has been using a little-known power to obtain banking and credit records of hundreds of Americans and others suspected of terrorism or espionage inside the United States, part of an aggressive expansion by the military into domestic intelligence gathering.

The C.I.A. has also been issuing what are known as national security letters to gain access to financial records from American companies, though it has done so only rarely, intelligence officials say.

Banks, credit card companies and other financial institutions receiving the letters usually have turned over documents voluntarily, allowing investigators to examine the financial assets and transactions of American military personnel and civilians, officials say.

The F.B.I., the lead agency on domestic counterterrorism and espionage, has issued thousands of national security letters since the attacks of Sept. 11, 2001, provoking criticism and court challenges from civil liberties advocates who see them as unjustified intrusions into Americans'
private lives.

But it was not previously known, even to some senior counterterrorism officials, that the Pentagon and the Central Intelligence Agency have been using their own "noncompulsory" versions of the letters. Congress has rejected several attempts by the two agencies since 2001 for authority to issue mandatory letters, in part because of concerns about the dangers of expanding their role in domestic spying.

The military and the C.I.A. have long been restricted in their domestic intelligence operations, and both are barred from conducting traditional domestic law enforcement work. The C.I.A.'s role within the United States has been largely limited to recruiting people to spy on foreign countries.

Carl Kropf, a spokesman for the director of national intelligence, said intelligence agencies like the C.I.A. used the letters on only a "limited basis."

Pentagon officials defended the letters as valuable tools and said they were part of a broader strategy since the Sept. 11 attacks to use more aggressive intelligence-gathering tactics -- a priority of former Defense Secretary Donald H. Rumsfeld. The letters "provide tremendous leads to follow and often with which to corroborate other evidence in the context of counterespionage and counterterrorism," said Maj. Patrick Ryder, a Pentagon spokesman.

Government lawyers say the legal authority for the Pentagon and the C.I.A. to use national security letters in gathering domestic records dates back nearly three decades and, by their reading, was strengthened by the antiterrorism law known as the USA Patriot Act.

Pentagon officials said they used the letters to follow up on a variety of intelligence tips or leads.
While they would not provide details about specific cases, military intelligence officials with knowledge of them said the military had issued the letters to collect financial records regarding a government contractor with unexplained wealth, for example, and a chaplain at Guantánamo Bay erroneously suspected of aiding prisoners at the facility.

Usually, the financial documents collected through the letters do not establish any links to espionage or terrorism and have seldom led to criminal charges, military officials say. Instead, the letters often help eliminate suspects.

"We may find out this person has unexplained wealth for reasons that have nothing to do with being a spy, in which case we're out of it," said Thomas A. Gandy, a senior Army counterintelligence official.

But even when the initial suspicions are unproven, the documents have intelligence value, military officials say. In the next year, they plan to incorporate the records into a database at the Counterintelligence Field Activity office at the Pentagon to track possible threats against the military, Pentagon officials said. Like others interviewed, they would speak only on the condition of anonymity.

Military intelligence officers have sent letters in up to 500 investigations over the last five years, two officials estimated. The number of letters is likely to be well into the thousands, the officials said, because a single case often generates letters to multiple financial institutions. For its part, the C.I.A. issues a handful of national security letters each year, agency officials said.

Congressional officials said members of the House and Senate Intelligence Committees had been briefed on the use of the letters by the military and the C.I.A.

Some national security experts and civil liberties advocates are troubled by the C.I.A.
and military taking on domestic intelligence activities, particularly in light of recent disclosures that the Counterintelligence Field Activity office had maintained files on Iraq war protesters in the United States in violation of the military's own guidelines. Some experts say the Pentagon has adopted an overly expansive view of its domestic role under the guise of "force protection," or efforts to guard military installations.

"There's a strong tradition of not using our military for domestic law enforcement," said Elizabeth Rindskopf Parker, a former general counsel at both the National Security Agency and the C.I.A. who is the dean at the McGeorge School of Law at the University of the Pacific. "They're moving into territory where historically they have not been authorized or presumed to be operating."

Similarly, John Radsan, an assistant general counsel at the C.I.A. from 2002 to 2004 and now a law professor at William Mitchell College of Law in St. Paul, said, "The C.I.A. is not supposed to have any law enforcement powers, or internal security functions, so if they've been issuing their own national security letters, they better be able to explain how they don't cross the line."

The Pentagon's expanded intelligence-gathering role, in particular, has created occasional conflicts with other federal agencies. Pentagon efforts to post American military officers at embassies overseas to gather intelligence for counterterrorism operations or future war plans have rankled some State Department and C.I.A. officials, who see the military teams as duplicating and potentially interfering with the intelligence agency.

In the United States, the Federal Bureau of Investigation has complained about military officials dealing directly with local police -- rather than through the bureau -- for assistance in responding to possible terrorist threats against a military base. F.B.I.
officials say the threats have often turned out to be uncorroborated and, at times, have stirred needless anxiety.

The military's frequent use of national security letters has sometimes caused concern among the businesses receiving them, a counterterrorism official said. Lawyers at financial institutions, which routinely provide records to the F.B.I. in law enforcement investigations, have contacted bureau officials to say they were confused by the scope of the military's requests and whether they were obligated to turn the records over, the official said. Companies are not eager to turn over sensitive financial data about customers to the government, the official said, "so the more this is done, and the more poorly it's done, the more pushback there is for the F.B.I."

The bureau has frequently relied on the letters in recent years to gather telephone and Internet logs, financial information and other records in terrorism investigations, serving more than 9,000 letters in 2005, according to a Justice Department tally. As an investigative tool, the letters present relatively few hurdles; they can be authorized by supervisors rather than a court. Passage of the Patriot Act in October 2001 lowered the standard for issuing the letters, requiring only that the documents sought be "relevant" to an investigation and allowing records requests for more peripheral figures, not just targets of an inquiry.

Some Democrats have accused the F.B.I. of using the letters for fishing expeditions, and the American Civil Liberties Union won court challenges in two cases, one for library records in Connecticut and the other for Internet records in Manhattan. Concerned about possible abuses, Congress imposed new safeguards in extending the Patriot Act last year, in part by making clear that recipients of national security letters could contact a lawyer and seek court review.
Congress also directed the Justice Department inspector general to study the F.B.I.'s use of the letters, a review that is continuing.

Unlike the F.B.I., the military and the C.I.A. do not have wide-ranging authority to seek records on Americans in intelligence investigations. But the expanded use of national security letters has allowed the Pentagon and the intelligence agency to collect records on their own. Sometimes, military or C.I.A. officials work with the F.B.I. to seek records, as occurred with an American translator who had worked for the military in Iraq and was suspected of having ties to insurgents.

After the Sept. 11 attacks, Mr. Rumsfeld directed military lawyers and intelligence officials to examine their legal authorities to collect intelligence both inside the United States and abroad. They concluded that the Pentagon had "way more" legal tools than it had been using, a senior Defense Department official said.

Military officials say the Right to Financial Privacy Act of 1978, which establishes procedures for government access to sensitive banking data, first authorized them to issue national security letters. The military had used the letters sporadically for years, officials say, but the pace accelerated in late 2001, when lawyers and intelligence officials concluded that the Patriot Act strengthened their ability to use the letters to seek financial records on a voluntary basis and to issue mandatory letters to obtain credit ratings, the officials said.

The Patriot Act does not specifically mention military intelligence or C.I.A. officials in connection with the national security letters. Some F.B.I. officials said they were surprised by the Pentagon's interpretation of the law when military officials first informed them of it. "It was a very broad reading of the law," a former counterterrorism official said.
While the letters typically have been used to trace the financial transactions of military personnel, they also have been used to investigate civilian contractors and people with no military ties who may pose a threat to the military, officials said. Military officials say they regard the letters as one of the least intrusive means to gather evidence. When a full investigation is opened, one official said, it has now become "standard practice" to issue such letters.

One prominent case in which letters were used to obtain financial records, according to two military officials, was that of a Muslim chaplain at Guantánamo Bay, Cuba, who was suspected in 2003 of aiding terror suspects imprisoned at the facility. The espionage case against the chaplain, James J. Yee, soon collapsed.

Eugene Fidell, a defense lawyer for the former chaplain and a military law expert, said he was unaware that military investigators may have used national security letters to obtain financial information about Mr. Yee, nor was he aware that the military had ever claimed the authority to issue the letters. Mr. Fidell said he found the practice "disturbing," in part because the military does not have the same checks and balances when it comes to Americans' civil rights as does the F.B.I. "Where is the accountability?" he asked. "That's the evil of it -- it doesn't leave fingerprints."

Even when a case is closed, military officials said they generally maintain the records for years because they may be relevant to future intelligence inquiries. Officials at the Pentagon's counterintelligence unit say they plan to incorporate those records into a database, called Portico, on intelligence leads. The financial documents will not be widely disseminated, but limited to investigators, an intelligence official said. "You don't want to destroy something only to find out that the same guy comes up in another report and you don't know that he was investigated before," the official said.
The Counterintelligence Field Activity office, created in 2002 to better coordinate the military's efforts to combat foreign intelligence services, has drawn criticism for some domestic intelligence activities. The agency houses an antiterrorist database of intelligence tips and threat reports, known as Talon, which had been collecting information on antiwar planning meetings at churches, libraries and other locations. The Defense Department has since tightened its procedures for what kind of information is allowed into the Talon database, and the counterintelligence office also purged more than 250 incident reports from the database that officials determined should never have been included because they centered on lawful political protests by people opposed to the war in Iraq.

From rforno at infowarrior.org Sun Jan 14 12:08:13 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 14 Jan 2007 12:08:13 -0500
Subject: [Infowarrior] - Deletions in Army Manual Raise Wiretapping Concerns
Message-ID:

(c/o DanO)

January 14, 2007
Deletions in Army Manual Raise Wiretapping Concerns
By ERIC LICHTBLAU and MARK MAZZETTI
http://www.nytimes.com/2007/01/14/washington/14spyside.html?_r=1&oref=slogin&pagewanted=print

WASHINGTON, Jan. 13 -- Deep into an updated Army manual, the deletion of 10 words has left some national security experts wondering whether government lawyers are again asserting the executive branch's right to wiretap Americans without a court warrant. The manual, described by the Army as a "major revision" to intelligence-gathering guidelines, addresses policies and procedures for wiretapping Americans, among other issues. The original guidelines, from 1984, said the Army could seek to wiretap people inside the United States on an emergency basis by going to the secret court set up by the Foreign Intelligence Surveillance Act, known as FISA, or by obtaining certification from the attorney general "issued under the authority of section 102(a) of the Act."
That last phrase is missing from the latest manual, which says simply that the Army can seek emergency wiretapping authority pursuant to an order issued by the FISA court "or upon attorney general authorization." It makes no mention of the attorney general doing so under FISA.

Bush administration officials said that the wording change was insignificant, adding that the Army would follow FISA requirements if it sought to wiretap an American. But the manual's language worries some national security experts. "The administration does not get to make up its own rules," said Steven Aftergood, who runs a project on government secrecy for the Federation of American Scientists.

The Army guidelines were finalized in November 2005, and Mr. Aftergood's group recently obtained a copy under the Freedom of Information Act. He said he was struck by the omission, particularly because of the recent debate over the National Security Agency's domestic surveillance program. President Bush has asserted that he can authorize eavesdropping without court warrants on the international communications of Americans suspected of having ties to Al Qaeda. Like several other national security experts, Mr. Aftergood said the revised guidelines could suggest that Army lawyers had adopted the legal claim that the executive branch had authority outside the courts to conduct wiretaps.

But Thomas A. Gandy, a senior Army counterintelligence official who helped develop the guidelines, said the new wording did not suggest a policy change. The guidelines were intended to give Army intelligence personnel more explicit and, in some cases, more restrictive guidance than the 1984 regulations, partly to help them respond to new threats like computer hackers. "This is all about doing right and following the rules and protecting the civil liberties of folks," Mr. Gandy said. "It seeks to keep people out of trouble."
From rforno at infowarrior.org Sun Jan 14 12:24:43 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 14 Jan 2007 12:24:43 -0500
Subject: [Infowarrior] - Pentagon Viewing Americans' Bank Records
Message-ID:

Pentagon Viewing Americans' Bank Records
Jan 14, 7:19 AM (ET)
By LOLITA BALDOR
http://apnews.myway.com/article/20070114/D8ML1VU01.html

WASHINGTON (AP) - The Pentagon and to a lesser extent the CIA have been using a little-known power to look at the banking and credit records of hundreds of Americans and others suspected of terrorism or espionage within the United States, officials said Saturday.

Pentagon spokesman Bryan Whitman said Saturday the Defense Department "makes requests for information under authorities of the National Security Letter statutes ... but does not use the specific term National Security Letter in its investigatory practice." Whitman did not indicate the number of requests that have been made in recent years, but said authorities operate under the Right to Financial Privacy Act, the Fair Credit Reporting Act and the National Security Act. "These statutory tools may provide key leads for counterintelligence and counterterrorism investigations," Whitman said. "Because these are requests for information rather than court orders, a DOD request under the NSL statutes cannot be compelled absent court involvement."

"It is our understanding that the intelligence community agencies make such requests on a limited basis," said Carl Kropf, a spokesman for the Office of the National Intelligence Director, which oversees all 16 spy agencies in the government.

The national security letters permit the executive branch to seek records about people in terror and spy investigations without a judge's approval or grand jury subpoena. The Federal Bureau of Investigation, the lead agency on domestic counterterrorism and espionage, has issued thousands of national security letters since the attacks of Sept. 11, 2001.
Whitman said Defense Department "counterintelligence investigators routinely coordinate ... with the FBI."

The national security letters have prompted criticism and court challenges from civil liberties advocates who claim they invade the privacy of Americans' lives, even though banks and other financial institutions typically turn over the financial records voluntarily. The New York Times reported on expanded use of the technique by the Pentagon and CIA in an article posted Saturday on the Internet.

The vast majority of national security letters are issued by the FBI, but in very rare circumstances they have been used by the CIA before and after 9/11, said a U.S. intelligence official who spoke to The Associated Press on condition of anonymity because of the issue's sensitivity. The CIA has used these non-compulsory letters in espionage investigations and other circumstances, the official said. "It is very uncommon for the agency to be issuing these letters," the official said. "The agency has the authority to do so, and it is absolutely lawful."

Another government official, also speaking on condition of anonymity, said one example of a case in which the letters were used was the 1994 case of CIA officer Aldrich Ames, who eventually was found to have been selling secrets to the Soviet Union. None of the officials reached by the AP commented about the extent of use by the Defense Department agencies, but the Times said military intelligence officers have sent the letters in up to 500 investigations.

---
Associated Press Writer Katherine Shrader contributed to this report.

From rforno at infowarrior.org Sun Jan 14 12:27:24 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 14 Jan 2007 12:27:24 -0500
Subject: [Infowarrior] - Want an iPhone? Beware the iHandcuffs
Message-ID:

(also --- the fact the battery is not user-replaceable makes this device a non-starter for me.......rf)

January 14, 2007
Digital Domain
Want an iPhone?
Beware the iHandcuffs
By RANDALL STROSS
http://www.nytimes.com/2007/01/14/business/yourmoney/14digi.html?ei=5090&en=2c5efe51f9d74dd8&ex=1326430800&partner=rssuserland&emc=rss&pagewanted=print

STEVE JOBS, Apple's showman nonpareil, provided the first public glimpse of the iPhone last week -- gorgeous, feature-laden and pricey. While following the master magician's gestures, it was easy to overlook a most disappointing aspect: like its slimmer iPod siblings, the iPhone's music-playing function will be limited by factory-installed "crippleware."

If "crippleware" seems an unduly harsh description, it balances the euphemistic names that the industry uses for copy protection. Apple officially calls its own standard "FairPlay," but fair it is not.

The term "crippleware" comes from the plaintiff in a class-action lawsuit, Melanie Tucker v. Apple Computer Inc., that is making its way through Federal District Court in Northern California. The suit contends that Apple unfairly restricts consumer choice because it does not load onto the iPod the software needed to play music that uses Microsoft's copy-protection standard, in addition to Apple's own. Ms. Tucker's core argument is that the absence of another company's software on the iPod constitutes "crippleware." I disagree. It is Apple's own copy-protection software itself that cripples the device.

Here is how FairPlay works: When you buy songs at the iTunes Music Store, you can play them on one -- and only one -- line of portable player, the iPod. And when you buy an iPod, you can play copy-protected songs bought from one -- and only one -- online music store, the iTunes Music Store. The only legal way around this built-in limitation is to strip out the copy protection by burning a CD with the tracks, then uploading the music back to the computer. If you're willing to go to that trouble, you can play the music where and how you choose --
the equivalent to rights that would have been granted automatically at the cash register if you had bought the same music on a CD in the first place.

Even if you are ready to pledge a lifetime commitment to the iPod as your only brand of portable music player or to the iPhone as your only cellphone once it is released, you may find that FairPlay copy protection will, sooner or later, cause you grief. You are always going to have to buy Apple stuff. Forever and ever. Because your iTunes will not play on anyone else's hardware.

Unlike Apple, Microsoft has been willing to license its copy-protection software to third-party hardware vendors. But copy protection is copy protection: a headache only for the law-abiding. Microsoft used to promote its PlaysForSure copy-protection standard, but there must have been some difficulty with the "for sure" because the company has dropped it in favor of an entirely new copy-protection standard for its new Zune player, which, incidentally, is incompatible with the old one. Pity the overly trusting customers who invested earlier in music collections before the Zune arrived. Their music cannot be played on the new Zune because it is locked up by software enforcing the earlier copy-protection standard: PlaysFor(Pretty)Sure -- ButNotTheNewStuff.

The name for the umbrella category for copy-protection software is itself an indefensible euphemism: Digital Rights Management. As consumers, the "rights" enjoyed are few. As some wags have said, the initials D.R.M. should really stand for "Digital Restrictions Management." As consumers become more aware of how copy protection limits perfectly lawful behavior, they should throw their support behind the music labels that offer digital music for sale in plain-vanilla MP3 format, without copy protection.

Apple pretends that the decision to use copy protection is out of its hands. In defending itself against Ms.
Tucker's lawsuit, Apple's lawyers noted in passing that digital-rights-management software is required by the major record companies as a condition of permitting their music to be sold online: "Without D.R.M., legal online music stores would not exist." In other words, however irksome customers may find the limitations imposed by copy protection, the fault is the music companies', not Apple's.

This claim requires willful blindness to the presence of online music stores that eschew copy protection. For example, one online store, eMusic, offers two million tracks from independent labels that represent about 30 percent of worldwide music sales. Unlike the four major labels -- Universal, Warner Music Group, EMI and Sony BMG -- the independents provide eMusic with permission to distribute the music in plain MP3 format. There is no copy protection, no customer lock-in, no restrictions on what kind of music player or media center a customer chooses to use -- the MP3 standard is accommodated by all players.

EMusic recently celebrated the sale of its 100 millionth download; it trails only iTunes as the largest online seller of digital music. (Of course, iTunes, with 2 billion downloads, has a substantial lead.) Among the artists who can be found at eMusic are Barenaked Ladies, Sarah McLachlan and Avril Lavigne, who are represented by Nettwerk Music Group, based in Vancouver, British Columbia. All Nettwerk releases are available at eMusic without copy protection. But when the same tracks are sold by the iTunes Music Store, Apple insists on attaching FairPlay copy protection that limits their use to only one portable player, the iPod.

Terry McBride, Nettwerk's chief executive, said that the artists initially required Apple to use copy protection, but that this was no longer the case. At this point, he said, copy protection serves only Apple's interests. Josh Bernoff, a principal analyst at Forrester Research, agreed, saying copy protection "just locks people into Apple."
He said he had recently asked Apple when the company would remove copy protection and was told, "We see no need to do so." Apple's statement is a detailed treatise on the subject, compared with what I received when I asked the company last week whether it would offer tracks without copy protection if the publisher did not insist on it: the Apple spokesman took my query and never got back to me.

David Pakman, the C.E.O. of eMusic, said the major labels have watched their revenues decline about $10 billion since a 2001 peak; meanwhile, revenue earned by the independents has held steady. He said his service offers music from 9,800 labels, each of which has embraced downloads in MP3 format. Only four labels still cling to copy protection, even though piracy has not declined, and those are the four major labels.

Mr. McBride, of Nettwerk, predicted that in 2007 the major labels would finally move to drop copy protection in order to provide iPod owners the option of shopping at online music stores other than iTunes; by doing so, he added, they would "break the monopoly of Apple" that dictates terms and conditions for music industry suppliers and customers.

Some encouraging signs have appeared recently. Dave Goldberg, the head of Yahoo Music, persuaded EMI to try some experiments last month with MP3 downloads -- a Norah Jones single here, a Reliant K single there. With sales of physical CDs falling faster than digital music sales are growing, he said, the major labels "have got to make it easier for people to do the right thing" -- that is, to buy recorded music unencumbered with copy protection rather than to engage in illegal file-sharing.

In the long view, Mr. Goldberg said he believes that today's copy-protection battles will prove short-lived. Eventually, perhaps in 5 or 10 years, he predicts, all portable players will have wireless broadband capability and will provide direct access, anytime, anywhere, to every song ever released for a low monthly subscription fee.
It's a prediction that has a high probability of realization because such a system is already found in South Korea, where three million subscribers enjoy direct, wireless access to a virtually limitless music catalog for only $5 a month. He noted, however, that music companies in South Korea did not agree to such a radically different business model until sales of physical CDs had collapsed.

Pointing to South Korea, where copy protection has disappeared, Mr. Goldberg invoked the pithy aphorism attributed to the author William Gibson: "The future is here; it's just not widely distributed yet."

Randall Stross is the author of "The Wizard of Menlo Park: How Thomas Alva Edison Invented the Modern World," which will be published in March by Crown.

From rforno at infowarrior.org Sun Jan 14 20:59:08 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 14 Jan 2007 20:59:08 -0500
Subject: [Infowarrior] - FW: spy coins oopsie?
In-Reply-To:
Message-ID:

(c/o lyger)

------ Forwarded Message

http://www.thestar.com/News/article/170886
January 13, 2007
Jim Bronskill
Canadian Press

OTTAWA -- It seems there's no danger of your spare change spying on you after all. A U.S. government defence agency has suddenly retracted its claim that Canadian coins containing tiny transmitters were planted on at least three American contractors who visited Canada. It's the latest twist in an intriguing cash caper.

(from pogo, 'course)

From rforno at infowarrior.org Mon Jan 15 00:32:56 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 15 Jan 2007 00:32:56 -0500
Subject: [Infowarrior] - Documents Borne by Winds of Free Speech
Message-ID:

January 15, 2007
Link by Link
Documents Borne by Winds of Free Speech
By TOM ZELLER Jr.
http://www.nytimes.com/2007/01/15/technology/15link.html?pagewanted=print

A showdown is scheduled for a federal courtroom in Brooklyn tomorrow afternoon, where words like "First Amendment" and "freedom of speech" and "prior restraint"
are likely to mix seamlessly with references to "BitTorrent" and "Wiki."

It is a messy plot that pits Eli Lilly, the pharmaceutical giant at the center of several articles in The New York Times suggesting that the company tried to hide or play down the health risks of its leading antipsychotic drug, Zyprexa, and lawyers representing various individuals, organizations and Web sites -- all arguing that their online speech has been gagged.

The case has attracted the attention of the Electronic Frontier Foundation, the venerable digital rights group based in San Francisco, and one of its lawyers, Fred von Lohmann, who is now representing an anonymous Internet user caught up in the legal fracas. "One of the core missions of the foundation's 16-year history has been to establish that when you go online, you take with you all the same civil rights you had with you in prior media," said Mr. von Lohmann. "But of course, you need to fight for that principle."

The quick background: It all began with Dr. David Egilman of Massachusetts, who was a consulting witness in ongoing litigation against Lilly. Dr. Egilman had in his possession a trove of internal Lilly documents -- not all of them flattering to the company -- sealed by the court as part of that litigation.

Comes James B. Gottstein, a lawyer from Alaska, who was pursuing unrelated litigation for mentally ill patients in his state. He somehow got wind (and precisely how is the subject of separate legal jujitsu) that Dr. Egilman had some interesting documents. Mr. Gottstein sends Dr. Egilman a subpoena for copies. Hell begins breaking loose.

In a letter dated Dec. 6, Dr. Egilman informed Lilly's lawyers, as was required by the order sealing the documents, that he had been subpoenaed. Lilly's lawyers expressed their deep displeasure in a Dec. 14 letter to Mr. Gottstein, and politely told him to back off. In a response a day later, Mr.
Gottstein informed them, among other things, that it was too late, and that some of the material had already been produced. It seems Mr. Gottstein was also apparently in a sharing mood, which is how hundreds of pages ended up with a Times reporter, Alex Berenson -- and about a dozen or so other individuals and organizations. This is also how copies of the documents ended up on various Web servers -- and when that happened, things changed.

While surely painful for Lilly, the online proliferation began flirting with some bedrock principles of free speech and press, as well as some practical realities that looked a fair bit like toothpaste out of its tube. Nonetheless, last month, United States District Judge Jack B. Weinstein ordered Mr. Gottstein to provide a list of recipients to whom he had distributed the contraband pages, and to collect each copy back.

The Times, which politely declined to oblige, has since been left out of the legal wrangling, but on Dec. 29, the court temporarily enjoined an expansive list -- 14 named individuals, two health advocacy groups (MindFreedom International and the Alliance for Human Research Protection), their Web sites, and a site devoted to the Zyprexa issue -- not just from "further disseminating these documents." They were specifically ordered to communicate the injunction to anyone else who had copies, and enjoined from "posting information to Web sites to facilitate dissemination of these documents."

That's right -- it appeared that even writing on their Web sites something like, "Hey, there's a site in Brazil where you can get those Zyprexa documents," would run afoul of the injunction. The order was extended by Judge Weinstein on Jan. 4, and tomorrow the court will revisit the issue at length.

As Mr. von Lohmann and the Electronic Frontier Foundation see it, the injunction is simply untenable. Whatever the legal merits of Lilly's claims against Mr. Gottstein and Dr.
Egilman for violating the seal, the court's power to stifle the ever-growing chain of unrelated individuals and Web sites who, after one or two degrees of remove, had nothing to do with the Lilly litigation, cannot extend to infinity. Very quickly, Mr. von Lohmann argues, you are dealing with ordinary citizens who are merely trading in and discussing documents of interest to public health.

"Judges have a natural inclination that if documents have been stolen under their watch, they want to get them back," said Mr. von Lohmann, whose John Doe client was a contributor to the site zyprexa.pbwiki.com -- a wiki where a hive of users compiled and contributed links and information relating to the Zyprexa case. "But there are some limits to how many degrees of separation the court can reach."

There is also a traditionally high bar set for placing prior restraint on the press -- which, whether Judge Weinstein recognizes it or not, very much includes a colony of citizen journalists feeding a wiki.

Of course, the other, slightly more absurd side to all this is that attempting to stop the documents from spreading is, by now, a Sisyphean task. "The court is trying to get the genie back into the bottle until it can sort out what's going on through the course of litigation, which takes place at non-Internet speed," said Jonathan Zittrain, a professor of Internet governance and regulation at Oxford and a founder of the Berkman Center for Internet & Society at Harvard Law School.

"Perhaps the court thinks that whoever is adding to the wiki is among the parties to the original case," Professor Zittrain said. "That's understandable, but it puts the court in a no-win situation. It's left issuing an order that sounds like no one in the world is allowed to post the documents."

For its part, even The Times, which often posts original documents for its readers, tried to put the things online when Mr. Berenson wrote his first article, but the raw pages --
more than 350 individual image files weighing in at over 500 megabytes -- proved unwieldy. George H. Freeman, vice president and general counsel for The Times, said, "The Times fulfilled its role by doing a lot of research and then highlighting and including the most important issues and documents in a series of well-placed news articles."

For now, copies of the Lilly documents sit defiantly on servers in Sweden, and under a domain registered at Christmas Island, the Australian dot in the ocean 224 miles off the coast of Java. "Proudly served from outside the United States," the site declares. There are surely others.

On his TortsProf blog (snipurl.com/Torts), William G. Childs, an assistant professor at Western New England School of Law in Springfield, Mass., put it this way in a headline: "Judge Tries to Unring Bell Hanging Around Neck of Horse Already Out of Barn Being Carried on Ship That Has Sailed."

From rforno at infowarrior.org Mon Jan 15 09:48:18 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 15 Jan 2007 09:48:18 -0500
Subject: [Infowarrior] - UK terror alert system dubbed a 'shambles'
Message-ID:

Alert system dubbed a 'shambles'
By Mark Ward
Technology Correspondent, BBC News website
http://newsvote.bbc.co.uk/mpapps/pagetools/print/news.bbc.co.uk/2/hi/technology/6262719.stm

MI5 has overhauled an e-mail terror alert system for the public following detective work by privacy activists. Digital detective work by campaigners revealed that the alerting system did little to protect the identities of anyone signing up. They found that data gathered was being stored in the US, leading to questions about who would have access to the list of names and e-mail addresses. The Cabinet Office denies the changes were a response to the investigation.

Data scramble

The public e-mail alert system was announced on 9 January and will send messages to subscribers when threat levels change.
The move followed the success of similar public information systems started by MI5 and the Home Office in August. Despite the announcement, no sign-up form for the service was available on the MI5 website at the time of the unveiling. This was despite claims from the Home Office that the system had been under development for some time. This changed on the evening of 9 January when a web form appeared, and this kicked off an investigation by activists behind the SpyBlog to see how it worked.

What they found led the group to describe the e-mail alert list as a "shambles" and drove them to suggest that the system had been put together in a hurry. The activists discovered that the whole system had been contracted out and some of it was being run by a company called Mailtrack that specialises in handling large e-mail mailing lists.

More worryingly, when people signed up to use the alert system, the standard encryption software had been disabled. This would have scrambled personal data, such as name and e-mail address, to stop others eavesdropping. Also, the computer system to manage the list was based in the US on a server run by Seattle-based firm What Counts. SpyBlog researchers suggested that this put it at risk of being snooped on or inspected by US law enforcement authorities.

"We would not release data to anyone without a subpoena," David Geller, managing director of What Counts, told the BBC News website. He said the information being collected for the mailing list was similar to that collected by many organisations, such as newspapers, to keep customers informed about updates or special offers. "It's such a benign use of e-mail," he said, "but we would always encourage people to move it to their own country."

Following its digital detective work, SpyBlog monitored the MI5 website to see if any changes were made. On the evening of 12 January, changes were made that ended the connection with What Counts and started the use of an encryption system to scramble data.
A spokeswoman for the Cabinet Office said the changes made to the service, including bringing the data to the UK, were due to happen before SpyBlog investigated. This was to help cope with the large numbers of people signing up.

"Moving the data to the UK will enable faster e-mail delivery to subscribers, most of whom are in the UK, and will enable the Security Service to use Mailtrack's latest technology," said a statement issued by the Cabinet Office.

SpyBlog noticed that one of the digital security certificates used in the scrambling process between the MI5 site and a user's browser while they sign up was only issued two days after the mailing list was unveiled.

SpyBlog said it would be contacting the Information Commissioner over the way the alert system has been set up. The Cabinet Office said: "We are confident that the technical arrangements for this service are entirely compliant with the Data Protection Act".

Story from BBC NEWS:
http://news.bbc.co.uk/go/pr/fr/-/2/hi/technology/6262719.stm
Published: 2007/01/15 13:19:43 GMT
© BBC MMVII

From rforno at infowarrior.org Mon Jan 15 19:33:41 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 15 Jan 2007 19:33:41 -0500
Subject: [Infowarrior] - FBI: Terrorists Monitoring Public Webcams
Message-ID:

Guess we should just shut down the Intertube and make the world safer for all......-rf

FBI: Terrorists Monitoring Public Webcams
Jim Bronskill
The Canadian Press
http://www.groundsupportmagazine.com/article/article.jsp?id=2441&siteSection=1

OTTAWA (CP) -- Key U.S. security agencies warn that terrorists might exploit pictures of sensitive facilities such as airports that can be routinely viewed by the public through Internet feeds. A confidential assessment jointly prepared by the FBI and the U.S. Homeland Security Department says online webcams could be a valuable tool for extremists determined to attack critical targets.
The agencies urge government organizations and private-sector partners to ''review the information available on their websites, and balance the public need for information with security concerns.''

The Jan. 10 assessment, obtained by The Canadian Press, was prompted by a recent Internet posting that provided a link to a live webcam at an Alaska airport. The assessment says the webcam site allowed the viewer to control the camera, providing the ability to zoom in on the airport terminal and cargo areas. Airport authorities disabled the camera after being notified of the posting.

Security officials have focused on bolstering air security since the 9-11 jetliner attacks on New York and Washington. ''The extremist website posting indicates continued terrorist interest in the aviation sector, and suggests that webcams may be a useful planning tool against critical infrastructure targets,'' says the joint assessment.

The Edmonton International Airport took security into account when designing its web camera feature, said Jim Rudolph, a spokesman for the air facility. Airport cameras offer three views, including two distant shots of runways, but with no ability to zoom in on people or vehicles. ''From a security point of view, we do regard them as being fairly benign,'' said Rudolph.

Webcams have become a widespread and inexpensive means of allowing curious Internet surfers to view real-time feeds of everything from baby eagles to the traffic at busy intersections. The assessment notes many cameras run by individuals, businesses and government agencies transmit images of weather conditions, famous city squares or geographic highlights, and have little or no surveillance value. ''Webcams at U.S.
critical infrastructure locations, however, may allow the open observation of security measures, guard shift changes, and pedestrian and vehicular traffic patterns.''

FBI Special Agent Richard Kolko said that given the countless cameras now on the Internet, there's a need to educate law-enforcement officers as to how they might be misused. ''Sometimes something that's sitting in front of you that's obvious might not be recognizable as something you need to be more alert to,'' he said Thursday from Washington. ''This bulletin helps provide that educational service to them.''

Former CSIS officer David Harris said webcam feeds raise the possibility that facilities are unwittingly equipping their adversaries with tactical information. He suggested Internet cameras are now luxuries, meaning an end to the virtual eyes trained on airports and other public installations.

''That kind of openness was fun while it lasted, but I'm wondering how workable it is today - whether the convenience, or the aesthetic enjoyment, of having these webcam pictures really is justifiable in light of the threats we face,'' said Harris, a security consultant with Insignis Strategic Research. ''I find myself more and more amazed at how relaxed as a society we can be in North America.''

Harris also wonders whether there is adequate scrutiny of the personnel who operate such devices. ''What kind of screening and clearing arrangements are there for those people who are monitoring these systems, installing them and otherwise responsible for them?'' he said.
''Who exactly is watching the watchers on that level?''

From rforno at infowarrior.org Tue Jan 16 00:50:18 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 16 Jan 2007 00:50:18 -0500
Subject: [Infowarrior] - Thwart Terrorists With a High-Tech Aircraft That Snoops
Message-ID:

Europe Hopes to Thwart Terrorists With a High-Tech Aircraft That Snoops
http://www.washingtonpost.com/wp-dyn/content/article/2007/01/15/AR2007011501048_pf.html
By Molly Moore
Washington Post Foreign Service
Tuesday, January 16, 2007; A16

PARIS -- Imagine stepping aboard Europe's anti-terrorist plane of the future. At the door, a hand-held electronic nose reputedly 30 times more sensitive than a dog's snout sniffs passengers for dangerous chemicals and vapors. After takeoff, computers monitoring cabin conversations pick up suspicious words in Seat 9B, fingernail-size video cameras detect nervous facial tics on the passenger in 21F, and a hidden microphone records questionable noises from the passenger in the rear toilet. Buzzers or flashing lights on a computer screen warn the crew and pilot of potential trouble in each spot.

If a hijacker manages to bypass the fingerprint-activated locks on the cockpit door and grabs the controls, an internal computer takes over and diverts the plane from high-rise buildings, a nuclear plant or any other pre-programmed no-fly zone.

The SAFEE project -- Security of Aircraft in the Future European Environment -- is the first coordinated international effort to create an airplane system capable of thwarting hijackings and terrorist attacks. It is under development in classified laboratories in 11 European countries and Israel. Much of the technology is in advanced stages of development, though systems for accurately analyzing facial expressions remain problematic.
The director of the $50 million program, Daniel Gaultier, works in a modernist, mirrored building overlooking the Seine River, where entry to his office is controlled by the same kind of fingerprint lock that the plane's cockpit would have. He describes the system -- being developed largely in secret by the European Commission (the European Union's executive arm) and 31 aircraft, avionics, computer and security companies and university research centers -- as "a last defense against attack" in a post-9/11 world.

The project faces serious opposition. Human rights officials are concerned about passenger privacy, pilot groups are fearful of computers usurping their authority, and airline marketers wonder about the eventual price tag.

"The eavesdropping is incredible," Sophia in't Veld, a Dutch member of the European Parliament, said in a telephone interview from Washington, where she was meeting with members of Congress on anti-terrorism and privacy issues. "We have to sacrifice some privacy and some freedom, but people have to have the proper means of redress to defend themselves against unnecessary invasion of privacy or abuses of data by public authorities."

"The trade-off between technology and human rights is a tricky and tough area," Gaultier agreed. "When there's a crisis, everyone will accept it. Six months after the crisis, everyone will forget. You always have to be careful how you deal with passenger rights."

The use of potentially intrusive monitoring systems -- such as those that would record passenger movements and facial expressions and eavesdrop on private conversations and toilet visits -- is a particularly sensitive issue in Europe. Watchdog commissions here have engaged in transatlantic battles over U.S. rules requiring airlines to report personal data about incoming passengers to U.S. authorities.

Testing of most of the technologies in simulators is to begin this fall and continue through early next year, Gaultier said.
The package of systems found to work is unlikely to be available on commercial aircraft for as long as a decade because most would need to be incorporated into the airframes of planes under construction. The cost of retrofitting existing aircraft would be prohibitively high, according to Gaultier.

None of the systems is more controversial than the onboard video and audio sensors designed to detect erratic or suspicious behavior. Some critics argue that the systems could be prone to false alarms or prove unrealistic for commercial use.

Researchers at Britain's BAE Systems are attempting to compile a database of algorithms to allow computers to differentiate between the "micro-expressions" and facial tics of a person nervous about flying and a person nervous because he's about to detonate a bomb. Researchers at the University of Reading in England, meanwhile, are working on the system that would quickly analyze such data and deliver it to the crew and the pilot.

"Airlines are afraid of this product," Gaultier said. "They have to face marketing it to passengers." As to whether this technology can be perfected to operate as envisioned, Gaultier said: "We're just getting started. It needs a lot more research."

Gaultier said crew members would not monitor actual videos but would respond to computer-generated signals warning of a potential problem in a specific seat or other location. He said the video images could be destroyed at the end of each flight. As for other intrusions, "No video in the toilet," he said, "though they would have microphones in the toilet." The monitoring devices could also be used for detecting drunken or other unruly passengers, he said.

Gaultier's company, Sagem Défense Sécurité, is developing technology to improve security in communications between pilots and control towers and to prevent cyber hacking into airplane systems, especially when commercial aircraft begin introducing onboard Internet services.
Another French company, Thales Avionics, is testing a new collision-avoidance system that would build on existing short-range systems that warn a pilot when a plane is in imminent danger of crashing. The new system could be programmed to avoid not only dangerous terrain such as mountains, but tall buildings or cities hosting vulnerable events such as the Olympics or political summits.

Gaultier refers to the system as "never again the twin towers." He added, however, that "pilots will think that's an intrusion" because the system would take control out of their hands in the event of a hijacking or other emergency and allow the aircraft's computer system to guide the plane.

Other pieces of the SAFEE system would detect gases from a bomb being assembled on a plane and use laser beams to detect potentially dangerous chemicals that had evaded airport security checks.

But even with the new protections, Gaultier acknowledged, the system cannot guarantee an end to terrorist attacks. "Security level zero never exists," he said. "It's crazy to say, 'I have a system that provides 100 percent security.' "

From rforno at infowarrior.org Tue Jan 16 00:52:58 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 16 Jan 2007 00:52:58 -0500
Subject: [Infowarrior] - Pirates of the Canadians
Message-ID:

http://www.theglobeandmail.com/servlet/story/RTGAM.20070112.wpirates13/BNStory/Entertainment/home

Pirates of the Canadians
GAYLE MACDONALD
From Saturday's Globe and Mail

It was the kind of letter that can ruin a guy's day. Late in November, Twentieth Century Fox fired off a blunt, one-page missive to Ellis Jacob, the Toronto-based chief executive of Cineplex Entertainment, Canada's biggest cinema chain. Bruce Snyder, Fox's Hollywood-based president of domestic distribution, had spent the last few weeks steaming mad after his team pinpointed Canadian theatres -- primarily in Montreal --
as the source of illegal camcording of a steady stream of Fox blockbusters, including Borat, Eragon and Night at the Museum. Snyder was sick of it.

In the Nov. 30 letter, he warned Jacob, a friend and business associate for 20 years, to do something -- or he would. Then he threatened to do something unprecedented in Canadian distribution history: Fox could stop sending copies of all its films to Cineplex Entertainment's 130 movie houses, with close to 1,300 screens. Or, Fox might decide to delay the Canadian release of popular films until a few weeks after their U.S. release.

In the letter, Snyder fumed that his company had discerned that, at one point during 2006, Canadian theatres were the source for nearly 50 per cent of illegal camcords across the globe: "Much like an out-of-control epidemic, those Canadian camcords ... have become a leading source of worldwide Internet film piracy."

Jacob, whose company is the world's fourth-largest theatre chain in terms of revenue and fifth-biggest measured by locations/screens, felt physically ill. More so, he readily admits, because he recognized Snyder was absolutely right.

Cineplex Entertainment -- in conjunction with the Canadian Motion Picture Distributors Association (CMPDA), the RCMP and other movie chains such as Empire and AMC -- have been lobbying the federal government for years to make it a criminal offence to pirate films. But so far their efforts have fallen on deaf ears.

Sophisticated thieves toting black-leather bags with remote zooms, monitor devices and infrared sound receivers, and wearing sweatshirts or jackets with special holes designed to surround the lens of a camera, are having a field day.

For the third year in a row, the U.S. government has placed Canada on its "watch list" for a lack of IPR (intellectual-property rights) enforcement, which means this country is in the same company as notorious film-piracy hubs such as Lebanon, China, the Philippines and Russia.
"We're doing everything we can, but we have problems with the government not doing enough," says Jacob. "We've caught people camcording in our theatres, but all we can do is tell them to leave, and they show up the next day again.

"In the States, you're criminally charged because it's theft. Here, if someone steals five DVDs from Blockbuster, law enforcement swoops down. But someone leaves my theatre with a pirated video in his pocket, and we can't get the police to come," he says. "We want people to come to the theatre and enjoy the experience. We don't want to turn theatres into airport check-ins, but it might have to get to that point."

Reached by phone at his office in Beverly Hills, Calif., Snyder says he understands Jacob's frustration with Canada's lax laws. But he adds that unless Cineplex, other Canadian movie chains and the government crack down on film piracy, he will have to take matters into his own hands. Snyder is also considering pushing Canada's theatrical release behind the U.S. date by a week or two. "At least we would then have a running start before we have to start competing with ourselves."

The U.S. Motion Picture Association (MPA) claims that in 2005 piracy cost American studios $6.1-billion (U.S.). In Canada, the CMPDA estimates its members lost $118-million (U.S.) the same year.

"What drove us to write that letter was the blatant and continuing camcording of our movies, primarily now in Montreal, but previously in Toronto," says Snyder, whose company, along with Fox Searchlight, is one of the largest distributors in the world. "Canada is now the prime culprit in the world. Once we started busting people in New York, Detroit and Chicago, they quickly figured out the place to be is in Canada. There simply are not enough teeth in your laws."

In 2005, U.S. President George W. Bush signed the Family Entertainment and Copyright Act, which made camcording in a theatre a federal felony. John Fithian, president of the U.S.
National Association of Theater Owners, adds that 38 of the 50 states have specific state laws that impose criminal sanctions against camcorder pirates, both fines and jail time.

But in Canada, the theft of intellectual property is basically treated as a "soft crime," says CMPDA president Doug Frith. "Canada has done nothing to remedy its lack of domestic enforcement and complete absence of border enforcement.

"We're very frustrated with the legislative vacuum we have here," adds Frith, who points out that theatre operators have no right to detain an individual they detect camcording a motion picture, or to confiscate their recording. "We're the laughing stock when it comes to piracy in the world."

Frith says government bureaucrats try to placate him by saying that under the Copyright Act exhibitors have the ability to charge someone criminally. "But here's the catch. Under the Copyright Act, you have to prove that an individual camcording in the theatre is doing it for distribution purposes. That's almost impossible.

"Front-line employees catch a guy sitting in the front row camcording Mission: Impossible III, they call police and they're told it's a matter for the RCMP because [the] Copyright [Act] is federal.

"We don't want to have to prove the economic loss from distribution. We want it to be a Criminal Code activity to be caught camcording. Period."

The RCMP readily concedes there has been a radical growth in film piracy in this country in recent years. With help from Interpol, it has also found a clear link between organized crime and film piracy, often more profitable than drug trafficking. "If money is involved, organized crime is going to be involved," says Andris Zarins, the RCMP's national intellectual property crime co-ordinator. With film piracy, the rewards can be huge, while the risks of any meaningful law enforcement are currently low, Zarins adds.

Take the example of one of the few film pirates Canada has actually arrested and prosecuted.
Several months ago, police in Richmond, B.C., raided a small business in a strip mall, seizing thousands of counterfeit DVDs. They arrested the owner, 46-year-old Chiu Lau, who was fined (for his third time in three years) under the Copyright Act. Last Remembrance Day, Lau pleaded guilty to 83 counts under the Copyright Act. He got a $5,000 fine and a 12-month conditional sentence. A further wrist slap? He was confined to his home from 11 p.m. to 7 a.m.

"Minimal fines of $5,000 or $6,000 are a joke," says Frith. "These guys view it as a cost of doing business. If we raid them on Friday, they're back in business on Monday morning."

Contrast that to the arrest of Hollywood's so-called "Prince of Piracy." Last month, Johnny Ray Gasca, 36, was sentenced to seven years in prison for copyright infringement after multiple arrests and a 16-month manhunt. And prior to that in New York, the FBI arrested 13 members of two large-scale international movie-piracy rings that had been under surveillance for three years. If convicted, each could face up to five years in prison. Last October, New York Mayor Michael Bloomberg also vowed to find, sue and shut down landlords who knowingly house people who sell pirated DVDs.

Last summer, Toronto police -- with the help of the CMPDA -- busted a major counterfeit DVD operation in another suburban strip mall, seizing 140 DVD-CD burners, and 20,000 copies of counterfeit movies. They arrested four people. Frith estimates the seized burners could have produced more than three-million pirated discs in one year, worth about $17-million (Canadian).

"We want law enforcement to be able to go after those individuals -- to be able to seize cash in the till, to go to their homes, to their cars. I'm not blaming the RCMP. They have their priorities, what with border security and terrorism, but we have a legislative and an enforcement vacuum. We have to allow other police jurisdictions to assist the copyright industry."
Fox's Snyder is particularly irked at the persistent amount of camcording he and his distribution team have been able to track directly back to several of Cineplex's Montreal theatres. (Fox and other studios use forensic watermarking to know the exact time, date and auditorium where a copy was made.)

"The reality is in 2005, 20 per cent of all identified camcordings occurred in Canada," says Frith. "That's a huge number. And it's growing.

"These aren't individuals who want to make a few extra bucks," he adds. "They're extremely sophisticated organizations, who use the latest tools, are well organized, tech savvy and well funded." The scam attracts this calibre of crook because the pay is good. A good camcording of a film can fetch $5,000 to $7,000 from pirate distributors. Make two or three a weekend, Frith points out, and "you're earning between $500,000 and $700,000 a year."

But there are plenty of amateurs in the game as well. Most people who view pirated movies don't pay for them. They download them for free over the Internet at websites such as BitTorrent or Shareaza. There are some non-techie diehards, though, who still buy bootleg DVDs, out of car trunks, in roadside stalls, flea markets, downtown shops and suburban strip malls, in every city -- and most towns -- across Canada. Often, the quality of these recordings is abysmal, with people chatting in the background or heads popping up in the picture when a cinemagoer makes a beeline for the concession stand. But some are good enough for the less discerning movie fan.

But enterprising chaps like Gary -- a 37-year-old Durham, Ont., man -- have found ways to make pirated DVDs they claim are as good as anything coming off the shelves at Wal-Mart. Gary -- not his real name -- heads into his local Blockbuster the instant a feature film is released on DVD. He burns the movie, usually making up to seven copies, the first night. He then sells his pirated DVDs for $10 a piece to 150 of his closest friends.
He says it's a great side business to his full-time job, paying for all the little extras (like more sophisticated software to make better pirated versions). Does he feel any guilt? Not a bit.

"I look at what they charge in the stores, $24.99, and it makes me sick. My copies are among the cheaper ones," he says, referring to competitors who charge up to $15 for a bootleg DVD. "There are people who go through the General Motors plant with hockey bags full of them.

"For a while I did black-market DVDs -- but they're generally bad quality and customers got upset with them," adds Gary, who purchased handheld versions from a woman in a Markham strip mall who had them shipped in containers from China. "Those tapes stunk real bad, too," Gary says with a laugh. "That woman's been arrested four times."

Gary says he has his standards. "I'd never download them off the Internet and make copies," he says. "That leaves a record."

Another Toronto resident says he buys pirated DVDs from his buddies who regularly tape movies at the Alliance Atlantis cinema in the Beaches neighbourhood. They go in with camcorders for the Saturday matinees. Like Gary, this guy says he feels no remorse for essentially buying a piece of stolen property, adding that, "Hollywood is filled with a bunch of fat cats."

And the pace at which pirated copies of new theatrical releases are found for sale as DVDs or on the Internet is dizzying. In 2003, the pirate DVD of Pirates of the Caribbean did not appear until 65 to 75 days after theatrical release. Last year, the first pirate DVD purchase was made 13 hours after Poseidon's first screening. The first pirate download was 42 hours after the movie made its big-screen debut.

In the past 12 months, Fox sales manager Bert Livingston says he has sent technology specialists, training personnel and the latest anti-piracy equipment to Canada to help theatres try to catch the so-called "cammers" (people who shoot films covertly in theatres). "We've tried everything.
We were hoping to try to stop it. But it just did not happen," says Livingston. "If we stop it in one theatre, they simply move to another theatre about five miles further out into the suburbs."

An MPA analysis of counterfeit discs in 2005 revealed close to 75 per cent of all films illegally camcorded in Canada were recorded in theatres in and around Montreal, recently identified as the No. 1 city in the world for surreptitious camcording. The reason? Pirates can easily create both English- and French-language masters.

The RCMP's Zarins says there is a major investigation under way in Montreal now. "Our members are working closely with the CMPDA on this. We partner with the private sector as much as we can."

A crackdown can't come too soon for Snyder, who says he's willing to take a short-term financial hit by holding back his pictures to wake up Canadian government officials and lawmakers to the severity of the problem.

"We'll give Cineplex a pass the first time we find someone camcording, or it hits the Internet," says Snyder. "But the second time it happens, we will no longer be playing Fox pictures -- or Fox Searchlight pictures -- there for an indefinite period of time.

"We need our partners in exhibition to protect our films," adds Snyder. "But if they won't -- or can't -- we won't put our movies at risk by putting them in their theatres."

From rforno at infowarrior.org Tue Jan 16 09:47:28 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 16 Jan 2007 09:47:28 -0500
Subject: [Infowarrior] - Privately, Hollywood admits DRM isn't about piracy
Message-ID:

Privately, Hollywood admits DRM isn't about piracy
http://arstechnica.com/news.ars/post/20070115-8616.html
1/15/2007 9:59:18 AM, by Ken Fisher

For almost ten years now I have argued that digital rights management has little to do with piracy, but that it is instead a carefully plotted ruse to undercut fair use and then create new revenue streams where there were previously none.
I will briefly repeat my argument here before relating a prime example of it in the wild.

The theory

Access control technologies such as DRM create "scarcity" where there is immeasurable abundance, that is, in a world of digital reproduction. The early years saw tech such as CSS tapped to prevent the copying of DVDs, but DRM has become much more than that. It's now a behavioral modification scheme that permits this, prohibits that, monitors you, and auto-expires when. Oh, and sometimes you can watch a video or listen to some music.

The basic point is that access control technologies are becoming more and more refined. To create new, desirable product markets (e.g., movies for portable digital devices), the studios have turned to DRM (and the law) to create the scarcity (illegality of ripping DVDs) needed to both create the need for it and sustain it. Rather than admit that this is what they're doing, they trot out bogus studies claiming that this is all caused by piracy. It's the classic nannying scheme: "Because some of you can't be trusted, everyone has to be treated this way." But everybody knows that this nanny is in it for her own interests.

Like all lies, there comes a point when the gig is up; the ruse is busted. For the movie studios, it's the moment they have to admit that it's not the piracy that worries them, but business models which don't squeeze every last cent out of customers. In a nutshell: DRM's sole purpose is to maximize revenues by minimizing your rights so that they can sell them back to you.

The history

History repeats itself, especially the bad parts. What I find most puzzling, however, is how history hasn't taught the movie industry this lesson yet. In 1982, then-MPAA head Jack Valenti testified before the House of Representatives on the emerging phenomenon of VCR ownership. He famously said, "I say to you that the VCR is to the American film producer and the American public as the Boston Strangler is to the woman home alone."
Valenti said this in response to a claim that the VCR would be the greatest friend the American film producer ever had. Valenti was vehement in his opposition to the idea that the VCR could be a good thing. He, and many in the industry, believed that it was fundamentally wrong to allow the public to make decisions for themselves about how to use a VCR. They even expressed worry that multiple people could watch the same movie on a VCR, but not all of them would have to pay. The idea of Joe User buying a movie for a fixed price and then inviting friends over to see it was anathema to the industry.

Yet by the late 1990s, sales of VHS movies were generating more revenue than movie ticket sales. DVD, the successor to VHS and Betamax, greatly widened the gap thanks to outstanding profit margins. The "Boston Strangler" was nowhere in sight. Of course, Hollywood lost the battle over the VCR, and its enemy became the best friend it ever had... that is, until behavior-modifying DRM was born, and Hollywood saw another chance to take a crack at the holy grail.

The practice

As a quick aside, let's put this piracy excuse to rest. You can easily find almost any DVD online, for free, because CSS has long been cracked and the movies uploaded. All of these new DRM schemes can't change that one simple fact: at least for the DVD market, a pirate's lifestyle is a matter of downloading some easily obtainable software. There is simply no evidence whatsoever that DRM slows piracy. In fact, all of the evidence suggests the opposite, and arguments that DRM "keeps honest people honest" are frankly insulting. If they're already honest, they don't need DRM.

So given the windfall generated by the VCR, which was followed by an even greater explosion in revenue thanks to DVD, why aren't popular services like the iTunes Store being embraced?
At a time when TV networks are seeing ratings boosts and fattened profits thanks to downloadable video, how come Disney is still the only movie studio to sell new releases on iTunes? If we believe Ronald Grover's sources in his BusinessWeek article of last week, the problem is liberal DRM and not piracy, and this is a startling admission. According to him, an unnamed studio executive said that a major reason why studios weren't jumping on board with the iTunes Store and other similar services is that their DRM is too lax. "[Apple's] user rules just scare the heck out of us."

It's not piracy that's the concern, it's their ability to control how you use the content you purchase. As it turns out, five devices authorized for playback is too many, and the studios apparently believe that this is "just as bad" as piracy. Hollywood believes that iTunes Store customers will add their buddies' devices to their authorization list, and like evil communists, they'll share what they have purchased.

This makes little sense, because the way iTunes works, you can only issue so many device authorizations at a time. You could share with a friend, but then your friend would have to be authorized to play all of your purchased content, taking up an authorization. Inconvenient, huh? But is it a big problem? I can walk in to Best Buy right now, buy a DVD, and lend it to every person I know. Who hasn't lent a DVD to a friend or colleague? This is perfectly legal behavior, but you can see that Hollywood hopes to stop this kind of thing via DRM. Thanks to the DMCA, once copyrighted contents have been encrypted, your rights fly right out the window.

It sounds like a bad Hollywood tale: "In a world... where DRM is liberal... there's only one fowl that's not foul... Chicken Little. And the Sky. Is. Falling."
From rforno at infowarrior.org Tue Jan 16 12:55:26 2007 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 16 Jan 2007 12:55:26 -0500 Subject: [Infowarrior] - Shoe scanner kicks off on wrong foot Message-ID: Shoe scanner kicks off on wrong foot Posted 1/16/2007 11:58 AM ET http://www.usatoday.com/travel/news/2007-01-16-shoe-scanner_x.htm?csp=34 By Thomas Frank, USA TODAY ORLANDO -- A new era in aviation security began this morning when hundreds of select travelers at Orlando International Airport were screened by machines designed to let passengers keep their shoes on through airport checkpoints. But the machines didn't always work as travelers expected. Many people who spent a minute or so standing on a brand-new ShoeScanner before getting to a checkpoint had to remove their shoes anyway and put them through checkpoint X-rays because the ShoeScanner found metal in their footwear. ShoeScanners, which are planned for four other airports in coming weeks, can detect only explosives. "It's a waste of time," Tracey Grenkoski of Orlando said after spending more than a minute on a ShoeScanner only to be told she had to remove her high-heeled shoes at the checkpoint. "What's the point of me standing there if I still have to take my shoes off?" Grenkoski had plenty of company. Of 50 travelers who used the ShoeScanner in a one-hour period this morning in Orlando, 28 had to remove their shoes. ShoeScanners were intended to boost the fledgling Registered Traveler program, which promises a fast trip through airport security for people who voluntarily enroll by paying about $100 a year and passing a background check. The program, which has operated only in Orlando, will expand soon to Terminal 7 at New York's Kennedy International and in coming weeks to airports in Indianapolis, San Jose and Cincinnati.
Verified Identity Pass, a Manhattan company that manages Registered Traveler programs for airports, presented the ShoeScanner last year to the Transportation Security Administration for approval. General Electric's GE Security, which makes the $200,000 machine, hoped it would be approved to screen shoes for both explosives and metal weapons. But the TSA approved the ShoeScanner only for explosives because it had no way of measuring the machine's ability to find metal weapons in shoes, said GE Security product manager Daniel Mahlum. The company is working with the TSA to get the ShoeScanner approved for detecting metal weapons, Mahlum said. Some Orlando travelers didn't mind having to remove their shoes after they'd been screened for explosives. "It doesn't make much [time] difference," Bob Halcrow said this morning, noting that even with a one-minute shoe scan, there was no line at Orlando's Registered Traveler lane while other security checkpoints had a 20-minute backup. From rforno at infowarrior.org Tue Jan 16 14:12:48 2007 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 16 Jan 2007 14:12:48 -0500 Subject: [Infowarrior] - White Paper: "I Am Who I Say I Am" In-Reply-To: Message-ID: (c/o dissent) White Paper: "I Am Who I Say I Am" http://www.pogowasright.org/article.php?story=20070116125901198

> Whether managing risk or avoiding threats, the impact is the same -- public sector organizations are spending a significant portion of their information technology (IT) budgets on information security, as high as 10 percent in some cases.
>
> The reason is clear -- recent headlines tell the story:
>
> - Privacy breach puts U.S. total over 100 million [1]
> - Another Government Security Breach [2]
> - Security Breaches Afflict Most Enterprises, Government
> - Voter Information Exposed [to hackers] on Website
>
> The issue of information security is so pervasive that one Web site even publishes a "Security Breach Weekend Roundup" [5] without a hint of irony.
> That said, the cost of preventing a security breach pales in comparison to the cost of addressing such a breach after the fact. A recent study of 14 organizations that experienced an IT security breach revealed 69.8 million in direct costs associated with the breaches.

From rforno at infowarrior.org Tue Jan 16 19:44:48 2007 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 16 Jan 2007 19:44:48 -0500 Subject: [Infowarrior] - Chertoff wants 'insider' threats studied Message-ID: Chertoff wants 'insider' threats studied By DAN CATERINICCHIA http://www.businessweek.com/ap/financialnews/D8MMJV0O5.htm Homeland Security Secretary Michael Chertoff on Tuesday asked business leaders to assess the potential conflict between national security demands and employee privacy laws regarding risks to the nation's critical infrastructure, such as water, energy and other utilities. "It's something businesses must reflect upon and strike the right balance between security with respect to their work force and the privacy workers expect," Chertoff told The Associated Press following remarks to the National Infrastructure Advisory Council. The council is a group of private sector executives and state and local government leaders who meet four times a year to provide the White House with advice about keeping important networks secure. The private sector controls about 85 percent of the nation's water, energy, transportation and other critical facilities. Chertoff said the council should explore the insider threat to critical infrastructure systems to identify "sleepers who could be the source of the threats." Internal threats are a risk at all 17 critical infrastructure sectors and represented the next logical step for the council to explore following threat assessments at the entrances and perimeters of facilities, says Robert Stephan, Assistant Secretary of Homeland Security for Infrastructure Protection.
In addition to water, energy and transportation, the 14 other critical infrastructure sectors are: communications, chemical and hazardous materials, commercial facilities, dams, defense industrial base, emergency services, financial services, food and agriculture, government facilities, information technology, national monuments and icons, nuclear power plants, postal and shipping, and public health and health care. Erle A. Nye, chairman emeritus of Texas' biggest electricity producer TXU Corp., leads the council, whose members include executives from Intel Corp., Akamai Technologies Inc., IBM Corp., ConAgra Foods Inc., Symantec Corp. and others. The council on Tuesday presented final reports on how both electronic and traditional security measures are being used to protect infrastructure, and the prioritization of critical infrastructure demands for a pandemic in the United States. It takes between six months and one year to complete a report. From rforno at infowarrior.org Tue Jan 16 19:46:51 2007 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 16 Jan 2007 19:46:51 -0500 Subject: [Infowarrior] - U.S.: No Net governance changes expected Message-ID: U.S.: No Net governance changes expected By Anne Broache http://news.com.com/U.S.+No+Net+governance+changes+expected/2100-1028_3-6150613.html Story last modified Tue Jan 16 15:44:04 PST 2007 WASHINGTON--Are tensions over the United States' historic influence over key Internet management functions a thing of the past? Two senior Bush administration officials involved in setting Net policy say that's the case. At a meeting here organized by the Federal Communications Bar Association, U.S. Ambassador David Gross and Assistant Secretary of Commerce John Kneuer said they view the question as settled: No United Nations body will be exercising additional control over tasks like handing out numeric Internet addresses or operating the root servers that power the Internet anytime soon.
They said they were encouraged that the new leadership of the International Telecommunications Union, a U.N. agency, claims to be more interested in focusing on promoting cybersecurity and bridging the so-called digital divide than on setting up a new management structure for the Net, as some have called for in the past. "That's very much in harmony with our views," said Gross, whose chief responsibility is coordinating international communications and information policy. In a familiar refrain, the ambassador said that the United States doesn't believe it's appropriate for the ITU to take on expanded Internet management responsibilities because the system is fine as is. He predicted that future international meetings called Internet Governance Forums would center less on who's managing the Net's technical functions and more on issues like freedom of speech and multilingualism. The officials' rosy outlook likely stems in large part from remarks given in Geneva last week by new ITU Secretary-General Hamadoun Toure, whose term of office is scheduled to last until 2010. According to various press reports, Toure, an electrical engineer from Mali, said at his first press conference that it was not his intention for the ITU "to take over the governance of Internet." Rather, the international group plans to forge ahead with the existing set-up, headed largely by the nonprofit Internet Corporation for Assigned Names and Numbers (ICANN), which remains under the U.S. Department of Commerce's supervision. Whether those predictions will prove accurate remains to be seen. As recently as last fall's Internet Governance Forum in Greece, then-ITU Secretary-General Yoshio Utsumi accused the United States of using "self-serving justifications" to argue that the existing arrangement is the best. 
Representatives from countries such as Tunisia, Cuba, Iran, China and many less-developed nations also have criticized the current system, charging that it gives the United States undue influence over the day-to-day operations of the Internet. Some have suggested the need to create a new international "superstructure" to dull the United States' influence, and the topic is expected to be discussed at a U.N. summit in Brazil in late 2007. For years, the U.S. government has been saying it ultimately intends to shift ICANN, which has operated under the auspices of the U.S. Commerce Department since 1998, into the private sector with less government oversight. Assistant Secretary Kneuer indicated he also was pleased that the ITU planned to distance itself from the technical management debate but said "coordinating the transition of the (domain name system) to the private sector...remains important for us." CNET News.com's Declan McCullagh contributed to this report. From rforno at infowarrior.org Tue Jan 16 19:50:00 2007 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 16 Jan 2007 19:50:00 -0500 Subject: [Infowarrior] - Passports: The Clock Is Ticking for Winter Travelers Message-ID: January 14, 2007 Practical Traveler The Clock Is Ticking for Winter Travelers By MICHELLE HIGGINS http://www.nytimes.com/2007/01/14/travel/14pracpassport.html?8dpc=&_r=1&oref=slogin&pagewanted=print MORE than a year ago, the federal government decided it was going to require just about everyone entering the United States to present a passport -- even American citizens coming back from trips just across the border. Confusion ensued -- travel companies and border cities protested, start dates were pushed back, and air and sea requirements were broken up and put on different timetables. On Jan. 23, the first of the requirements is becoming reality. If you're jetting off to Mexico or the Caribbean, you'll need to pack a passport along with that bathing suit.
In fact, nearly anyone coming into the United States by plane -- including Americans who have long returned with just a birth certificate or a driver's license from Canada, Mexico, Panama and most Caribbean islands -- will need to present a passport at the airport. Those who don't, the Department of Homeland Security says, will have to go through secondary screenings to verify their citizenship. No one has announced an estimate of how long those screenings will take, but, inevitably, that extra step will cause delays. It's a big change for Americans who were used to a warmer welcome home -- adults could get by with their usual government-issued IDs; children needed just birth certificates. A 2005 study commissioned by the Caribbean Hotel Association concluded that an estimated 80 percent of visitors from the United States to Jamaica did not carry passports. Nor did roughly 30 percent of Americans going to Antigua and Barbuda, 27 percent to Aruba and 15 percent to Curaçao. Nearly three-quarters of all Americans -- 73 percent -- don't even have passports, the State Department says. Some people are about to be getting them in a hurry. One thing to keep in mind: In an effort to make sure their customers don't put off vacations just because they don't yet have passports, many hotels in the Caribbean and Mexico are offering rebates to guests who will have to pay fees to get them. The hotels include nine Marriott and Renaissance resorts (www.paradisebymarriott.com/passport), nine SuperClubs (www.superclubs.com/passport.asp) and 19 other hotels in Nassau and Paradise Island in the Bahamas (www.Nassauparadiseisland.com). Here is a guide to help you navigate the bureaucracy and get that passport in time.

Your Trip Is in Eight Weeks

If all goes well, you'll have time to get your passport in the usual way -- processing an application typically takes six to eight weeks. But as the demand for passports grows, wait times could increase.
In December, one million passport applications were processed, up 57 percent from the number in December 2005. To help handle the work, the government has hired new employees and added some new locations where people can file applications, bringing the total to roughly 9,000. But no one really knows if this will be enough. To apply for the first time, go in person to one of the many passport acceptance facilities around the country, including many post offices or libraries (you can find one by ZIP code at www.iafdb.travel.state.gov), with two photographs of yourself; proof of United States citizenship, like a certified birth certificate; and a valid form of photo identification, like a driver's license. The fee is $97. If you mostly travel between the United States and Canada, there is a $50 alternative: the Nexus card, issued to pre-screened travelers under a joint program operated by the United States and Canada.

You're Leaving in Two Weeks

You can always pay an extra $60 for expedited service, which typically cuts down waiting time to around two weeks. Be sure to clearly mark "expedited" on the envelope if you're mailing in your application, an option for adults who are simply renewing passports. (Renewals cost $67.) And consider paying for overnight delivery each way. For faster service, make an appointment to go in person, with proof of travel plans in hand, to one of 14 passport agencies in major cities, including New York, Houston and Los Angeles, by calling (877) 487-2778. Your passport could be issued that same day.

You're Leaving Tomorrow

Your best bet is to use a private rush service. For anywhere from $130 to $200 on top of passport fees, these companies often can obtain passports in as little as 24 hours. You'll still need appropriate documentation, and you'll have to appear at a post office or other passport acceptance location, but the service will speed up the processing time. Rush companies have their limits, too.
In recent years, some of the regional passport agencies have reduced the number of daily submissions rush companies are allowed, and some companies have had to turn applicants away. But if the first one you call can't get you an appointment, there are many others to choose from. For a list go to www.napvs.org. American Express Vacations is working with It's Easy Passport and Visa Services in New York to get its customers passports on the day of application, if necessary. Cost: $179 to $200 on top of regular fees.

You're Leaving Next Year

Sure, you have plenty of time, but you might as well apply now. As early as Jan. 1 of next year, American citizens traveling between the United States and the rest of the Western Hemisphere by land or sea could be required to present valid passports. While recent legislative changes permit a later deadline, the State and Homeland Security Departments are working to meet all requirements as soon as possible. The change is expected to drive an even greater influx of passport applications. By applying now, you'll avoid any potential backlogs. For travelers who don't want to pay $97 for a first-time passport, the State Department also plans to introduce a passport card, possibly by the end of this year, good for travel by land or sea only to Canada, Mexico, the Caribbean and Bermuda. Projected costs are $10 for children and $20 for adults with a $25 processing fee for each.

What About the Kids?

If it's your children who need the passports, there are extra rules. To apply for a passport for a child under 14, both parents must appear together with the child to sign the application. If that's not possible, written and notarized permission from an absent parent or another documented explanation -- like proof of sole custody of a child, an adoption decree or the death certificate of a deceased parent -- must be supplied. Exact procedures are set out at www.travel.state.gov/passport.
Older teenagers with their own government-issued IDs do not need a parent to accompany them to apply, but parental consent may be requested. The fee is $82 for children under 16. From rforno at infowarrior.org Tue Jan 16 21:47:26 2007 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 16 Jan 2007 21:47:26 -0500 Subject: [Infowarrior] - Google, British military discuss Google Earth use in attacks Message-ID: Google, British military discuss Google Earth use in attacks January 16, 2007 3:13 PM PST http://news.com.com/2061-10803_3-6150596.html?part=rss&tag=2547-1_3-0-20&subj=news Google is talking with military agencies in Iraq after learning that terrorists attacking British bases in Basra appear to have been using aerial footage from Google Earth to pinpoint strikes, according to the United Kingdom's Daily Telegraph. Among documents seized in raids on insurgents' homes were printouts from photos taken from Google Earth that show the location of buildings, tents, latrines and lightly armored vehicles, the news site reported. On the back of one set of photos, someone had written the precise longitude and latitude of the Shatt Al Arab Hotel, where 1,000 Staffordshire Regiment soldiers are headquartered, the report said. "This is evidence, as far as we are concerned, for planning terrorist attacks," said an intelligence officer with the Royal Green Jackets battle group. "We believe they use Google Earth to identify the most vulnerable areas, such as tents." A Google spokesman said the satellite mapping information could be used for "good and bad" and can be accessed via numerous means. "Of course we are always ready to listen to governments' requests," he said. "We have opened channels with the military in Iraq, but we are not prepared to discuss what we have discussed with them. But we do listen and we are sensitive to requests."
Royal Green Jackets soldiers based at Basra Palace base said they would consider suing Google if they were injured in any attacks in which Google Earth aerial shots were used. Posted by Elinor Mills From rforno at infowarrior.org Tue Jan 16 23:36:22 2007 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 16 Jan 2007 23:36:22 -0500 Subject: [Infowarrior] - Vast Data Collection Plan Faces Big Delay Message-ID: Vast Data Collection Plan Faces Big Delay By Ellen Nakashima Washington Post Staff Writer Wednesday, January 17, 2007; D01 The Treasury Department reported to Congress yesterday that a data-collection program to give counterterrorism analysts routine access to as many as 500 million cross-border financial transactions a year could not be implemented until 2010. The department had hoped to implement it by the end of this year. The Cross-Border Electronic Funds Transfer Program was part of the 2004 Intelligence Reform Act, and Congress directed the Treasury secretary to determine if the program would be effective in tracking terrorist financing. In a report to Congress to be released today, the Treasury Department concluded that the program was technologically feasible and has value, but said it needs to determine whether the counterterrorism benefit outweighs banks' costs of compliance and to address privacy concerns. The program is opposed by bankers, who view it as burdensome and invasive. Unlike another Treasury program, which uses administrative powers that bypass traditional banking privacy protections to tap into the vast global database of transactions maintained by the Brussels-based Society for Worldwide Interbank Financial Telecommunication, the cross-border plan is the result of legislation sought by Treasury and would require congressional oversight. Both programs were inspired by the Sept. 11, 2001, terrorist attacks. Banks and money services are required by law to keep records on all wire transfers of $3,000 or more. 
The proposed program would mandate that each of those transactions -- if they cross the U.S. border -- be reported to the Treasury Department's Financial Crimes Enforcement Network (FinCEN). The type of data captured would include the names and addresses of senders, the amount and dates of the transfers, the names and addresses of the beneficiaries and their financial institutions. Treasury officials said in interviews and in the report to Congress that the data would give analysts more information to ferret out illicit activity as they try to detect links between suspects. FinCEN said that Australia and Canada had used similar data effectively. Australia has used it to catch tax evaders and predict the movement of drugs into and out of the country. But those countries deal with much smaller numbers of transactions. Treasury receives more than 16 million currency transaction records and suspicious activity reports a year from banks and other financial institutions, which help officials track money launderers and terrorist activity. Bankers say the additional reporting requirement would be a tremendous burden. "We're talking about a volume of transactions that dwarfs anything that has been done in the name of [financial regulatory reporting] up to now," said Richard R. Riese, director of the American Bankers Association Center for Regulatory Compliance. Beyond the reporting burden, he said, privacy concerns are significant. "All this information will now end up in the hands of the U.S. government for them to sift through at their leisure without any apparent process to assure that it is being used for the most significant national security investigations," Riese said. He likened it to a "fishing expedition" -- "except that the government no longer has to go and put their hook in the water. We have to give all the fish." To streamline reporting, Treasury officials are recommending a "first in" and "last out" system so that only a single U.S. 
financial institution -- the last one in a transfer out of the country, or the first one in a transfer in -- would have to report each transaction. "It's another example of the U.S. government's pattern of sweeping up massive amounts of data that it can't possibly analyze, that is not likely to have any significant security benefit, but does threaten privacy" -- that of Americans and of foreigners doing business with Americans, said Barry Steinhardt, director of the American Civil Liberties Union technology project. European officials, too, raised privacy concerns. "If the program affects non-U.S. citizens, it should be developed in close cooperation with these other countries," said Sophie in't Veld, a member of the European Parliament from the Netherlands. Stephen R. Kroll, former Democratic special counsel for the Senate Banking Committee, said the statute "wasn't designed to require reporting of every wire transfer that goes in and out of America -- both because that's billions of transactions and because most of them are perfectly ordinary." He said the law was designed to give the Treasury Department power for "targeted data collection," aimed, for example, at a country where there is known terrorist activity. In an October interview, Robert W. Werner, who then was director of FinCEN, said most of the data collected would be "commercial oriented" transactions and "irrelevant" to FinCEN's mission to detect and prevent illicit activity. "The key is to have a system that allows you to be able to pull the relevant data without people worrying that irrelevant data is being browsed and used inappropriately," he said. FinCEN would also need to develop the technical capability to store and analyze the information, the study noted. FinCEN is considering setting up a "federated data warehouse" to store the data, which would be held separately from other financial records data. 
Officials said there would be strict rules to ensure that the data is not shared inappropriately, including audit trails to check for improper access. The program would be developed through a public rulemaking process over an extended period, officials said. "We know there will be costs. We believe there is value. How do those two play out?" said Eric Kringel, senior policy adviser at FinCEN. He said that as a regulatory body, FinCEN "would not want to proceed" without determining if the benefit is worth the cost. FinCEN has proposed taking a year to conduct a $1.1 million cost-benefit analysis. Implementation would cost $32.6 million and take 3 1/2 years, officials said. From rforno at infowarrior.org Tue Jan 16 23:41:18 2007 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 16 Jan 2007 23:41:18 -0500 Subject: [Infowarrior] - Feds offer cybercrime tips to local cops Message-ID: Feds offer cybercrime tips to local cops By Declan McCullagh http://news.com.com/Feds+offer+cybercrime+tips+to+local+cops/2100-1028_3-6150676.html Story last modified Tue Jan 16 19:55:04 PST 2007 Police trying to learn how to use the Internet to investigate everything from cyberstalking to spam and illegal hacking have some new advice, thanks to the U.S. Department of Justice. The department's Office of Justice Programs on Tuesday published what amounts to a manual for tech-challenged gumshoes, covering everything from how to track suspects through an Internet Relay Chat network to targeting copyright thieves on peer-to-peer networks. Local and state law enforcement have bungled some high-tech investigations recently. The Pennsylvania Supreme Court rejected prosecutors' attempts to seize newspaper reporters' hard drives, and the 8th Circuit Court of Appeals ruled that police illegally seized a computer in a methamphetamine investigation.
A federal judge permitted an Internet service provider to sue police after it was raided because of Usenet posts its employees knew nothing about. The new 137-page manual appears to represent the Justice Department's attempt to offer at least some basic technical and legal tips to law enforcement agencies that may not have computer experts on the payroll. "Criminals can trade and share information, mask their identity, identify and gather information on victims, and communicate with co-conspirators," the manual says. "Web sites, electronic mail, chat rooms, and file sharing networks can all yield evidence in an investigation of computer-related crime." The manual warns of the perils of assuming that the owner of a computer--especially Windows PCs, which can be vulnerable to security breaches--is responsible for what's actually on it. "Because investigations involving the Internet and computer networks mean that the suspect's computer communicated with other computers, investigators should be aware that the suspect may assert that the incriminating evidence was placed on the media by a Trojan program," it says. "A proper seizure and forensic examination of a suspect's hard drive may determine whether evidence exists of the presence and use of Trojan programs." Defendants in criminal cases have been known to raise what's become known as the Trojan defense. In a dawn raid, Arizona police stormed into the house of a 16-year-old boy named Matthew Bandy and accused him of downloading child pornography--which carried a maximum penalty of 90 years in prison. It turned out that, contrary to claims by police and Maricopa County District Attorney Andrew Thomas, the Bandys' home computer was thoroughly infected by malware. After being contacted by reporters, the Maricopa County Attorney's Office offered the boy a plea bargain without jail time. The Trojan defense was also tried by an eighth-grade math teacher in Georgia, but with less success.
In November, the 11th U.S. Circuit Court of Appeals upheld the teacher's conviction on federal child pornography charges. Copyright ©1995-2007 CNET Networks, Inc. All rights reserved. From rforno at infowarrior.org Wed Jan 17 09:01:48 2007 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 17 Jan 2007 09:01:48 -0500 Subject: [Infowarrior] - Doomsday Clock to be moved closer to midnight Message-ID: Doomsday Clock to be moved closer to midnight By David Byers, January 16, 2007 http://www.theaustralian.news.com.au/story/0,20867,21067189-2703,00.html THE END of the World is closer than at any time since the Cold War, a group of scientists is set to declare this week. The keepers of a symbolic Doomsday Clock - a world-famous symbol designed by the US-based Bulletin of Atomic Scientists to chart how close we are to Armageddon - have announced they are moving its hands forward. According to the University of Chicago-based organisation, worsening climate change and the increasing threat of nuclear war are threatening our survival. The clock's hands will be moved forward next Wednesday. The clock, which has appeared on the Bulletin of Atomic Scientists magazine's front cover since 1947, is currently set at seven minutes to midnight - with midnight marking global catastrophe. In a news release previewing next Wednesday's event, which will be co-hosted by the British physicist Stephen Hawking, the organisation would not say exactly how far the clock would be moved forward - but explained that a change was necessary because of "worsening nuclear, climate threats" to the world.
"The major new step reflects growing concerns about a 'Second Nuclear Age' marked by grave threats, including: nuclear ambitions in Iran and North Korea, unsecured nuclear materials in Russia and elsewhere, the continuing 'launch-ready' status of 2,000 of the 25,000 nuclear weapons held by the US and Russia; escalating terrorism; and new pressure from climate change for expanded civilian nuclear power that could increase proliferation risks," it said. The clock was last pushed forward by two minutes to seven minutes to midnight in 2002, amid concerns about the proliferation of nuclear, biological and other weapons and the threat of terrorism in the aftermath of the attacks on September 11, 2001. The last time it was closer than that to midnight was in 1988, when the Cold War was beginning to show its first signs of coming to an end and the clock showed 11.54pm. With the time set to be put forward again, it is inevitable that it will be at a closer point to midnight than at any time since that year - and perhaps closer. When it was created by the magazine's staff in 1947, it was initially set at seven minutes to midnight and has moved 17 times since then. It was as close as two minutes to midnight in 1953 following U.S. and Soviet hydrogen bomb tests - and as far away as 17 minutes to midnight in 1991 in a wave of optimism as the Soviet Communist regime collapsed and the superpowers reached agreement on nuclear arms reductions.
From rforno at infowarrior.org Wed Jan 17 10:06:35 2007 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 17 Jan 2007 10:06:35 -0500 Subject: [Infowarrior] - Study: Economic impact of OSS on ICT in the EU Message-ID: Study on the: Economic impact of open source software on innovation and the competitiveness of the Information and Communication Technologies (ICT) sector in the EU Final report Prepared on November 20, 2006 Lead contractor: UNU-MERIT, the Netherlands Subcontractors: Universidad Rey Juan Carlos, Spain University of Limerick, Ireland Society for Public Information Spaces, France Business Innovation Centre of Alto Adige-Südtirol, Italy Prepared by: Rishab Aiyer Ghosh, MERIT http://ec.europa.eu/enterprise/ict/policy/doc/2006-11-20-flossimpact.pdf From rforno at infowarrior.org Wed Jan 17 10:13:31 2007 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 17 Jan 2007 10:13:31 -0500 Subject: [Infowarrior] - Inside MySpace.com Message-ID: Inside MySpace.com January 16, 2007 By David F. Carr Booming traffic demands put a constant stress on the social network's computing infrastructure. Yet, MySpace developers have repeatedly redesigned the Web site software, database and storage systems in an attempt to keep pace with exploding growth - the site now handles almost 40 billion page views a month. Most corporate Web sites will never have to bear more than a small fraction of the traffic MySpace handles, but anyone seeking to reach the mass market online can learn from its experience. < - > http://www.baselinemag.com/print_article2/0,1217,a=198614,00.asp From rforno at infowarrior.org Wed Jan 17 11:43:27 2007 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 17 Jan 2007 11:43:27 -0500 Subject: [Infowarrior] - ISOHUNT shut down Message-ID: Update, Jan. 16, 2007 http://www.isohunt.com/ Lawyers from our primary ISP decided to pull our plug without any advance notice, as of 14:45 PST.
No doubt related to our lawsuit brought by the MPAA, but we don't have more information at this time until the people responsible come to work tomorrow. We will be back in operation once we sort out this mess with our current ISP, or we get new hardware ready at our new ISP. Sit back and enjoy the rest of the internet in the meantime, while it lasts. For your torrent searching needs, try Google for now by searching for "SEARCH TERMS ext:torrent". You can also come hang around our IRC channel (SSL on port +7000). We'll update on this page and on IRC when we have more information. From rforno at infowarrior.org Wed Jan 17 15:05:32 2007 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 17 Jan 2007 15:05:32 -0500 Subject: [Infowarrior] - Secret Court to Govern Wiretapping Plan Message-ID: Secret Court to Govern Wiretapping Plan Jan 17 2:34 PM US/Eastern By LARA JAKES JORDAN Associated Press Writer http://www.breitbart.com/news/2007/01/17/D8MN7KQ00.html WASHINGTON (AP) -- The Justice Department, easing a Bush administration policy, said Wednesday it has decided to give an independent body authority to monitor the government's controversial domestic spying program. In a letter to the leaders of the Senate Judiciary Committee, Attorney General Alberto Gonzales said this authority has been given to the Foreign Intelligence Surveillance Court and that it already has approved one request for monitoring the communications of a person believed to be linked to al-Qaida or an associated terror group. The court orders approving collection of international communications -- whether it originates in the United States or abroad -- were issued Jan. 10, according to the two-page letter to Sens. Patrick Leahy, D-Vt., and Arlen Specter, R-Pa.
"As a result of these orders, any electronic surveillance that was occurring as part of the Terrorist Surveillance Program will now be conducted subject to the approval of the Foreign Intelligence Surveillance Court," Gonzales wrote in the letter, a copy of which was obtained by The Associated Press. "Accordingly, under these circumstances, the President has determined not to reauthorize the Terrorist Surveillance Program when the current authorization expires," the attorney general wrote. The Bush administration secretly launched the surveillance program in 2001 to monitor international phone calls and e-mails to or from the United States involving people suspected by the government of having terrorist links. The White House said it is satisfied that the new guidelines meet its concerns about national security. "The Foreign Intelligence Surveillance Court has put together its guidelines and its rules and those have met administration concerns about speed and agility when it comes to responding to bits of intelligence where we may be able to save American lives," White House press secretary Tony Snow said. Snow said he could not explain why those concerns could not have been addressed before the program was started. He said the president will not reauthorize the present program because the new rules will serve as guideposts. From rforno at infowarrior.org Wed Jan 17 21:06:06 2007 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 17 Jan 2007 21:06:06 -0500 Subject: [Infowarrior] - Pew Report: The internet and campaign 2006 Message-ID: The internet and campaign 2006 http://www.pewinternet.org/PPF/r/135/press_release.asp 1/17/2007 | Release The number of Americans who cited the internet as their primary source of campaign news in 2006 doubled since the last mid-term election Twice as many Americans used the internet as their primary source of news about the 2006 campaign compared with the most recent mid-term election in 2002.
Some 15% of all American adults say the internet was the place where they got most of their campaign news during the election, up from 7% in the mid-term election of 2002. A post-election survey by the Pew Internet & American Life Project and the Pew Research Center for The People & The Press shows that the 2006 race also produced a notable class of online political activists. Some 23% of those who used the internet for political purposes -- the people we call campaign internet users -- actually created or forwarded online original political commentary or politically-related videos. "The vanguard of YouTubers and bloggers has become influential in politics," said Pew Internet Project Director Lee Rainie, one of the authors of the Project's report on its national survey. "Those who wish to engage voters around a particular issue or candidate have many more tools at their disposal today than they did just four years ago." Indeed, 20% of campaign internet users say they got political news and information from blogs, while 24% say they visited issue-oriented websites. The growing importance of the internet in the nation's political life is tied at least in part to the spread of broadband connections in American homes. Some 17% of Americans had broadband connections at home at the time of the 2002 midterm campaign and it rose to 45% by November 2006. Younger broadband users -- those under age 36 -- were more likely to cite the internet than newspapers as their main source of political news. "Young broadband users seem to be replacing time spent with newspapers with time spent with online news outlets, while older broadband users go online for political information as a supplement to other media like newspapers and television news," said Pew Internet's John Horrigan, the Associate Director for Research and co-author of the report. "Younger users especially appreciate the extra information and the variety of perspectives they get online."
The 2006 election survey shows that convenience is the top reason people use the internet to get political news information and that the majority of campaign internet users go to the websites of mainstream news organizations. At the same time, though, a majority of internet users go to non-traditional sites such as blogs, humor and satire sites like The Daily Show, international sites, alternative sites, candidate and government sites. Republican and Democratic voters were equally likely to say that the internet was their main source of election news. In contrast, there were notable differences between Republican and Democratic voters in their preferences for other news sources. For instance, Democratic voters were more likely than Republicans to cite newspapers and certain broadcast and cable news operations such as CBS, ABC and CNN as their main sources of news, while Republicans were more likely to favor the Fox cable TV News and radio. These findings come from a survey of 2,562 adults, aged 18 and older. Some 200 of the completed interviews were conducted on cell phones among American adults who only have cell phones and do not have landline phone connections. Some 1,578 of those interviewed were internet users. The margin of error on the full sample is +/- 2%. For results based on Internet users, the margin of sampling error is +/- 3%. The Pew Internet Project is a non-partisan, non-profit research organization that is an initiative of the Pew Research Center established to explore the social impact of the internet. The Project takes no positions on policy issues.
http://www.pewinternet.org/PPF/r/199/report_display.asp From rforno at infowarrior.org Wed Jan 17 21:09:16 2007 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 17 Jan 2007 21:09:16 -0500 Subject: [Infowarrior] - TSA: No-Fly List Being Checked and Cut Message-ID: No-Fly List Being Checked and Cut By BEVERLEY LUMPKIN Associated Press Writer http://www.wtopnews.com/?nid=116&sid=1035672# WASHINGTON (AP) - The Bush administration is checking the accuracy of a watch list of suspected terrorists banned from traveling on airliners in the U.S. and will probably cut the list in half, the head of the Transportation Security Administration said Wednesday. Kip Hawley told Congress that the more accurate list, combined with a new passenger screening system, should take care of most incidents of people wrongly being prevented from boarding a flight or frequently being picked out for additional scrutiny. A "no-fly" list of suspected terrorists and criminals considered too dangerous to travel on commercial airliners in this country has existed for decades. But since the terrorist attacks of Sept. 11, 2001, the list expanded. Tightened security procedures have led to closer scrutiny of air travelers and resulted in many complaints. The TSA has been working with intelligence agencies and the FBI to improve the watch list. Before the 9/11 attacks, almost every intelligence agency had its own list of undesirables and resisted sharing it with other agencies. Even cutting the list in half is "nice but not all that meaningful," said Barry Steinhardt, an attorney with the American Civil Liberties Union. He noted that various estimates of the list's size, which is classified, have ranged from 50,000 to 350,000 names. "Cutting a list of 350,000 names is not all that impressive," Steinhardt added. At a hearing of the Senate Commerce Committee, Hawley ran into inquiries from lawmakers with family members or friends who had encountered problems at airport checkpoints. 
Among them was Sen. Ted Stevens, R-Alaska, who complained that his wife, Catherine, was being identified as "Cat" Stevens and frequently stopped due to confusion with the former name of the folk singer now known as Yusuf Islam, whose name is on the list. In 2004 he was denied entry into the U.S., but officials declined to explain why. Hawley explained that Secure Flight, the new passenger screening program, which he hopes will be running in 2008, would make such problems "a thing of the past." Hawley said his agency sends correctives to the airlines. "Unfortunately, it depends airline by airline how their individual systems work as to how effectively that's done," he said. Hawley was questioned by Sen. Jay Rockefeller, D-W.Va., about the lack of screening for passengers on private aircraft, which Rockefeller called "very disturbing." Hawley said there are many security measures in place on the ground around general aviation terminals, but that the department is considering the longer-term issue of whether such private flight passengers should be subjected to individual screening. Senators also asked Hawley about a provision recommended by the 9/11 Commission, and passed by the House last week, that would require 100 percent physical inspection of all air cargo loaded onto passenger planes. The Senate has yet to act on the measure. "We prefer not to have a 100 percent requirement on anything," Hawley said. "Because you tend to be focused then on, how do we accomplish what is written in the law, as opposed to a smarter security that says, okay, we're in a risk-based business, how are we going to stop the bomb from being in here?" Also Wednesday, the Homeland Security Department launched a new program for passengers who feel wronged to try correcting the list. The program will give travelers "a clearly-defined process" to report problems, said Homeland Security Secretary Michael Chertoff in a written statement. Beginning Feb. 
20, the program, dubbed Traveler Redress Inquiry Program, will serve as a central processing point for all inquiries about Homeland Security agencies' databases. (Copyright 2007 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.) From rforno at infowarrior.org Wed Jan 17 21:58:56 2007 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 17 Jan 2007 21:58:56 -0500 Subject: [Infowarrior] - Music industry threatens ISPs over piracy Message-ID: Music industry threatens ISPs over piracy By Nic Fildes Published: 18 January 2007 http://news.independent.co.uk/business/news/article2162919.ece The music industry opened up a new front in the war on online music piracy yesterday, threatening to sue internet service providers that allow customers to illegally share copyrighted tracks over their networks. The International Federation of the Phonographic Industry, or IFPI, said it would take action against internet companies that carry vast amounts of illegally shared files over their networks. It stressed that it would prefer not to pursue such a strategy and is keen to work in partnership with internet providers. John Kennedy, the chairman of the IFPI, said he had been frustrated by internet companies that have not acted against customers involved in illegal activity. He warned that litigation against ISPs would be instigated "in weeks rather than months". Barney Wragg, the head of EMI's digital music division, said the industry had been left "with no other option" but to pursue ISPs in the courts. The IFPI wants ISPs to disconnect users who refuse to stop exchanging music files illegally. Mr Kennedy said such activity is in breach of a customer's contract with the ISP and disconnecting offenders the IFPI had identified would significantly reduce illegal file sharing. Mr Kennedy said talks with internet companies have been ongoing over the past year, but no action has been taken. 
"I realised I was being filibustered ... if they still want to filibuster, their time will run out," he said. The IFPI took legal action against 10,000 individuals in 18 countries during 2006. It won a spate of significant legal victories against peer-to-peer platforms such as Kazaa, which was forced to pay a $115m (£58m) settlement. A spokesman for the Internet Service Providers Association said ISPs are "mere conduits of information" that can not be held liable for offences committed by customers. "ISPs cannot inspect every packet of data transmitted over their networks," he said. Geoff Taylor, the executive vice-president and general counsel of IFPI, said that ISPs are in the best position to stop copyright infringements. "While it might be possible to argue that an ISP is exempt from liability for damages, that does not mean rights holders can't obtain an injunction to stop infringements of their copyright," he said. A spokeswoman for Tiscali, a UK ISP, said the onus is on the IFPI to prove that the user is engaged in illegal activity and that the music organisation should share the cost of resolving disputes. Last year, due to a lack of evidence, Tiscali refused to close the accounts or hand over the details of 17 customers who the British Phonographic Industry claimed were involved in illegal file sharing. During 2006, global digital music sales doubled to about $2bn on the back of an 89 per cent surge in music downloads to 795 million. The success of the digital music market has been underlined by bands like Koopa, which is expected to score a Top-40 hit this week despite having no record label or any physical copies of their CD on sale.
From rforno at infowarrior.org Wed Jan 17 22:25:17 2007 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 17 Jan 2007 22:25:17 -0500 Subject: [Infowarrior] - "Doomsday Clock" Moves Two Minutes Closer To Midnight Message-ID: "Doomsday Clock" Moves Two Minutes Closer To Midnight http://www.thebulletin.org/weekly-highlight/20070117.html 17 January 2007 | 10:14 PM Bulletin of the Atomic Scientists Adjusts Clock From 7 to 5 Minutes Before Midnight; 'Deteriorating' Global Situation Cited on Nuclear Weapons and New Factor: Climate Change. WASHINGTON, D.C. and LONDON, ENGLAND /// January 17, 2007 /// The Bulletin of the Atomic Scientists (BAS) is moving the minute hand of the Doomsday Clock two minutes closer to midnight. It is now 5 minutes to midnight. Reflecting global failures to solve the problems posed by nuclear weapons and the climate crisis, the decision by the BAS Board of Directors was made in consultation with the Bulletin's Board of Sponsors, which includes 18 Nobel Laureates. BAS announced the Clock change today at an unprecedented joint news conference held at the American Association for the Advancement of Science in Washington, DC, and the Royal Society in London. In a statement supporting the decision to move the hand of the Doomsday Clock, the BAS Board focused on two major sources of catastrophe: the perils of 27,000 nuclear weapons, 2000 of them ready to launch within minutes; and the destruction of human habitats from climate change. In articles by 14 leading scientists and security experts writing in the January-February issue of the Bulletin of the Atomic Scientists (http://www.thebulletin.org), the potential for catastrophic damage from human-made technologies is explored further. Created in 1947 by the Bulletin of the Atomic Scientists, the Doomsday Clock has been adjusted only 17 times prior to today, most recently in February 2002 after the events of 9/11. By moving the hand of the Clock closer to midnight --
the figurative end of civilization -- the BAS Board of Directors is drawing attention to the increasing dangers from the spread of nuclear weapons in a world of violent conflict, and to the catastrophic harm from climate change that is unfolding. The BAS statement explains: "We stand at the brink of a Second Nuclear Age. Not since the first atomic bombs were dropped on Hiroshima and Nagasaki has the world faced such perilous choices. North Korea's recent test of a nuclear weapon, Iran's nuclear ambitions, a renewed emphasis on the military utility of nuclear weapons, the failure to adequately secure nuclear materials, and the continued presence of some 26,000 nuclear weapons in the United States and Russia are symptomatic of a failure to solve the problems posed by the most destructive technology on Earth." The BAS statement continues: "The dangers posed by climate change are nearly as dire as those posed by nuclear weapons. The effects may be less dramatic in the short term than the destruction that could be wrought by nuclear explosions, but over the next three to four decades climate change could cause irremediable harm to the habitats upon which human societies depend for survival." Stephen Hawking, a BAS sponsor, professor of mathematics at the University of Cambridge, and a fellow of The Royal Society, said: "As scientists, we understand the dangers of nuclear weapons and their devastating effects, and we are learning how human activities and technologies are affecting climate systems in ways that may forever change life on Earth. As citizens of the world, we have a duty to alert the public to the unnecessary risks that we live with every day, and to the perils we foresee if governments and societies do not take action now to render nuclear weapons obsolete and to prevent further climate change."
Kennette Benedict, executive director, Bulletin of the Atomic Scientists, said: "As we stand at the brink of a Second Nuclear Age and at the onset of unprecedented climate change, our way of thinking about the uses and control of technologies must change to prevent unspeakable destruction and future human suffering." Sir Martin Rees, president of The Royal Society, professor of cosmology and astrophysics, master of Trinity College at the University of Cambridge, and a BAS sponsor, said: "Nuclear weapons still pose the most catastrophic and immediate threat to humanity, but climate change and emerging technologies in the life sciences also have the potential to end civilization as we know it." Lawrence M. Krauss, professor of physics and astronomy at Case Western Reserve University, and a BAS sponsor, said: "In these dangerous times, scientists have a responsibility to speak truth to power especially if it might provoke actions to reduce threats from the preventable technological dangers currently facing humanity. To do anything else would be negligent." Ambassador Thomas Pickering, a BAS director and co-chair of the International Crisis Group, said: "Although our current situation is dire, we have the means today to successfully address these global problems. For example, through vigorous diplomacy and international agencies like the International Atomic Energy Agency, we can negotiate and implement agreements that could protect us all from the most destructive technology on Earth -- nuclear weapons." Highlights of the new statement from the Bulletin of Atomic Scientists include the following: * "The second nuclear era, unlike the dawn of the first nuclear age in 1945, is characterized by a world of porous national borders, rapid communications that facilitate the spread of technical knowledge, and expanded commerce in potentially dangerous dual-use technologies and materials.
The Pakistan-based network that provided nuclear technologies to Libya, North Korea, and Iran is an example of the new challenges confronting the international community." * "Sixteen years after the end of the Cold War, following substantial reductions in nuclear weapons by the United States and Russia, the two major powers have now stalled in their progress toward deeper reductions in their arsenals." * "More than 1400 metric tons of highly enriched uranium and approximately 500 tons of plutonium are distributed worldwide at some 140 sites, in unguarded civilian power plants and university research reactors, as well as in military facilities." * "Global warming poses a dire threat to human civilization that is second only to nuclear weapons. Through flooding and desertification, climate change threatens the habitats and agricultural resources that societies depend upon for survival. As such, climate change is also likely to contribute to mass migrations and even to wars over arable land, water, and other natural resources." * "The prospect of civilian nuclear power development in countries around the world raises further concerns about the availability of nuclear materials. Growth in nuclear power is anticipated to be especially high in Asia, where Japan is planning to bring on line five new plants by 2010, and China intends to build 30 nuclear reactors by 2020." * "Several factors are driving the turn to nuclear power -- aging nuclear reactors, rising energy demands, a desire to diversify energy portfolios and reduce reliance on fossil fuels, and the need to reduce carbon emissions that cause climate change. Yet expansion of nuclear power increases the risks of nuclear proliferation." The BAS statement also outlines a number of steps that, if taken immediately, could help to prevent disaster, including the following: * Reduce the launch readiness of U.S.
and Russian nuclear forces and completely remove nuclear weapons from the day-to-day operations of their militaries. * Reduce the number of nuclear weapons by dismantling, storing, and destroying more than 20,000 warheads over the next 10 years, as well as greatly increasing efforts to locate, store, and secure nuclear materials in Russia and elsewhere. * Stop production of nuclear weapons material, including highly enriched uranium and plutonium -- whether in military or civilian facilities. * Engage in serious and candid discussion about the potential expansion of nuclear power worldwide. While nuclear energy production does not produce carbon dioxide, it does raise other significant concerns, such as the health and environmental hazards of nuclear waste, the production of nuclear materials that can be diverted to the production of weapons, and the safety and security of the plants themselves. ABOUT BAS AND THE CLOCK The Bulletin of the Atomic Scientists was founded in 1945 by University of Chicago scientists who had worked on the Manhattan Project and were deeply concerned about the use of nuclear weapons and nuclear war. In 1947 the Bulletin introduced its clock to convey the perils posed by nuclear weapons through a simple design. The Doomsday Clock evoked both the imagery of apocalypse (midnight) and the contemporary idiom of nuclear explosion (countdown to zero). In 1949 Bulletin leaders realized that movement of the minute hand would signal the organization's assessment of world events. The decision to move the minute hand is made by the Bulletin's Board of Directors in consultation with its Board of Sponsors, which includes 18 Nobel Laureates. The Bulletin's Doomsday Clock has become a universally recognized indicator of the world's vulnerability to nuclear weapons and other threats. Additional information is available on the Web at http://www.thebulletin.org. CONTACT: Patrick Mitchell, (703) 276-3266 or pmitchell at hastingsgroup.com.
EDITORS NOTE: A streaming audio replay of the news event will be available on the Web at http://www.thebulletin.org as of 6 p.m. ET and 11 p.m. in London/2300 GMT on January 17, 2007. From rforno at infowarrior.org Wed Jan 17 22:35:15 2007 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 17 Jan 2007 22:35:15 -0500 Subject: [Infowarrior] - President Calls for Genetic Privacy Bill Message-ID: January 18, 2007 President Calls for Genetic Privacy Bill By SHERYL GAY STOLBERG http://www.nytimes.com/2007/01/18/washington/18privacy.html?pagewanted=print WASHINGTON, Jan. 17 -- President Bush on Wednesday urged Congress to pass long-stalled legislation to safeguard genetic privacy, a measure experts say would encourage millions of Americans to undergo testing that could lead to prevention and treatment of cancer and other diseases. "If a person is willing to share his or her genetic information, it is important that that information not be exploited in improper ways," Mr. Bush said at the National Institutes of Health. "And Congress can pass good legislation to prevent that from happening." He added, "We want medical research to go forward without an individual fearing personal discrimination." For years, scientists and patients' advocates have pushed for legislation barring employers and insurance companies from discriminating based on the results of genetic tests. A so-called genetic discrimination bill passed the Senate unanimously in 2003, but died in the House. The bill was reintroduced in the House this week. With Congress now under Democratic control, the bill's backers are optimistic. They include Dr. Francis S. Collins, director of the National Human Genome Research Institute at the health institutes, who participated in a roundtable discussion with Mr. Bush on Wednesday. Dr. Collins said Mr.
Bush's statement, along with the possibility of Congressional action, "gives us renewed hope that all Americans will finally receive the protections they need to benefit from gene-based medicine." From rforno at infowarrior.org Wed Jan 17 22:39:37 2007 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 17 Jan 2007 22:39:37 -0500 Subject: [Infowarrior] - Computer Privacy in Distress Message-ID: Computer Privacy in Distress http://www.wired.com/news/columns/1,72510-0.html By Jennifer Granick 02:00 AM Jan, 17, 2007 Circuit Court columnist Jennifer Granick My laptop computer was purchased by Stanford, but my whole life is stored on it. I have e-mail dating back several years, my address book with the names of everyone I know, notes and musings for various work and personal projects, financial records, passwords to my blog, my web mail, project and information management data for various organizations I belong to, photos of my niece and nephew and my pets. In short, my computer is my most private possession. I have other things that are more dear, but no one item could tell you more about me than this machine. Yet, a rash of recent court decisions says the Constitution may not be enough to protect my laptop from arbitrary, suspicionless and warrantless examination by the police. At issue is the Fourth Amendment, which protects individuals from unreasonable searches and seizures by government agents. As a primary safeguard against arbitrary and capricious searches, property seizures and arrests, the founding fathers required the government to first seek a warrant from a judge or magistrate. The warrant has to specifically describe the place to be searched and the items to be seized. Searches and seizures without such a warrant are presumed to be unconstitutional.
There are times, of course, when it would be unreasonable, burdensome, ineffective or just plain silly to require police to get a warrant before searching, so courts have carved out many, many exceptions to the warrant requirement. The fundamental thread in these decisions is a subtle and case-specific determination of what is "reasonable" conduct by law enforcement. Because reasonable minds can differ on reasonable courses of action, the resulting Fourth Amendment law is complicated, sometimes contradictory and very fact-dependent. Computers pose special Fourth Amendment search problems because they pack so much information in such a small, monolithic physical form. As a result, courts are grappling with how to protect privacy rights during searches of computers. Three digital search topics in particular are converging in interesting, and foreboding, ways. First, there are several new cases that suggest that agents can search computers at the border (including international airports) without reasonable suspicion or a warrant, under the routine border search exception to the warrant requirement. Second, a recent case in the 9th U.S. Circuit Court of Appeals has held that private employees have no reasonable expectation of privacy, and thus no Fourth Amendment rights, in their workplace computers (gulp!). Third and finally, the 9th Circuit is struggling, and failing, to define ways to judicially supervise police searches of computers to ensure that law enforcement gets the information it needs, while leaving undisturbed any private information on unrelated matters that may be on the same disk drive. Together the computer search cases can paint a scary picture. But if you read the decisions carefully, there is ample room for courts to follow up with more nuanced opinions that protect computer privacy and allow reasonable government access. For example, the border search exception allows "routine" searches without reasonable suspicion or a warrant. 
"Non-routine" searches still require reasonable suspicion. Is the examination of computers at the border a routine or non-routine search? The cases so far don't answer this question head on. Future cases will have to. The Supreme Court has said that the definition depends on the "dignity and privacy interests" implicated by a search. Thus, strip searches and cavity searches are non-routine, but searches of vehicles and baggage are routine. Given the sensitivity of information stored on a computer, the way people tend to archive everything, how long a comprehensive search takes and the likelihood of discovering contraband with such a search, courts may well find that computer searches are allowed at the border only based on reasonable suspicion, not as a baseless fishing expedition. I hope for the best, as I do in United States v. Ziegler, the case that found private employees have no reasonable expectation of privacy in their workplace computers. Defense attorneys have asked for a rehearing, and the court may do better next time. Ziegler is important, because if employees have no protected privacy rights, then the government can enter a private workplace, without cause, without a warrant, with or without the employer's consent and search employee computers. The business might try to sue, but the employee would not have the right either to challenge the government's actions in court, or to suppress any discovered evidence. Similarly, defense attorneys in United States v. Comprehensive Drug Testing have asked the 9th Circuit for a new hearing, and the court has an opportunity to issue a more careful opinion in that case, which arose from the Balco doping scandal. The government is investigating whether 10 professional baseball players were illegally taking steroids. In the course of its probe, it obtained multiple warrants for the results of drug tests taken by the players. 
But it didn't just seize the results for the players under scrutiny -- it grabbed the entire database, with samples from hundreds of other athletes. Lower courts ordered the government to return the information that was not related to the Balco-linked players, but the government appealed and the 9th Circuit ruled in its favor. The facts of the case are complicated, but the proper result is clear: In every computer or database search case, information responsive to the warrant is going to be intermingled with information about other matters. Warrants should not only state whether the computers will be removed from the premises, and how the search will be done, but should also establish a way agents will try to segregate private information from the data they are entitled to obtain pursuant to the warrant. Otherwise, we will find that the government can use a smaller investigation as a stalking horse to obtain information about a vast number of other people. These Fourth Amendment trends should be closely followed. Of course, there's a chance that the courts will not recognize the different scope of privacy interests at stake in computer searches, or will not be adept at crafting a rule that gives enough leeway and guidance to law enforcement, while also protecting privacy. At that point, the Constitution may fail us, and we will have to turn to Congress to create rules that are better adapted for the information age. - - - Jennifer Granick is executive director of the Stanford Law School Center for Internet and Society, and teaches the Cyberlaw Clinic. From rforno at infowarrior.org Wed Jan 17 22:43:12 2007 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 17 Jan 2007 22:43:12 -0500 Subject: [Infowarrior] - CIS is hiring: Residential Fellow Message-ID: CIS is hiring: Residential Fellow The Fellow will be directly and primarily responsible for one or more of the intellectual property 'impact' cases being litigated by the FUP and/or the Cyberlaw Clinic. 
The Fellow will also assist on other litigation and work with students in the Cyberlaw Clinic on cases and projects on an as-needed basis. In addition, the Fellowship may provide the opportunity for the pursuit of individual research and scholarship in preparation to enter the academic teaching market. The Center for Internet and Society (CIS) at Stanford Law School is offering a one-year Fellowship (2007-2008) to work in conjunction with its Fair Use Project and Cyberlaw Clinic on public interest litigation involving copyright and technology issues. The CIS is a leading center for the study of the relationship between the public interest, law and technology. CIS was founded by Professor of Law Lawrence Lessig and is headed by Executive Director Jennifer S. Granick. The Fair Use Project is a new CIS initiative launched in 2006 thanks to a generous gift from Google, Inc. Headed by Executive Director Anthony Falzone, the FUP's mission is to clarify, define and expand the bounds of fair use. The FUP's primary focus is litigation. It represents clients in non-commercial and commercial cases that present compelling issues of fair use and associated principles. Similarly, it provides legal representation to documentary filmmakers who comply with recognized fair use principles, providing assistance during production as well as a commitment to defend them should litigation arise. The Cyberlaw Clinic is an in-house clinic taught by CIS Executive Director and attorney Jennifer Granick. It consists of eight to twelve students assisting in the direct representation of clients in matters involving security, privacy, free speech, scientific innovation and technology, as well as policy analysis and public information campaigns.
Illustrative litigation includes representing a company that distributes peer-to-peer file sharing software in a lawsuit filed by the recording industry; protecting the rights of Internet publishers to speak anonymously on-line; and protecting speech interests against claims of intellectual property infringement. Qualifications: 2-5 years of post-law school civil litigation experience with substantial experience in intellectual property matters; Excellent writing and analytic skills; Demonstrated ability to direct litigation of impact cases; and Demonstrated ability to work in a self-directed and entrepreneurial environment. The position is for 12 months, with the possibility of renewal for a second twelve months. The start date is flexible, anytime from July 2007 to September 2007. At least two years of post-law school civil litigation experience is required. Salary will be approximately $40,000 per year, with benefits. Interested applicants should submit a cover letter, resume, writing sample and a list of references to: Jennifer S. Granick Center for Internet & Society Crown Quadrangle 559 Nathan Abbott Way Stanford, CA 94305-8610 Applications may also be submitted by email to the following address: granick at stanford.edu. Applicants must also apply online via the Stanford Jobs website at http://jobs.stanford.edu/find_a_job.html; Job number 23428. Applications will be accepted until the position is filled. Preferred submission deadline is January 31, 2007.
From rforno at infowarrior.org Wed Jan 17 22:49:01 2007 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 17 Jan 2007 22:49:01 -0500 Subject: [Infowarrior] - Gonzales raps 'activist' judges Message-ID: Gonzales raps 'activist' judges Attorney general says federal jurists should defer to president's will The Associated Press Updated: 8:07 a.m. ET Jan 17, 2007 http://www.msnbc.msn.com/id/16668110/ WASHINGTON - Attorney General Alberto Gonzales says federal judges are unqualified to make rulings affecting national security policy, ramping up his criticism of how they handle terrorism cases. In remarks prepared for delivery Wednesday, Gonzales says judges generally should defer to the will of the president and Congress when deciding national security cases. He also raps jurists who "apply an activist philosophy that stretches the law to suit policy preferences." The text of the speech, scheduled for delivery at the American Enterprise Institute, was obtained Tuesday by The Associated Press. It outlines, in part, what qualities the Bush administration looks for when selecting candidates for the federal bench. "We want to determine whether he understands the inherent limits that make an unelected judiciary inferior to Congress or the president in making policy judgments," Gonzales says in the prepared speech. "That, for example, a judge will never be in the best position to know what is in the national security interests of our country." Challenges to Bush policies Gonzales did not cite any specific activist jurists, or give examples of national security cases, in his prepared text. The Justice Department is appealing an August decision by U.S. District Judge Anna Diggs Taylor in Detroit, who ruled the government's warrantless surveillance program unconstitutional and ordered it stopped immediately. The Justice Department appealed her decision and the 6th U.S.
Circuit Court of Appeals in Cincinnati has ruled that the administration can keep the program in place during the appeal. Attorneys representing terrorism suspects held at Guantanamo Bay are challenging the legality of a law, signed by President Bush in October, that authorizes military trials. Those challenges raise the possibility that trials will be struck down by a federal appeals court or the Supreme Court. Gonzales, a former Texas Supreme Court justice, has in the past warned about judges who inject their personal beliefs in cases. But his prepared remarks Wednesday mark his sharpest words over concerns about the federal judiciary -- the third, and equal, branch of government. Judges who "apply an activist philosophy that stretches the law to suit policy preferences, they actually reduce the credibility and authority of the judiciary," Gonzales says. "In so doing, they undermine the rule of law that strengthens our democracy." Even so, Gonzales characterized efforts to retaliate against unpopular rulings as misguided, noting a failed South Dakota proposal to sue or jail judges for making unpopular court decisions. He also called for Congress to consider increasing the number of federal judges to handle heavy workloads, and to offer them higher salaries to lure and keep the best jurists on the bench. © 2007 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed. URL: http://www.msnbc.msn.com/id/16668110/ From rforno at infowarrior.org Wed Jan 17 23:46:47 2007 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 17 Jan 2007 23:46:47 -0500 Subject: [Infowarrior] - 28 hours later, Warcraft gets its first Level 70 Message-ID: 28 hours later, Warcraft gets its first Level 70 Posted Jan 17th 2007 8:55AM by Jared Rea Filed under: PC, Online, RPGs, MMO Well, that wasn't much of a race.
After being on store shelves for little more than a day, World of Warcraft: The Burning Crusade has gained its first level 70 in French player, Gullerbone. Clocking in at 28 hours, Gullerbone's journey from the lowly plain of mortals known as level 60 to the god-esque status of 70 seems almost disappointing for a task estimated to take most players a few months at the very least. Somewhere, in the halls of Blizzard, someone has slapped their forehead. For the curious, Gullerbone goes deeper into the method of his leveling madness in an interview with World of Raids. While his act of gaming fortitude is commendable, we're just glad that no babies died in the process this time. Gullerbone can now look forward to sitting on his hands, waiting for the rest of the folks on his server to catch up so that he can actually do something worth his level. Congratulations! From rforno at infowarrior.org Thu Jan 18 08:50:45 2007 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 18 Jan 2007 08:50:45 -0500 Subject: [Infowarrior] - Review: Six Rootkit Detectors Protect Your System Message-ID: Review: Six Rootkit Detectors Protect Your System While many security suites have a basic level of detection, these standalone tools will do a search-and-destroy on the rootkits that may be hiding in your system. By Serdar Yegulalp, InformationWeek Jan. 16, 2007 URL: http://www.informationweek.com/story/showArticle.jhtml?articleID=196901062 In October 2005, Windows expert Mark Russinovich broke the news about a truly underhanded copy-protection technology that had gone horribly wrong. Certain Sony Music CDs came with a program that silently loaded itself onto your PC when you inserted the disc into a CD-ROM drive. Extended Copy Protection (or XCP, as it was called) stymied attempts to rip the disc by injecting a rootkit into Windows -- but had a nasty tendency to destabilize the computer it shoehorned itself into.
It also wasn't completely invisible: Russinovich's own RootkitRevealer turned it up in short order. Before long, Sony had a whole omelette's worth of egg on its face, and the word rootkit had entered the vocabulary of millions of PC users. The concept of the rootkit isn't a new one, and dates back to the days of Unix. An intruder could use a kit of common Unix tools, recompiled to allow an intruder to have administrative or root access without leaving traces behind. Rootkits, as we've come to know them today, are programs designed to conceal themselves from both the operating system and the user -- usually by performing end-runs around common system APIs. It's possible for a legitimate program to do this, but the term rootkit typically applies to something that does so with hostile intent as a prelude toward stealing information, such as bank account numbers or passwords, or causing other kinds of havoc. Many antivirus and security-software manufacturers have since added at least some rudimentary level of rootkit detection to their products, but there have been a number of free, standalone rootkit detection tools that have been in use for some time. In this article, I examine six of the more prevalent standalone applications, and talk about their relative merits and abilities. To test them out, I used them to scan a system for three varieties of rootkit: Fu or FuTo, which can "stealth" any process; the AFX Windows Rootkit 2003, which can hide processes and folders from the system; and Vanquish, which is similar to AFX but uses a slightly different concealment mechanism. How They Work The detectors themselves typically work by comparing different views of the system and seeing where there's a mismatch. One of the original ways to perform this kind of detection was to dump a complete list of all the files on the volume while inside the operating system, then boot to the Recovery Console and dump another file list, then compare the two.
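The two-view comparison just described, as an added example (not code from the review or from any of the tools it covers): a Python script that diffs a file listing dumped from inside the running OS against one dumped from outside it, and flags entries only the offline view can see. The sample listings, the placeholder hidden_* file names and the allow-list of files Windows keeps hidden by default are all constructed here and are assumptions to tune for a real system.

```python
"""Cross-view file-listing comparison (added example).

Dump the file list from inside the running OS, dump it again from outside the
OS (Recovery Console, boot CD), then diff the two. A rootkit that hooks the
live system's file-enumeration APIs can hide entries from the first view but
not from the second. Listings below are constructed sample data, not real output.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass
from typing import Iterable

# Constructed sample dump taken from inside the running OS ("dir /s /b" style).
# The live view omits the two hidden_* entries: that is the symptom we look for.
LIVE_LISTING = r"""
C:\WINDOWS\system32\ntoskrnl.exe
C:\WINDOWS\system32\drivers\acpi.sys
C:\Documents and Settings\user\My Documents\notes.txt
C:\WINDOWS\Temp\tmp001.tmp
"""

# Constructed sample dump of the same volume taken from outside the OS.
# hidden_driver.sys / hidden_helper.dll are placeholder names, not real rootkit files.
OFFLINE_LISTING = r"""
C:\WINDOWS\system32\ntoskrnl.exe
C:\WINDOWS\system32\drivers\ACPI.SYS
C:\Documents and Settings\user\My Documents\notes.txt
C:\hiberfil.sys
C:\System Volume Information\tracking.log
C:\WINDOWS\system32\drivers\hidden_driver.sys
C:\WINDOWS\system32\hidden_helper.dll
"""

# Assumed allow-list: paths Windows itself keeps hidden from a plain directory
# listing, so their absence from the live view is expected, not suspicious.
# Tune this for the system being examined; a directory entry covers its subtree.
DEFAULT_EXPECTED_HIDDEN = (
    r"C:\pagefile.sys",
    r"C:\hiberfil.sys",
    r"C:\System Volume Information",
)


def normalise(path: str) -> str:
    """Canonical form for comparing Windows paths: collapse '.'/'..' and
    separators, then fold case, since NTFS lookups are case-insensitive."""
    return ntpath.normcase(ntpath.normpath(path.strip()))


def parse_listing(text: str) -> set[str]:
    """One path per line; blank lines and '#' comments are ignored."""
    return {
        normalise(line)
        for line in text.splitlines()
        if line.strip() and not line.lstrip().startswith("#")
    }


def is_expected_hidden(path: str, expected: Iterable[str]) -> bool:
    """True if path equals an allow-listed entry or sits beneath an allow-listed directory."""
    for entry in expected:
        entry = normalise(entry)
        if path == entry or path.startswith(entry + "\\"):
            return True
    return False


@dataclass(frozen=True)
class CrossViewReport:
    suspicious: tuple[str, ...]       # offline view only, not explained by the allow-list
    expected_hidden: tuple[str, ...]  # offline view only, but explained by the allow-list
    live_only: tuple[str, ...]        # live view only: churn between dumps (temp files, logs)


def cross_view_diff(
    live: set[str],
    offline: set[str],
    expected_hidden: Iterable[str] = DEFAULT_EXPECTED_HIDDEN,
) -> CrossViewReport:
    """Compare the two views. Anything the offline view sees that the live view
    does not, and that is not a known hidden-by-default file, is a candidate
    for something concealing itself from the running system."""
    expected = tuple(expected_hidden)
    offline_only = offline - live
    suspicious = sorted(p for p in offline_only if not is_expected_hidden(p, expected))
    explained = sorted(p for p in offline_only if is_expected_hidden(p, expected))
    # Live-only entries are not hiding; they are usually files that came and
    # went between the two dumps, and are reported so the gap is visible.
    live_only = sorted(live - offline)
    return CrossViewReport(tuple(suspicious), tuple(explained), tuple(live_only))


if __name__ == "__main__":
    report = cross_view_diff(parse_listing(LIVE_LISTING), parse_listing(OFFLINE_LISTING))
    for label, paths in (("SUSPICIOUS", report.suspicious),
                         ("expected hidden", report.expected_hidden),
                         ("live only", report.live_only)):
        print(f"{label}:")
        for p in paths:
            print(f"  {p}")
```

The offline dump has to be taken from outside the running system; a listing produced by the same hooked APIs would show the same gaps as the live one and the diff would be empty.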
If a file shows up in the second list but not in the first and isn't a Windows file kept hidden by default, it's probably a culprit. More recent rootkit detectors use variations on this scheme that don't require exiting the operating system to get usable results. I've also looked at these applications in a more general light and tried to consider how useful the program is likely to be in the future: how easy the detector is to use; how easy it is to interpret the results; how often the detector was updated; and so on. Remember that rootkits, like viruses, are a moving target. An anti-rootkit program that protects you today might be defenseless tomorrow against a whole new variety of threat -- in fact, many rootkit makers write their programs to specifically avoid detection by some existing programs. < - > http://www.informationweek.com/shared/printableArticle.jhtml?articleID=196901062 From rforno at infowarrior.org Thu Jan 18 10:49:24 2007 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 18 Jan 2007 10:49:24 -0500 Subject: [Infowarrior] - RIP, Art Buchwald Message-ID: Columnist Art Buchwald Dies at Age 81 Jan 18 10:03 AM US/Eastern http://www.breitbart.com/news/2007/01/18/D8MNOOSG0.html By DARLENE SUPERVILLE Associated Press Writer WASHINGTON (AP) -- Columnist Art Buchwald, who chronicled the life and times of Washington with a wry wit for over four decades and endeared himself to many with his never-give-up battle with failing kidneys, is dead at 81. Buchwald's son, Joel, who was with his father, disclosed the satirist's death, saying he had passed away quietly at his home late Wednesday with his family. Buchwald had refused dialysis treatments for his failing kidneys last year and was expected to die within weeks of moving to a hospice on Feb. 7. But he lived to return home and even write a book about his experiences. "The last year he had the opportunity for a victory lap and I think he was really grateful for it," Joel Buchwald said.
"He had an opportunity to write his book about his experience and he went out the way he wanted to go, on his own terms." Neither Buchwald nor his doctors could explain how he survived in such grave condition, and he didn't seem to mind. The unexpected lease on life gave Buchwald time for an extended and extraordinarily public goodbye, as he held court daily in a hospice salon with a procession of family, friends and acquaintances. "I'm going out the way very few people do," he told The Associated Press in April. Buchwald said in numerous interviews after his decision became public that he was not afraid to die, that he was not depressed about his fate and that he was, in fact, having the time of his life. ___ Associated Press writer Connie Cass contributed to this story. Copyright 2007 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed. From rforno at infowarrior.org Thu Jan 18 16:13:20 2007 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 18 Jan 2007 16:13:20 -0500 Subject: [Infowarrior] - Buchwald's Farewell Column, Written to Be Released at Death Message-ID: Buchwald's Farewell Column, Written to Be Released at Death By E&P Staff Published: January 18, 2007 2:50 PM ET NEW YORK Art Buchwald wrote a final column that he asked not be distributed until after he died. The piece was penned on Feb. 8, 2006, after Buchwald decided to check into a hospice.
He eventually left the hospice, of course, and resumed his syndicated column. Buchwald died last night at the age of 81. Here's the farewell column, courtesy of Tribune Media Services: *** GOODBYE, MY FRIENDS By Art Buchwald Tribune Media Services Several of my friends have persuaded me to write this final column, which is something they claim I shouldn't leave without doing. There comes a time when you start adding up all the pluses and minuses of your life. In my case I'd like to add up all the great tennis games I played and all of the great players I overcame with my now famous "lob." I will always believe that my tennis game was one of the greatest of all time. Even Kay Graham, who couldn't stand being on the other side of the net from me, in the end forgave me. I can't cover all the subjects I want to in one final column, but I would just like to say what a great pleasure it has been knowing all of you and being a part of your lives. Each of you has, in your own way, contributed to my life. Now, to get down to the business at hand, I have had many choices concerning how I wanted to go. Most of them are very civilized, particularly hospice care. A hospice makes it very easy for you when you decide to go. What's interesting is that everybody has his or her own opinion as to how you should go out. All my loved ones became very upset because they thought I should brave it out -- which meant more dialysis. But here is the most important thing: This has been my decision. And it's a healthy one. The person who was the most supportive at the end was my doctor, Mike Newman. Members of my family, while they didn't want me to go, were supportive, too. But I'm putting it down on paper, so there should be no question the decision was mine. I chose to spend my final days in a hospice because it sounded like the most painless way to go, and you don't have to take a lot of stuff with you. For some reason my mind keeps turning to food. 
I know I have not eaten all the eclairs I always wanted. In recent months, I have found it hard to go past the Cheesecake Factory without at least having one profiterole and a banana split. I know it's a rather silly thing at this stage of the game to spend so much time on food. But then again, as life went on and there were fewer and fewer things I could eat, I am now punishing myself for having passed up so many good things earlier in the trip. I think of a song lyric, "What's it all about, Alfie?" I don't know how well I've done while I was here, but I'd like to think some of my printed works will persevere -- at least for three years. I know it's very egocentric to believe that someone is put on earth for a reason. In my case, I like to think I was. And after this column appears in the paper following my passing, I would like to think it will either wind up on a cereal box top or be repeated every Thanksgiving Day. So, "What's it all about, Alfie?" is my way of saying goodbye. E&P Staff (letters at editorandpublisher.com) From rforno at infowarrior.org Thu Jan 18 16:22:15 2007 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 18 Jan 2007 16:22:15 -0500 Subject: [Infowarrior] - Lawmakers Grill AG Over Wiretaps Message-ID: Lawmakers Grill AG Over Wiretaps By Roy Mark http://www.internetnews.com/bus-news/article.php/3654716 U.S. Attorney General Alberto Gonzales was grilled by the Senate Judiciary Committee today over the Bush administration's abrupt change of direction on warrantless wiretapping of calls and e-mails between Americans and suspected foreign terrorists. In a letter to the Congressional leaders of the Intelligence and Judiciary Committees yesterday, Gonzales said "any surveillance" would now be conducted subject to the approval of the Foreign Intelligence Surveillance Court, a secret panel authorized by the 1978 Foreign Intelligence Surveillance Act (FISA). 
FISA requires the government to seek a warrant from the special court before conducting a search or electronic surveillance related to foreign terrorism or espionage. Prior to Wednesday, the Bush administration contended that it is entitled to intercept calls and e-mails without a warrant because of the president's constitutional power as commander-in-chief during times of war. In his opening remarks to the Senate Judiciary Committee Thursday morning, Gonzales said, "Court orders issued last week by a judge of the Foreign Intelligence Surveillance Court will enable the government to conduct electronic surveillance ... subject to the approval of the FISA Court." Gonzales added the surveillance is limited to "where there is probable cause to believe that one of the communicants is a member or agent of al Qaeda or an associated terrorist organization." Democrats on the panel wanted to know why it took the Bush administration five years to change its mind on warrantless wiretaps. Gonzales said the administration "felt we could not do what we needed to do to protect this country" under the limits of FISA in the initial days following the Sept. 11, 2001, terrorist attacks on the United States. "We did not know if FISA was sufficient until the very moment the judge approved this," Gonzales said. "We weren't sure FISA was adequate to do what we had to do." Sen. Charles Schumer (D-N.Y.) pushed Gonzales for more details on how the program would work, wanting to know if the new FISA orders for wiretaps are directed at individuals or groups of individuals. "Is there any intention to do this on an individual basis or is this a broad brush approach?" Schumer asked Gonzales. "If it is very broad, it's not very much protection of our rights guaranteed under the Constitution." Gonzales refused to disclose any details of the new FISA orders, but insisted, "All terrorist surveillance will all be done by orders issued in the FISA court."
Schumer replied, "I'm telling you I'm not very satisfied with your answers." Senate Judiciary Chairman Patrick Leahy (D-Vermont) was also not pleased with Gonzales' answers. "The law is the law and no one is above the law -- not the president, not you," he told Gonzales. A firestorm of controversy, criticism and lawsuits over the administration's wiretap policies erupted after the New York Times revealed in December 2005 that the White House authorized the National Security Agency to conduct warrantless wiretaps among people in the U.S. suspected of terrorist connections. The Electronic Frontier Foundation (EFF) quickly followed up the story with a class-action lawsuit against AT&T, claiming the carrier violated the law by assisting in the NSA's controversial program. AT&T, according to the lawsuit, provided federal eavesdroppers access to a database of caller information. The American Civil Liberties Union (ACLU) also filed a lawsuit on behalf of prominent journalists, scholars, attorneys and organizations that claim the program is disrupting their communications with clients and sources. In August, U.S. District Judge Anna Diggs Taylor of Detroit ordered the White House to cease all warrantless wiretapping of calls between Americans and suspected foreign terrorists, rejecting Bush's claim that he had the inherent power to authorize the program. The decision is under appeal. A senior Department of Justice official told reporters Wednesday the new direction of the White House "will likely have a significant impact one way or the other [on pending litigation]. Obviously, it's up to the courts in those cases to decide what the significance of the order is. And they'll have an opportunity to do that." As for what happens next, White House press secretary Tony Snow said in a briefing Wednesday, "The [wiretap] program pretty much continues. 
The Foreign Intelligence Surveillance Court has put together its guidelines and its rules, and those have met administration concerns about speed and agility when it comes to responding to bits of intelligence where you may be able to save American lives." Gonzales added Thursday, "This is something we could do to bring the program under a court order. Electronic surveillance during a time of war will continue." From rforno at infowarrior.org Thu Jan 18 16:22:17 2007 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 18 Jan 2007 16:22:17 -0500 Subject: [Infowarrior] - Attorney general mum on spy program court orders Message-ID: Attorney general mum on spy program court orders By Anne Broache http://news.com.com/Attorney+general+mum+on+spy+program+court+orders/2100-10 28_3-6151209.html Story last modified Thu Jan 18 12:43:58 PST 2007 WASHINGTON--Attorney General Alberto Gonzales' appearance before a key U.S. Senate committee Thursday yielded little new information about the Bush administration's sudden revelation that it would seek court approval for its domestic eavesdropping activities. At a U.S. Department of Justice oversight hearing scheduled before the government announcement on Wednesday, Senate Judiciary chairman Patrick Leahy (D-Vt.) and ranking Republican Arlen Specter said they were pleased to hear that future activities associated with a controversial National Security Agency operation known as the Terrorist Surveillance Program would undergo review by judges on the secret Foreign Intelligence Surveillance Court. But many critical questions about the scope and content of the court orders remain unanswered, committee members said.
"To ensure the balance necessary to achieve both security and liberty for our nation, the president must also fully inform Congress and the American people about the contours of the Foreign Intelligence Surveillance Court order authorizing this surveillance program and of the program itself," Leahy said. Few, however, probed for those details at Thursday's hearing, where questioning spanned everything from the Iraq war to violent crime statistics to online child exploitation. Aside from Specter, no Republicans asked questions about the surveillance activities, and some Democrats also focused their inquiries elsewhere. Although Specter said he was concerned about what shape the court orders took, only one senator present directly posed that question. Sen. Chuck Schumer (D-N.Y.) grilled the attorney general on whether the orders described in his Wednesday letter amounted to a blanket warrant for the entire eavesdropping program or were tailored to particular targets. Even Intelligence Committee members who had received closed-door briefings didn't seem to have a good feel for that information, he said. "If it's a very broad-brush approval--and again, because it's secret, we have no way of knowing--it doesn't do much good," Schumer said. Gonzales said he could reveal only that the orders "meet the legal requirements" under the Foreign Intelligence Surveillance Act (FISA), a 1978 law that governs eavesdropping when at least one end of the communications is inside the United States. Perhaps others were hoping the court itself would help shed light on its activities. Specter and Leahy highlighted their joint request on Wednesday to presiding FISA court judge Colleen Kollar-Kotelly for copies of the orders, which are typically kept confidential.
According to Gonzales' letter, an unnamed FISA court judge on January 10 issued orders that authorized government wiretapping of communications when at least one end is inside the United States and one of the communicants is likely to be a member or agent of al-Qaida or associated terrorist groups. Whether that information will be released to Congress--much less to the public--remains uncertain. In a letter dated January 17 and distributed to reporters Thursday, Kollar-Kotelly said she had no objection to furnishing the documents to the committee but because classified information is involved, she would have to refer their request to the Justice Department. "If the executive and legislative branches reach agreement for access to this material," she wrote, "the court will, of course, cooperate with the agreement." Pressed by Leahy on whether he would object to the court orders being shared with Congress, Gonzales first said he'd have to take it up with his "principals." "Are you saying that you might object to the court giving us decisions that you publicly announced?" Leahy asked. "Are we a little Alice in Wonderland here?" "I would say it's not my decision to make," Gonzales replied. He added that he couldn't remember exactly what was in the orders but that they undoubtedly include "operational details" that would need to be kept under wraps. Schumer, Specter and Sen. Russ Feingold (D-Wisc.) each questioned why the Bush administration hadn't approached the court sooner if it had truly begun exploring that option in spring 2005, as it said in its Wednesday letter. "This is a very complicated application," Gonzales replied. "In many ways it's innovative in terms of the orders granted by the judge. It's not the kind of thing you just pull off the shelf. We worked on it a long time." Copyright ©1995-2007 CNET Networks, Inc. All rights reserved.
From rforno at infowarrior.org Thu Jan 18 20:47:55 2007 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 18 Jan 2007 20:47:55 -0500 Subject: [Infowarrior] - Vulnerability tallies surged in 2006 Message-ID: Vulnerability tallies surged in 2006 Robert Lemos, SecurityFocus 2007-01-17 http://www.securityfocus.com/print/news/11436 Flaws in Web applications boosted the bug counts for 2006 by more than a third over the previous year, according to data obtained by SecurityFocus from the four major vulnerability databases. On Monday, the Computer Emergency Response Team (CERT) Coordination Center released its final tally of the number of flaws the organization processed in 2006. Counting both public sources and private submissions directly to the CERT Coordination Center, the group logged 8,064 vulnerabilities last year, an increase of 35 percent over the number of flaws reported in 2005. The three other major flaw databases--the National Vulnerability Database, the Open-Source Vulnerability Database, and the Symantec Vulnerability Database--recorded jumps anywhere from 20 to 35 percent in 2006 compared to 2005. The greatest factor in the skyrocketing number of vulnerabilities is that certain types of flaws in community and commercial Web applications have become much easier to find, said Art Manion, vulnerability team lead for the CERT Coordination Center. "The best we can figure, most of the growth is due to fairly easy-to-discover vulnerabilities in Web applications," Manion said. "They are easy to find, easy to create, and easy to deploy." The burgeoning flaw counts for 2006 should come as no surprise to most security researchers. A jump in the number of vulnerabilities recorded by the same four databases in 2005 had also been blamed on easy-to-find bugs in Web applications. In the first half of 2006, more than three quarters of all software flaws affected online applications, according to security firm Symantec, the owner of SecurityFocus. 
And a report released in October by the Common Vulnerabilities and Exposures (CVE) Project found that the top-three categories of flaws were specific to Web programs and accounted for 45 percent of the bugs reported in the first nine months of the year. Simply searching through source code or using Google code search can turn up a large number of potential security issues, allowing even novice flaw finders to pinpoint possible security holes. The maintainers of the flaw databases have been inundated with submissions found by would-be vulnerability researchers who use simple string-matching programs to find potential issues in open-source applications, said Steven Christey, the editor of the CVE Project maintained by The MITRE Corp., a non-profit government contractor. "Many people are doing 'grep and gripe' research," Christey said, referring to grep, the pattern-search program commonly found on Unix-like systems. "They are doing a regular expression search, looking for patterns. If they get a match they will report it to the public, but sometimes what ends up happening is they are reporting false positives." While novices are focusing on Web applications, other researchers have turned their attention to other parts of the operating system as well as popular applications. Tools known as fuzzers have become an increasingly popular way to check software for problems caused by the input data given to the program. Such tools have been so successful in finding flaws that some researchers have resorted to the controversial tactic of releasing a bug every day for an entire month to draw attention to the issues. "You have emerging levels of sophistication for vulnerability researchers," Christey said. "You have a lot of people who are able to find the low-hanging fruit. But for major software, it seems to be getting more difficult for top researchers to find these issues--they have to work harder, spend more time, spend more resources, (and) do more complex research." 
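The "grep and gripe" problem Christey describes is easy to reproduce: a bare regular-expression match on a source of untrusted input fires on escaped code, on comments and on lines that never reach a dangerous call. The script below is an added example (not from the SecurityFocus article or from CVE/MITRE) written from the database maintainer's side of the desk: it runs a naive pattern over a small constructed PHP sample, then applies the minimal triage a triager would do before accepting a report (same line must also contain a sink, visible sanitizers and comments are excluded) and reports how many of the naive hits were false positives. The function names, the regexes and the PHP sample are all hypothetical.

```python
import re

# Constructed PHP sample standing in for the kind of community Web
# application that "grep and gripe" reports are filed against.  It is
# not taken from any real project.
SAMPLE_PHP = """\
<?php
// 1: untrusted input echoed straight back (a real finding)
echo "Hello " . $_GET['name'];
// 2: same source, but escaped before output (false positive for a bare grep)
echo "Hello " . htmlspecialchars($_GET['name'], ENT_QUOTES, 'UTF-8');
// 3: cast to int before use, no output sink on the line (false positive)
$id = (int) $_GET['id'];
// 4: a comment that merely mentions the input array (false positive)
// never trust $_GET['x'] without validation
// 5: untrusted input written into a response header (a real finding)
header("Location: " . $_REQUEST['next']);
"""

# Hypothetical patterns: an untrusted-input source, a handful of output
# sinks, and the escaping/casting idioms a triager would recognise.
SOURCE_RE = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\[")
SINK_RE = re.compile(r"\b(echo|print|header|include|require)\b")
SANITIZER_RE = re.compile(r"\b(htmlspecialchars|htmlentities|intval)\s*\(|\(int\)")


def grep_and_gripe(source: str) -> list[int]:
    """The naive approach: report every line that mentions a superglobal."""
    return [n for n, line in enumerate(source.splitlines(), 1)
            if SOURCE_RE.search(line)]


def triaged(source: str) -> list[int]:
    """Keep a line only if source and sink meet on it, it is not a
    comment, and no recognised sanitizer sits between them."""
    hits = []
    for n, line in enumerate(source.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith(("//", "#", "*")):
            continue                      # commentary, not code
        if not (SOURCE_RE.search(line) and SINK_RE.search(line)):
            continue                      # input never reaches a sink here
        if SANITIZER_RE.search(line):
            continue                      # escaped or cast before the sink
        hits.append(n)
    return hits


def false_positive_rate(source: str) -> float:
    """Fraction of the naive grep's hits that triage discards."""
    naive = set(grep_and_gripe(source))
    kept = set(triaged(source))
    return len(naive - kept) / len(naive) if naive else 0.0


if __name__ == "__main__":
    print("grep-and-gripe lines:", grep_and_gripe(SAMPLE_PHP))
    print("after triage:        ", triaged(SAMPLE_PHP))
    print("false-positive rate: ", false_positive_rate(SAMPLE_PHP))
```

On the constructed sample the bare pattern reports five lines and triage keeps two, so three of five submissions would have been noise. Real triage is still line-by-line human work (the sanitizer may be on the previous line, or the sink in another file), which is why the databases were inundated: the cost of generating a report is a regex, the cost of rejecting it is a code read.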
Web flaws boost bug counts

Easy-to-find vulnerabilities in Web applications significantly boosted the number of flaws found in 2006, exceeding the previous year by anywhere from 20 percent to 50 percent.

               2006     2005    2004    2003    2002    2001
    CERT/CC   8,064    5,990   3,780   3,784   4,129   2,437
    NVD       6,604    4,877   2,367   1,281   1,959   1,672
    OSVDB    8,500+*   7,187   4,629   2,632   2,184   1,656
    Symantec  4,883    3,766   2,691   2,676   2,604   1,472

*OSVDB has estimated from data processed so far that there will be at least 20 percent more vulnerabilities logged in 2006 compared to 2005.

Sources: Computer Emergency Response Team Coordination Center (CERT/CC), National Vulnerability Database, Open-Source Vulnerability Database, and the Symantec Vulnerability Database.

The surge in vulnerabilities in 2006 does not necessarily mean that the Internet is a less safe place for computer users. Many of the Web applications in which flaws were found are community projects not typically used by major companies, said Brian Martin, content manager for the Open-Source Vulnerability Database. "For the personal sites and the mom-and-pop stores that rely on the software, it certainly affects them," Martin said. "But larger companies likely aren't affected." Applications written in the popular dynamic Web programming language, PHP, appeared to account for 43 percent of the total vulnerabilities reported in 2006. The language is typically used in community-created software and smaller Web sites, but a number of notable Internet giants, such as Yahoo! and Google, also use PHP. While Web applications may account for the boost in vulnerability numbers, the smaller number of flaws found in operating systems and client-side applications typically pack a bigger punch. "From a core operating system standpoint, we are more secure, but the reality is that malicious code has not gone away," said Oliver Friedrichs, director of security response for Symantec. 
"Malware is still getting on your system, it is just not using core operating system vulnerabilities to do it." And, while they make up a small fraction of the overall number of vulnerabilities, previously unknown--or zero-day--flaws targeted by active attacks became a big trend in 2006, Friedrichs pointed out. "The real threat with a zero-day is they are frequently used in a very targeted fashion against companies and enterprises to steal information, where a simple web vulnerability on the Internet does not have as much of a material impact," he said. From rforno at infowarrior.org Thu Jan 18 23:33:40 2007 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 18 Jan 2007 23:33:40 -0500 Subject: [Infowarrior] - Senators Demand Details on New Eavesdropping Rules Message-ID: Senators Demand Details on New Eavesdropping Rules By DAVID JOHNSTON and SCOTT SHANE Published: January 19, 2007 http://www.nytimes.com/2007/01/19/washington/19justice.html?_r=1&oref=slogin WASHINGTON, Jan. 18 ? Lawmakers demanded more information on new rules for governing a domestic surveillance program on Thursday, a day after the Bush administration announced that it had placed the National Security Agency eavesdropping under court supervision. Senators from both parties who had long criticized the eavesdropping without court warrants said at a Judiciary Committee hearing that they welcomed the change but wanted details. They said they wanted to be sure that the new rules adequately protected Americans? privacy. A central question is whether the court will approve eavesdropping case by case, its traditional practice, or will it issue broader orders that provide additional government leeway in selecting targets. A Congressional official who has been briefed on the new procedures called it a hybrid of individual warrants and broader approval. 
Some lawmakers wanted to know why the administration had waited five years from the start of the program to put it under the supervision of the secret intelligence court and asked whether the administration might decide on its own to revive eavesdropping without warrants if the court denied a request. At the hearing, Attorney General Alberto R. Gonzales, a chief defender of the program, tried, apparently without success, to quell the flood of questions. The session quickly became a forum for senators to say the administration was withholding pertinent information about the decision. House Democrats raised similar concerns. Pressed repeatedly for details, Mr. Gonzales offered little new information and would not agree to provide more documents to explain the decision. He declined to answer questions about why the administration had reversed itself after saying for more than a year that the program could not operate effectively under court supervision. "There was a reason why we didn't do this as an initial matter shortly after the attacks of Sept. 11," said Mr. Gonzales, who was White House counsel. Referring to the Foreign Intelligence Surveillance Act, or FISA, the law that created the secret court, he added, "The truth of the matter is we looked at FISA and we all concluded there's no way we can do what we have to do to protect this country under the strict reading of FISA." Later, Mr. Gonzales said, after he became attorney general in 2005, he started reviewing whether the program might be brought under the court's supervision. Justice Department officials said they had worked on the "innovative, complex orders" for two years. On Jan. 10, an unidentified judge of the court approved the first new order. The next day, National Security Agency officials called the House and Senate intelligence committees to outline the new system, and Justice Department officials briefed some committee staff members on Friday, Congressional officials said. 
A senior administration official involved in formulating the policy expressed frustration with the criticism on Capitol Hill. He said Democrats had repeatedly said the program was valuable but should be conducted under FISA. Now that that has happened, the official said, "People ought to take yes for an answer." He added that even if the critics are suspicious of the administration, "I don't think there's any basis for being suspicious of the FISA court," which has approved the system. At the hearing, Mr. Gonzales said the rules protected national security by allowing continued eavesdropping, but required the government to halt quickly the monitoring of people who were not found to be doing anything wrong. With Justice Department officials unwilling to provide lawmakers with documents, lawmakers explored other ways to obtain information. In response to a request from the Judiciary Committee chairman, Patrick J. Leahy, Democrat of Vermont, the presiding judge of the foreign intelligence surveillance court, Colleen Kollar-Kotelly, a federal district judge in the District of Columbia, said the court would be willing to turn over to the panel its classified orders. But Judge Kollar-Kotelly wrote in a letter that her court would cooperate only "if the executive and legislative branches reach agreement for access to this material." Mr. Gonzales, asked by Mr. Leahy whether he would object to the disclosure of the documents to Congress, replied that he hoped to keep operational aspects of the program secret. Mr. Gonzales said that before he answered the question he would need to consult his "principal," apparently a reference to President Bush. Mr. Leahy expressed skepticism, saying: "I don't think I fully understand that. Are you saying that you might object to the court giving us decisions that you've publicly announced? Are we a little Alice in Wonderland here?" Mr. Gonzales replied: "I'm not saying that I have objection to its being released. 
What I'm saying is it's not my decision to make." Some lawmakers said the administration should have changed course much sooner. "It is a little hard to see why it took so long," said Senator Arlen Specter, Republican of Pennsylvania. Senator Charles E. Schumer, Democrat of New York, asked about the court's approval of the surveillance orders. "I'd like to know," Mr. Schumer said, "if there is an intention to do this on an individual basis or on a case-by-case basis where 5, 6, 10, 20, 100 individuals are involved or is it broader brush than that? Because if it is very broad-brush approval, again because it's secret, we have no way of knowing, it doesn't do much good." Mr. Gonzales said, "They meet the requirements under FISA." The Justice Department has tried to streamline the application for warrants under the surveillance law, creating a computerized system called Turbo FISA. From rforno at infowarrior.org Fri Jan 19 20:48:59 2007 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 19 Jan 2007 20:48:59 -0500 Subject: [Infowarrior] - No-Fly To Be Cleaned; Secure Flight Delayed Message-ID: ...amazing what happens -- and how quickly -- when you're no longer the majority in town and run the risk of damning hearings, investigations, and oversight.... --rf No-Fly To Be Cleaned; Secure Flight Delayed http://blog.wired.com/27bstroke6/2007/01/nofly_to_be_cle.html The airport security watchlists that a few short years ago were so secret the government wouldn't acknowledge they even existed are now being cleaned of erroneous listings, a top Homeland Security official told Congress Wednesday. Additionally, the long-delayed, beleaguered upgrade to the current watchlist checking by airlines -- first known as CAPPS II then Secure Flight -- won't be deployed until sometime in 2008, Transportation Security Administration chief Kip Hawley said. TSA is mandated by Congress to fix the current system. 
The TSA has labored to find a way to have government agents, rather than airline computer systems, compare travelers to the lists. But the logistics of connecting airline databases to the government's system combined with successive privacy scandals over the project's secret use of airline data and dreams of using private data sources to verify and rate travelers' risk has stymied the program since first announced in 2002. < - > From rforno at infowarrior.org Fri Jan 19 20:50:43 2007 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 19 Jan 2007 20:50:43 -0500 Subject: [Infowarrior] - Judge rules in favor of RIAA, XM ready for battle Message-ID: Judge rules in favor of RIAA, XM ready for battle Posted Jan 19th 2007 7:23PM by Darren Murph Filed under: Portable Audio http://www.engadget.com/2007/01/19/judge-rules-in-favor-of-riaa-xm-ready-for -battle/ Not like this is altogether surprising by any means, but a US District Judge has ruled that a lawsuit in which "record companies allege XM Radio is cheating them by letting consumers store songs can proceed toward trial." Deborah A. Batts has decided to not throw out the case which Atlantic, BMG Music, Capitol Records, and "other music distribution companies" filed against XM, and claims that the Audio Home Recording Act of 1992 does "not protect the company in this instance." Essentially, the judge ruled that special handheld recording devices, marketed as XM+MP3 players (you know, like the Inno), are not at all like "radio-cassette players," and then proceeded to explain how "recording songs played over free radio doesn't threaten the market for copyrighted works as does the use of a recorder which stores songs from private radio broadcasts." Aside from our apparent inability to understand why source A is less illegal than source B, we're completely on the same page with Ms. 
Batts, but nevertheless, she also asserted that XM is attempting to be "both a broadcaster and a distributor, while only paying to be the former," but completely disregards the extra fees that satellite radio firms pay to record labels in comparison to "free" stations. But if you think XM is downtrodden, you'd be sorely mistaken, as the company simply stated that it "looked forward to making its case (read: winning) in court." Now that's the spirit. From rforno at infowarrior.org Fri Jan 19 23:36:08 2007 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 19 Jan 2007 23:36:08 -0500 Subject: [Infowarrior] - FISA-approved surveillance may not be a civil-liberties coup. Message-ID: Gonzales' Trojan Horse FISA-approved surveillance may not be a civil-liberties coup. By Patrick Radden Keefe Posted Friday, Jan. 19, 2007, at 2:22 PM ET http://www.slate.com/id/2157857/ When Attorney General Alberto Gonzales sent a cryptic, four-paragraph letter to the Senate judiciary committee Wednesday, maintaining that from now on, the Bush administration will conduct its domestic surveillance program "subject to the approval of the Foreign Intelligence Surveillance Court," it looked like the administration was backing down. "Bush Retreats," the Washington Post declared, adding that the letter marked the president's "latest step back from the expansive interpretation of executive power." But civil libertarians and administration foes should keep the Champagne on ice for the moment, because while Gonzales' letter looks like a surrender, it may prove to be a Trojan horse. A close read of the administration's Delphic pronouncements on this about-face reveals a major, unresolved contradiction: The National Security Agency surveillance program and the FISA system, as it currently exists, are fundamentally incompatible. Any hasty reconciliation of the two will involve either a dramatic revision of our espionage activities or a very creative reading of the wiretapping statute. 
For this marriage to work, one of them must be compromised. The question is, which one? Critics have raised questions about the timing of this particular policy change, and it surely is no accident that Gonzales released the letter one day before appearing in front of the Senate judiciary committee, and two weeks before scheduled oral arguments in a 6th Circuit appeal of a trial court's finding that the wiretapping program is unconstitutional. It's tempting to see this reversal as just the latest instance of the administration suddenly abandoning its most adamantly held positions in the face of impending censure by the courts. But whereas the transfer of Jose Padilla from military prison to the criminal justice system or the release of Yaser Hamdi represented tangible, verifiable concessions by the Bush administration, just what precisely will change about the day-to-day operation of the surveillance program remains entirely unclear. In his letter, Gonzales says that on Jan. 10 of this year, a judge on the Foreign Intelligence Surveillance Court "issued orders authorizing the Government to target for collection international communications into or out of the United States where there is probable cause to believe that one of the communicants is a member or agent of al Qaeda or an associated terrorist association." This sounds promising. One of the glaring problems with the warrantless wiretapping program as it existed until now was that it relied not on probable cause, as determined by a judge, but on what CIA Director Michael V. Hayden--who initiated the program when he was head of the NSA in 2001--called a "subtly softer trigger." But Gonzales goes on to say that "any electronic surveillance that was occurring as part of the Terrorist Surveillance Program will now be conducted with FISA court approval." And here things get a little fishy. 
According to reports, the NSA program is a wholesale, rather than retail, operation: It scans the communications of tens of thousands of people and analyzes staggering volumes of phone calls and e-mails. A "subtly softer trigger" is shorthand for "not very discriminating." That explains why the administration couldn't clear the program through the FISA system in the first place: FISA (and, uh, the Fourth Amendment) require individualized warrants. In a January 2006 press conference, President Bush explained, "I said, look, is it possible to conduct this program under the old law? And people said, it doesn't work." So, if the surveillance program and the FISA were utterly incompatible a year ago--so incompatible, in fact, that the White House opted to break the law, rather than try to amend it--then how are things different today? Let's dispense with the less plausible scenario first: that the NSA just decided to call it quits where large-scale data mining and link analysis were concerned, and return to old-fashioned one-wiretap-at-a-time spying. While there's compelling evidence that these wholesale espionage techniques are inefficient, it seems unlikely that the administration would abandon so ambitious an operation, for which it has already paid so considerable a political price. In a press briefing Wednesday, Tony Snow acknowledged that, "The program pretty much continues." And when a senior Justice Department official was asked in a background briefing whether the program itself had changed or whether it had just been made more bureaucratically acceptable, he replied, "The objectives of the program haven't changed and the capabilities of the intelligence agencies to operate such a program have not changed as a result of these orders." If this new judicial oversight doesn't alter the program, such oversight must entail a novel reading of the FISA statute. 
In the background briefing, one of the Justice Department officials said, tellingly, that in securing a compromise that allows the program to continue under the wiretapping law, administration lawyers had drawn on "our own approach to the statute." The officials said several times that the solution they had arrived at was "innovative," and one wonders whether they managed to innovate their way around one of the keystones of the FISA system--the requirement that warrants be issued on a particularized basis. When Sen. Charles Schumer, D-N.Y., asked Gonzales point-blank during yesterday's hearing whether the order from the FISA judge was "a case-by-case basis order," Gonzales replied, as he did each time this question was posed, "I am not at liberty to talk about those specifics." If it's all right with the FISA court, it should be all right with you guys, Gonzales reiterated throughout the testimony. But then, the Jan. 10 orders had not come from the entire panel, or even from the FISA court's presiding judge, Colleen Kollar-Kotelly, but from one particular judge who happened to be on duty that day. These orders appear to be unappealable, and no one outside the FISA court and the administration knows what they say. The senators wanted to see the orders themselves, but Gonzales objected that they contain classified information. "Are you saying that you might object to the court giving us decisions that you've publicly announced?" Patrick Leahy, D-Vt., asked angrily. "Are we a little Alice in Wonderland here?" Basically, Gonzales replied. In this information vacuum, some have speculated that the judge's orders simply amount to a blanket authorization of the old wiretapping program--a sort of FISA-court-sanctioned license to violate the FISA. Rep. Heather A. Wilson, R-N.M., who sits on the House intelligence committee, said that the orders constituted a "programmatic approval" and lacked the FISA's safeguards for civil liberties. 
Another official told the Washington Post that "the change was 'programmatic,' rather than based on warrants targeting particular cases." A programmatic authorization would hardly signal a retreat by the administration. In fact, blanket FISA-court authorization was a feature in Arlen Specter's NSA bill, which was also erroneously marketed as a compromise. But there's also some indication that the orders aren't a blanket authorization. "These orders are not some sort of advisory opinion ruling on the program as a whole," one of the Justice Department officials said in the background briefing, and Specter says he has been briefed by administration lawyers and that the new arrangement is based on individualized warrants. The truth may lie somewhere in between. The Post reports that four other officials familiar with the program said it is "a hybrid effort that includes both individual warrants and the authority for eavesdropping on more broadly defined groups of people." Law professor and blogger Orin Kerr suggested that the answer may be "anticipatory warrants." These warrants can be approved by a judge in advance and stipulate a series of circumstances that will trigger the warrant into action. Kerr speculates that in arriving at their "innovative" theory, DOJ lawyers may have drawn on a case that was decided last March, United States v. Grubbs, in which the Supreme Court approved the use of anticipatory warrants. What is clear is that until the administration furnishes more detail about the new arrangement, any suggestion that the orders represent a compromise or retreat is premature. Judge Kollar-Kotelly wrote a letter to Sens. Leahy and Specter saying that she has "no objection to [the orders] being made available" to lawmakers, and Gonzales may have sparked enough rancor on both sides of the aisle that Congress will press the issue and demand to see them. 
But perhaps the most telling--and worrying--aspect of the hearings yesterday was Gonzales' insistence that while the administration is now submitting the surveillance program to the FISA system, he does not believe that it was ever illegal to go around FISA in the first place. As Sen. Schumer was quick to point out, the fact that the White House is billing its new friendliness to the FISA as a courtesy, and not a legal obligation, means there's no reason to believe the administration will feel bound by any new set of procedures, however secretive or accommodating. "Just as you instituted this program," Schumer said, "you could just go back to it if you get a decision you don't like." Patrick Radden Keefe, a fellow at the Century Foundation, is the author of Chatter, which is just out in paperback. Article URL: http://www.slate.com/id/2157857/ From rforno at infowarrior.org Sat Jan 20 10:45:20 2007 From: rforno at infowarrior.org (Richard Forno) Date: Sat, 20 Jan 2007 10:45:20 -0500 Subject: [Infowarrior] - Some common-sense digital privacy guidelines Message-ID: (not all-inclusive,but a helpful layperson's start........rf) January 20, 2007 Your Money Don't Call. Don't Write. Let Me Be. By DAMON DARLIN http://www.nytimes.com/2007/01/20/business/20money.html?_r=1&oref=slogin&pag ewanted=print The fears of the direct marketing industry came true. Once a do-not-call list was created, people did register, in droves. The list was created in 2003, not as a way to protect privacy, but to remove a powerful irritant from the lives of Americans. The Federal Trade Commission, which administers the list, says that more than 137 million phone numbers have been placed on the list by people tired of interruptions during dinner or their favorite TV show. The popularity of the do-not-call list unleashed a demand for other opt-out lists. A consumer can now opt out of the standard practice of their banks or loan companies selling their information to others. 
Other opt-outs stop credit card companies from soliciting consumers or end the flow of junk mail and catalogs. While most of the opt-outs are intended to make life less annoying, they can also have the side effect of protecting personal information that can be misused by identity thieves or unscrupulous merchants. "Over the years, it has gotten so much easier to opt out," said Ari Schwartz, deputy director of the Center for Democracy and Technology, a public interest group that lobbies Congress on privacy issues. "There are still gray areas." While financial companies have to provide an opportunity to opt out of sharing personal information, other kinds of companies do not. Some that tell you they will share the information do not offer the option to protect personal information (other than not doing business with the company). For those who just can't take it anymore, here is a master list of where you can take control: PHONE SOLICITATIONS To stop them, go to donotcall.gov. Or call toll free, (888)382-1222, from the number you are going to restrict. Remember to register if you get a new phone number. You can register cellphone numbers as well. A listing is good for five years, after which you'll have to repeat the process. But you need not worry about forgetting. You will know when you start receiving sales calls again. JUNK MAIL You can try to opt out of direct mail solicitations, but it will probably not work very well. A private organization, the Direct Marketing Association, handles that list and not every merchant with pages of hot leads is a rule-abiding member. If you want to give it a shot anyway, write the association, in care of the Mail Preference Service at P.O. Box 643, Carmel, N.Y. 10512. There is an online form at www.the-dma.org/consumers/offmailinglist.html. If you want to get more mail, there is also a place to sign up to get on the lists. 
E-MAIL Whatever you do, do not respond to an unsolicited e-mail message when it gives you the option to opt out of receiving more e-mail. That is a trick used by spammers to confirm they hit a live address. Once that happens, your address goes to a prime list and is sold to other spammers. You may even find legitimate businesses eventually using addresses on that list. So how do you prevent spam? Unfortunately, other than spam filters, there really is no good way. You can try to make it harder for spammers to get your address in the first place by never posting your address in public forums. Spammers employ software to scrape the sites of anything with that @ symbol. Instead spell it out in a unique way like "the nameofthiscolumn at nytimes.com." CREDIT CARD OFFERS Almost as annoying as the direct marketing call is the mailbox stuffed with credit card solicitations. The more you ignore their offers, the more you will receive. One way to stop the offers is to sign up for so many cards and run up such high levels of debt that you become a credit untouchable. That is not a good plan. Instead, call (888) 567-8688, but be ready to give out some personal information like your Social Security number. The major credit bureaus, like Experian, Equifax and TransUnion, that collect information on your borrowing habits let you opt out of what they call prescreened offers of credit at https://www.optoutprescreen.com. You can do it for a period of five years or permanently. Opting out of prescreened offers of credit might also be useful when you apply for a mortgage. When you seek a loan, the credit bureaus notice and they put you on a "trigger list." The information that you are a ripe prospect is then sold to other lenders in as little time as 24 hours. Suddenly, other lenders are calling. "It hurts the image of our members," said Harry Dinham, president of the National Association of Mortgage Brokers. His group also objects because it could be "an avenue to identity theft." 
He said, "We actually don't know who they sell it to." Still, some callers may actually have better deals than the one your mortgage broker or bank is offering. "Do you want to opt out and never learn how to save money," asked Stuart Pratt, president of the Consumer Data Industry Association, a trade group. Will opting out protect your identity from thieves? Mr. Pratt said that "lender data tells us that prescreened offers of credit result in lower levels of fraud." Nonetheless, he did recommend using a paper shredder on the offers you do reject. CREDIT FREEZE The ultimate opt-out for your credit is a credit freeze. You'll sometimes hear it recommended as a way to protect yourself from fraud because once you sign up to have your credit report frozen, no company can get access to your credit report without your expressed permission. That means no one can open up a credit card or take out a loan in your name. Think long and hard before you do this. It sounds great at first, but doing so can backfire. You might be buying an expensive flat-screen TV at a warehouse store and want to get the instant credit card to score another 5 percent discount. You will not be able to. But about half the states have passed laws making credit reporting companies quickly unfreeze a report, some in as little as five minutes. Not that preventing the opening of one more store account is a bad thing. Remember that every one of those cards can hurt your credit score, which determines what your interest rate is when you borrow money. Use the credit freeze only if you are a true victim of identity theft, which means that some criminal has your personal information and is opening up credit card accounts, borrowing money or buying property with your credit history. If you suspect you may be a target, but have not been harmed yet, a better form of protection is asking the credit bureaus to flag your report with a fraud alert, which is supposed to make lenders take extra precautions. 
OTHER OPT-OUTS Your personal information is accessible in less obvious ways. For instance, your computer tracks where you have visited online. DoubleClick, a company that collects data for online advertisers, offers a way to prevent your computer from giving it information at http://www.doubleclick.com/us/about-doubleclick/privacy/dart-adserving.asp. But again, it is only a piecemeal solution. Other online advertising companies will still put "cookies" on your computer to collect the same data. So the next-best solution is to frequently run software that cleans out cookies. You can get Spyware Blaster, Spybot, or Ad-Aware at www.download.com free. Your personal information, including parts of your Social Security number, is available in public databases that you may never see. The most common ones offer a way to opt out of a listing. Nexis, one of the biggest, says you can opt out of its people-finding lists by going to www.lexisnexis.com/terms/privacy/data/remove.asp. Nexis does not make it easy because it requires that you prove you are a victim of identity theft before it will consider your application. The Center for Democracy and Technology provides addresses and forms for other companies, like ChoicePoint, that do not let you opt out online (http://opt-out.cdt.org). REAL ESTATE FILINGS You have to file deeds with the local government office and once you do, companies swoop in to compile lists of new homeowners from the public records. That's why you get the discount coupons from Home Depot and other merchants right after you buy. Birth certificates and marriage licenses are also scraped for data. There is little you can do about it because the records are intended to be public. Any good lawyer can show you how to make it a little harder for personal information to be listed on a deed. But it will cost money, which is probably not worth it if all you are trying to do is stop solicitations from Swifty's Mortgage Lending and Used Car Sales. 
E-mail: yourmoney at nytimes.com From rforno at infowarrior.org Sat Jan 20 20:47:27 2007 From: rforno at infowarrior.org (Richard Forno) Date: Sat, 20 Jan 2007 20:47:27 -0500 Subject: [Infowarrior] - Chinese Professor Cracks Fifth Data Encryption Algorithm Message-ID: Chinese Professor Cracks Fifth Data Encryption Algorithm SHA-1 added to list of "accomplishments" Central News Agency Jan 11, 2007 http://en.epochtimes.com/news/7-1-11/50336.html Associate professor Wang Xiaoyun of Beijing's Tsinghua University and Shandong University of Technology has cracked SHA-1, a widely used online data encryption algorithm. (Daniel Berehulak/Getty Images) TAIPEI - In five years, the U.S. government will cease to use SHA-1 (Secure Hash Algorithm) and convert to a new and more advanced computer data encryption, according to the article "Security Cracked!" from New Scientist. The reason for this change is that 41-year-old associate professor Wang Xiaoyun of Beijing's Tsinghua University and Shandong University of Technology has already cracked SHA-1. According to a Beijing digest, this SHA-1 encryption includes the world's gold standard Message-Digest algorithm 5 (MD5). Before Professor Wang cracked it, the MD5 could only be deciphered by today's fastest supercomputer running codes for more than a million years. However, professor Wang Xiaoyun, a graduate of Shandong University of Technology's mathematics department, and her research team obtained results by using ordinary personal computers. In early 2005, Wang and her research team announced that they had succeeded in cracking SHA-1. In addition to the U.S. government, well known companies like Microsoft, Sun, Atmel, and others have also announced that they will no longer be using SHA-1. Two years ago, Wang convened an international data encryption conference to announce that her team had successfully cracked the four world-class standards of data encryption algorithms of MD5, HAVAL-128, MD4 and RIPEMD within 10 years. 
A few months later, she then cracked the even more advanced and difficult SHA-1. According to the article, Hash was Wang's area of research. Hash is the basis of MD5 and SHA-1, the two most extensive data encryption algorithms now used in the world. These two main algorithms are currently the crucial technology that electronic signatures and many other password securities use throughout the international community. They are widely used in banking, securities, and e-commerce. SHA-1 has been recognized as the cornerstone for modern Internet security. According to the article, in the early stages of Wang's research, there were other data encryption researchers who tried to crack it. However, none of them succeeded. This is why in 15 years Hash research had become the domain of hopeless research in many scientists' minds. Wang's method of cracking the encryptions differs from all others. Although encryption analysis usually cannot be done without the use of computers, according to Wang, the computer only assisted in cracking the algorithm. Most of the time, she calculated manually, and manually designed the methods. Wang said, "Hackers crack passwords with bad intentions. I hope efforts to protect against password theft will benefit [from this]. Password analysts work to evaluate the security of data encryption and to search for even more secure encryption algorithms." She added, "On the day that I cracked SHA-1, I went out to eat. I was very excited. I knew I was the only person who knew this world-class secret." Within ten years, Wang cracked the five biggest names in data encryption. Many people would think the life of this scientist must be monotonous. However she said, "That ten years was a very relaxed time for me." During her work, she bore a daughter and cultivated a balcony full of flowers. The only mathematics related habit in her life is how she remembers the license plates of taxi cabs. 
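A note on what "cracked" means in the article above, followed by an added example that is not part of the article or of Wang's published work. The results reported are collision attacks on hash functions (MD5, SHA-1 and the others named), not the breaking of an encryption cipher: the attacker finds two different inputs with the same digest, and does so cheaper than the generic "birthday" search, which costs about 2**(n/2) hash computations for an n-bit digest (2**80 for SHA-1; the 2005 SHA-1 result was put at about 2**69). A collision is not a preimage: it does not let an attacker recover data from a digest or forge a digest someone else already signed, which costs about 2**n generically. The script below makes that cost gap visible on a laptop by running both generic searches against a truncated SHA-1 (the truncation, the counter-derived messages and the seed prefixes are this example's own choices):

```python
import hashlib
import math
from typing import Dict, Tuple


def truncated_sha1(data: bytes, bits: int) -> int:
    """Top `bits` bits of SHA-1(data) as an integer: a toy hash with a small
    output so the generic attacks below finish in seconds."""
    digest = hashlib.sha1(data).digest()
    return int.from_bytes(digest, "big") >> (160 - bits)


def expected_birthday_trials(bits: int) -> float:
    """Expected number of random inputs before two share a `bits`-bit digest:
    sqrt(pi/2 * 2**bits), i.e. on the order of 2**(bits/2)."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def find_collision(bits: int, seed: bytes = b"") -> Tuple[bytes, bytes, int]:
    """Generic (birthday) collision search: hash distinct counter-derived
    messages until a truncated digest repeats. Returns (m1, m2, trials).
    Cost grows as 2**(bits/2); this is the baseline a dedicated collision
    attack such as the one reported above improves on."""
    seen: Dict[int, bytes] = {}
    counter = 0
    while True:
        msg = seed + counter.to_bytes(8, "big")  # every message is distinct
        counter += 1
        h = truncated_sha1(msg, bits)
        if h in seen:
            return seen[h], msg, counter
        seen[h] = msg


def find_second_preimage(target: bytes, bits: int, seed: bytes = b"") -> Tuple[bytes, int]:
    """Find a different input matching the truncated digest of `target`.
    Nothing to store, but the expected cost is 2**bits trials, not
    2**(bits/2): the collision attack alone does not give an attacker this."""
    want = truncated_sha1(target, bits)
    counter = 0
    while True:
        msg = seed + counter.to_bytes(8, "big")
        counter += 1
        if msg != target and truncated_sha1(msg, bits) == want:
            return msg, counter


if __name__ == "__main__":
    for bits in (24, 32):
        m1, m2, trials = find_collision(bits, b"infowarrior-")
        print(f"{bits}-bit collision after {trials} trials "
              f"(expected ~{expected_birthday_trials(bits):.0f}): "
              f"{m1.hex()} vs {m2.hex()}")
    target = b"sign me"
    m, trials = find_second_preimage(target, 20, b"forge-")
    print(f"20-bit second preimage after {trials} trials "
          f"(expected ~{2 ** 20}): {m.hex()}")
    # Full SHA-1: generic collision ~2**80, the 2005 attack ~2**69 (a 2**11
    # reduction); a generic preimage stays at ~2**160.
```

The 32-bit collision lands after roughly 80,000 hashes; the 20-bit second preimage needs roughly a million, even though its target is 12 bits shorter. That asymmetry is why the practical advice after 2005 was to stop relying on SHA-1 for anything where an attacker can choose both colliding inputs (certificate requests, signed documents), while password hashing and HMAC were not broken by the result.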
From rforno at infowarrior.org Sun Jan 21 01:24:12 2007 From: rforno at infowarrior.org (Richard Forno) Date: Sun, 21 Jan 2007 01:24:12 -0500 Subject: [Infowarrior] - Google plots e-books coup Message-ID: http://www.timesonline.co.uk/article/0,,2095-2557728,00.html The Sunday Times January 21, 2007 Google plots e-books coup Dominic Rushe GOOGLE and some of the world's top publishers are working on plans that they hope could do for books what Apple's iPod has done for music. The internet search giant is working on a system that would allow readers to download entire books to their computers in a format that they could read on screen or on mobile devices such as a Blackberry. With 380m people using Google each month, the move would give a significant boost to the development of e-books and have a big impact on the publishing industry and book retailers. Jens Redmer, director of Google Book Search in Europe, said: "We are working on a platform that will let publishers give readers full access to a book online." He did not believe taking books online would mean the end of the printed word but it would give readers more options when it came to buying. "You may just want to rent a travel guide for the holiday or buy a chapter of a book. Ultimately, it will be the readers who decide how books are read," he said. He added that after many years of setbacks the electronic book looked poised to go mainstream. Commuters in Japan were already reading entire novels on their mobile phones. Sony recently launched its Reader, a digital book device with an online book store stocking 10,000 titles. Amazon, the world's largest online book seller, is also planning to launch an e-book service. One of Google's partners, Evan Schnittman of Oxford University Press, said he foresaw a number of categories becoming popular downloads: "Do you really want to go on holiday carrying four novels and a guide book?" 
The book initiative would be part of Google's Book Search service and its partnership with publishers, which will make books searchable online with publishers' approval. At present, only a sample of each book is available online. Google users can search the book and see snippets relevant to their search; web links then guide readers to sites such as Amazon where they can buy a physical copy of the book. Major publishers such as Penguin, HarperCollins and Simon & Schuster are among those involved in the project. Redmer would not comment on timing or which publishers would be involved. Google said the project was likely to come to fruition "sooner rather than later". Google has an ambivalent relationship with the publishing industry. It is being sued by the Authors Guild and the Association of American Publishers over its deal with major libraries to scan their collections. Publishers argue the scheme infringes their copyright and Google should seek permission from them before scanning works, as they do in the partnership programme. Ben Vershbow of the Institute for the Future of the Book, a US think-tank, said: "Google seems to be simultaneously petting the industry and saying everything is going to be all right if they just let everything go, but at the same time telling them: 'We have you guys up against the wall'." From rforno at infowarrior.org Sun Jan 21 11:41:45 2007 From: rforno at infowarrior.org (Richard Forno) Date: Sun, 21 Jan 2007 11:41:45 -0500 Subject: [Infowarrior] - The Homeland Security Pageant Message-ID: The Homeland Security Pageant Inventors Unveil Devices to Thwart Terrorist Attacks http://www.washingtonpost.com/wp-dyn/content/article/2007/01/19/AR2007011901 577_pf.html By William Wan Washington Post Staff Writer Saturday, January 20, 2007; B01 First came duct tape. Then the airport liquid ban. And yesterday, officials unveiled the latest development in the country's war on terror: an American Idol-style contest for homeland security inventors. 
Six finalists. One stage. Ten minutes each to win the hearts of the judges and walk away with $50,000. Or perhaps more important, a phone call from one of the defense contractors sitting in the audience. Among the contestants:
* A Russian scientist with his biological weapons detector. "All of Western civilization is at war," he proclaimed.
* A team from Boston with a 300-degree steel furnace capable of killing biological threats.
* A former Ohio police officer, frustrated with law enforcement's unwieldy Web networks and offering a way to fix them.
* An inventor from Atlanta with an X-ray device able to detect everything from a vial of cocaine to nuclear waste.
* And the hometown favorite, the Baltimore creators of a virtual reality helmet with 180-degree peripheral vision, for military and disaster-response training.
For two hours yesterday, they worked the stage at the Loews Annapolis Hotel, talking up their wares and how they might shield the nation from death and destruction. The idea for the contest was hatched last year by the Chesapeake Innovation Center, a county-owned nonprofit organization charged with bringing homeland security firms to Anne Arundel. As the fifth anniversary of the Sept. 11, 2001, terrorist attacks approached, the center's leaders wanted to contribute somehow -- to create something that would make the sobering, scary world a little bit safer. Business sponsors put up $25,000 toward the cash prize, and the state put up another $25,000. But the prize, many said, was almost incidental in an industry where contracts are measured by the million and sometimes billion. The high stakes had to do with the audience at yesterday's presentation: a rich assortment of security experts, military officials and defense contractors, all of them potential clients and investors. The group received 50 applications for its Defend America Challenge, ranging from three-page outlines to 80-page volumes. 
Six were invited for the finals -- a 10-minute presentation and a two-minute Q&A. And as they took to the stage yesterday, evil seemed to lurk everywhere: radioactive cargo containers, anthrax-tainted dollar bills, instant messages with secret instructions for mass destruction. And yet, despite the doomsday scenarios, the event had all the makings of a beauty pageant -- the fierce rivalry and accompanying camaraderie, the big smiles and slick packaging. Presentation, after all, would count for a quarter of contestants' scores. Before the contest started, Yuval Boger, the virtual reality guy from Baltimore, was talking up the hometown advantage. "Well, it's only human to check out the competition, to try to see how you'll measure up," he said. "And with all things being equal, maybe the judges will want to invest locally in Maryland rather than somewhere else." The X-ray man nearby, however, played down any rivalry. "I don't view it so much as direct competition with them," said Dolan Falconer, who had come from Atlanta to talk about an X-ray machine that could detect everything from explosives to radioactive waste. "We're all winners already for being selected as one of the six finalists." One company, BioDefense, had lugged along a working model of its massive mail decontamination machine. Sitting in the hotel lobby on the back of a Hummer was the 375-pound unit -- a large steel box that looked suspiciously like a washing machine. "When you're dealing with something like white powder in the mail, you don't know what it is. Best thing is to just kill it all," said company rep Jonathan Morrone. He thrust a few letters into the machine's mouth and pointed out the microwave plates, the 300-degree convection heaters and the ultraviolet light. Several in the audience hoped to test out the Baltimore virtual reality headgear. "We couldn't bring it," Boger said. 
The bulky equipment and computers would have taken too long to set up, and coping with long lines of people waiting to geek out on his company's system would have distracted from its main purpose -- winning. But mindful of the presentation component, Boger had brought another, more low-tech prop -- two cardboard toilet paper tubes -- to illustrate how normal virtual reality helmets can offer only tunnel vision compared with his company's high-resolution models. "You got to have the steak and the sizzle," he said with a sly smile. "You got to entertain them but tell them something substantial, too." Alexander Asanov, the Russian scientist, took a more gloom-and-doom approach, speaking of a "war with the extremists," in a sober voice thick with accent. "It is a war of ideas. It cannot be won by bullets; so we need to empower our ideas." Preferably his idea, he added, as he described technology that detects biomolecular threats like anthrax within minutes. In the end the winner was announced with a sealed envelope and a dramatic pause: It was Falconer, the X-ray man from Atlanta, who ended up taking home the oversized check. "I don't want to call it luck, because it took a lot of hard work, but on any given day, any of us could have won," he said graciously. Another $50,000 prize, for the best invention by a Maryland company, went to Boger's virtual reality helmet. There were smiles all around, business cards exchanged and all through the hotel ballroom a feeling that the nation was now perhaps a little safer. From rforno at infowarrior.org Sun Jan 21 11:44:56 2007 From: rforno at infowarrior.org (Richard Forno) Date: Sun, 21 Jan 2007 11:44:56 -0500 Subject: [Infowarrior] - Spam is back, and worse than ever Message-ID: Spam is back, and worse than ever Posted: Friday, January 19 at 05:00 am CT by Bob Sullivan http://redtape.msnbc.com/2007/01/spam_is_back_an.html If you feel like your inbox is suddenly overrun with spam again, you are right. 
Not long ago, there seemed hope that spam had passed its prime. Just last December, the Federal Trade Commission published an optimistic state-of-spam report, citing research indicating spam had leveled off or even dropped during the previous year. Instead, it now appears spammers had simply gone back to the drawing board. There's more spam now than ever before. In fact, there's twice as much spam now as there was at this time last year. And the messages themselves are causing more trouble. About half of all spam sent now is "image spam," containing server-clogging pictures that are up to 10 times the size of traditional text spam. And most image spam is stock-related, pump-and-dump scams which can harm investors who don't even use e-mail. About one-third of all spam is stock spam now. "Traditional methods have failed spammers, so they are resorting to more and more sophisticated tactics," said Dave Mayer, a product manager at IronPort, which makes anti-spam products. The tactics are working. There are 62 billion spam messages sent every day, IronPort says, up from 31 billion last year. Now, spam accounts for three of every four e-mails sent, according to another anti-spam firm, MessageLabs. Image spam is a big part of the resurgence of unwanted e-mail. By using pictures instead of words in their messages, spammers are able to evade filters designed to detect traditional text-based ads. New computer viruses have contributed to the uptick, also, particularly a surprisingly prolific Trojan horse program called "SpamThru" that turns home computers into spam-churning "bots." Some small organizations are having real trouble with the spam surge, IronPort officials say. One county government office called the firm after its mail server shut down. "(It) could not even slowly process mail," said IronPort spokeswoman Suzanne Matick. "They ended up with no mail going to their 7,500 users for seven days." She declined to identify the agency, citing confidentiality agreements. 
Of course, there wouldn't be this much spam if it didn't work. Concentrated stock spamming has the ability to send share prices of penny stocks soaring, said Graham Cluley, a consultant for computer security firm Sophos. "They absolutely storm up in value. And then there's the inevitable fall," he said. Last summer, California-based Southern Cosmetics was forced to issue warnings to investors after spam campaigns touting shares of the company. During one such campaign, the firm's stock value rose from below 1 cent per share to a high of 6.6 cents. The Securities and Exchange Commission has prosecuted some spam pump-and-dumpers, and on other occasions, has suspended trading in firms after it spotted a spam campaign. But the agency can hardly keep up with millions of stock spams each day. Attempts to manipulate stock prices through e-mail are nothing new, said John Reed Stark, chief of the Securities and Exchange Commission's Office of Internet Enforcement. But despite the agency's "hefty track record of bringing cases" against spammers, the technique persists. No clicks required Stock spam is effective because no Web link is required, Cluley said. In old-fashioned spam, criminals generally try to trick recipients into clicking on a link and buying something. Many e-mail programs now block direct Web links from e-mails, rendering click-dependent spam much less effective. But stock messages merely have to make the recipient curious enough about a company to motivate him or her to buy a few shares through a broker. There is another element that helps perpetuate stock spam, Stark said: he believes speculators unrelated to the original spam sometimes try to "play the momentum" surrounding a spam campaign, either getting in early on a pump-and-dump campaign to profit as shares rise, or by "shorting" stocks, betting that they will fall after the spam campaign flames out. "There are all these people pushing the envelope in sometimes desperate ways to try to make money," 
Stark said. Image spam, which now seems inseparable from stock spam, can arrive entirely devoid of text, but that's not common. Most messages have what appears to be nonsense text pasted above and below the image. Experts call this "word salad," or "good word poisoning." Below this story, we've pasted some examples of what we call "spam haiku." Here's one: "I thought I was Train cars derail, catch fire in KentuckyMassive fireIdol begins this week!" 'Word salad,' or not-so-random text The word jumble is generally borrowed from news headlines or classic books like Charles Dickens' "David Copperfield," the text of which are often available online. The seemingly random text actually serves an important purpose -- to foil or confuse word-based spam filtering. Many spam filters determine the likelihood that a message is spam based on the individual words in the body of the e-mail. The presence of obviously spamish words like "Viagra" or "sexy" tilts filters to categorize a mail as spam and block it or route it to a junk mail folder. But because normal conversational words tend to persuade filters that a message is legitimate, spammers paste in bits and pieces of text to fool the filters. There's debate about how well that trick works, but there's no debate about how much word salad there is: it's everywhere. Spammers continually refine and combine their techniques, said Doug Bowers, senior director of anti-abuse engineering at Symantec. The firm recently found spam attached to legitimate newsletters that appear to be from big companies, including a Viagra ad atop a 1-800-Flowers e-mail newsletter and another on an NFL fantasy league letter. Such e-mails are simply spam masquerading as authentic, with real content borrowed from legitimate companies. They are similar to phishing e-mails, and so are much more likely to be opened by recipients than traditional spam, Bowers said. 
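The "good word poisoning" mechanism described above, as an added example that is not from the article, the quoted experts or any product they mention. It trains a toy multinomial naive Bayes filter on a small constructed corpus (the ham side deliberately includes headline text of the kind the salad borrows), scores a stock pitch with and without pasted-in salad, and then applies one common countermeasure: scoring only the handful of tokens whose weights are most decisive, so that a pile of mildly legitimate-looking words cannot outvote a few strongly spammy ones. The corpus, the messages and the cutoff of 15 tokens are this example's own choices.

```python
import math
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed training mail (not real messages). The ham side deliberately
# contains news-headline text like the salad quoted in the article, because
# that is exactly what makes such words look legitimate to a trained filter.
HAM = [
    "are we still meeting for lunch tomorrow",
    "the report is attached please review it before the meeting",
    "thanks for the photos of the kids from the weekend",
    "train cars derail catch fire in kentucky",
    "idol begins this week massive fire",
]
SPAM = [
    "buy viagra cheap online now",
    "hot stock alert shares will soar buy now",
    "best terms and conditions for your investments",
    "cheap stock pick act now before shares soar",
]

# Constructed test messages: a stock pitch, then the same pitch padded with
# word salad drawn from vocabulary the filter has only seen in ham.
STOCK_PITCH = "Hot stock alert: buy now, shares will soar!"
WORD_SALAD = ("Train cars derail, catch fire in Kentucky. Massive fire. Idol begins this week. "
              "The report is attached, please review it before the meeting.")
PADDED_PITCH = STOCK_PITCH + " " + WORD_SALAD


def tokenize(text: str) -> List[str]:
    return re.findall(r"[a-z]+", text.lower())


def _sigmoid(x: float) -> float:
    """Numerically stable logistic function (no overflow for large |x|)."""
    if x >= 0:
        return 1.0 / (1.0 + math.exp(-x))
    e = math.exp(x)
    return e / (1.0 + e)


class WordFilter:
    """Multinomial naive Bayes spam filter with add-one smoothing and equal
    class priors, scored as a sum of per-token log-likelihood ratios."""

    def __init__(self, ham: List[str], spam: List[str]) -> None:
        self.ham_counts = Counter(t for doc in ham for t in tokenize(doc))
        self.spam_counts = Counter(t for doc in spam for t in tokenize(doc))
        self.vocab_size = len(set(self.ham_counts) | set(self.spam_counts))
        self.ham_total = sum(self.ham_counts.values())
        self.spam_total = sum(self.spam_counts.values())

    def weight(self, token: str) -> float:
        """log P(token|spam) - log P(token|ham); positive means spammy."""
        p_spam = (self.spam_counts[token] + 1) / (self.spam_total + self.vocab_size)
        p_ham = (self.ham_counts[token] + 1) / (self.ham_total + self.vocab_size)
        return math.log(p_spam / p_ham)

    def token_weights(self, message: str) -> Dict[str, float]:
        """Weight of each distinct token in the message."""
        return {t: self.weight(t) for t in set(tokenize(message))}

    def spam_probability(self, message: str, top_k: Optional[int] = None) -> float:
        """P(spam | message). With top_k set, only the top_k tokens with the
        largest |weight| are summed, which is the defence against salad:
        many weakly hammy words no longer drown a few strongly spammy ones."""
        weights = sorted(self.token_weights(message).values(), key=abs, reverse=True)
        if top_k is not None:
            weights = weights[:top_k]
        return _sigmoid(sum(weights))


FILTER = WordFilter(HAM, SPAM)


def demo() -> Dict[str, float]:
    """Spam probability of the pitch, the padded pitch, and the padded pitch
    scored on its 15 most decisive tokens."""
    return {
        "pitch": FILTER.spam_probability(STOCK_PITCH),
        "padded, all tokens": FILTER.spam_probability(PADDED_PITCH),
        "padded, 15 most decisive": FILTER.spam_probability(PADDED_PITCH, top_k=15),
    }


if __name__ == "__main__":
    for label, p in demo().items():
        print(f"{label:26s} P(spam) = {p:.3f}")
```

On this corpus the bare pitch scores close to 1.0, the padded version falls to a few percent (every salad word the filter has only seen in ham pulls the sum toward legitimate), and restricting the sum to the 15 most decisive tokens brings it back above 0.9 because the stock words carry larger weights than any single salad word. The same trick is why image spam works at all: with no text, there are no tokens to weigh, which is the case the text-only approach cannot handle.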
"They craft an e-mail that looks like a newsletter, but change as little as a single line and insert an image," Bowers said. "As in phishing, they are copying the look and feel of the legitimate e-mail." One way companies are combating image spam is to turn off all images arriving in inboxes. But that can be a draconian measure, as it will cut off pictures of grandchildren, too. 'Never invest based on spam' Consumers can sometimes spot image spam without opening the message, thanks to hyped-up subject lines like this: "MHII.OB Best terms and conditions for your investments." Spotting spam before you open it is a plus -- sometimes spam messages contain small images that report back to the sender as soon as a message is opened, teaching the spammer that your e-mail address is valid. More spam is sure to follow. But in some cases there is no way to tell if a message is spam without opening it. So for now, the best defense consumers have is their delete key -- and a heavy helping of skepticism when investing based on anonymous tips. The SEC's Stark puts it bluntly: "Never invest based on spam." SOME SAMPLE "SPAM HAIKU" EXAMPLE 1: This is directly from a Harry Potter book; deep sleep. I found myself out in public, in the middle of the match, and I saw, in front of me, a wand sticking out of a boys pocket. I had not been allowed a wand since before Azkaban. I stole it. Winky didn't EXAMPLE 2 Many others are just gibberish Brother simon, simons wife maria garcia. Known remarks has ties san jose california idaho. The charred remains woman! Wife maria garcia who both been charged accessory. People in elmore county the charred remains, woman her? Raul solario solorio date. EXAMPLE 3 This is truly word salad Male build, medium race. Sons aged, four were found inside burned out vehicle. May have fled michoacan be traveling with his brother. Out vehicle on august, each. Dangerous if you, any concerning. Of ten most wanted fugitive, jorge, alberto? Garcia who both been charged! 
Most wanted fugitive jorge alberto. Either head or chest considered armed extremely. EXAMPLE 4: Clearly compiled from various news sources an extremely guiltyIdol begins this week! Train cars derail, catch fire in KentuckyMassive fireNigeria clashes prompt Shell evacuationsgoing to be an architect, EXAMPLE 5: Hard to say where this comes from Christian saint video graphics chip amiga mato. Human if, an article link led you. Poetsaint christian saint video graphics chip amiga mato, grosso. By randy ho singer! Human if an article, link led you. Meanings etymology and see can refer toin. Modified, december all text available under terms gnu. The free denisefrom to navigation searchlook up in wiktionary. Saint video graphics chip, amiga mato grosso, brazilthis. EXAMPLE 6 This is a jumbled passage from Charles Dickens' "David Copperfield": Confused blind way, to recall how I had felt, and what sort of boy boys especially the smaller ones were visited with similar a child, and the natural reliance of a child upon superior years determination to do better tomorrow. Mr. Creakle cuts a joke was the same with the places at the desks and forms. It was the confused blind way, to recall how I had felt, and what sort of boy boil. On seeing the master enter, the old woman stopped with the was standing opposite, staring so hard, and making me blush in From rforno at infowarrior.org Sun Jan 21 19:02:17 2007 From: rforno at infowarrior.org (Richard Forno) Date: Sun, 21 Jan 2007 19:02:17 -0500 Subject: [Infowarrior] - The Press at War and the War on the Press Message-ID: The Press at War and the War on the Press http://www.freepress.net/news/20485 From Dangerous Intersection, January 13, 2007 By Erich Vieth I'm still reporting from the National Conference for Media Reform, from Memphis. The conference is sponsored by Free Press. This afternoon I attended a panel discussion exploring the issues set forth in the title of this post. 
The moderator, Geneva Overholser (of the University of Missouri School of Journalism), warned that when we criticize the press, we should not be too general. There are, after all, many good people doing honorable work in the profession. The first speaker was Sonali Kolhatkar, who is a host and producer of a popular morning drive time program called Uprising; she is also the co-director of a nonprofit organization, Afghan Women's Mission. Kolhatkar noted that the media goes where the violence goes, then moves on. At the present time, Afghanistan "is blowing up." There are suicide bombs, as well as no liberation of Afghanistan women (a prime selling point for the war). Nonetheless, the media (and thus, the American public) no longer cares. She criticized the term "war on terror." You can't have a war "on an abstract noun." The second speaker was Paul Rieckhoff, who is the Executive Director and founder of the Iraq and Afghanistan Veterans of America. Rieckhoff was an infantry officer in Iraq from 2003 to 2004. He was one of the first Iraq veterans to publicly criticize the war. We've written about Paul before. Rieckhoff described the war in Iraq as a "war of disconnect." For instance, "you never see a dead American soldier on TV." In fact, you rarely hear the American soldiers' perspective. You never hear the perspective of the Iraqis. After the attack on Falluja, for instance, the press did not report on the perspective of the Iraqi citizens or business people. According to Rieckhoff, our media failed our soldiers by failing to ask the administration important questions. When Rieckhoff returned home in 2004, the number one story in the media was Janet Jackson's breast. American soldiers commonly referred to Afghanistan as Forgetistan. Why is there such a disconnect? Perhaps it's because less than 1% of Americans have served in either Iraq or Afghanistan. In World War II, 10 to 12% of the population served in the war. 
According to the White House, the media coverage of the war was flawed because the media allegedly only told the stories about the bad things that were happening. Rieckhoff offered a response: "If you only want good stories, go to Disneyland." Rieckhoff is a harsh critic of embedding, which he describes as a "shrewd move" by the administration. What happens when one embeds? "You compromise a large part of your journalistic integrity. You can't cover my story while I'm covering your ass." Rieckhoff does not agree with the characterization of this war as a "war on terror." This characterization is "bullshit. Terror is not the enemy; it's a tactic." In Afghanistan and Iraq, our soldiers enjoyed an unprecedented ability to communicate back home. They could be in a firefight, then be blogging an hour later. But not if the military finds out. "The Department of Defense shuts down these blogs as soon as they pop up." Rieckhoff was asked whether he suffered any repercussions for speaking out. He indicated that it is dangerous for veterans to speak out. It was especially dangerous in the earlier days, before the war effort soured. When Rieckhoff went public with his criticism, people in the military were okay with him "on the down low." Now members of the military can be more openly supportive of what Rieckhoff has done. Nonetheless, "It is risky to speak out." Rieckhoff is mindful that he might have to go back to Iraq as part of the Administration's recently announced "surge." He recommended that those in the audience nonetheless encourage veterans to speak out. Rieckhoff warns that the military very much distrusts the press, and that it will take a lot of work to convince them otherwise. He also warns that the blame game has already started. In the military this is what you call a CYA drill. His concluding advice: "Don't let the administration blame the media or the Iraqis." 
The next speaker was Helen Thomas, the noted news service reporter who has served for 57 years as a correspondent in the White House press corps. Thomas stated that the American press corps has lost its way. Reporters failed to ask the right questions, "despite the shifting rationales for the war that were offered by the administration, all of them untrue." Any reporter who dared to ask challenging questions was ridiculed. They were asked things like "Who the hell are you to ask that question?" Because of this resistance, "We gave up our one weapon: skepticism." The Iraq war has drained our treasury, destroyed Iraq and destroyed American credibility. We "lost our halo as visionaries for a better mankind." In the meantime, the White House became a disinformation mill. For example, it has been uncovered that the military paid reporters to write for Iraqi media. The media continues to get it wrong. Bush is allowed to issue signing statements indicating that he will not abide by the law. He listens in on our phone calls and opens our mail. He sends people to secret prisons "to be tortured possibly." Fact gathering has suffered. "Soundbites cannot replace a good solid story." Where is the liberal vigorous press, asks Thomas. "I say bring em on." Thomas reminded the audience "A free press is indispensable for a democracy. You can't have a free country without a free press." Ultimately, Thomas is an optimist, based upon the recent election and other developments. "The truth cannot be buried." She notes that the message has gotten out to the people now, and that Bush's support has almost entirely vanished. The next speaker was Eric Boehlert, an author (Lapdogs: How the Press Rolled over for Bush (2006)) and a senior fellow at Media Matters for America. Boehlert echoed Overholser's concern that criticisms of the media should not be too general. Good things are happening too. Nonetheless, "this war could not have been sold without the help of the press." 
He argued that the press was "timid" and that the press "fell down" for this war on terror. In his opinion, Iraq is "the most serious press failing in the last half-century." What is the basis for his claim? March 6, 2003 is a good illustration. It was still 10 days prior to the invasion, and Bush held a so-called press conference. This was the press conference where Bush used a "cheat sheet" to decide who he was going to call on for questions. He made a comment during the press conference that "this is scripted," laughing as if it was a joke. The problem, however, was that the press conference was scripted. "It was classic kabuki theater." Bush provided almost no information about why we were attacking Iraq. "Anyone tuning in to get an explanation for the imminent invasion got no answer." Nor were there any follow-up questions. It was during this press conference that Bush made 13 references to Al Qaeda. How is that relevant? In theory, Iraq was the first uncensored war. On the other hand, photographers were sending back numerous excellent photographs showing the casualties, military and civilian. An editor of a prominent magazine wrote his reporter, "do not send any more photos of civilians." There are no photos of dead American soldiers that have been made available to the American public. Further, the media has refused to show photographs of wounded soldiers and soldiers in dire situations. This is not the way it necessarily needs to be. When Clinton was president, for example, graphic photographs of American casualties in Mogadishu were made available. Revisionists abound now. You can hear them arguing that the lack of debate was caused by the Democrats, who were not speaking out. But some Democrats were speaking out, including Ted Kennedy, who made an impassioned plea against the war. The Washington Post, which had published at least a million words about the upcoming war, gave Kennedy's speech only 23 words of coverage. 
It was in the run-up to the war that the Washington Post editorialized in favor of the war eight times. The lone exception at the Washington Post was E.J. Dionne. Boehlert reminded the audience that the war against the press started long before Iraq. President Bush was noted for his lack of press conferences. According to Andy Card, the press is "just another special interest." The Bush administration showed the low regard in which it held the press when it repeatedly invited Jeff Gannon to press conferences. Gannon, who did not hold any journalism credentials, was affiliated with a gay escort service. Boehlert suggests a reason why the press did not resist the administration on Iraq. The reporters wanted to go to Iraq for four days "to come back as heroes."

As if the above information wasn't a lot to digest in 1 1/2 hours, the audience also heard from two additional people who warned about government threats being made against journalists. The first of these speakers was Sarah Olson, a freelance journalist from Oakland who has been subpoenaed to testify in the prosecution of the U.S. Army court-martial of 1st Lt. Ehren Watada, the first commissioned officer to publicly refuse deployment to Iraq. To read Olson's story in detail, go to her site. In addition to refusing to report for duty, Watada had the audacity to speak out against the Iraq war. For those statements, he was charged additionally with four counts of making statements unbecoming. Olson had interviewed Watada, and that's why she was subpoenaed to Watada's court-martial. According to Olson, Watada's court-martial hearing is coming up in February, and she is facing felony charges if she refuses to testify. She came to this media conference looking for money, ideas, or any other form of support. Olson argues that this attempt to force her to testify is eviscerating the First Amendment. The military is "trying to turn journalism into the investigative arm of the government."
The second speaker is the mother of Josh Wolf, an independent journalist and video blogger. Wolf is currently in custody in California for civil contempt. He was incarcerated earlier this year (he's now been in custody for 144 days) after resisting a subpoena to testify before a grand jury and refusing to turn over the video he shot of a San Francisco protest against the G8 Summit in 2005. Wolf had covered such protests in the past, and therefore had some privileged access to the Bay Area activist community. He is resisting this subpoena because this is an attempt to identify political dissidents, which constitutes a fishing expedition. Like Sarah Olson, Josh's mother was at the convention to find any sort of assistance. To learn more, go to his site. To read his daily blog, which he updates from prison, go here. The solution, according to Wolf, is that the government should enact a federal shield law that upholds the right of journalists to protect the confidentiality of their sources. For more on protecting sources of reporters, see the site of Reporters Without Borders.

From rforno at infowarrior.org Mon Jan 22 09:10:10 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 22 Jan 2007 09:10:10 -0500
Subject: [Infowarrior] - Interview with Bill Cheswick
Message-ID:

The Register. Original URL: http://www.theregister.co.uk/2007/01/22/bill_cheswick_interview/

Net security from one of the fathers of the biz
By Federico Biancuzzi, SecurityFocus
Published Monday 22nd January 2007 12:28 GMT

Interview: Many people have seen internet maps on walls and in various publications over the years. Federico Biancuzzi interviewed Bill Cheswick, who started the Internet Mapping Project that grew into software to map corporate and government networks. They discussed firewalling, logging, NIDS and IPS, how to fight DDoS, and the future of BGP and DNS.

Could you introduce yourself?
Bill Cheswick: I am known for my work in internet security, starting with work on early firewalls and honeypots at Bell Labs in the late 80s. I coined the word "proxy" in its current usage in a paper I published in 1990. I co-authored the first full book (http://www.wilyhacker.com/) on internet security in 1994 with Steve Bellovin. This sold very well and arrived in time to train the first generation of network managers. In the late 1990s Hal Burch and I did some seminal research on IP traceback, and then started the Internet Mapping Project. This grew into software to map corporate and government networks. We were two of seven people who co-founded Lumeta (http://www.lumeta.com/), a spin-off from Bell Labs, to commercialise these capabilities. You have probably seen our internet maps (http://www.cheswick.com/ches/map/gallery/index.html) on walls and in various publications over the years. I served as chief scientist at Lumeta from Sept 2000 to Sept 2006. I am an internationally-known speaker on computers, the internet, and security.

You wrote a famous book entitled "Firewalls and Internet Security" (http://www.wilyhacker.com/), so I'd like to ask you a couple of technical suggestions on firewalls. What type of policy do you prefer for filtered TCP ports? Returning a RST or dropping packets silently?

Bill Cheswick: I prefer the silent drops: it makes an attacker wait for a timeout, and you can't use spoofed packets to point RSTs elsewhere. Returning an RST reveals information that really doesn't need to be disclosed. I don't think choosing one way or the other is a big deal, however.

I was thinking of the fact that if you drop TCP packets for a particular port or range of ports, an attacker could spoof your IP. In fact, he would be able to send SYN packets to the victim, who will send SYN+ACK to your IP, but since your firewall will drop those packets instead of returning RST, the attacker will be able to send his ACK storm undisturbed...
Bill Cheswick: It's true, but that trick will also work with any unassigned or idle IP addresses, and there are many. In any case, these bounced packets don't offer any amplification, so it isn't clear why they would bother. Also, I understand that with the botnets so common, a lot of attackers don't bother spoofing packets.

What type of logging would you suggest for a firewall filtering an internet connection? If the aim of a firewall is to block undesired packets, why should we log them?

Bill Cheswick: Back in the early 90s I used to log all the probes, and often send out emails warning the owners of probing machines that they might be compromised. Over time this became as pointless as counting bugs on a windshield, and I stopped. The information is not entirely useless, and the firewall can become a small packet telescope. Most of the information revealed is statistical: worm infection rates, etc. But you can imagine combining information about firewall probes with other information about an attack on a company that could yield some additional information about the attack. Disk space is cheap, and these logs aren't needed for very long, nor do they typically require being backed up. I like to put such logs into a large, cheap drop-safe, and make sure that if the safe fills up, the firewall still functions.

You didn't mention NIDS when talking about analysing data and discovering threats. What is your opinion about the core idea and current technology of Network Intrusion Detection Systems?

Bill Cheswick: It makes a lot of sense to watch your own network and interconnections to keep an eye on what's going on.
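The "packet telescope" use of a drop log that Cheswick describes, as an added example that is not part of the interview: it parses constructed iptables-style LOG lines (the field names SRC=, DST=, PROTO=, DPT= are the ones netfilter emits; every address, host name and timestamp is made up) and pulls out the statistical view he mentions, which ports are being probed and which sources look like a worm sweeping one port across many hosts versus a single host being port-scanned.

```python
"""Read a firewall's drop log as a small "packet telescope".

Added example, not from the interview. The sample below is constructed
in the netfilter/iptables syslog style with a LOG prefix of "FW-DROP: ".
"""
import re
from collections import Counter, defaultdict

# Constructed sample log; addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
Jan 22 09:10:01 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=4411 DPT=445 SYN
Jan 22 09:10:02 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.11 PROTO=TCP SPT=4412 DPT=445 SYN
Jan 22 09:10:02 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.12 PROTO=TCP SPT=4413 DPT=445 SYN
Jan 22 09:10:05 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.13 PROTO=TCP SPT=4414 DPT=445 SYN
Jan 22 09:11:40 gw kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.55 DST=198.51.100.10 PROTO=TCP SPT=51000 DPT=22 SYN
Jan 22 09:11:40 gw kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.55 DST=198.51.100.10 PROTO=TCP SPT=51001 DPT=23 SYN
Jan 22 09:11:41 gw kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.55 DST=198.51.100.10 PROTO=TCP SPT=51002 DPT=80 SYN
Jan 22 09:11:41 gw kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.55 DST=198.51.100.10 PROTO=TCP SPT=51003 DPT=443 SYN
Jan 22 09:11:41 gw kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.55 DST=198.51.100.10 PROTO=TCP SPT=51004 DPT=3389 SYN
Jan 22 09:12:10 gw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.200 DST=198.51.100.10 PROTO=UDP SPT=1026 DPT=1434
Jan 22 09:15:00 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.10 PROTO=TCP SPT=2222 DPT=445 SYN
this line is not a firewall record and must be skipped
"""

# Only the fields we need; SPT/DPT are optional because ICMP lines lack them.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ kernel: (?P<prefix>[\w-]+): .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+)"
    r"(?: SPT=(?P<spt>\d+))?(?: DPT=(?P<dpt>\d+))?"
)


def parse_line(line):
    """Return a dict for one drop record, or None for a non-matching line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dpt"] = int(rec["dpt"]) if rec["dpt"] else None
    return rec


def summarize(log_text, horizontal_min=3, vertical_min=4):
    """Aggregate a drop log into the few numbers a defender actually reads.

    horizontal_min: distinct destinations one source must hit on one port
                    before we call it a sweep (worm-like behaviour).
    vertical_min:   distinct ports one source must hit before we call it a
                    port scan of our hosts.
    """
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    port_hits = Counter((r["proto"], r["dpt"]) for r in records)
    dsts_per_src_port = defaultdict(set)
    ports_per_src = defaultdict(set)
    for r in records:
        dsts_per_src_port[(r["src"], r["dpt"])].add(r["dst"])
        ports_per_src[r["src"]].add(r["dpt"])
    horizontal = sorted({src for (src, _), dsts in dsts_per_src_port.items()
                         if len(dsts) >= horizontal_min})
    vertical = sorted(src for src, ports in ports_per_src.items()
                      if len(ports) >= vertical_min)
    return {
        "parsed": len(records),
        "top_ports": port_hits.most_common(3),
        "horizontal_scanners": horizontal,  # one port, many of our hosts
        "vertical_scanners": vertical,      # many ports, one of our hosts
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The two scanner lists are the part worth keeping; per-port counts over weeks are the "worm infection rate" statistic, and a source that appears in both lists at once is the one to correlate with other evidence of an attack.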
The problem is that there is such volume and variety of data and protocols (a strength of the internet) that it is really hard for a human to understand his network traffic, unless it is highly constrained (in other words, "we only allow web traffic on this subnet..."). Not only is it hard to really monitor what's going on; subtle, slow stealth attacks and probes over, say, a period of months, are almost impossible to separate from the hue and cry of momentary traffic. Most people don't try, but that's where the real pros can eat your lunch.

NIDS are an ongoing attempt to watch the network. They all try to watch the net, summarise traffic, report anomalies, etc. They all have problems with false negatives and false positives. False positives quickly become a monotonous drumbeat, and tend to quash interest in the tool and its results. When a salesman tells you about a NIDS, or you read a paper about some new NIDS technology, always find out the details of false positive rates, and what they miss.

Another problem is the NIDS themselves may be subverted. We have seen buffer overflow attacks on the monitoring host, packets that were intended to subvert the eavesdropping software! This can turn your NIDS against you.

Deep down, network monitors have what Matt Blaze calls the "eavesdropper's dilemma." Is the eavesdropping software seeing the same data, and interpreting it the same way, as the destination hosts? This is a hard problem: perhaps packets don't make it all the way to the destination, or the end operating system can interpret overlapping data in two ways. The eavesdropper has to understand this, and state-of-the-art implementations actually understand the local network topology and actively probe endpoints to determine their operating system and version. It seems to me that this particular arms race will end badly. This same problem exists for law enforcement and military, only on a much grander scale.
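The "overlapping data interpreted two ways" half of the eavesdropper's dilemma, as an added example that is not from the interview: the segments, the policy names ("first" keeps the bytes that arrived first, "last" lets later data overwrite them) and the signature string are all constructed, and the point is the defender's check at the end, which flags any overlap whose bytes disagree so the monitor does not have to guess which stream the host saw.

```python
"""Why a monitor and an end host can reassemble one TCP stream differently.

Added example, not from the interview. TCP does not say which copy of
overlapping segment data wins, so different stacks keep different bytes;
the two policies below are constructed stand-ins for that choice.
"""


def reassemble(segments, policy):
    """Rebuild a byte stream from (seq_offset, data) segments.

    policy "first": bytes already in the buffer are never overwritten.
    policy "last":  later segments overwrite earlier bytes.
    """
    if policy not in ("first", "last"):
        raise ValueError("unknown policy: %r" % policy)
    buf = {}  # stream offset -> byte value
    for offset, data in segments:
        for i, b in enumerate(data):
            pos = offset + i
            if policy == "last" or pos not in buf:
                buf[pos] = b
    if not buf:
        return b""
    end = max(buf) + 1
    if any(pos not in buf for pos in range(end)):
        raise ValueError("hole in stream; cannot reassemble yet")
    return bytes(buf[pos] for pos in range(end))


def has_conflicting_overlap(segments):
    """Defender's check: True if two segments cover one offset with different bytes.

    A plain retransmission (same bytes at the same offset) is not a conflict;
    only disagreeing data is, and that is the case a monitor should alert on
    regardless of which reassembly policy it happens to use.
    """
    seen = {}
    for offset, data in segments:
        for i, b in enumerate(data):
            pos = offset + i
            if pos in seen and seen[pos] != b:
                return True
            seen.setdefault(pos, b)
    return False


def inspect(segments, monitor_policy, host_policy, signature):
    """Return (monitor_matches, host_matches) for a signature on one stream."""
    monitor_view = reassemble(segments, monitor_policy)
    host_view = reassemble(segments, host_policy)
    return (signature in monitor_view, signature in host_view)


# Constructed segments: the third overlaps the second at offsets 8..10 with
# different bytes, so "first" and "last" stacks end up with different requests.
SEGMENTS = [
    (0, b"GET /ATT"),
    (8, b"XYZ"),
    (8, b"ACK HTTP/1.0"),
]
SIGNATURE = b"ATTACK"  # constructed stand-in for a content rule


if __name__ == "__main__":
    for policy in ("first", "last"):
        print(policy, reassemble(SEGMENTS, policy))
    print("monitor/host match:", inspect(SEGMENTS, "first", "last", SIGNATURE))
    print("conflicting overlap:", has_conflicting_overlap(SEGMENTS))
```

A monitor that keeps first-arriving bytes never sees the signature that a last-wins host receives, which is exactly the blind spot the interview describes; the conflicting-overlap check is what lets the monitor raise an alarm on the ambiguity itself instead of depending on knowing every endpoint's stack.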
They need to extract specific, small bits of data from vast torrents of data.

What do you think about reactive firewalls, also known as IPS (Intrusion Prevention Systems)?

Bill Cheswick: Reactive security is an idea that keeps popping up. It seems logical. Why not send out a virus to cure a virus, for example? How about having an attacked host somehow stifle the attacker, or tell a firewall to block the noxious packets? These are very tricky things to do, and the danger is always that an attacker can make you DOS yourself or someone else. As an attacker, I can make you shut down connections by making them appear to misbehave. This is often easier than launching the original attack that the reactive system was designed to suppress (by the way, this happens a lot in biological immune systems as well. There are a number of diseases that trigger dangerous or fatal immune system responses). So I am skeptical about these systems. They may work out, but I want to keep an eye on the actual user experiences with these.

What is the state of research in network security? What attracts funds? What is considered a promising technology?

Bill Cheswick: A lot of the easy stuff has been done, and even beaten to death commercially. I have been intrigued by new work in a few areas.

* There is a lot of activity on virtual machines of various sorts, like VMware and Xen, for example. I think these have a lot of potential, especially with better hardware support. VMs are a nice sandbox for necessary but dangerous client software, like browsers and mail readers. They can be used to improve testing of operating systems, which I would like to see more of.

* Google for "strider honey monkeys". This is a nice paper about a proactive project at Microsoft Research to go find browser exploits on evil sites (http://www.securityfocus.com/news/11273). It has found a number of day-zero and other exploits, which they fed into the developers and legal department.
I understand this work has been turned over to production. A nice job.

* I was excited by the SANE paper at Usenix from some crackerjack folk at Stanford. It is a rethinking of intranet design, completely replacing the end-to-end principle with centralised control. This is bad for research and new internet technologies, but it may be exactly what a military network needs, and maybe useful for corporate deployment. There are open questions, but it is quite promising.

I am not that well connected with current funding streams to be able to answer that question well.

How will the internet change with the increasing resources that common people have access to? For example, a blind spoofing attack could become more feasible with broadband access to the internet, and there are some countries where you can easily and cheaply get a 100Mbps connection. Same thing for DDoS via botnets, if each host got a 100Mbps...

Bill Cheswick: This has already happened some time ago. Parts of the Far East have efficient home wiring, and computers there are often used in staging attacks because they have high bandwidth. This has become such a problem that some people just drop all email from China, since it can be a major source of spam connections, and many people don't know anyone there. Spoofing of attacks continues, but I am told that the spoofing rates are down. For DDoS, why spoof when there are tens of thousands of source addresses?

For almost all users the computer and the network have far more potential than the average user employs almost all of the time. Common computers have cycle times six times greater than the million dollar Cray we had at Bell Labs in the early 90s. The Cray still wins in some performance areas, but in many it does not. What does an average user do with this compute power? Powerpoint and word processing don't need nearly this much power. Some multimedia and many games do use this power.
So miscreants use the computer and the network connections of average users for their own uses, being careful not to bother the owner. That's why viruses these days don't tend to do nasty things like erase hard drives, though they certainly could if they wished. These compromised machines are very useful for making money, through spam delivery, phishing sites, DDoS extortion attacks, etc. The incentives are strong, and I expect this misuse to continue. I hope the population of susceptible machines will decline as Vista gets deployed and the early kinks get ironed out.

The big change in the internet is going to be greatly increased multimedia delivery. An hour television show at 720p is about 5GB. People are going to want to share these with friends, and providers are grappling with new delivery mechanisms, perhaps permanently replacing broadcast TV.

What is the most promising path to fight DDoS?

Bill Cheswick: I have no definitive answer for this. I can imagine a world of robust, worm-free software. Engineering, experience, and the right economic motives can bring this about. But any public server can be abused by the public. Are the flood of queries to CNN the result of breaking news, or a focused DDoS attack? Even if it is breaking news, I could imagine that the news might be created explicitly to flood the site. How would we know? I see no theoretical possibility of doing anything more than mitigating attacks, and ultimately throwing large amounts of computing and network capacity at the problem, which is what all the most popular targets do.

Do you think that we could use some mapping software to fight these types of attacks, just like weather people study the movement and shape of tornados with satellites?

Bill Cheswick: I don't think it's likely to be useful, because the sources of DDoS attacks are widespread and generally not hidden.
It doesn't help me if I know the location of 10,000 attacking hosts: I can't possibly track them down (using traceback, traffic analysis, or whatever) and shut them all down. These days I am told that the attackers often don't even bother to spoof the attacking addresses. If there is a particular attacking stream of interest, then, yes, this technology may be helpful, combined with others. I mentioned traffic analysis: this is one area where I conjecture that the spooks may be well ahead of the public literature. There are certainly researchers examining packet traceback, flood suppression, etc., using these tools, including my data.

It seems that net neutrality is under fire in the US. What is your opinion from a security standpoint? Could we see some security improvements if carriers had the right to filter the traffic on their networks?

Bill Cheswick: Short answer: some carriers do filter some traffic, and that sometimes is a benefit to their customers. As the Chinese would tell you if free to do so, it is actually quite hard to suppress all the unwanted traffic, given world-class encryption and a massive traffic flow in which to hide.

The USENIX Magazine (http://www.usenix.org/publications/login/) published an article [PDF (http://www.cs.columbia.edu/~smb/papers/v6worms.pdf)] titled Worm Propagation Strategies in an IPv6 Internet that you co-authored. It seems that IPv6 could help us in fighting worms thanks to its huge address space. What type of other indirect security advantages could IPv6 provide?

Bill Cheswick: That paper points out that it doesn't help us that much. IPv6 is a good idea, but it shouldn't be sold as a palliative for worms. The job of hunting for hosts on a network also has legitimate motivations. Corporate auditors are keen to find and track their assets. I think they are going to have to talk to the routers more. Hopefully, the worms will be excluded from these conversations.
At present, I don't see much economic pressure for corporations to switch their intranets to IPv6. There is a lot of work involved, and I don't see the benefits.

The internet runs on two fragile technologies: BGP connections among routers, and a bunch of root DNS servers deployed around the planet. How much longer do you think this setup could still be effective?

Bill Cheswick: For quite a while, actually, though there are obvious, well-known weaknesses with both systems. The DNS root servers appear to be 13 hosts, but are actually many more. They have been under varying, continual, low-level attacks for many years, a process that tends to toughen the defenses and make them quite robust. A few years ago there was a strong attack on the root servers, taking 9 of the 13 down at some point. The heterogeneity of the root server management was part of the underlying robustness. For example, Paul Vixie's servers (F.ROOT-SERVERS.NET) had many hosts hiding behind that single IP address. I understand they did not go down. In this case, the statelessness of the UDP protocol underlying the DNS system was a strength (it is a weakness in other ways, allowing a variety of attacks, including some new ones recently).

There are other root servers, of course. Anyone can run one; it is just a question of getting people to use it. I understand that China is proceeding with root servers of their own. DNSSEC is a way to get the right DNS answer, but its deployment has had problems for at least 10 years.

BGP is certainly another network issue. Where should my routers forward packets to? BGP distributes this information throughout the internet. There are two problems here: 1) is the distribution working correctly, and 2) are the other players sending the correct information in the first place. This is usually an easy problem between an ISP and their customer. The customer is only allowed to announce certain routes, and the ISP filters these announcements to enforce the restriction.
It is easy on a short list of announcements. But at the peering point with other ISPs, this becomes hard, because there are hundreds of thousands of routes, and it isn't clear which is which. Should I forward packets for Estonia to router A or router B? We are far removed from the places where these answers are known. There are proposals to grab ahold of all this information using cryptographic signatures. SBGP is one on-going proposal, but there are lots of problems with it, and lots of routers to change (we identify almost 200,000 routers a day worldwide in the internet mapping project (http://www.cheswick.com/ches/map/index.html).)

And BGP announcements are misused. Evil nets will pop up for a little while, emit bad packets, and then unannounce themselves, confounding the job of tracking them down. Other attacks can divert packets from the proper destinations. There have been many cases of this, both accidental and intentional.

For all these problems, and others in the past, I have been impressed with the response of the network community. These problems, and others like security weaknesses, security exploits, etc., usually get dealt with in a few days. For example, the SYN packet DOS attacks in 1996 quickly brought together ad hoc teams of experts, and within a week, patches with new mitigations were appearing from the vendors. You can take the internet down, but probably not for very long.

This article originally appeared in Security Focus (http://www.securityfocus.com/columnists/429?ref=rss). Copyright © 2007, SecurityFocus (http://www.securityfocus.com/)

From rforno at infowarrior.org Mon Jan 22 09:12:33 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 22 Jan 2007 09:12:33 -0500
Subject: [Infowarrior] - Vista copy protection is defended
Message-ID:

Vista copy protection is defended

Microsoft has defended the digital rights management systems integrated into its new Vista operating system.
It follows reports that Vista would "downgrade" the quality of all video and audio, if they were not output via approved connections on the PC. Microsoft said only the quality of "premium content" would be lowered, and only if requested by copyright holders. The measures are in place, says the firm, to protect content such as high definition movies from being copied.

Vista's copy protection systems have come under fire from many quarters, including recently from Peter Gutmann, a computer science lecturer at the University of Auckland. In a report looking at the impact Vista would have on video and audio playback, he described Vista's Content Protection specification as "the longest suicide note in history". He said Vista was "broken by design" and intentionally crippled the way it displayed video. "The sheer obnoxiousness of Vista's content protection may end up being the biggest incentive to piracy yet created," he wrote.

Enforced

In a response to the paper, Dave Marsh, lead program manager for video at Microsoft, said many of the copy protection systems enforced by Vista were common on all playback devices. He said Vista did have the capability of downgrading video and audio quality, like other devices, but that it would only be activated "when required by the policy associated with the content being played". The copyright holders of content on HD-DVD and Blu-ray discs, for example, can insist that the video be played back in high definition only if it is output via a HDMI connection on a PC and into a HDMI connection in a TV or monitor. That could prove a problem for many PC users whose graphics cards have a DVI or component video connection. Microsoft said that if picture quality was degraded it would still be better than current DVD quality.
Mr Marsh also denied reports that the degradation would impact all video output, insisting it would only apply to premium content video.

'Very unhappy'

Mr Gutmann told BBC News: "It's reassuring that they are saying that only the ability to playback high definition video can be revoked. But if consumers have gone out and paid thousands of dollars on high quality, high resolution, high definition displays and find the content is downscaled or there is no picture at all, they are going to be very unhappy. Some of the feedback I have been getting indicates that HD-DVD discs are not playing on some PCs."

Mr Gutmann also highlighted the extra demands put on a computer's CPU to handle Vista's Content Protection systems. Microsoft admitted that the CPU will be taxed further but Mr Marsh said "Vista's Content Protection features were developed to carefully balance the need to provide robust protection... while still enabling great new experiences..."

Mr Gutmann said it was insincere of Microsoft to lay the responsibility for the increased copy protection systems at the feet of content providers. He said: "Saying 'we were only following orders' has historically proven not to be a very good excuse. If you have got the protection measures there, the impulse is to use the most stringent ones at your disposal. In general, some sort of DRM is necessary, but we need to strike a balance. It's very consumer-hostile technology that is being deployed."
Story from BBC NEWS: http://news.bbc.co.uk/go/pr/fr/-/2/hi/technology/6286245.stm
Published: 2007/01/22 12:12:07 GMT

From rforno at infowarrior.org Mon Jan 22 09:17:03 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 22 Jan 2007 09:17:03 -0500
Subject: [Infowarrior] - Schneier: "Clear" Registered Traveller Program
Message-ID:

"Clear" Registered Traveller Program
http://www.schneier.com/blog/archives/2007/01/clear_registere.html

CLEAR, a private service that prescreens travelers for a $100 annual fee, has come to Kennedy International Airport. To benefit from the Clear Registered Traveler program, which is run by Verified Identity Pass, a person must fill out an application, let the service capture his fingerprints and iris pattern and present two forms of identification. If the traveler passes a federal background check, he will be given a card that allows him to pass quickly through airport security.

Sounds great, but it's actually two ideas rolled into one: one clever and one very stupid.

The clever idea is allowing people to pay for better service. Clear has been in operation at the Orlando International Airport since July 2005, and members have passed through security checkpoints faster simply because they are segregated from less experienced fliers who don't know the drill. Now, at Kennedy and other airports, Clear is purchasing and installing federally approved technology that will further speed up the screening process: scanners that will eliminate the need for cardholders to remove their shoes, and explosives detection machines that will eliminate the need for them to remove their coats and jackets. There are also Clear employees at the checkpoints who, although they can't screen cardholders, can guide members through the security process.
Clear has not yet paid airports for an extra security lane or the Transportation Security Administration for extra screening personnel, but both of those enhancements are on the table if enough people sign up. I fly more than 200,000 miles per year and would gladly pay $100 a year to get through airport security faster.

But the stupid idea is the background check. When first conceived, traveler programs focused on prescreening. Pre-approved travelers would pass through security checkpoints with less screening, and resources would be focused on everyone else. Sounds reasonable, but it would leave us all less safe.

Background checks are based on the dangerous myth that we can somehow pick terrorists out of a crowd if we could identify everyone. Unfortunately, there isn't any terrorist profile that prescreening can uncover. Timothy McVeigh could probably have gotten one of these cards. So could have Eric Rudolph, the pipe bomber at the 1996 Olympic Games in Atlanta. There isn't even a good list of known terrorists to check people against; the government list used by the airlines has been the butt of jokes for years.

And have we forgotten how prevalent identity theft is these days? If you think having a criminal impersonating you to your bank is bad, wait until they start impersonating you to the Transportation Security Administration.

The truth is that whenever you create two paths through security -- a high-security path and a low-security path -- you have to assume that the bad guys will find a way to exploit the low-security path. It may be counterintuitive, but we are all safer if the people chosen for more thorough screening are truly random and not based on an error-filled database or a cursory background check.

I think of Clear as a $100 service that tells terrorists if the F.B.I. is on to them or not. Why in the world would we provide terrorists with this ability? We don't have to.
Clear cardholders are not scrutinized less when they go through checkpoints; they're scrutinized more efficiently. So why not get rid of the background checks altogether? We should all be able to walk into the airport, pay $10, and use the Clear lanes when it's worth it to us.

This essay originally appeared in The New York Times.

I've already written about trusted traveller programs, and have also written about Verified Identity Card, Inc., the company that runs Clear. Note that these two essays were from 2004. This is the Clear website, and this is the website for Verified Identity Pass, Inc.

From rforno at infowarrior.org Mon Jan 22 09:31:38 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 22 Jan 2007 09:31:38 -0500
Subject: [Infowarrior] - More on - Spam is back, and worse than ever
In-Reply-To: <20070122142301.GB6039@gsp.org>
Message-ID:

(c/o RSK)

------ Forwarded Message

On Sun, Jan 21, 2007 at 11:44:56AM -0500, Richard Forno wrote:
> Spam is back, and worse than ever

What this doesn't appear to mention (just read it after a run and so oxygen deprivation may be in play) is this: "The spam problem" today pretty much equates to "the Microsoft Windows insecurity problem". If you use passive OS fingerprinting on your incoming port 25 connections (a la the "pf" firewall in OpenBSD), then you'll find that the incoming spam stream pretty much divides into two classes:

1. Spam from dedicated spammer server farms. The originating OS's vary widely. It's pretty easy to block almost all of this just by using a sensible combination of DNSBLs, because the number of source IPs is relatively small, they don't change that quickly, and they tend to be clustered.

2. Spam from millions upon millions upon millions of zombie'd systems located all over the planet, including huge numbers of systems on dialup, DSL, cable, FIOS, etc. connections. The originating OS is almost always Windows.
(Out of the last million hosts I looked at, I can count the possibly-non-Windows systems without running out of fingers.) It's considerably harder to block much of this because of the scalability issues involved, because hosts move around (DHCP, laptops, etc.), and because they can turn up anywhere.

The amount of spam showing up from (2) swamps that showing up from (1), and with good reason: it works better (for spammers). And note that while today those systems primarily send spam directly to target systems, there's little, if anything, stopping them from sending spam through any mail server for which the zombies' former owners possess mail credentials.

[ Consider as well that some of those former owners have a number of email accounts on a number of different servers. Maybe one for home, one for work, one at Hotmail, one at Yahoo, whatever. Those all belong to spammers now. Which means, among other things, that spammers can "harvest" any email address found in any traffic sent to them, and send forged email as any of them. ]

Estimates of the number of zombies vary. Markoff's NYTimes article a couple of weeks ago cites an estimate of about 70M. I think that's way too small; I think we passed 100M a couple of years ago and that something around 300M is probably in the ballpark. But regardless of who's right about that, (a) it's a big number, on the order of 10e9, and (b) it's getting bigger every day. I see no reason at all to think that the trend will reverse or even slow down; in fact, I expect it to accelerate with the deployment of Vista.

By the way, this situation also renders all supposed email "anti-forgery" systems moot.

So we're kinda screwed.
---Rsk

From rforno at infowarrior.org Mon Jan 22 10:01:44 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 22 Jan 2007 10:01:44 -0500
Subject: [Infowarrior] - Cyberthreat experts to meet at secretive conference
Message-ID:

Cyberthreat experts to meet at secretive conference
By Joris Evers
http://news.com.com/Cyberthreat+experts+to+meet+at+secretive+conference/2100-7348_3-6151860.html
Story last modified Mon Jan 22 04:40:48 PST 2007

Internet security experts are gathering at a secretive conference later this week to strategize in their fight against cybercriminals. The meeting on Thursday and Friday at Microsoft's Redmond, Wash. headquarters is slated to bring together representatives from security companies and government and law enforcement officials, as well as others involved in network security. The agenda focuses on botnets and related topics, seen by experts as a prime threat to the Internet.

"Unlike most other security conferences, we allow only members of the different relevant groups access, and we discuss organized crime and threats across borders, with a strong lean toward how we can make things better," said Gadi Evron, an evangelist at security firm Beyond Security and organizer of the event.

Botnets are networks of hijacked computers, popularly called zombies. Cybercrooks use these networks to relay spam, bring down Web sites, distribute spyware and perform other nefarious acts. Microsoft has fingered zombies as a top threat to Windows PCs.

In the battle between cybercrooks and those protecting the Internet, the bad guys are often at least one step ahead. Authorities are cracking down and have had successes in catching, prosecuting and convicting phishers and bot herders in recent years. But criminals are organizing better and moving to more sophisticated tactics, including the use of peer-to-peer technologies in their bot software. The gathering this week is the good guys' effort to team up.
"These events have been a great way to build trust in the security community, which can lead to collaboration and data sharing. This helps in the overall efforts to combat the cybercriminals," said Dave Jevans, chairman of the Anti-Phishing Working Group, who is slated to speak at the event later this week. The two-day meeting is held behind closed doors. "For reasons of practicality as well as to help members feel safe to share and work in our environment, some privacy is required," Evron said. "Not everything can be common knowledge if we are to be successful in combating these threats." It is not unusual for such meetings to be confidential. After all, it doesn't make much sense to let the criminals in on the efforts being made to catch them. Also, this isn't a new thing for Microsoft--the company regularly holds meetings at its campus that require a nondisclosure agreement. Scheduled presentations at this week's event include two talks by Microsoft on security vulnerabilities that have no patch, known as zero-day flaws, and the software maker's response to those. There has been a significant rise in the use of zero-day bugs in cyberattacks. Criminals often exploit security holes to add PCs to their botnets. "Microsoft will be presenting our analysis of trends and patterns in its security response process," a company representative said. "Additionally, we will be reviewing vulnerability exploitation trends, with a specific focus on the usage of zero-day vulnerabilities, to attack customers." Microsoft also said it is "proud to sponsor the workshop, which provides an opportunity for the security operations community to discuss security trends, share information and plan for the future." 
Trojan horses, phishing and spam--oh my Aside from various talks specifically on botnets, other presentations dive into Trojan horses, new styles of denial-of-service attacks, spam, phishing and weaknesses in protection technologies such as sandboxes and virtual keyboards on banking sites, according to the event agenda. Douglas Otis of Trend Micro plans to give a talk on how e-mail authentication technology called Sender ID could be abused to launch denial-of-service attacks, he said. Sender ID is a specification pushed heavily by Microsoft for verifying the authenticity of e-mail by ensuring the validity of the server from which it came. Jevans of the Anti-Phishing Working Group plans to present a multiyear overview of phishing statistics and discuss new trends in the data-thieving scams, he said. These new trends include use of subdomains, more man-in-the-middle style attacks and changing attack patterns to also focus on smaller banks and payment services, he said. Alex Shipp, a senior antivirus technologist at e-mail security company MessageLabs, is scheduled to deliver a talk on Trojan horses targeted at a small number of companies or even individuals. It is an update to a presentation he gave at the Virus Bulletin conference last year. These targeted Trojan horse attacks are considered dangerous because they could evade traditional protection mechanisms trained to look for known attacks or mass attacks. But Shipp also hopes to leave with answers to a number of questions. Ultimately, the event should better arm attendees in the fight against cyberattacks, he said. "What are the bad guys doing now and how can we stop them? Can we do better than we are currently or do we need a seismic shift in the way we do things now to solve the problems? What kind of co-operative efforts can we put in place that would benefit us all?" are some of those questions, Shipp said. 
Among those scheduled to attend are representatives from security firms such as Symantec, Trend Micro and Websense, as well as people from AOL, Cisco Systems, Microsoft, Sun Microsystems and Qwest. Government and law enforcement expected to attend include the Federal Bureau of Investigation, Secret Service and United States Computer Emergency Readiness Team, or US-CERT. Various universities are also expected to send representatives. "Cooperation at all levels, technical, legal, government, is needed to contain the problem," said Righard Zwienenberg, chief research officer at Norman Data Defense Systems, who is slated to speak on sandboxes at the event Thursday. "Without worldwide laws and cooperation, we might lose the battle in the end." Copyright © 1995-2007 CNET Networks, Inc. All rights reserved. From rforno at infowarrior.org Mon Jan 22 15:49:26 2007 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 22 Jan 2007 15:49:26 -0500 Subject: [Infowarrior] - RFI - Netgear router tech question Message-ID: I installed a NETGEAR WNR834M 802.11x router early December to replace my NETGEAR 802.11b router. While it generally works okay, every now and then when surfing around, I'll receive an error message that reads "Bad Request (Invalid Verb)" and/or the HTML connection simply will drop. Or, the distant website will 'hiccup' and then redirect me to the page I want to visit. The network link remains functional, and I can surf elsewhere on the Net, but the connection to SITE$ (or a particular page inside SITE$) refuses to load. I've poked around the device and nothing seems out of the ordinary. Eg: > Content-Type: text/html > Date: Mon, 22 Jan 2007 19:58:23 GMT > Connection: close > Content-Length: 35 > >

Bad Request (Invalid Verb)

Yet using other network connections (cellular or wired to my gateway) I have no problems whatsoever when surfing --- hence I think the problem lies w/in the NETGEAR device and how it handles web traffic. But before I toss it for another device, I figure to see if anyone's got any ideas. Thx -rf From rforno at infowarrior.org Mon Jan 22 21:52:49 2007 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 22 Jan 2007 21:52:49 -0500 Subject: [Infowarrior] - Blu-Ray DRM Cracked Message-ID: Blu-Ray DRM Cracked The plaintext exploit used to partially crack HD-DVD a couple of weeks ago was brought to bear on Blu-Ray by the same gents this weekend--and it worked a treat. "We need to kick DRM in the butt!" declares the sigfile of Doom9 forum poster Janvitos, launching his inspection of the format. And that they do, with muslix64 delivering the killing blow: "Oups, I did it again! ... In less that 24 hours, without any Blu-Ray equipment, but with the help of Janvitos, I managed to decrypt and play a Blu-Ray media file using my known-plaintext attack ... I will keep you informed If I found anything new..." Noting that this isn't a complete solution, but "merely" a successful breach on the DRM curtain wall of AACS encryption (and not the inner keep of BD+ copy protection) a pre-alpha version of "BackupBluRay V0.01" is available for crazy experimenter types: caveat replicator. http://blog.wired.com/gadgets/2007/01/bluray_drm_crac.html From rforno at infowarrior.org Mon Jan 22 23:07:05 2007 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 22 Jan 2007 23:07:05 -0500 Subject: [Infowarrior] - YouTube--Censored? Message-ID: YouTube--Censored? http://www.redherring.com/Article.aspx?a=20872&hed=YouTube%e2%80%94Censored% 3f Offending Paula Abdul clips are abruptly taken down. 
January 22, 2007 By Sunshine Mugrabi Following a week's worth of controversy about her behavior, Fox Broadcasting ordered clips of Paula Abdul swaying, appearing intoxicated, and answering questions on TV news programs in a nonsensical way taken down from YouTube this week. The move raises questions about where the line should be drawn between copyright infringement and outright censorship. It also shows how quickly an embarrassing piece of footage can become a viral sensation now that videos can be easily uploaded to the web. "What Fox runs the risk of is using copyright law as a form of censorship," said Van Baker, an analyst at Gartner Media Service. Ms. Abdul, a judge on the wildly popular show American Idol on Fox, whose parent is News Corp., has insisted she doesn't drink or take drugs. Last week, she told Jay Leno on The Tonight Show that her inability to answer questions during news interviews on several Fox affiliate stations was the result of a mix-up in satellite feeds. "Well, there was a mistake. Alabama was in my ear and so was Seattle at the same time," said Ms. Abdul. However, such damage control hasn't stopped bloggers, TV pundits, and others from speculating that Ms. Abdul's behavior is veering out of control. Meanwhile, the video of her appearance on the Seattle Fox affiliate attracted many viewings on YouTube before being pulled. (A new version has since been uploaded.) YouTube did not immediately return a request for comment. Fox Broadcasting declined to be interviewed for this article. Any violation of what is known as the Digital Millennium Copyright Act (DMCA) is grounds for removal of videos on YouTube, a division of Mountain View, California-based search giant Google. However, there are also "fair use" laws that allow some content--such as short clips or satirical depictions of celebrities--to be aired online. Aggressive Takedowns "Some people would say this is an overly aggressive use of the takedown procedure [allowed in the DMCA]," 
said James Nguyen, an attorney who specializes in entertainment and copyright law at the Los Angeles-based law firm Foley & Lardner. "They're within their rights -- but most of the major TV networks don't ask you to take down their other clips." This is not the first time that the DMCA has been invoked to prevent embarrassing or unpleasant videos from being shown online. Mr. Nguyen also cited a recent incident in which a video of Second Life avatar Anshe Chung being a victim of a "griefing attack" was pulled from YouTube following a request. In that situation, the avatar of Ms. Chung--whose real life name is Ailin Graef--was bombarded with pornographic imagery while being interviewed in CNET's Second Life Theater. Originally, Ms. Graef argued that this was a copyright violation because she owns her avatar, according to a CNET News.com article on the subject. The video was unavailable on YouTube for a period of time, but was later restored. Another unintended consequence of this move could be that it extends the kerfuffle over Ms. Abdul's behavior rather than quelling it. Mr. Nguyen called this the "Barbra Streisand effect," referring to that actress's insistence that paparazzi photos of her mansion not be used. Perhaps it will become known as the Idol effect. From rforno at infowarrior.org Tue Jan 23 10:06:07 2007 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 23 Jan 2007 10:06:07 -0500 Subject: [Infowarrior] - N.J. Internet users' aliases are private, court says Message-ID: N.J. Internet users' aliases are private, court says A woman had a "legitimate and substantial" interest in anonymity, it ruled. By Jeffrey Gold Associated Press http://www.philly.com/mld/inquirer/news/local/states/new_jersey/16523187.htm NEWARK - Computer users in New Jersey can expect that personal information they give their Internet service providers will be treated as private, a state appellate court decided yesterday in the first such case considered in the state. 
As a result, New Jersey and several other states will give greater privacy rights to computer users than do most federal courts, and law-enforcement officers in New Jersey will need to obtain valid subpoenas or search warrants to obtain the information. The court ruled that a computer user whose screen name hid her identity had a "legitimate and substantial" interest in anonymity. "Yes, this indicates that New Jersey, like a lot of states, is ahead of the curve on Internet privacy," said Kevin Bankston, a staff attorney with the Electronic Frontier Foundation, a San Francisco-based digital rights group. Bankston also praised the decision for recognizing anonymity as a core free-speech right. The 3-0 ruling by an appellate panel stemmed from the indictment of Shirley Reid, who was suspected of breaking into the computer system of her employer in Cape May County in 2004 and changing its shipping address and password for suppliers. The decision upholds a lower court ruling suppressing information from Reid's Internet service provider that linked her with a screen name that did not reveal her identity. Lower Township police obtained the information after having the township's Municipal Court administrator issue a subpoena to the provider, Comcast Internet Service. However, the appellate panel found that the subpoena was invalid because the crime being investigated was not within that court's jurisdiction and the subpoena was not issued, as required, in connection with a judicial proceeding. And because "New Jersey is among the few states to have found an implied right to privacy in its state charter," a proper subpoena or search warrant is required to obtain private information, the appeals court decided. It was not immediately known if the ruling would lead to the dismissal of the one-count indictment on a charge of computer theft. Messages left for Reid's lawyer and the Cape May County Prosecutor's Office were not immediately returned. 
By using a coded screen name, the "defendant manifested an intention to keep her identity publicly anonymous. She could have used her own name or some other ISP address that would have readily revealed her identity, but she did not. Having chosen anonymity, we conclude that defendant manifested a reasonable expectation of privacy in her true identity, known only to Comcast," Appellate Judge Harvey Weissbard wrote for the panel. The court said it was not issuing blanket protection for computer-based criminals. "Just as with telephones or bank records, computers cannot be used with impunity for unlawful purposes. When there is probable cause to believe unlawful use has occurred, law enforcement has the tools to respond," the court said. Federal courts have held that Internet subscribers have no right of privacy under Fourth Amendment protections against illegal search and seizure regarding identifying information on file with their service providers. That stems from U.S. Supreme Court decisions that held that a person cannot expect privacy for information voluntarily given to others, the New Jersey court said. "However, the right to privacy of New Jersey citizens under our state constitution has been expanded to areas not afforded such protection under the Fourth Amendment," the court added. From rforno at infowarrior.org Tue Jan 23 12:33:01 2007 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 23 Jan 2007 12:33:01 -0500 Subject: [Infowarrior] - MySpace to send U.S. users missing-children alerts Message-ID: MySpace to send U.S. users missing-children alerts By Reuters http://news.com.com/MySpace+to+send+U.S.+users+missing-children+alerts/2100- 1028_3-6152320.html Story last modified Tue Jan 23 06:47:22 PST 2007 Popular online social network MySpace said Tuesday it will begin sending online alerts to users in certain U.S. regions to help find missing children as part of an expansion of plans to expand safeguards for users. 
MySpace struck a partnership with the National Center for Missing & Exploited Children to enable MySpace Amber alerts, a program between the media and law enforcement to issue early warning broadcast bulletins in serious child abduction cases. It is part of an upgrade by News Corp.-owned MySpace of safety features designed to address concerns of child safety advocates, some of whom say it has been slow to keep its many teenage members safe from adult predators. Last week, the families of five teenage victims of sexual abuse by adult MySpace users sued the service for negligence in protecting its users. Last year, the family of a 14-year-old girl sued the company in a similar case. MySpace hired a former U.S. Justice Department prosecutor last year to improve its online safety program. The Amber alerts, named after 9-year-old Amber Hagerman, who was kidnapped and murdered in 1996 in Texas, will appear in a small text box at the top of a profile, MySpace said. The alerts give MySpace users the option to get more information about the case, such as photos and information on suspects. "We've been working with partners...and law enforcement to find any possible avenue we can take to protect our nation's children, keeping sex offenders off our site and providing technology that the entire industry can take advantage of," MySpace Chief Security Officer Hemanshu Nigam said in a phone interview. With 150 million profiles, MySpace is seen as one of the Web's fastest-growing properties in terms of users. More than half of U.S. teens with online access use sites such as MySpace to stay in touch with friends, a recent Pew survey found. The explosive growth in MySpace usage since its purchase by Rupert Murdoch's News Corp. in September 2005, has made it a target for sex predators who prey on its huge teen population. 
As part of its safety program, MySpace now requires all new members to register with a valid e-mail address, which they say helps law enforcement track down potential predators. New applicants will receive a verification e-mail with a link requiring them to click back and verify their identity. U.S. Sens. Charles Schumer and John McCain said last month they planned to introduce legislation that would require convicted sex offenders to register active e-mail addresses, expanding the existing requirements that they register personal information with local municipalities. The database of e-mail addresses would let social networking sites like MySpace bar offenders from their services by cross-checking new applicants against the database. MySpace struck a deal with background verification firm Sentinel Tech Holding Corp. to build a new technology, Sentinel Safe, which will let MySpace search state and federal databases to seek out and delete profiles of registered sex offenders. MySpace previously did not require users to verify e-mails as some Internet service providers using junk e-mail filters were unable to recognize the verification mail as legitimate. In the last few months, MySpace has been in talks with U.S. Internet service providers to unblock verification e-mails. All users also now have the option to make their profile private--once available only to 14- and 15-year-old members. Story Copyright © 2007 Reuters Limited. All rights reserved. 
From rforno at infowarrior.org Tue Jan 23 16:34:19 2007 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 23 Jan 2007 16:34:19 -0500 Subject: [Infowarrior] - Feds: Details of ISP snooping haven't been decided Message-ID: Feds: Details of ISP snooping haven't been decided By Anne Broache http://news.com.com/Feds+Details+of+ISP+snooping+havent+been+decided/2100-10 28_3-6152598.html Story last modified Tue Jan 23 13:08:21 PST 2007 WASHINGTON--The Bush administration hasn't settled on what data it would like Internet service providers to retain about their subscribers or for how long, a U.S. Department of Justice attorney said Tuesday. U.S. Attorney General Alberto Gonzales made it clear last fall that he planned to seek national legislation requiring the controversial practice known as data retention, but "we don't have any position officially about how long records would have to be retained or what records would have to be retained," said Eric Wenger, a trial attorney with the Justice Department's computer crime unit. During an event here hosted by the Federal Communications Bar Association, Wenger also said police already have ready access to other legal tools, such as the power to send letters to ISPs requesting "preservation" of existing data for up to 90 days while law enforcement obtains the necessary court authority to obtain that data. But he categorized the lack of consistent data retention by ISPs as a "roadblock" to some investigations. He described, for example, a situation in which an investigator may be able to secure an IP address for a suspected phisher from Microsoft's Hotmail service. By the time the investigator took that IP address to the Internet service provider for more information about the suspect's identity, he may be told by the ISP that such information has already been purged. 
"We've been talking to some of the companies to explain the needs we have for the records," he said, although he did not expressly urge adoption of new laws. Another possibility is that a data retention requirement could be extended beyond ISPs to search engines, which was discussed in private Justice Department meetings in October. As first reported by CNET News.com in June 2005, Justice Department officials began quietly discussing the idea of data retention requirements, akin to what the European Union has already enacted. Last week, Gonzales told members of the Senate Judiciary Committee that he planned to resume discussions with Congress about data retention legislation this year. The attorney general did not elaborate on his plans, but last year, he repeatedly said the practice was necessary to help investigators nab elusive online criminals, particularly sexual predators. Privacy advocates have long resisted such mandates, arguing that they allow police to obtain records of e-mail chatter, Web browsing or chat room activity that normally would have been discarded after a few months--or in some cases, never kept at all. CNET News.com's Declan McCullagh contributed to this report. From rforno at infowarrior.org Tue Jan 23 16:50:09 2007 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 23 Jan 2007 16:50:09 -0500 Subject: [Infowarrior] - Jill Carroll Criticizes Foreign Cutbacks in Harvard Report Message-ID: Jill Carroll Criticizes Foreign Cutbacks in Harvard Report http://editorandpublisher.com/eandp/news/article_display.jsp?vnu_content_id= 1003535593&imw=Y By Joe Strupp Published: January 23, 2007 11:05 AM ET updated Tuesday NEW YORK Jill Carroll, the Christian Science Monitor reporter who spent more than 80 days in captivity in Iraq last year before being freed following an international call for her release, is criticizing cutbacks in foreign news coverage in a new report she authored for the Shorenstein Center at Harvard University. 
Researched and written during her fellowship at the Shorenstein Center on the Press, Politics and Public Policy last fall, Carroll's 23-page report claims that media companies cutting back on foreign bureaus and correspondents in the face of financial pressure "are making a financial miscalculation and missing an opportunity to capitalize on an asset that they appear to undervalue." Carroll, who was kidnapped just over a year ago in Baghdad during an incident in which her driver was killed, followed her release last spring by writing an extensive series on her 82-day ordeal, which also included online video interviews and became the Monitor's most popular syndicated series and web-based report. She took a leave of absence from the paper during the fall semester at Harvard, where she was one of four such fellows. Her critical report includes statistics that note the number of foreign correspondents at U.S. newspapers had dropped from 282 in 2000 to 249 in 2006. She also points out that the number of foreign bureaus at the three major networks had "dropped significantly since 9/11." ABC, NBC and CBS all had six foreign bureaus by the summer of 2003, according to American Journalism Review, after ABC and NBC cut seven and CBS cut four bureaus since the 1980s. She also notes several reader polls, claiming their findings indicate a healthy appetite among readers and viewers for overseas news. "Good quality foreign news coverage is in fact in demand by readers and viewers. It adds significant value to a medium but in ways that can't always be directly measured by net profits," Carroll writes. "Higher quality employees, greater credibility and exclusive stories are all a result of having one's own staff providing good quality foreign news coverage. These benefits strengthen the medium as an organization and when factored into a cost-benefit calculation, the costs associated with producing good quality foreign news coverage begin to seem like a bargain." 
When noting companies that have hit hardest in reducing their foreign coverage, Carroll says that "the starkest example is Tribune Company. It is shuttering the Baltimore Sun's and Newsday's foreign bureaus and will rely instead on Tribune system reporters overseas. The rationale is that Tribune's Los Angeles Times and Chicago Tribune will handle the bureau reporting and that doing this will also eliminate overlap with other papers in the chain. "But one of the things the Sun and Newsday were particularly well known for was their ambitious foreign coverage. They distinguished themselves from average metro daily newspapers by having their own foreign staff--even if only a handful of correspondents. Their investment in original foreign coverage is often what made them great and not just average. But at small and mid-sized papers the fad solution to the industry's struggle to maintain 20% profit margins is to focus more on local news." Carroll, who is set to return to the Monitor for an as yet undisclosed assignment, ends the report by claiming the foreign coverage element of U.S. news operations should not be allowed to shrink further: "The quality of the information provided by the news media determines to a large extent the quality of the national debate and resulting policies. Having many sources of good quality, in-depth, insightful, well-informed foreign reporting is essential to keeping the national debate vigorous and churning. This moral argument won't hold sway in many boardrooms, but the financial incentives to produce good quality foreign news should. Hopefully financial decision makers will have the foresight to realize they are drastically undervaluing foreign news coverage and have the wisdom to hang onto and invest in this valuable asset." 
The entire report is available at the Shorenstein Web site, http://www.ksg.harvard.edu/presspol/index.htm From rforno at infowarrior.org Wed Jan 24 09:45:41 2007 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 24 Jan 2007 09:45:41 -0500 Subject: [Infowarrior] - CDT's Congressional Agenda for the 110th Congress Message-ID: CDT's Congressional Agenda for the 110th Congress http://www.cdt.org/legislation/110th/2007agenda.php January 22, 2007 Executive Summary The 110th Congress faces a host of Internet policy decisions that will have a lasting impact on commerce, national security, and civil liberties. For more than a decade, the Center for Democracy & Technology (CDT) has sought to defend the free and open Internet by advocating policies that preserve privacy and free expression and remove obstacles to continued innovation. As lawmakers take up Internet-related issues, we offer the following recommendations. Contents: * The Policy Framework That Supported the Internet's Growth * Issue Area Recommendations o Free Expression o Consumer Privacy o Security & Freedom o Internet Neutrality o Digital Copyright o Digital Democracy * Conclusion and Contact Information < - > http://www.cdt.org/legislation/110th/2007agenda.php From rforno at infowarrior.org Wed Jan 24 14:27:08 2007 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 24 Jan 2007 14:27:08 -0500 Subject: [Infowarrior] - Wired editor awarded almost $67,000 in attorney fees Message-ID: (congrats Kevin!!! -rf) Editor awarded almost $67,000 in attorney fees http://www.rcfp.org/news/2007/0124-foi-editor.html Wired News editor Kevin Poulsen, who sued to obtain information about a crippling computer virus, should receive fees from U.S. Customs and Border Patrol, a judge has ruled. Jan. 24, 2007 -- 
A federal judge in San Francisco has ruled that a Wired News editor is entitled to almost $67,000 in attorney fees after successfully suing to obtain documents about problems with a $1.7 billion government computer system. U.S. District Judge Susan Illston wrote in her Tuesday order that senior editor Kevin Poulsen "substantially prevailed" -- the standard a requester must meet to receive reimbursement for the cost of legal fees -- in litigation regarding his Freedom of Information Act request. The U.S. Customs and Border Protection claimed that Poulsen should not receive legal fees because he did not prove there to be any benefit to the public from the documents the agency was forced to disclose. However, the judge noted that Poulsen has written two stories about a version of the worm virus and its damaging effects on computer systems using records obtained through his FOIA lawsuit. Poulsen originally sued the agency in April under FOIA, after its refusal to fulfill his request for documents that would explain the cause of a computer malfunction that occurred in the US-VISIT system. The $1.7 billion dollar program, which has recently been shut down, was in use for two years tracking foreign nationals' visits into the United States while comparing them to the list of suspected terrorists. Customs and Border Protection declined the request, claiming that if disclosed, the information in the documents could pose a threat to national security. After Poulsen filed suit, the agency released three heavily edited documents totaling five pages designating the Zotob computer virus as the reason for the system malfunction. Zotob, a computer virus originating from Morocco, first entered the network of Customs and Border Protection before infiltrating the Department of Homeland Security's US-VISIT system, according to Poulsen's article, "The Virus that Ate DHS," which appeared in Wired News. 
In court, Customs and Border Protection defended its editing of the released documents by concluding that disclosure of information could lead to problems with the overall security of the system. On these same grounds, the agency chose to withhold 12 other documents. After reviewing the documents, Illston ordered in September that four more of the documents be released and that some of the blacked out information from the original documents be revealed. (Poulsen v. U.S. Customs and Border Protection, Media Counsel: Lauren Gelman, Stanford Law School Center for Internet and Society, Stanford, Calif.) -- AG Other links: * Judge's order * Wired News comparison of redacted documents From rforno at infowarrior.org Wed Jan 24 14:38:50 2007 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 24 Jan 2007 14:38:50 -0500 Subject: [Infowarrior] - CIA Gets in Your Face(book) Message-ID: CIA Gets in Your Face(book) http://www.wired.com/news/technology/internet/0,72545-0.html By Chaddus Bruce 02:00 AM Jan, 24, 2007 If you're a Facebook member, a career as a government spook is only a click away. Since December 2006, the Central Intelligence Agency has been using Facebook.com, the popular social networking site, to recruit potential employees into its National Clandestine Service. It marks the first time the CIA has ventured into social networking to hire new personnel. The CIA's Facebook page (login required) provides an overview of what the NCS is looking for in a recruit, along with a 30-second promotional YouTube video aimed at potential college-aged applicants. U.S. citizens with a GPA above 3.0 can apply. "It's an invaluable tool when it comes to peer-to-peer marketing," says Michele Neff, a CIA spokeswoman. The NCS, one of the four directorates of the CIA, was established following 9/11 to gather intelligence from sources both domestic and abroad. 
In 2004, President Bush directed the CIA to increase the "human intelligence capabilities" of the agency and hire more officers that can "blend more easily in foreign cities." The search for better spies led the NCS to set up shop on Facebook, which is used primarily by college students. Every Facebook user has her or his own page, and users can choose to join Facebook "groups," which can be created by individuals or sponsored by companies as paid promotions. The NCS-sponsored Facebook group was launched on Dec. 19, 2006 and will stay active for two months. The group currently has over 2,100 members, up from around 200 one week after its debut. Scores of companies and organizations have set up shop on Facebook, using the site's interactive tools like chat, video and personal messaging to establish relationships with potential hires. However, compared to most recruitment pages, the CIA's page is remarkably light on interactive content. For example, Ernst & Young's Facebook group (login required) offers resume advice, interaction with current employees and videos of actual interns. But like the CIA group, the accounting agency's page operates mostly as a gateway to its corporate careers website. Like many corporations or nonprofit organizations, the CIA has long turned to colleges with diverse and intelligent student bodies when hiring. But its foray into social networks is a new strategy not yet adopted by other agencies. There are strict federal regulations that guide recruitment and hiring, which are tightly controlled by the Office of Personnel Management. The bureau audits the recruitment practices of five to six government agencies a year on a rotating basis, according to Kevin Mahoney, OPM's associate director for human capital leadership. Yet the CIA is an "exempted agency," meaning it has its own hiring authority and isn't audited by OPM. As a result, the CIA is less encumbered by bureaucratic recruitment procedures. Basically, it runs its own show. 
"We don't have to obtain permissions on any of the venues we have scheduled for print or web," says the CIA's Neff. According to Robert Danbeck, associate director for OPM's human resources products and services division, there is talk about using social networks to let people know about other government jobs. However, most of the focus remains on the one-stop government job site USAJOBS.gov, which currently has around 220,000 job vacancies. "Right now, we really don't know about (social networking). We haven't gotten our arms around it yet," Danbeck says. Government agencies may be forced to turn to social networks and other web-based means for recruitment in the future. Hundreds of thousands of government workers are set to retire in the coming years, and new talent can increasingly be found on websites like Facebook and LinkedIn. However, dealings between social networks and the government may raise the hackles of citizens concerned about their privacy online. "If (the CIA) knows about Facebook, and they have a page on Facebook, it would be surprising if they weren't using it in other ways," says Nicole Ozer, civil liberties and technology policy director for the American Civil Liberties Union of Northern California. Facebook's privacy policy states that outside companies sponsoring groups don't have access to personal information or profiles. However, it does say that information may be shared with "other companies, lawyers, agents or government agencies," in order to comply with the law. Besides the fact that it isn't technically a company, the CIA says it is only using Facebook as an advertisement for new recruits. "The (CIA Facebook) page is only for information purposes; people cannot leave messages or engage in commentary," says Neff. "There is no collection of names, bio information or resume collection from this site, nor do we engage members in any way." 
Neff's claim is reinforced by Facebook's director of marketing Melanie Deitch, who refers to the agency as an "advertiser." "The CIA has no direct access to any user's profile," Deitch says. "They adhere to the same rules as all of our advertisers. We do not publish or disseminate our users' information to any advertiser." Ozer says that there's no way we can be sure what the CIA is up to online. "It seems if they would go to the trouble to infiltrate peace groups that they are also online looking at information." From rforno at infowarrior.org Wed Jan 24 14:40:03 2007 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 24 Jan 2007 14:40:03 -0500 Subject: [Infowarrior] - 'There is no war on terror' Message-ID: 'There is no war on terror' http://politics.guardian.co.uk/terrorism/story/0,,1997247,00.html Outspoken DPP takes on Blair and Reid over fear-driven legal response to threat Clare Dyer, legal editor Wednesday January 24, 2007 The Guardian The director of public prosecutions, Sir Ken Macdonald, put himself at odds with the home secretary and Downing Street last night by denying that Britain is caught up in a "war on terror" and calling for a "culture of legislative restraint" in passing laws to deal with terrorism. Sir Ken warned of the pernicious risk that a "fear-driven and inappropriate" response to the threat could lead Britain to abandon respect for fair trials and the due process of law. He acknowledged that the country faced a different and more dangerous threat than in the days of IRA terrorism and that it had "all the disturbing elements of a death cult psychology". But he said: "It is critical that we understand that this new form of terrorism carries another more subtle, perhaps equally pernicious, risk. Because it might encourage a fear-driven and inappropriate response. By that I mean it can tempt us to abandon our values. I think it important to understand that this is one of its primary purposes." 
Sir Ken pointed to the rhetoric around the "war on terror" - which has been adopted by Tony Blair and ministers after being coined by George Bush - to illustrate the risks. He said: "London is not a battlefield. Those innocents who were murdered on July 7 2005 were not victims of war. And the men who killed them were not, as in their vanity they claimed on their ludicrous videos, 'soldiers'. They were deluded, narcissistic inadequates. They were criminals. They were fantasists. We need to be very clear about this. On the streets of London, there is no such thing as a 'war on terror', just as there can be no such thing as a 'war on drugs'. "The fight against terrorism on the streets of Britain is not a war. It is the prevention of crime, the enforcement of our laws and the winning of justice for those damaged by their infringement." Sir Ken, head of the Crown Prosecution Service, told members of the Criminal Bar Association it should be an article of faith that crimes of terrorism are dealt with by criminal justice and that a "culture of legislative restraint in the area of terrorist crime is central to the existence of an efficient and human rights compatible process". He said: "We wouldn't get far in promoting a civilising culture of respect for rights amongst and between citizens if we set about undermining fair trials in the simple pursuit of greater numbers of inevitably less safe convictions. On the contrary, it is obvious that the process of winning convictions ought to be in keeping with a consensual rule of law and not detached from it. Otherwise we sacrifice fundamental values critical to the maintenance of the rule of law - upon which everything else depends." 
His comments will be seen as a swipe against government legislation allowing the indefinite detention of suspected terrorists without trial, later held incompatible with human rights by the courts, and the replacement law that permits suspects to be placed under control orders instead of being brought to trial. Sir Ken referred to the government's opt-out from the European convention on human rights to pass the detention law - possible under the convention only if the "life of the nation" is threatened. "Everyone here will come to their own conclusion about whether, in the striking Strasbourg phrase, the very 'life of the nation' is presently endangered," he said. "And everyone here will equally understand the risk to our constitution if we decide that it is, when it is not." The criminal justice response to terrorism must be "proportionate and grounded in due process and the rule of law," he said. "We must protect ourselves from these atrocious crimes without abandoning our traditions of freedom." From rforno at infowarrior.org Wed Jan 24 19:18:11 2007 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 24 Jan 2007 19:18:11 -0500 Subject: [Infowarrior] - Bug brokers offering higher bounties Message-ID: Bug brokers offering higher bounties Robert Lemos, SecurityFocus 2007-01-23 http://www.securityfocus.com/print/news/11437 Adriel Desautels aims to be the go-to guy for researchers that want to sell information regarding serious security vulnerabilities. The co-founder of security group Secure Network Operations Software (SNOSoft), Desautels has claimed to have brokered a number of deals between researchers and private firms--as well as the odd government agency--for information on critical flaws in software. Last week, he bluntly told members of SecurityFocus's BugTraq mailing list and the Full-Disclosure mailing list that he could sell significant flaw research, in many cases, for more than $75,000. 
"I've seen these exploits sell for as much as $120,000," Desautels told SecurityFocus in an online interview. It's a statement that underscores the increasing acceptance of the sale of vulnerability information. Once a frowned-upon practice, the sale of such information is taking off. Flaw bounty programs such as TippingPoint's Zero-Day Initiative (ZDI) and iDefense's Vulnerability Contributor Program (VCP) have added legitimacy to the practice, even if they remain controversial. Software vendors have had to increasingly get used to dealing with third parties reporting security flaws that were bought from anonymous researchers. Microsoft, for example, patched at least 17 flaws reported by the two programs in 2006, up from 11 reported in 2005. Desautels, now the chief technology officer for boutique security firm Netragard, highlighted the trend by announcing a program on Wednesday whereby the security company would act as a broker to any researcher with a critical flaw to sell. The program could be a more lucrative option for freelance researchers aiming to sell information on software vulnerabilities. In many ways, the push by researchers for greater returns on their research efforts is part of the ebb and flow of the debate over the proper way to disclose information about software vulnerabilities. In 2000, a researcher known as Rain Forest Puppy released a basic framework, dubbed the RFPolicy, for disclosing vulnerabilities in a way that seemed fair to responsible software makers. In 2002, two security researchers further refined the guidelines and submitted them to the Internet Engineering Task Force (IETF), but the technical standards body decided that setting disclosure policy was outside of its jurisdiction. Over the past few years, software makers, and Microsoft in particular, have focused on holding researchers to the guidelines, calling such disclosure "responsible." It's been an uneasy truce, and one that has fractured in many places. 
In 2005, a researcher attempted to auction off information about a flaw in Microsoft Office. Other flaw finders have decided to just release details of vulnerabilities they have found as a punishment for, what they believe to be, irresponsible behavior on the part of the software vendor. In the last six months, for example, a number of researchers have collected advisories on potential security issues into month-long releases of daily bugs. The trend started with the Month of Browser Bugs in July and continues with the latest Month of Apple Bugs this month. Now, flaw finders fed up with software vendors are increasingly turning to third parties to buy their research. "One of the reasons why the hacking community is so frustrated with large corporations is because these corporations are making a killing off their research and they are not seeing fair value for their work," Desautels said in an online interview with SecurityFocus. Software makers typically do not pay for vulnerability information, with the notable exception of the Mozilla Foundation. The well-known public bounty programs typically pay thousands of dollars for original vulnerabilities, while lesser-known private deals can net a researcher tens of thousands of dollars, according to security experts. The amounts quoted by Desautels are not excessive, according to experts interviewed by SecurityFocus. In September, for example, a private buyer approached noted security researcher HD Moore and offered between $60,000 and $120,000 for each client side vulnerability found in Internet Explorer, the founder of the Metasploit Project said. Moore declined to pursue the offer, but said that such prices are typical of high-level private purchases, while information on serious flaws in generic enterprise-level applications can be sold to safe buyers--such as 3Com's ZDI program and VeriSign's VCP program--for between $5,000 and $10,000. 
"The ZDI and (VCP) programs are definitely the easier way to sell a vulnerability, but at the 5x or 10x multipliers you see from a private buyer, it's usually worth the effort," Moore told SecurityFocus in an e-mail interview. Ethics continues to be a central question in the sales. Paying $75,000 for vulnerability research likely means that the buyer is a government agency, and not a private company, said Terri Forslof, manager of security response for 3Com's TippingPoint. And that raises a number of questions that should concern any ethical researcher, such as which government and whether the software vendor is notified of the vulnerability. "When you are paying $75,000 for a vulnerability, that tells me that you are not reporting it to a vendor," Forslof said. Because vulnerability information has a very short lifespan, recouping tens of thousands of dollars spent on buying a security flaw is difficult. However, by not telling the software vendor, it's likely that the value of the information can be preserved longer. That fact leads to a trade off between ethics and profit for most researchers. Under the accepted responsible disclosure timeline, the flaw finder could notify the software vendor, pressure it to fix the flaw, wait months for a patch to come out and, perhaps, get acknowledged in the advisory. On the other hand, the researcher could sell the information for a significant price and not ask questions about the buyer. "The buyer with the highest price often wins, but ethics do come into play when the business of the buyer can't be verified," Metasploit's HD Moore said in an e-mail interview. Currently, the gray market does not seem to necessarily compete with government buyers. Rewards can be higher on the gray market compared to 3Com's and VeriSign's programs, with typical offers for client-side vulnerabilities ranging from $5,000 to $50,000, he said. However, government purchasers will generally bid higher. 
Raimund Genes, chief technology officer for antivirus firm Trend Micro, has also seen offers for zero-day flaws between $5,000 and $20,000 in the gray market. More often, however, buyers attempt to trade credit-card numbers or goods, he said. A notable exception occurred last month, when a researcher attempted to sell an alleged vulnerability in Microsoft's Windows Vista operating system for $50,000, according to Genes. That could be a sign that criminal enterprises are willing to compete for vulnerabilities. "Definitely, the guy who was offering to sell (the flaw) thought it might be possible," Genes said. "It might not be out of range." Fraudsters and spammers could turn a significant vulnerability into a widespread collection of compromised PCs--a bot net. Spammers have netted significant profits from stock-touting campaigns, while fraudsters have used bot nets to launch denial-of-service attacks as part of an extortion campaign or harvest valuable data from the systems. Companies, on the other hand, have to justify the expense of buying vulnerabilities through enhanced services or penetration tests bolstered by sure-fire 0-day exploits. For 3Com's TippingPoint, the Zero Day Initiative (ZDI) gives its researchers a leg up on attackers and competitors, because having the flaw information means more time to create and test the filters for exploits using the vulnerability. The company also gets publicity and a selling point for its services. Still, it's not always an easy sell, 3Com's Forslof said. "We continually have to justify where we recoup the cost," she said. "Mainly, we consider that we recoup it in research--look how much you would have to pay a top-notch researcher." Some smaller firms have hit on ways to better profit from vulnerability information. 
While 3Com's and VeriSign's well-known vulnerability purchasing programs have legitimized the trade in security research, smaller boutique firms that cater to penetration testers or that have high-value vulnerability disclosure lists could become significant competitors. Buenos Aires-based Argeniss Information Security, for example, pays only for a small number of critical vulnerabilities. The company adds the information to its Ultimate 0day Exploits Pack, an add-on set of attacks for the popular penetration testing tool, CANVAS. A 0-day exploit in Microsoft's Internet Explorer or Outlook can bring in a dozen new customers in a day, Cesar Cerrudo, founder and CEO of Argeniss, told SecurityFocus in an e-mail interview. "For sure, we will pay more than iDefense," Cerrudo said. "Anyone will pay more than iDefense." The nascent marketplace for vulnerabilities could suffer a shakeup if companies such as Argeniss and Netragard keep up the price pressures. In 2002, security firm iDefense--now part of Internet giant VeriSign--kicked off its Vulnerability Contributor Program (VCP), offering thousands of dollars for security vulnerabilities. While the program grew quickly, unveiling 150 vulnerabilities in 2005 including 11 flaws in Microsoft software, the number of vulnerabilities outed by the program declined in 2006. The company only published 81 advisories in 2006 for flaws found by VCP researchers, only four of which were in Microsoft software (corrected). Earlier this month, the company offered $8,000 for the first six Windows Vista or Internet Explorer 7 vulnerabilities exclusively sold to its program. The Zero-Day Initiative started at TippingPoint, now a division of networking giant 3Com, had strong growth in 2006. The program, started in July 2005, only released advisories for 3 flaws that year, but published information on 54 vulnerabilities--including 13 in Microsoft software--in 2006. 
The company does not publish the prices it pays for vulnerability information, but aims to compete directly against iDefense. "To date, we have not lost out to iDefense on any offer," said Forslof. "We have people that have shopped around and they have always gone with us in the end." iDefense did not make a spokesperson available for comment on its Vulnerability Contributor Program. However, a former iDefense manager believes that the industry still has room for more competitors. "The vulnerability industry, in general, is still an immature industry," said Michael Sutton, the former director of iDefense Labs and current security evangelist for SPI Dynamics. "I think there is enough volume for at least a half dozen different players." If the efforts of Microsoft and other major software vendors reduce the number of critical flaws, security researchers stand to gain from competition between buyers, Sutton said. Relying on selling vulnerability information could pay the rent, he said. "You would be hard pressed to find someone who relies solely on the income from vulnerability research," Sutton said. "But the prices are getting high enough that, depending on where you lived and how good of a researcher you were, you could make a living." CORRECTION: The article undercounted the number of Microsoft issues found by researchers participating in VeriSign's Vulnerability Contributor Program (VCP) in 2006. The program's contributors found four issues in Microsoft software. From rforno at infowarrior.org Wed Jan 24 21:53:14 2007 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 24 Jan 2007 21:53:14 -0500 Subject: [Infowarrior] - Diebold Shows How to Make Your Own Voting Machine Key In-Reply-To: <20070125013832.GA9828@gsp.org> Message-ID: (c/o RSK) Diebold Shows How to Make Your Own Voting Machine Key http://www.freedom-to-tinker.com/?p=1113 Excerpt: According to published reports, nearly all the machines deployed around the country use the exact same key. 
Up to this point we've been careful not to say precisely which key or show the particular pattern of the cuts. The shape of a key is like a password --- it only provides security if you keep it secret from the bad guys. We've tried to keep the shape secret so as not to make an attacker's job even marginally easier, and you would expect a security-conscious vendor to do the same. Not Diebold. From rforno at infowarrior.org Wed Jan 24 22:18:56 2007 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 24 Jan 2007 22:18:56 -0500 Subject: [Infowarrior] - FW: AACS Decryption Code Released In-Reply-To: Message-ID: (c/o MS) AACS Decryption Code Released Monday January 8, 2007 by Ed Felten Decryption software for AACS, the scheme used to encrypt content on both next-gen DVD systems (HD-DVD and Blu-ray), was released recently by an anonymous programmer called Muslix. His software, called BackupHDDVD, is now available online. As shipped, it can decrypt HD-DVDs (according to its author), but it could easily be adapted to decrypt Blu-ray discs. Commentary has been all over the map, with some calling this a non-event and others seeing the death of AACS. Alex Halderman and I have been thinking about this question, and we believe the right view is that the software isn't a big deal by itself, but it is the first step in the meltdown of AACS. We'll explain why in a series of blog posts over the next several days. Today I'll explain how the existing technology works: how AACS encrypts the content on a disc, and what the BackupHDDVD software does. ... 
http://www.freedom-to-tinker.com/?p=1104 AACS: Extracting and Using Keys http://www.freedom-to-tinker.com/?p=1106 AACS: Blacklisting, Oracles, and Traitor Tracing http://www.freedom-to-tinker.com/?p=1107 AACS: Game Theory of Blacklisting http://www.freedom-to-tinker.com/?p=1108 AACS: Title Keys Start Leaking http://www.freedom-to-tinker.com/?p=1109 AACS: Sequence Keys and Tracing http://www.freedom-to-tinker.com/?p=1110 AACS: Modeling the Battle http://www.freedom-to-tinker.com/?p=1111 ------ End of Forwarded Message From rforno at infowarrior.org Wed Jan 24 23:07:10 2007 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 24 Jan 2007 23:07:10 -0500 Subject: [Infowarrior] - CNET Reviews MS Vista Message-ID: The good: Windows Vista Ultimate does improve some features within Windows XP; fewer system crashes than Windows XP; Windows Vista offers better built-in support options. The bad: Windows Vista Ultimate does not put search on the desktop (it's buried within applications, within the Start Menu); optimized only for the Microsoft Windows ecosystem (for example, RSS feeds from Internet Explorer 7 get preferential treatment); there's simply too much and not all of it is implemented properly; no new software yet written exclusively for Windows Vista; and there are too many editions of Windows Vista. Bottom Line: Windows Vista is essentially warmed-over Windows XP. If you're currently happy with Windows XP SP2, we see no compelling reason to upgrade. 
On the other hand, if you need a new computer right now, Windows Vista is stable enough < - > http://reviews.cnet.com/Windows_Vista_Ultimate/4505-3672_7-32013603.html#more From rforno at infowarrior.org Wed Jan 24 23:15:37 2007 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 24 Jan 2007 23:15:37 -0500 Subject: [Infowarrior] - Privacy Board Won't Share Documents Message-ID: Privacy Board Won't Share Documents http://blog.wired.com/27bstroke6/2007/01/privacy_board_w.html The White House Privacy and Civil Liberties Board responded to Wired News's request for documents about its briefings on the board's knowledge of the government's warrantless wiretapping of Americans and is refusing to release any records -- except already publicly available testimony by activists and professors -- since doing so would "not be in the public interest" and would "inhibit the frank and candid exchange of views that are necessary for effective government decision making," according to a letter received Tuesday. Congress, which created the board in 2004 in response to 9/11 Commission recommendations, specifically required the board to be subject to government sunshine requests. The board is charged with providing advice to the Administration, making sure that antiterrorism programs respect privacy and civil liberties and reporting to Congress. Carol Dinkins -- a partner at the law firm where Attorney General Alberto Gonzales used to work -- chairs the board. The Freedom of Information Act request asked for all records concerning the so-called Terrorist Surveillance Program in which the National Security Agency has been listening in on Americans' international communications without getting approval from a special court designed to handle warrants for national security wiretaps inside the country. 
The board was briefed on the program in November after a lengthy period of getting clearance, but in its first public meeting in December, board members said they would not share even the most basic details with the public. The board identified 72 documents responsive to Wired News's request, but withheld 69 of them in their entirety. The three documents that were released comprised the written testimony of three participants at December's meeting, where the board invited the press but banned them from asking questions. The documents are the testimony of the ACLU's Caroline Fredrickson, the American Conservative Union's David Keene and Georgetown University Professor Anthony Arend. These were handed out to reporters at the meeting. A transcript of the meeting can be found here (.pdf). Additionally, Wired News's request for records about additional surveillance programs ("any other related or similar programs that target, without warrants, Americans' communications, communication records or transactional records") was declined because it "does not provide staff with any meaningfully specific information regarding what records you would like to obtain." Wired News has 30 days to appeal. An OCRed version of the letter is here (.pdf). From rforno at infowarrior.org Thu Jan 25 09:31:46 2007 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 25 Jan 2007 09:31:46 -0500 Subject: [Infowarrior] - Heirs sue over will-making software Message-ID: Police blotter: Heirs sue over will-making software By Declan McCullagh http://news.com.com/Police+blotter+Heirs+sue+over+will-making+software/2100- 1030_3-6152761.html Story last modified Wed Jan 24 08:33:53 PST 2007 "Police blotter" is a weekly News.com report on the intersection of technology and the law. What: Insurance agent sued for "unauthorized practice of law" after he uses Quicken software to help a 91-year-old woman create a will. When: Supreme Court of South Carolina rules on January 22. 
Outcome: Use of computer software ruled to be "unauthorized practice of law." What happened, according to court documents: Ernest Chavis is a South Carolina insurance agent who previously had some business dealings with a 91-year-old woman named Annie Belle Weiss. On July 20, 2004, Chavis visited her and, at some point in the conversation, Weiss asked him "Can you help me make a will?" Weiss said she was asking because she wanted "someone objective" and told Chavis how she wanted her property divided up. Chavis used Quicken software--apparently Quicken WillMaker or Quicken Family Lawyer--to fill in the blanks and then brought the completed will to her in the hospital. Weiss signed it on July 31, 2004, and died two months later. What makes this case relevant to "Police blotter" is the question of whether Chavis was engaging in the unauthorized practice of law by typing information into the Quicken program. Beth Franklin and Julianne Franklin, Weiss' grandnieces, filed a lawsuit contesting her will and claiming Chavis engaged in the unauthorized practice of law. Chavis was named as Weiss' personal representative, but not as a beneficiary. (He would be, however, entitled to up to 5 percent of the estate's value under state law because of his duties as personal representative.) Unauthorized practice of law is a remarkably vague concept that has led even some lawyers to refer to state bar associations as "cartels" that act to restrict competition and boost their own incomes. One scholarly paper, for instance, estimates that professional licensing inflates attorneys' starting salaries by at least $10,000 and cost consumers more than $3 billion annually in extra fees. The Texas Bar Association has targeted Nolo, a California publisher that sells self-help books like 8 Ways to Avoid Probate, and has tried to ban the sale of Quicken Family Lawyer. 
Paralegals offering basic services on their own--even after they had done the identical work at a law firm--have been sued out of business. To bar associations, unauthorized practice of law is a deadly serious business. As far back as 1941, a Pennsylvania court ruled that "furnishing advice" about the practical issues that wills and insurance policies raise "constitutes the practice of the law." In this case, too, the Supreme Court of South Carolina took an expansive view of unauthorized-practice-of-law violations. Instead of acting as a mere "scrivener" or stenographer, the court said that Chavis did the work away from the hospital outside of Weiss's presence and was guilty of an unauthorized-practice-of-law violation. The court did not order that Chavis be removed as personal representative, but did order that he should not receive the customary fee for his work (because, again, it allegedly derived from his unauthorized-practice-of-law offense). The judges did refuse to throw out the will in response to the grandnieces' requests, concluding "if the July 31 will was in fact drafted pursuant to Ms. Weiss's true wishes, it should not be invalidated simply because it was drafted by a non-lawyer." Excerpts from the Supreme Court of South Carolina's opinion: The preparation of legal documents constitutes the practice of law when such preparation involves the giving of advice, consultation, explanation, or recommendations on matters of law. Even the preparation of standard forms that require no creative drafting may constitute the practice of law if one acts as more than a mere scrivener. The purpose of prohibiting the unauthorized practice of law is to protect the public from incompetence in the preparation of legal documents and prevent harm resulting from inaccurate legal advice. 
("The amateur at law is as dangerous to the community as an amateur surgeon....") The novel question here is whether respondent's actions in filling in the blanks in a computer-generated generic will constitute the practice of law. Respondent selected the will form, filled in the information given by Ms. Weiss, and arranged the execution of the will at the hospital. Although these facts are not in themselves conclusive, the omission of facts indicating Ms. Weiss's involvement is significant. There is no evidence Ms. Weiss reviewed the will once it was typed. The will was not typed in her presence and although respondent relates the details of what Ms. Weiss told him to do, there is no indication he contemporaneously recorded her instructions and then simply transferred the information to the form. We construe the role of "scrivener" in this context to mean someone who does nothing more than record verbatim what the decedent says. We conclude respondent's actions in drafting Ms. Weiss's will exceeded those of a mere scrivener and he engaged in the unauthorized practice of law... Copyright © 1995-2007 CNET Networks, Inc. All rights reserved. From rforno at infowarrior.org Thu Jan 25 09:33:09 2007 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 25 Jan 2007 09:33:09 -0500 Subject: [Infowarrior] - PR's 'pit bull' takes on open access to scholarly work Message-ID: PR's 'pit bull' takes on open access Journal publishers lock horns with free-information movement. Jim Giles http://www.nature.com/news/2007/070122/full/445347a.html The author of Nail 'Em! Confronting High-Profile Attacks on Celebrities and Businesses is not the kind of figure normally associated with the relatively sedate world of scientific publishing. Besides writing the odd novel, Eric Dezenhall has made a name for himself helping companies and celebrities protect their reputations, working for example with Jeffrey Skilling, the former Enron chief now serving a 24-year jail term for fraud. 
Although Dezenhall declines to comment on Skilling and his other clients, his firm, Dezenhall Resources, was also reported by Business Week to have used money from oil giant ExxonMobil to criticize the environmental group Greenpeace. "He's the pit bull of public relations," says Kevin McCauley, an editor at the magazine O'Dwyer's PR Report. Now, Nature has learned, a group of big scientific publishers has hired the pit bull to take on the free-information movement, which campaigns for scientific results to be made freely available. Some traditional journals, which depend on subscription charges, say that open-access journals and public databases of scientific papers such as the National Institutes of Health's (NIH's) PubMed Central, threaten their livelihoods. From e-mails passed to Nature, it seems Dezenhall spoke to employees from Elsevier, Wiley and the American Chemical Society at a meeting arranged last July by the Association of American Publishers (AAP). A follow-up message in which Dezenhall suggests a strategy for the publishers provides some insight into the approach they are considering taking. The consultant advised them to focus on simple messages, such as "Public access equals government censorship". He hinted that the publishers should attempt to equate traditional publishing models with peer review, and "paint a picture of what the world would look like without peer-reviewed articles". Dezenhall also recommended joining forces with groups that may be ideologically opposed to government-mandated projects such as PubMed Central, including organizations that have angered scientists. One suggestion was the Competitive Enterprise Institute, a conservative think-tank based in Washington DC, which has used oil-industry money to promote sceptical views on climate change. Dezenhall estimated his fee for the campaign at $300,000-500,000. 
In an enthusiastic e-mail sent to colleagues after the meeting, Susan Spilka, Wiley's director of corporate communications, said Dezenhall explained that publishers had acted too defensively on the free-information issue and worried too much about making precise statements. Dezenhall noted that if the other side is on the defensive, it doesn't matter if they can discredit your statements, she added: "Media messaging is not the same as intellectual debate". Officials at the AAP would not comment to Nature on the details of their work with Dezenhall, or the money involved, but acknowledged that they had met him and subsequently contracted his firm to work on the issue. "We're like any firm under siege," says Barbara Meredith, a vice-president at the organization. "It's common to hire a PR firm when you're under siege." She says the AAP needs to counter messages from groups such as the Public Library of Science (PLoS), an open-access publisher and prominent advocate of free access to information. PLoS's publicity budget stretches to television advertisements produced by North Woods Advertising of Minneapolis, a firm best known for its role in the unexpected election of former professional wrestler Jesse Ventura to the governorship of Minnesota. The publishers' link with Dezenhall reflects how seriously they are taking recent developments on access to information. Minutes of a 2006 AAP meeting sent to Nature show that particular attention is being paid to PubMed Central. Since 2005, the NIH has asked all researchers that it funds to send copies of accepted papers to the archive, but only a small percentage actually do. Congress is expected to consider a bill later this year that would make submission compulsory. 
Brian Crawford, a senior vice-president at the American Chemical Society and a member of the AAP executive chair, says that Dezenhall's suggestions have been refined and that the publishers have not to his knowledge sought to work with the Competitive Enterprise Institute. On the censorship message, he adds: "When any government or funding agency houses and disseminates for public consumption only the work it itself funds, that constitutes a form of selection and self-promotion of that entity's interests."

* In the original version of this story, Susan Spilka was reported as emailing a note that said "Media massaging is not the same as intellectual debate." It should have read "Media messaging", and has been changed accordingly.

From rforno at infowarrior.org Thu Jan 25 09:38:19 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 25 Jan 2007 09:38:19 -0500
Subject: [Infowarrior] - Restoring America's Travel Brand, A National Strategy to Compete for International Visitors
Message-ID:

TI News: An information service from Office of Travel & Tourism Industries (OTTI)
http://tinet.ita.doc.gov/tinews/archive/tinews2007/20070112.html
January 12, 2007

Request for Information: Restoring America's Travel Brand, A National Strategy to Compete for International Visitors

In support of competitive goals established by the President of the United States, and in response to the white paper entitled Restoring America's Brand, A National Strategy to Compete for International Visitors, that was recently submitted to the Secretary of Commerce by the U.S. Travel and Tourism Advisory Board (TTAB), the U.S. Department of Commerce (DOC), International Trade Administration (ITA), Office of Travel & Tourism Industries (OTTI), is issuing this Request for Information (RFI) for assistance by interested government agencies, organizations, and industry businesses.
The information requested may include:

* An assessment of, or comment on, the white paper presented by the Travel and Tourism Advisory Board, which can be found at: http://tinet.ita.doc.gov/TTAB/docs/2006_FINALTTAB_National_Tourism_Strategy.pdf.
* Respondents are highly encouraged to provide specific comments on the recommendations that are covered in the white paper, organized by the sections:
  o making it easier for people to visit by balancing hospitality with security,
  o asking people to visit the United States through a nationally coordinated marketing program, and
  o demonstrating the value of travel and tourism to the nation's economy.
* In addition, respondents are encouraged to provide comments/observations related to other areas of concern or issues that are not addressed in the white paper, such as:
  o sustainable tourism development,
  o medical tourism,
  o cultural heritage tourism development,
  o technical training/tours for business-to-business development,
  o education exchanges or attendance,
  o public-private partnerships, or
  o infrastructure challenges, to name a few.

Comments will serve in the development of policies and programs to be implemented by the federal government concerning the tourism sector. The Government encourages both rigorous and creative solutions in response to this RFI.

From rforno at infowarrior.org Thu Jan 25 09:40:33 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 25 Jan 2007 09:40:33 -0500
Subject: [Infowarrior] - Two new bills oppose federal ID law as privacy threat
Message-ID:

Two new bills oppose federal ID law as privacy threat
http://www.billingsgazette.net/articles/2007/01/25/news/state/60-oppose.txt
By The Associated Press

HELENA - Lawmakers want Montana to be the first state in the country to say no to federally approved ID cards. Rep. Brady Wiseman, D-Bozeman, and Rep.
Diane Rice, R-Harrison, presented nearly identical bills to the House Judiciary Committee Wednesday that would reject the federal Real ID Act of 2005. Both said the act was an attempt by the federal government to usurp power from individual state governments and threatened an individual's right to privacy. State legislatures in Georgia, Massachusetts and Washington have similar bills pending, and more states are likely to follow suit, according to Matt Sundeen of the National Council of State Legislatures. An effort to pass a similar law in New Hampshire failed during its last legislative hearing. "Our purpose here, members of the committee, is to lead, is to lead other state legislatures and other governors in a similar effort," Wiseman said. Gov. Brian Schweitzer signaled he would support both bills. "I'd like to say thanks to the last congress, but no thanks," said the governor's policy adviser, Hal Harper. "No thanks, please." The Real ID Act grew out of a recommendation by the 9/11 Commission to incorporate common security features into state driver's licenses to prevent tampering or counterfeiting. States will also be responsible for verifying the legitimacy of documents used to obtain a license, such as a birth certificate or green card. Without such federally approved licenses, people would not be allowed to board an airplane or enter a federal building. States would also be responsible for funding the changes, which Wiseman said would cost Montana about $2.6 million. A wide-ranging group of proponents spoke in favor of both bills and against the Real ID Act, which some said was akin to a national ID card that would track a cardholder's every move. "People concerned about federal databases may never use libraries again," said Lois Fitzpatrick of the Montana Library Association. "The Real ID Act threatens to erode our fundamental right to privacy," said Cathy Day of the American Civil Liberties Union of Montana.
"I will destroy every piece of ID I have. I will be hunted, I will move into the mountains and let them come for me," said David Anderson, vice chairman of the Constitution Party of Yellowstone County. Some proponents were particularly disgruntled with Montana's lone congressman, Rep. Denny Rehberg, R-Mont., who voted in favor of the Real ID Act. But Rehberg's spokesman, Bridger Pierce, said the law was misunderstood and did not infringe on personal liberties. The difference between the bills is that Wiseman's "opposes" implementing the Real ID Act, while Rice's "nullifies" the act. In an interview after the hearing, Rice said both bills were needed to ensure bipartisan support. She would have no problem, she said, if Wiseman's bill passed and not hers. The committee took no further action on either bill.

Copyright © 2007 Associated Press. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed

From rforno at infowarrior.org Thu Jan 25 09:41:41 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 25 Jan 2007 09:41:41 -0500
Subject: [Infowarrior] - Fox's Piracy Czar Subpoenas YouTube
Message-ID:

Fox's Piracy Czar Subpoenas YouTube over Pirated "24" and "Simpsons" Episodes
http://googlewatch.eweek.com/content/youtube/foxs_piracy_czar_subpoenas_youtube_over_pirated_24_and_simpsons_episodes.html

D'oh! Twentieth Century Fox has subpoenaed YouTube to reveal the identity of users who uploaded four episodes of the TV series "24" and twelve episodes of "The Simpsons," Google Watch has learned. The subpoena reads, in part: On or about January 8, 2007, Fox became aware that a subscriber ("the Subscriber") of YouTube Inc.s' Internet-based service uploaded pirated copies of the works onto YouTube, making it available for illegal viewing over the Internet to anyone who wishes to watch it. Fox has not authorized this distribution or display of the works. The subpoena requests YouTube, Inc.
to disclose information sufficient to identify the Subscriber so that Fox can stop this infringing activity. YouTube declined to comment. A phone call to Fox's legal representation was not returned. The subpoena includes the testimony of Jane Sunderland, vice president of content protection and anti-piracy for the Fox Entertainment Group. Sunderland's portion of the subpoena, which is her personal testimony that the infringing activity is occurring, says that Fox has been unable to determine on their own who has been uploading the Works. The uploaded Works are also causing Fox irreparable harm (standard legal language). Sunderland also testifies that Fox sent an official letter to YouTube on January 8. Although I haven't been in touch with News Corp yet, I assume YouTube didn't remove the videos promptly enough, hence the official subpoena. A quick search on YouTube only revealed trailers for "24," although given how poorly the site's search function works some videos may yet exist. There are several Simpsons excerpts available, though I didn't see any full episodes.

From rforno at infowarrior.org Thu Jan 25 09:47:25 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 25 Jan 2007 09:47:25 -0500
Subject: [Infowarrior] - NY Police Won't Use $140 Million Radio System
Message-ID:

Police Won't Use $140 Million Radio System
By WILLIAM NEUMAN
http://www.nytimes.com/2007/01/25/nyregion/25radio.html?ei=5094&en=e10479282c456281&hp=&ex=1169787600&partner=homepage&pagewanted=print

For more than 10 years, the Metropolitan Transportation Authority has been working to correct a major hindrance to police work in the subway system: a radio network that keeps transit officers underground from talking with officers patrolling the streets above.
The goal was simple but potentially revolutionary: replace an antiquated radio system with a network that would make it possible, for instance, for an officer chasing a suspect down a subway stairway to radio ahead to other officers. Last October, after spending $140 million, the authority completed the installation of the system citywide. But it has not been turned on. That is because the Police Department refuses to use it, saying the new system is hobbled by widespread interference that garbles communication and creates areas where radios cannot receive properly. "What you get is distorted audio," said Joseph Yurman, a communications engineer for New York City Transit. "You can hear it, but it sounds as if you're talking through a glass of water." Fixing the problem may require replacing new equipment with more advanced components at a cost of up to $20 million more. If all goes well and disputes over which agency will pay for the changes can be resolved, the police say the full system could be turned on next year, some four years behind schedule. The decades-old radio disconnect between surface and subterranean police officers is another example of the kind of communications problems that have faced public safety agencies in New York City, most famously and tragically evident on 9/11. The communication problems that day included the inability of endangered firefighters to hear police radio broadcasts warning that the north tower was about to collapse. This time, the goal is to allow members of the same agency to communicate with each other, whether dealing with a street crime gone underground or something far more catastrophic, like an accident or terrorist attack in the subway. Fixing the interference is not the only problem. The authority's new system uses a network of underground antenna cable that was already in place in the tunnels. But the authority has discovered that 72 miles of cable - one-fifth of the system -
was so old and deteriorated it could not adequately carry the signal. The authority plans to replace the cable over the next several years at an additional cost of $36 million. When all of the fixes are made, the project will eventually have cost about $210 million, far more than its original budget of $115 million. In the meantime, transit police continue to use their old radios. "We have no communication with the outside," said one veteran transit police officer who spoke on condition of anonymity. "Something can be happening to the street cops right upstairs and we don't even know." He said fleeing suspects knew they could take advantage of the communication gap by ducking into the subway. "This is no secret," he said. "The criminals know how it works." Police officers patrolling the subways have long used a VHF radio system that is separate from the UHF system used by officers working aboveground. The two systems date back to the days when the transit police existed as a separate force run by the Metropolitan Transportation Authority. In 1995, that force merged with the city department, and the authority agreed to build a system that would carry regular city police radio signals underground. The subway is a technically difficult environment for radio operations, and officials with both agencies said they could not have anticipated the severity of the problems. That applies in particular to the interference, which occurs when signals aboveground and below it mix as they pass through station entrances and gratings in the street, producing a buzz on radios that can range from a slight annoyance to a transmission killer. Michael Hunter, president of RCC Consultants, which worked on the design in its early stages, said radio networks in other subway systems also had to cope with interference, but perhaps not to the same degree. "In New York it's a very tough problem because of the number of portals that go into the subways and the number of vents and so on," Mr.
Hunter said. "Some of the newer subways don't have this problem." In December 1999, after years of design work, the transportation authority chose two firms, E.A. Technologies and Petrocelli Electric, to build the system. Engineering reports submitted to the authority's board say the project was expected to be completed by June 2004. Those reports also show that concerns about interference emerged as early as 2001. Nonetheless, in late 2001, the authority directed manufacturers to begin producing the amplifiers. Even as the equipment was being produced, however, the authority's engineers were searching for ways to modify the system to reduce the interference. As part of that effort, they began looking at digital components that were only then being developed and had not been available when the system was designed. In mid-2004, the Police Department informed the transportation authority that it would not use the radio system unless the interference was eliminated, but a year later, officials at the authority made a concerted push to get the department to see things their way. According to project records maintained by the authority, top officials met in September 2005 with their police counterparts to urge them to begin using the radio system as is, with adjustments to come later to fix the interference. "Based on several discussions," the records say, "we got indication that N.Y.P.D. will not accept the system without us addressing the T.D.I. issue," a reference to time domain interference, the technical term for the problem. Talks continued throughout the fall and winter, according to the records, but the Police Department refused to budge. The authority forged ahead with construction and by the middle of last year the installation was largely finished. In October, the authority formally declared the contract with E.A. Technologies and Petrocelli complete - only there was no one to hand the long-awaited system off to.
"I don't think anybody anticipated the extent of the interference," said Inspector Charles F. Dowd, commander of the police communications division. "As soon as we started testing, it became apparent there was a serious problem." While agreeing that the interference needed to be corrected, transit officials said the radio system could be put into use while a solution was developed. Parts of the system in Manhattan have been ready since 2004, when they were briefly activated (although apparently never used) as a backup network during the Republican National Convention, they said. "What's in place today is functional," Mark Bienstock, a New York City Transit program manager, said in an interview. In a later e-mail message, Mr. Bienstock declined to say how widespread the interference is. "In general," he wrote, interference "is expected at every entrance to the subway at street level. Its significance or severity is subjective." That difference in perception has fueled a dispute in recent months over who will pay for a fix. The Police Department insists that under the 1995 agreement that merged the police forces, the authority agreed to cover all the costs involved in building the radio system. Officials at the authority, on the other hand, say they have fulfilled their financial obligations, and they want the police to pay half the $20 million repair cost. Privately, officials at the authority accuse the police of stalling to force the authority to pay the full cost. After the police formally accept the system, they will be expected to share the expense of maintaining or upgrading it with the authority. "The issue is simply one of functionality," Inspector Dowd said. "If the system isn't working in an area, the cops can't use it." Elliot G. Sander, who took over this month as executive director and chief executive of the transportation authority, said he spoke to Police Commissioner Raymond W.
Kelly about the radio system on Tuesday and planned to meet with him to resolve the financing issue. While the police were intended as the radio system's primary user, it was also designed to be used by the Fire Department, but on a different frequency. They won't be able to talk with the police. Mr. Yurman said the Fire Department radios were configured differently and have already used the system. Francis X. Gribbon, a Fire Department spokesman, said the department has been testing the system extensively and has concerns about some areas of tunnels and stations where signals do not reach. Fire officials had previously asked the authority to make changes to the way the system works in the underwater tunnels, and they agreed to split the cost of those changes, which is estimated at $14 million.

From rforno at infowarrior.org Thu Jan 25 10:39:08 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 25 Jan 2007 10:39:08 -0500
Subject: [Infowarrior] - Seclists.Org shut down by Myspace and GoDaddy
In-Reply-To:
Message-ID:

(c/o J)

http://seclists.org/nmap-hackers/2007/0000.html

Seclists.Org shut down by Myspace and GoDaddy
From: Fyodor
Date: Thu, 25 Jan 2007 01:47:47 -0800

Hi everyone, Many of you reported that our SecLists.Org security mailing list archive was down most of yesterday (Wed), and all you really need to know is that we're back up and running! But I'm going into rant mode anyway in case you care for the details. I woke up yesterday morning to find a voice message from my domain registrar (GoDaddy) saying they were suspending the domain SecLists.org. One minute later I received an email saying that SecLists.org has "been suspended for violation of the GoDaddy.com Abuse Policy". And also "if the domain name(s) listed above are private, your Domains By Proxy(R) account has also been suspended." WTF??!
Neither the email nor voicemail gave a phone number to reach them at, nor did they feel it was worth the effort to explain what the supposed violation was. They changed my domain nameserver to "NS1.SUSPENDED-FOR.SPAM-AND-ABUSE.COM". Cute, eh? I called GoDaddy several times, and all three support people I spoke with (Craig, Ricky, then Wael) said that the abuse department doesn't take calls. They said I had to email abuse_at_godaddy.com (which I had already done 3 times) and that I could then expect a response "within 1 or two business days". Given that tens of thousands of people use SecLists.Org every day, I didn't take that well. When they realized I was going to just keep calling until they did something, they finally persuaded the abuse department to explain why they cut me off: Myspace.Com asked them to. Apparently Myspace is still reeling from all the news reports more than a week ago about a list of 56,000 myspace usernames+passwords making the rounds. It was all over the news, and reminded people of a completely different list of 34,000 MySpace passwords which was floating around last year. MySpace users fall for a LOT of phishing scams. They are basically the new AOL. Anyway, everyone has this latest password list now, and it was even posted (several times) to the thousands of members of the fulldisclosure mailing list more than a week ago. So it was archived by all the sites which archive full-disclosure, including SecLists.Org. Instead of simply writing me (or abuse_at_seclists.org) asking to have the password list removed, MySpace decided to contact (only) GoDaddy and try to have the whole site of 250,000 pages removed because they don't like one of them. And GoDaddy cowardly and lazily decided to simply shut down the site rather than actually investigating or giving me a chance to contest or comply with the complaint. Needless to say, I'm in the market for a new registrar. One who doesn't immediately bend over for any large corporation who asks.
One who considers it their job just to refer people to the SecLists.Org nameserver at 205.217.153.50, not to police the content of the services hosted at the domains. The GoDaddy ToS forbids hosting what they call "morally objectionable activities". It is way too late for MySpace to put the cat back in the bag anyway. The bad guys already have the file, and anyone else who wants it need only Google for "myspace1.txt.bz2" or "duckqueen1". Is MySpace going to try and shut down Google next? For some reason, this is only one of a spate of bogus Seclists removal requests. I do remove material that is clearly illegal or inappropriate for SecLists.org (like the bonehead who keeps posting furry porn to fulldisclosure). But one company sent a legal threat demanding[1] that I remove a 7-year old Bugtraq posting which was a complaint about previous bogus legal threats they had sent. Another guy[2] last week sent a complaint to my ISP saying that an image was child porn and declaring that he would notify the FBI. When asked why he thought the picture was of a child, he tried a different tack: sending a DMCA complaint declaring under penalty of perjury that he is the copyright holder of the photo! Michael Crook told me on the phone that he sent the DMCA request, but when I forwarded the info to the EFF (who is already suing this guy for sending other bogus DMCA complaints), he changed his mind and wrote that "after further review, I can find no record" of mailing the complaint. Most of the censorship attempts are for the full-disclosure list. It would be easiest just to cease archiving that list, but I do think it serves an important purpose in keeping the industry honest. And many good postings do make it through if you can filter out all the junk. So I'm keeping it, no matter how "morally objectionable" GoDaddy and MySpace may think it to be!
In much happier Nmap news, I'm pleased to report that the Nmap project now has a public SVN server so you can always check out the latest version. Due to a bug in SVN, we use a username of "guest" with no password rather than anonymous. So check it out with the command:

svn co --username guest --password "" svn://svn.insecure.org/nmap

Then do the normal:

./configure
make

And install it or set NMAPDIR to "." to run in place. Among other goodies, this release includes the Nmap scripting language[3]. If you want to follow Nmap development on a check-in by check-in basis, there is a new nmap-svn mailing list[4] for that. But be prepared for some high traffic as you'll get every patch! 2007 will be a good year for Nmap!

Cheers,
Fyodor

[1] http://seclists.org/nmap-dev/2006/q4/0302.html
[2] http://seclists.org/nmap-dev/2007/q1/0067.html
[3] http://insecure.org/nmap/nse/
[4] http://cgi.insecure.org/mailman/listinfo/nmap-svn

From rforno at infowarrior.org Thu Jan 25 12:02:41 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 25 Jan 2007 12:02:41 -0500
Subject: [Infowarrior] - Man dressed as The Joker gets national ID card
Message-ID:

Original URL: http://www.theregister.co.uk/2007/01/25/the_joker_gets_id/

Man dressed as The Joker gets ID card
By Jan Libbenga
Published Thursday 25th January 2007 15:28 GMT

A Dutchman dressed as the unpredictable master criminal The Joker from Batman managed to get himself a national ID card (http://www.ad.nl/binnenland/article1023228.ece), despite supposedly stringent new rules which outlaw grins, funny faces, and head coverings from passport pics. To avoid confusing facial recognition scanners, travellers in Europe have been ordered not to look too happy in their passport photographs. Eyes must also be open and clearly visible, and there must be no sunglasses, tinted glasses, or hair across the eyes. In the Netherlands, these rules were introduced last August.
But a 35-year-old man from the Dutch town of Hellevoetsluis decided to paint his face black and dress up as Batman's goofy trickster-thief rival and was astounded that his new appearance was accepted without a hitch. Initially, the man was asked not to wear a hat, but when he argued it was because of religious beliefs, he was allowed to leave it on. The incident has stirred quite a controversy among Dutch politicians. Interior minister Johan Remkes now has to explain how this could have happened. "We don't think there are many people dressed up as clowns in this country," his department said.

From rforno at infowarrior.org Thu Jan 25 12:03:21 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 25 Jan 2007 12:03:21 -0500
Subject: [Infowarrior] - Waaay OT: Poetic justice to wardrobe disasters
Message-ID:

(sorry, couldn't resist! -rf)

Low pants trips up fleeing Covington teen
Published: Jan 25, 2007
http://www.2theadvocate.com/news/5352196.html

COVINGTON - Police caught up with and arrested a 16-year-old youth after his loose-fitting pants slipped down around his legs and forced him to his knees, the Police Department said Wednesday. Officers spotted the boy Monday afternoon and gave chase, Covington police said. The 16-year-old, whose name was not released, was wanted in the beating and robbery of a 35-year-old Covington man Nov. 2 and the carjacking and beating with a brick of another man Jan. 14, police said. The 16-year-old was booked on counts of armed robbery and aggravated battery in the Nov. 2 attack and aggravated battery and carjacking in the Jan. 14 incident. He also was booked as being a child in need of supervision.
From rforno at infowarrior.org Thu Jan 25 12:07:03 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 25 Jan 2007 12:07:03 -0500
Subject: [Infowarrior] - Tax Takers Send in the Spiders
Message-ID:

Tax Takers Send in the Spiders
http://www.wired.com/news/technology/security/0,72564-0.html?tw=wn_index_1
By Quinn Norton
02:00 AM Jan 25, 2007

Websites around the world are getting a new computerized visitor among the Googlebots and Yahoo web spiders: The taxman. A five-nation tax enforcement cartel has been quietly cracking down on suspected internet tax cheats, using a sophisticated web crawling program to monitor transactions on auction sites, and track operators of online shops, poker and porn sites. The "Xenon" program -- a reference to the super-bright auto headlights that light up dark places -- was started in The Netherlands in 2004 by the Dutch equivalent of the IRS, Belastingdienst. It has since been expanded and enhanced by an international group of tax authorities in Austria, Denmark, Britain and Canada, with the assistance of Amsterdam-based data mining firm Sentient Machine Research. Xenon is primarily a spider: a program that downloads a web page, then traverses its links and downloads those as well, ad infinitum. In this manner spiders can create huge datasets of web material, while preserving the relationships between pages at the moment they were spidered -- something that can reveal a lot about the people that made the pages. It's unclear how effective Xenon has been in generating investigative leads. Contacted by Wired News, the tax departments of Canada and the United Kingdom confirmed participation in the program, but declined further comment. Dag Hardyson, the national project leader for e-commerce for Skatteverket, the Swedish tax authority, was more forthcoming. Skatteverket is scheduled to join the Xenon project this year, and Hardyson said web crawling is well suited to tax enforcement.
"The internet is wide open for tools," said Hardyson. "It's much easier to handle than the real world." Xenon, explained Marten den Uyl of Sentient, is in some ways the opposite of something like Google's web crawler, which traverses a tree of links and grabs a copy of everything it sees. Xenon is smart about link selection and context, and uses a "slow search paradigm," he said. Whereas a spider like the Googlebot might hit thousands of websites in a second, "With Xenon it may take minutes, hours or even days to do a slow search." The slow search prevents the crawler from creating excessive traffic on a website, or drawing attention in the sites' server logs. Den Uyl declined to say what user-agent the Xenon software reports itself as, but it's likely to be variable or configurable on the tax investigator's part. The spider can also be configured and trained to look at particular economic niches -- a useful feature for compiling lists of businesses in industries that traditionally have high rates of non-filing. "For instance, weight control (yields) 85,000 hits, some for products ... also services," says Sweden's Hardyson. Once the web pages are screen-scraped, Xenon's Identity Information Extraction Module interfaces with national databases containing information like street and city names. It uses that data to automatically identify mailing addresses and other identity information present on the websites it has crawled, which it puts into a database that can be matched in bulk with national tax records. As illuminating as Xenon is for the tax man, the data-mining effort poses dangers to citizen privacy, said Par Strom, a noted privacy advocate in the world of Swedish IT. "Of course it's not illegal," said Strom. "I don't feel quite comfortable having a tax office sending out those kind of spiders." One issue has to do with how the information Xenon captures is protected.
Sentient has created access controls for its law-enforcement data-mining tool, called Data Detective, but its Xenon software lacks many of those protections, said dan Uyl, commenting on the theory that investigators will quickly delete the compiled data. "Data Detective (handles) long-term data warehousing," he said, "(Xenon is) short-term project data warehousing. Different type of data, different type of analysis." But Hardyson said the Swedish government -- which already has its own internally developed tax crawlers -- is currently keeping a copy of everything it spiders. That means that someone's long-expired actions have the potential to come back and haunt them. "We can scan and store all actions for every e-marketplace in Sweden, it's about 55,000 per day," said Hardyson. He said his agency hasn't decided if it will change its policies with the new, more sophisticated Xenon software. "Is this what we should do? Our lawyers must look at it." Canada's tax authorities declined to state what its Xenon data retention policies are, as did Simon Bird, head of the "Web Robot Team" at the British HM Revenue and Customs office. In the United States, the IRS is not a part of the Xenon project, but would neither confirm nor deny that it uses spidering software in its investigations. Strom said now that the cat is out of the bag, there's no way to get governments or corporations to forgo technologies like spiders and data mining. "The information is public of course, because it's posted on the internet," Strom says. "It wasn't meant to be used this way ... (this is) using the naivete of people. It's on the limit of what is ethical." 
From rforno at infowarrior.org Thu Jan 25 15:24:32 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 25 Jan 2007 15:24:32 -0500
Subject: [Infowarrior] - Sealing Data Security Breaches Offshore
Message-ID:

(c/o Dissent)

Sealing Data Security Breaches Offshore
By Miriam Wugmeister and Alistair Maughan
Accounting & Financial Planning for Law Firms newsletter
January 25, 2007
http://www.law.com/jsp/legaltechnology/pubArticleLT.jsp?id=1169028153553

Editor's note: Outsourcing decisions should be based in part on a comparison of data security in-house and at each vendor location; generally this is evaluated in terms of staff vetting, physical access security, database security, communications security, etc. But another vital consideration should be the effectiveness of each candidate location's legal preventive measures and remedies for data theft or misuse -- and the complexity and cost of securing those protections. This article, which surveys the state of data security legal protections in India, shows that making such a comparison is no simple matter.

As a growing number of companies seek more centralized and less expensive methods of processing information, they are turning to offshore outsourcing to fulfill many of their business and human resources processes. Given India's success in building a significant share of the offshore business process outsourcing (BPO) market, a significant portion of the data is now being processed in India.

Recently, there have been allegations that call center employees based in India have stolen data outsourced to Indian service providers. Regardless of whether these allegations represent a trend or are just dramatic headlines, there have been concerns raised about the security of data held by Indian service providers, and the remedies that non-Indian companies may have in India in the event of a breach, either to seek recourse against the offender or to prevent the misuse of data.

This article describes some of the remedies that are available to companies to deal with and prevent the misuse of data in India.

PREVENTIVE MEASURES

In the wake of concerns around data security and privacy in India, the National Association of Software and Services Companies (NASSCOM), one of the most recognized and vocal trade organizations in the information technology software and services industry in India, has put in place several measures to address data security concerns regarding service provider employees. Earlier this year, NASSCOM launched a National Skills Registry for information technology professionals to help employers conduct better background checks on employees by tracking certain information about employees, such as employment history. More recently, NASSCOM announced plans to set up an independent, self-regulatory organization to set and monitor data security and privacy "best practices" by outsourcing service providers in India.

Service providers in India are also increasingly adopting compliance programs and comprehensive security audits including personnel and equipment audits to put specific checks in place to prevent misuse of sensitive information and data. Compliance programs include specific training of employees to enhance awareness of confidentiality and specific training for computer system managers with regard to securing computer systems, common threats to information security, access control techniques, risk assessment and management, intrusion detection, authentication and other similar issues. Enforcement agencies in India also work with BPOs to conduct workshops to enable employees to improve knowledge and skills to prevent and prosecute misuse of data.

However, despite the preventive measures, non-Indian companies should still be aware of their remedies in the event of a data security breach in India.

LAWS RELATING TO DATA SECURITY IN INDIA

The Indian legal system is substantially based on the British common law system. While there is no omnibus Indian data security law, there are several laws that apply to data theft or misuse in India. Typically, when an incident involving data occurs, a complaint is filed for theft, cheating, criminal breach of trust, dishonest misappropriation of data and/or criminal conspiracy under the provisions of the Indian Penal Code, 1860 (IPC) and for hacking under the Information Technology Act, 2000 (ITA).

Many of these offenses under the IPC and the ITA allow for an arrest without a warrant, are non-bailable and carry penalties that range from imprisonment for a year to life imprisonment, as well as fines. Moreover, certain offenses carry higher penalties when the offender is an employee, a public servant, a merchant, an attorney or an agent. For example, misappropriation of data by criminal breach of trust carries a penalty of imprisonment for up to three years. However, when an employee carries out the criminal breach of trust (i.e. if the data is dishonestly misappropriated and converted by an employee for his or her own use), the penalty increases to imprisonment for up to seven years. Further, when the offender is a public servant, merchant, attorney or agent, the penalty can be as high as life imprisonment.

In addition to these criminal affairs, civil proceedings for copyright infringement under the provisions of the Copyright Act, 1957 (CA) and the Specific Relief Act, 1963 (SRA) are also typically initiated to prevent the misuse and dissemination of data. The penalties under the CA and the SRA can range from hefty fines and damages to temporary and permanent injunctions.

Over and above the laws currently in place, the Indian government is currently in the process of amending the Information Technology Act of 2000 (ITA) to deal with data privacy and security issues. The proposed amendments (which are currently being reviewed by the Ministry of Law, Justice and Company Affairs before being presented to Indian Parliament) include provisions that would empower the Central Government to make rules concerning control processes and procedures to ensure adequate integrity, security and confidentiality of electronic records and rules prescribing modes of encryption for data security.

ENFORCEMENT PROCEDURES

There are several options open to a company that is dealing with a data misuse or theft incident in India. Generally, a criminal complaint under the provisions of the ITA, the IPC and the CA for theft, misappropriation or misuse of data and infringement of copyright is filed with the police station that has jurisdiction over the area where the data security breach occurred. The officers in the local police station, however, may not be in a position to properly investigate a data security incident, as officers are not adequately trained to deal with cybercrime cases.

Thus, in the alternative, the criminal complaint can be made to Anti Cybercrime Cells set up by the State Police Departments. These cybercrime cells have been established specifically to investigate and prosecute cases of data theft and copyright infringement, as well as other cybercrime cases. Cybercrime cells of several state police departments (e.g., Delhi) organize training programs to enhance investigators' skills and knowledge concerning data protection, and use advanced equipment to investigate data security incidents. In fact, the U.S. Department of State recently trained Indian cybercrime investigators on investigating techniques.

The investigating officers at Anti Cybercrime Cells have the power to seize infringing or stolen data by conducting searches and raids on the premises of the alleged offenders and can also prosecute the offenders in the criminal court that has jurisdiction over the police station where the complaint was registered. The law enforcement agencies also have the power to arrest offenders and keep them in custody during the course of the investigation and prosecution unless bail is granted to the offenders by the court.

If a company believes that the local police station and/or the Anti Cybercrime Cell do not have the requisite expertise to investigate a data security incident, the company may make a formal complaint with the Central Bureau of Investigations (CBI) of the government of India under the provisions of the ITA, the IPC and the CA. The CBI is an independent, autonomous investigating agency set up by the government of India, and has professionally trained the Anti Cybercrime Units in various states to investigate data security incidents. If the officer investigating the complaint determines that a prima facie offense has been committed, he or she can register the complaint and file a charge sheet with the competent criminal court.

Additionally, complaints alleging offenses under provisions of the ITA can also be made to the Controller of Certifying Authorities. Upon receipt of a complaint, the controller of certifying authorities investigates allegations and can order punishment of an offender under the provisions of the ITA. As the controller of certifying authorities is a quasi-judicial authority, an appeal against its orders can be made only in the state high court.

Finally, in addition to, or in lieu of, a criminal complaint, a civil suit seeking damages and an injunction to restrain the misuse and misapplication of data can be filed under the provisions of the CA and the SRA. A civil court can issue an interim temporary injunction pending final adjudication of the civil suit.

ISSUES IN THE INDIAN LEGAL SYSTEM

While several measures have been put into place to deal with data security issues, some concerns still remain regarding the Indian legal system. Indian courts are overburdened -- in 2005, the lower courts had more than 20 million pending cases, while the high courts had more than three million. Delays in the system are common, and an average case can take several years to be resolved.

However, things are changing. Several measures are underway, and the Prime Minister of India, as well as the Chief Justice of the Indian Supreme Court, have committed to dealing with the issues facing the Indian courts. Further, the system itself, while slow, works. More importantly, as previously discussed, the service providers themselves are putting into place several preventive measures to deal with data security and privacy issues.

CONCLUSION

Unfortunately, data breaches have occurred and will probably continue to occur in many parts of the world. Fortunately for companies that have sent data to India -- whether via an offshore outsourcing or otherwise -- the government of India has responded to the concerns raised about data security issues, and proven methodologies have been put into place and refined to minimize the damage, punish the offender and deter the tempted.

Obviously, there are many steps that a non-Indian company can and should undertake to minimize its risk: for example, conducting due diligence and risk assessments when choosing service providers; implementing appropriate contractual measures designed to meet its objectives; and monitoring the service provider's compliance and making adjustments to reflect modified risks. A combination of all these measures should go a long way toward minimizing both the incidence and consequences of data theft and misuse incidents in India.

Miriam Wugmeister is a partner at Morrison & Foerster, where she counsels clients on U.S. and international data protection laws. She represents the Coalition for Global Information Flows.
Alistair Maughan, also a partner at Morrison & Foerster, focuses on outsourcing and technology projects, e-commerce and other technology contract work for major organizations. He also counsels on the UK government's Private Finance Initiative. Dijeet Titus, a partner at Titus, contributed to the preparation of this article.

From rforno at infowarrior.org Thu Jan 25 15:52:45 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 25 Jan 2007 15:52:45 -0500
Subject: [Infowarrior] - Resignations of U.S. attorneys raise suspicion of politically motivated DOJ purge
Message-ID:

Jan. 24, 2007, 9:08PM

Dropping like flies
Resignations of U.S. attorneys raise suspicion of politically motivated Justice Department purge.
Copyright 2007 Houston Chronicle
http://www.chron.com/disp/story.mpl/editorial/4497086.html

In the past year 11 U.S. attorneys have resigned their positions, some under pressure from their Justice Department superiors and the White House, even though they had commendable performance records. Democratic senators are concerned that the high turnover is linked to an obscure, recently passed provision of the Patriot Act.

The provision allows the Bush administration to fill vacancies with interim prosecutors for the remainder of the president's term without submitting them to the Senate for confirmation. Previously, interim appointments were made by a vote of federal judges in the districts served by the outgoing U.S. attorneys.

U.S. Sen. Mark Pryor, D-Ark., contends that in his state U.S. Attorney Bud Cummins was improperly ousted in favor of a protege of Bush political adviser Karl Rove. Likewise in California, U.S. Attorneys Carol Lam of San Diego and Kevin Ryan of San Francisco were forced from their positions. Sen. Dianne Feinstein, D-Calif., alleged that Lam fell out of favor with her Washington bosses for spearheading the bribery prosecution and conviction of Republican Congressman Randy "Duke" Cunningham last year. Lam reportedly had other politicians in her sights.

"I am particularly concerned because of the inference ... that is drawn to manipulation in the lineup of cases to be prosecuted by a U.S. attorney," Feinstein stated. "In the San Diego case, at the very least, we have people from the FBI indicating that Carol Lam has not only been a straight shooter but a very good prosecutor."

U.S. Attorney General Alberto Gonzales denied political motives figured in the multiple resignations of top prosecutors, and pledged that all interim appointments would be submitted to the Senate for confirmation. He reiterated that U.S. attorneys serve at the pleasure of the president and can be removed for a number of reasons, including job performance and their standing in their districts.

That isn't good enough for Feinstein and her Democratic colleagues, who have introduced legislation to reinstate the appointment of interim prosecutors by federal judges.

Gonzales is correct that the president is vested with the power to appoint U.S. attorneys. Unfortunately, the Patriot Act change eliminated the ability of the Senate to exercise its constitutional oversight of those nominations to make sure they are qualified and not simply political plums handed out to supporters in the waning years of the administration.

The attorney general's pledge to bring the wave of interim appointees before the Senate for confirmation is welcome, providing it is done in a speedy fashion. Still, the Patriot Act needs to be amended to restore judicial appointment of interims. No president should be able to fire top government prosecutors from their positions for political reasons and then install successors without a thorough vetting by the constitutionally charged legislative body.
From rforno at infowarrior.org Thu Jan 25 19:50:34 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 25 Jan 2007 19:50:34 -0500
Subject: [Infowarrior] - Maine rejects Real ID
Message-ID:

Maine rejects Real ID
State's legislature overwhelmingly opposes act requiring national digital ID cards, putting Bush administration in a pickle.
By Declan McCullagh
Staff Writer, CNET News.com
Published: January 25, 2007, 2:33 PM PST
http://news.com.com/2100-7348_3-6153532.html?part=rss&tag=2547-1_3-0-20&subj=news

Maine overwhelmingly rejected federal requirements for national identification cards on Thursday, marking the first formal state opposition to controversial legislation scheduled to go in effect for Americans next year.

Both chambers of the Maine legislature approved a resolution saying the state flatly "refuses" to force its citizens to use driver's licenses that comply with digital ID standards, which were established under the 2005 Real ID Act. It asks the U.S. Congress to repeal the law.

The vote represents a political setback for the U.S. Department of Homeland Security and Republicans in Washington, D.C., which have argued that nationalized ID cards for all Americans would help in the fight against terrorists.

"I have faith that the Democrats in Congress will hear this from many states and will find a way to repeal or amend this in the coming months," House Majority Leader Hannah Pingree, a Democrat, said in a telephone interview after the vote. "It's not only a huge federal mandate, but it's a huge mandate from the federal government asking us to do something we don't have any interest in doing."

The Real ID Act says that, starting around May 2008, Americans will need a federally approved ID card--a U.S. passport will also qualify--to travel on an airplane, open a bank account, collect Social Security payments or take advantage of nearly any government service. States will have to conduct checks of their citizens' identification papers, and driver's licenses likely will be reissued to comply with Homeland Security requirements.

In addition, the national ID cards must be "machine-readable," with details left up to Homeland Security, which hasn't yet released final regulations. That could end up being a magnetic strip, an enhanced bar code or radio frequency identification (RFID) chips.

The votes in Maine on the resolution were nonpartisan. It was approved by a 34-to-0 vote in the state Senate and by a 137-to-4 vote in the House of Representatives.

Other states are debating similar measures. Bills pending in Georgia, Massachusetts, Montana and Washington state express varying degrees of opposition to the Real ID Act. Montana's is one of the strongest. The legislature held a hearing on Wednesday on a bill that says "The state of Montana will not participate in the implementation of the Real ID Act of 2005" and directs the state motor vehicle department "not to implement the provisions."

Barry Steinhardt, director of the ACLU's Technology and Liberty Project, said he thinks Maine's vote will "break the logjam, and other states are going to follow." (The American Civil Liberties Union has set up an anti-Real ID Web site called Real Nightmare).

Pingree, Maine's House majority leader, said the Real ID Act would have cost the state $185 million over five years and required every state resident to visit the motor vehicle agency so that several forms of identification--including an original copy of the birth certificate and a Social Security card--would be uploaded into a federal database.
From rforno at infowarrior.org Thu Jan 25 19:51:05 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 25 Jan 2007 19:51:05 -0500
Subject: [Infowarrior] - More on....Seclists.Org shut down by Myspace and GoDaddy
In-Reply-To:
Message-ID:

(c/o dissent)

Wired's 27B Stroke 6 blog has a follow-up to this:
http://blog.wired.com/27bstroke6/2007/01/godaddy_defends.html#more
by Ryan Singel and Kevin Poulsen
Thursday, 25 January 2007

GoDaddy Defends SecLists Takedown

GoDaddy got back to me. General counsel Christine Jones defends taking down SecLists.org, saying that Fyodor had close to an hour to respond to GoDaddy's voicemail and e-mail warnings yesterday, and didn't.

"We couldn't reach him, and because the content was hundreds and hundreds of MySpace user names and passwords, we went ahead and redirected the domain to remove that content," she says.

An hour's notice doesn't seem much time before shutting down someone's website, particularly when the content in question is nine days old. Jones says there was urgency, because so many MySpace users are young teenagers, and they could suffer serious privacy invasions if perverts start logging into their profiles to get private photos and messages.

"For something that has safety implication like that, we take it really seriously," she says. "For spammers, we give people a little bit of time to respond to us."

Ouch. Archiving Full Disclosure is worse than spamming.

I still find the whole thing chilling. The domain registrar isn't the logical place for a surgical strike against one web page or a single file -- it can do nothing except take down an entire domain with, in this case, thousands of pages. So why did MySpace call GoDaddy, instead of Fyodor or his ISP? -- the polite and customary approach. My theory is MySpace went forum shopping for the best place to get the password list squelched, and ended up at GoDaddy because they expected the friendliest reception there.

And that's the risk: every new link in internet service -- network operators, hosting companies, and now domain registrars -- willing to take on a censorship role increases the likelihood of legitimate content being suppressed.

Jones stands by the decision. "Should registrars be involved in this? I'm not sure," she says. "We're the largest domain registrar in the world, and my view is, for $8.95 it's not okay for somebody to come and use our services to harm other people."

------ End of Forwarded Message

From rforno at infowarrior.org Thu Jan 25 19:55:11 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 25 Jan 2007 19:55:11 -0500
Subject: [Infowarrior] - WH Argues in Support of Warrantless Wiretaps
Message-ID:

Bush Administration Argues in Support of Warrantless Wiretaps
By Dan Eggen
Washington Post Staff Writer
Thursday, January 25, 2007; 5:50 PM
http://www.washingtonpost.com/wp-dyn/content/article/2007/01/25/AR2007012501434.html

The Bush administration argued in court papers filed today that both a lawsuit and a ruling challenging the constitutionality of its warrantless surveillance program should be thrown out because the government is now conducting the wiretaps under the authority of a secret intelligence court.

In a filing with the 6th Circuit U.S. Court of Appeals in Cincinnati, Justice Department lawyers argue that the lawsuit by the American Civil Liberties Union and other plaintiffs should be considered moot because the case "no longer has any live significance."

The ACLU said the government's claims have no merit and it plans to file a response to the arguments Friday.

The brief represents the latest volley in the legal battle over the controversial spying effort run by the National Security Agency that was dubbed the "Terrorist Surveillance Program," or TSP, by the Bush administration. The program allowed the NSA to monitor telephone calls without warrants between the United States and overseas if the government concluded that one of the parties was linked to al-Qaeda. Civil-liberties groups and many lawmakers condemned the program as an illegal exercise of presidential power.

Attorney General Alberto R. Gonzales announced last week that the government was disbanding the program and replacing it with a new effort that will be supervised by a secret 11-judge panel that oversees clandestine spying in the United States, known as the Foreign Intelligence Surveillance Act, or FISA, court.

The government argues that the new arrangement essentially invalidates an August ruling in the ACLU case by U.S. District Judge Anna Diggs Taylor of Detroit, who declared the surveillance program unconstitutional and said it violated free-speech rights and the separation of powers between the three branches of government. Taylor ordered a halt to the program, and the government appealed to the 6th Circuit.

The administration says that Taylor's ruling should be vacated and the entire lawsuit should be dismissed.

"Plaintiffs' challenge to the TSP is now moot," the government wrote in its filing. "The surveillance activity they challenge . . . does not exist. And the specific relief they sought and were awarded -- injunction of the TSP -- cannot redress any claimed injury because no electronic surveillance is being conducted under the TSP."

But Ann Beeson, the ACLU's associate legal director, said the Justice Department's theory is "not plausible," arguing that legal precedents make clear that the government cannot escape a legal judgment merely by voluntarily stopping illegal activity.

"The FISA court didn't reach out on its own to do something; the government asked it to do something," Beeson said. "And absent a ruling, they are free to return to their illegal conduct again. This does not meet the mootness test."
From rforno at infowarrior.org Thu Jan 25 21:16:12 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 25 Jan 2007 21:16:12 -0500
Subject: [Infowarrior] - Update - my Netgear issue
Message-ID:

Bought a different model Netgear 802.11g router today and thus far have not encountered that cryptic "Bad Verb" message I mentioned earlier. To be sure, I swapped routers and my (old) Netgear gave me the same errors....meaning the problem was nearly-certainly that particular device that I've now replaced.

*crosses fingers*

So far so good. Thanks to those who offered suggestions off-list!

Cheers
-rf

From rforno at infowarrior.org Thu Jan 25 22:54:05 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 25 Jan 2007 22:54:05 -0500
Subject: [Infowarrior] - Angry passengers pitch airline changes
Message-ID:

Posted on Wed, Jan. 24, 2007
http://www.dfw.com/mld/dfw/business/16533365.htm

Angry passengers pitch airline changes
By TREBOR BANSTETTER
STAR-TELEGRAM STAFF WRITER

Passengers on an American Airlines flight that was stuck on the tarmac in Austin for nearly 10 hours last month are pushing for a national Passengers Bill of Rights to protect traveling consumers.

The proposal would require airlines to return passengers to terminal gates after three hours on the tarmac. It would also impose penalties on airlines for losing baggage and bumping passengers, and create a consumer committee to review and investigate complaints.

The measure doesn't yet have a backer in Congress. But it comes as lawmakers are increasing their scrutiny of the industry, with a hearing scheduled for today before the Senate Commerce Committee on the impact of airline mergers and consolidation. Heavy passenger loads during the past year have accompanied increased delays and complaints, according to the U.S. Transportation Department.

"Enough is enough," said Kate Hanni, a Napa, Calif., resident who was stuck with her husband on American Flight 1348 in Austin for nearly 10 hours Dec. 29 during a trip from San Francisco to Mobile, Ala. Her flight was supposed to land at Dallas/Fort Worth Airport for a connection, but heavy thunderstorms diverted the plane to Austin.

"Never again should anyone be left in a plane without information, without food, with toxic air, overflowing toilets, no remuneration and no explanation," she said.

Officials with Fort Worth-based American have apologized to passengers for the long delays and issued vouchers worth up to $500. But they also point out that the events that day were because of an unusual storm in North Texas coupled with the fact that airplanes were flying with full loads on a holiday weekend.

"The thunderstorm event of Dec. 29, 2006, that spread almost the entire length of Texas was one of the most unusual weather circumstances we've seen in 20 years," said Tim Wagner, a spokesman. More than 80 flights were diverted from D/FW that day.

Hanni and her husband recruited 13 other passengers to sign onto the effort. They've written to Commerce Committee Chairman Daniel Inouye, D-Hawaii, with a draft proposal for the law and have launched an Internet blog at www.strandedpassengers.blogspot.com.

Hanni hasn't ruled out filing a lawsuit against American but said it would be a last resort. "If the only way to send a message to the airlines is to pursue it from that angle, then absolutely," she said during a conference call with reporters Tuesday.

Stories of the long delays have been featured in national news media, including The Wall Street Journal and NBC Nightly News, in recent weeks. Passengers say they ran out of food, toilets overflowed and some lacked access to medication while stranded on the tarmac. Hanni called the conditions "subhuman."

"I was fighting off a panic attack the entire time," said Mark Vail of Madera, Calif. "I was counting raindrops in the window, doing anything to try to distract myself." All the while, he said, "I kept seeing Southwest Airlines flights taking off and landing."

American officials say they were doing their best to cope with an extraordinary spate of bad weather at the carrier's largest hub. Unlike most storms that quickly sweep over D/FW Airport from the west, the Dec. 29 tempest moved north from the southwest and hung over the airport for hours, Wagner said.

Airline officials were hoping that the storm would lift so diverted planes could fly to D/FW and passengers could get to connecting flights. If the airline had brought the plane into a gate in Austin early, it would have immediately been a canceled flight, he said. It then would have been nearly impossible to get the passengers onto later flights because most airplanes were already full.

"People would have been stranded in Austin for two or three days, maybe in a hotel room or maybe there at the airport, waiting for a flight," he said. "That's what we were trying to avoid."

Still, Wagner said that "the extremity of their experience was a mistake, and we've apologized for that." He said the airline has tweaked some policies and re-emphasized others in an attempt to avoid repeating the situation.

Some of the affected passengers said the airline responded only after the story was featured in the national press. And they say they haven't seen any indication that American is working to prevent future problems.

"There hasn't been any attempt to contact us; they haven't said anything," said Andy Welch of Lynn Creek, Mo., who was also on Flight 1348. "It infuriates me. How can anyone think they can run a business this way?"

An attempt was made in 2000 to pass a similar slate of protections for traveling consumers, and the idea was revived in 2002. Neither attempt resulted in a law being passed. This time, however, Hanni is hopeful that the issue will have traction in Washington, D.C., particularly as lawmakers consider the impact that mergers could have on the industry.

"I believe we've reached the tipping point," she said.
"The only thing that will change this is action from our elected officials." PASSENGERS BILL OF RIGHTS A group of travelers who were stranded on the tarmac for up to 10 hours last month have proposed a slate of protections for travelers. Their recommendations include:
Establishing procedures for airlines to return passengers to a terminal gate after three hours on the tarmac.
Requiring airlines to respond to complaints within 24 hours and resolve them within two weeks.
Forcing airlines to publish a list of chronically delayed flights online.
Compensation for bumped passengers or passengers whose flights are delayed by more than 12 hours at 150 percent of the ticket price.
Compensation for passengers whose baggage is lost or mishandled.
Creation of a Passenger Review Committee made up of nonairline consumers to review and investigate complaints.
Trebor Banstetter, 817-390-7064 tbanstetter at star-telegram.com From rforno at infowarrior.org Thu Jan 25 23:25:29 2007 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 25 Jan 2007 23:25:29 -0500 Subject: [Infowarrior] - Secrecy Is at Issue in Suits Opposing Domestic Spying Message-ID: January 26, 2007 Secrecy Is at Issue in Suits Opposing Domestic Spying By ADAM LIPTAK http://www.nytimes.com/2007/01/26/washington/26nsa.html?ei=5094&en=b269fa6bc75f304b&hp=&ex=1169787600&partner=homepage&pagewanted=print The Bush administration has employed extraordinary secrecy in defending the National Security Agency's highly classified domestic surveillance program from civil lawsuits. Plaintiffs and judges' clerks cannot see its secret filings. Judges have to make appointments to review them and are not allowed to keep copies. Judges have even been instructed to use computers provided by the Justice Department to compose their decisions. But now the procedures have started to meet resistance.
At a private meeting with the lawyers in one of the cases this month, the judges who will hear the first appeal next week expressed uneasiness about the procedures, said a lawyer who attended, Ann Beeson of the American Civil Liberties Union. Lawyers suing the government and some legal scholars say the procedures threaten the separation of powers, the adversary system and the lawyer-client privilege. Justice Department officials say the circumstances of the cases, involving a highly classified program, require extraordinary measures. The officials say they have used similar procedures in other cases involving classified materials. In ordinary civil suits, the parties' submissions are sent to their adversaries and are available to the public in open court files. But in several cases challenging the eavesdropping, Justice Department lawyers have been submitting legal papers not by filing them in court but by placing them in a room at the department. They have filed papers, in other words, with themselves. At the meeting this month, judges on the United States Court of Appeals for the Sixth Circuit asked how the procedures might affect the integrity of the files and the appellate records. In response, Joan B. Kennedy, a Justice Department official, submitted, in one of the department's unclassified filings, a detailed seven-page sworn statement last Friday defending the practices. "The documents reviewed by the court have not been altered and will not be altered," Ms. Kennedy wrote, and they "will be preserved securely as part of the record of this case." Some cases challenging the program, which monitored international communications of people in the United States without court approval, have also involved atypical maneuvering. Soon after one suit challenging the program was filed last year in Oregon, Justice Department lawyers threatened to seize an exhibit from the court file.
This month, in the same case, the department sought to inspect and delete files from the computers on which lawyers for the plaintiffs had prepared their legal filings. The tactics, said a lawyer in the Oregon case, Jon B. Eisenberg, prompted him to conduct unusual research. "Sometime during all of this," Mr. Eisenberg said, "I went on Amazon and ordered a copy of Kafka's 'The Trial,' because I needed a refresher course in bizarre legal procedures." A federal district judge in the case, Garr M. King, invoked another book after a government lawyer refused to disclose whether he had a certain security clearance, saying information about the clearance was itself classified. "Frankly, your response," Judge King said, "is kind of an Alice in Wonderland response." Questions about the secret filings may figure in the first appellate argument in the challenges, before the Sixth Circuit, in Cincinnati, on Wednesday. The three judges who will hear the appeal met with lawyers for the Justice Department and the American Civil Liberties Union on Jan. 8 in a judge's chambers in Memphis. "The court raised questions about the procedures the government had used to file classified submissions in the case and the propriety and integrity of those procedures," said Ms. Beeson, associate legal director of the A.C.L.U., which represents the plaintiffs in the appeal. "They were also concerned about the independence of the judiciary," given that "the Justice Department retains custody and total control over the court filings," Ms. Beeson said. Nancy S. Marder, a law professor at the Chicago-Kent College of Law and an authority on secrecy in litigation, said the tactics were really extreme and deeply, deeply troubling. "These are the basics that we take for granted in our court system," Professor Marder said. "You have two parties. You exchange documents. The documents you've seen don't disappear."
A spokesman for the Justice Department, Dean Boyd, said employees involved in storing the classified documents were independent of the litigators and provided "neutral assistance" to courts in handling sensitive information. The documents, Mr. Boyd said, are "stored securely and without alteration." The appellate argument in Cincinnati will almost certainly also concern the effects of the administration announcement last week that it would submit the program to a secret court, ending its eavesdropping without warrants. In a brief filed on Thursday, the government said the move made the case against the program moot. Ms. Beeson of the A.C.L.U. said the government was wrong. At least one case, the one in Oregon, is probably not moot. It goes beyond the other cases in seeking damages from the government, because the plaintiffs say they have seen proof that they were wiretapped without a warrant. In August 2004, the Treasury Department's Office of Foreign Assets Control, which was investigating an Oregon charity, al-Haramain Islamic Foundation, inadvertently provided a copy of a classified document to a foundation lawyer, Lynne Bernabei. That document indicated, according to court filings, that the government monitored communications between officers of the charity and two of its lawyers without a warrant in spring 2004. "If I gave you this document today and you put it on the front page of The New York Times, it would not threaten national security," Mr. Eisenberg, a lawyer for the foundation, said. "There is only one thing about it that's explosive, and that's the fact that our clients were wiretapped." Ms. Bernabei circulated the document to two directors of the charity, at least one of them in Saudi Arabia, and to three other lawyers. She discussed it with two more lawyers. A reporter for The Washington Post, David B. Ottaway, also reviewed the document.
The full significance of the document was apparently not clear to any recipient, more than a year before The New York Times disclosed the existence of the N.S.A. program in December 2005. The F.B.I. learned of the disclosure almost immediately in August 2004, Judge King said at a court hearing last year, but made no effort to retrieve copies of the document for about six weeks. When it did, everyone it asked apparently returned all copies of the document. In a statement reported in The Post in March, for instance, Mr. Ottaway said the F.B.I. had told him that the document had "highly sensitive national security information." "I returned it after consulting with Washington Post editors and lawyers, and concluding that it was not relevant to what I was working on at the time," Mr. Ottaway said. In a sworn statement in June, a lawyer who had the document, Asim Ghafoor, said the bureau took custody of his laptop computer "in order that the document might be 'scrubbed' from it." The computer was returned weeks later. In February 2006, the charity and the two lawyers who say they were wiretapped sued to stop the program, requesting financial damages. They attached a copy of the classified document, filing it under seal. They have not said how they came to have a copy. Three weeks later, the lawyers for the foundation received a call from two Justice Department lawyers. The classified document "had not been properly secured," the lawyers said, according to a letter from the plaintiffs' lawyers to the judge. As Mr. Eisenberg recalled it, the government lawyers said, "The F.B.I. is on its way to the courthouse to take possession of the document from the judge." But Judge King, at a hurriedly convened hearing, would not yield it, and asked, "What if I say I will not deliver it to the F.B.I.?" A Justice Department lawyer, Anthony J. Coppolino, gave a measured response, saying: "Your Honor, we obviously don't want to have any kind of a confrontation with you.
But it has to be secured in a proper fashion." The document was ultimately deposited in a "secure compartmented information facility" at the bureau office in Portland. In the meantime, copies of the document appear to have been sent abroad, and the government concedes that it has made no efforts to contact people overseas who it suspects have them. "It's probably gone many, many places," Judge King said of the document at the August hearing. "Who is it secret from?" A Justice Department lawyer, Andrew H. Tannenbaum, replied, "It's secret from anyone who has not seen it." He added, "The document must be completely removed from the case, and plaintiffs are not allowed to rely on it to prove their claims." Judge King wondered aloud about the implications of that position, saying, "There is nothing in the law that requires them to purge their memory." Mr. Eisenberg, in an interview, said that was precisely the government position. "They claim they own the portions of our brains that remember anything," he said. In a decision in September, Judge King ruled that the plaintiffs were not entitled to review the document again but could rely on their recollections of it. In October, they filed a motion for summary judgment, a routine step in many civil litigations. In a sealed filing, they described the classified document. Government lawyers sent Judge King a letter saying the plaintiffs had "mishandled information contained in the classified document" by, among other actions, preparing filings on their own computers. In a telephone conference on Nov. 1, Judge King appeared unpersuaded. "My problem with your statement," he told Mr. Tannenbaum, "is that you assume you are absolutely correct in everything you are stating, and I am not sure that you are." Mr. Boyd of the Justice Department said the government "continues to explore with counsel ways in which the classified information may be properly protected without any intrusion on the attorney-client privilege."
From rforno at infowarrior.org Fri Jan 26 09:57:11 2007 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 26 Jan 2007 09:57:11 -0500 Subject: [Infowarrior] - CFP: Surveillance and Communications In-Reply-To: Message-ID: Special Issue of The Communication Review: Surveillance and Communications Guest Editors: Kelly Gates and Shoshana Magnet We invite submissions for a special issue of The Communication Review on the contribution of communications research to the study of surveillance. The age of informatics has resulted in the proliferation of new technologies of surveillance. Surveillance remains one of the key means by which modern institutions interact with and govern their constituencies. This special issue of The Communication Review will examine the multiple connections between communications and surveillance. We hope to foster dialogue on the interconnections between communications theory and surveillance studies. Has communications theory helped to expand the study of surveillance through attention to the socio-cultural ramifications of surveillance practices? Can communications theory broaden the study of surveillance through its attention to the importance of surveillance technologies as information and communication technologies, as well as visual media and sound reproduction systems? The special issue will address such questions as: How do communicative practices, media technologies, and surveillance practices intersect? What insights does communications theory and research bring to the study of surveillance as a modern institutional practice? We are particularly interested in connections between surveillance studies and critical race and feminist theories, as well as theoretical investigations of the ways in which surveillance techniques are used to mark and classify bodies based on social inequalities. How are forms of discrimination coded into and perpetuated by surveillance strategies? 
We are also interested in the intensification of surveillance in the neo-liberal economy. How is the expansion of new surveillance technologies informed by the logic of privatization? How has "informationalized capitalism" encouraged the development of new practices and technologies of surveillance? How do particular surveillance strategies contribute to the conflation of consumption and citizenship? Topics might include, but are not limited to:
The relationships between surveillance and communication theory
The differential application of surveillance strategies based on social inequalities
Surveillance technologies as markers of identity
Surveillance and media interactivity
Surveillance and the digitization of visual media
Surveillance and copyright enforcement
Market research surveillance and consumer citizenship
Surveillance and reality television
Surveillance forms and cinematic "practices of looking"
Papers should be between 7500 and 8000 words long and must be received by May 1st, 2007. Please email them to: Andrea Press and Bruce Williams, Editors, The Communication Review, c/o Tanya Omeltchenko, Managing Editor, at to3y at virginia.edu From rforno at infowarrior.org Fri Jan 26 12:12:56 2007 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 26 Jan 2007 12:12:56 -0500 Subject: [Infowarrior] - Why pirated Vista has Microsoft champing at the BitTorrent Message-ID: Why pirated Vista has Microsoft champing at the BitTorrent Eric Lai http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9009143&intsrc=hm_ts_head January 25, 2007 (Computerworld) As Microsoft Corp. gets ready to launch Windows Vista and Office 2007 to consumers, it claims a formidable new foe it lacked at its last major consumer software launch five years ago: the popular filesharing network known as BitTorrent.
This third-generation peer-to-peer (P2P) service, already used by tens of millions of Internet users to swap digital music and movies for free, is becoming a popular mechanism for those looking to obtain pirated software. "Any software that is commercially available is available on BitTorrent," according to Mark Ishikawa, CEO of BayTSP Inc., a Los Gatos, Calif., antipiracy consulting firm. Piracy and prerelease Or in the case of Vista and Office 2007, before they were commercially available. Both products were released to corporations almost two months ago, but won't be officially launched to consumers until Jan. 29. But as early as mid-November, "cracked" copies of both products were available via BitTorrent. As of mid-January, more than 100 individual copies of Office 2007 and more than 350 individual copies of Windows Vista were available on the service, according to BigChampagne LLC, a Los Angeles-based online media-tracking firm. The pirates that cracked early copies of Vista all sidestepped Microsoft's latest antipiracy technology, the Software Protection Platform. SPP is supposed to shut down any copy of Vista not registered to Microsoft over the Internet with a legitimate, paid-up license key within the first 30 days. Microsoft has quietly admitted that it has already found three different workarounds to SPP. It says it can defeat one, dubbed the Frankenbuild because of its cobbling together of code from beta and final versions of Vista. It hasn't yet announced success against several other cracks, including one seemingly inspired by Y2k, which allows Vista to run unactivated until the year 2099 rather than for just 30 days. "Pirates have unlimited time and resources," BayTSP's Ishikawa says. "You can't build an encryption that can't be broken." Microsoft popular with pirates According to BayTSP's most recent figures from 2005, six out of the 25 most widely pirated software packages on BitTorrent and eDonkey, another P2P network, originated at Microsoft.
Office 2003 was the second most-pirated software behind Adobe Systems Inc.'s Acrobat 7. Other widely pirated Microsoft software includes InfoPath 2003, FrontPage 2003, Visio 2003, Office XP and Windows XP. Cori Hartje, director of Microsoft's Genuine Software Initiative, remains confident that SPP, along with another effort by Microsoft to clamp down on the abuse of corporate volume license keys by pirates, can reduce the rate of piracy of Microsoft's latest products compared to previous ones. But the company is taking no chances, fighting back on multiple fronts. To distract downloaders who may only be seeking a sneak peek at the new software, the company's offering free online test drives of Vista and 60-day trials of Office 2007. To reach young people, who are the most enthusiastic users of P2P, Microsoft is putting comics up on the Web, mostly in foreign languages, decrying software piracy. And on Monday, the company released statistics purporting to show that users downloading pirated software from P2P networks are at great risk of infecting themselves with viruses or spyware. According to an October 2006 report conducted by IDC and commissioned by Microsoft, nearly 60% of key generators and crack tools downloaded from P2P networks contained malicious or unwanted software. Similarly, one quarter of Web sites offering key generators -- software that creates alphanumeric strings that users can type in to activate their pirated Microsoft software -- had such hidden software. The perils of P2P? Hartje claims that many pirates are irresponsibly uploading malware along with their cracked goods to BitTorrent. "They may not be running a clean shop, and don't care if viruses are on the software," she says. IDC researchers used popular antivirus packages from McAfee Inc. and Symantec Corp. to detect malware. However, the researchers did not differentiate between more serious viruses and spyware and less harmful unwanted code such as adware.
IDC also conceded that some P2P networks deploy built-in virus scanning that "strip[s] out most of the malicious software" before it reaches users. Some skeptics say that Microsoft's "education" campaign is primarily an attempt to sow FUD -- fear, uncertainty and doubt -- in the minds of consumers, a tactic the company has been called out for in the past, and which could backfire. "Warning customers about viruses and spyware in counterfeit software is a nice PR thing for Microsoft, but for the most part, I doubt that it's really effective," says Paul DeGroot, an analyst at Directions on Microsoft, an independent consulting firm in Kirkland, Wash., who applauds Microsoft's other antipiracy efforts. Microsoft hopes to scare consumers straight, he says, because efforts to guilt and shame consumers into not downloading have had little success. Moreover, the company rarely targets end users of counterfeit software with lawsuits for fear of alienating customers. "Our main concern is preventing pirates from putting counterfeits in the hands of unsuspecting customers," says Matt Lundy, a senior attorney at Microsoft. The technology advances P2P technology, meanwhile, has advanced greatly since Microsoft released Windows XP in late 2001. At the time, P2P networks such as Napster and Gnutella were solely used to exchange music files. Since that time, Napster has been closed and re-opened as a legitimate pay music service similar to Apple Inc.'s iTunes. The second-generation Gnutella has waned in popularity because of aging technology and partial neutering by the record companies, which have flooded Gnutella with decoy files masquerading as songs, Ishikawa says. Enter BitTorrent, which boasts faster file transfers and more reliable downloads than other P2P networks. BitTorrent was not the first P2P network to host pirated DVDs and software, but it was the first to make the trade of such hefty files practical.
Moreover, BitTorrent claims it automatically cleanses its network of both viruses and decoy files. The latter defeats related antipiracy efforts by the music industry. BitTorrent's other great advantage is its ease of use compared to "darknet" services used by more sophisticated pirates, such as Internet Relay Chat channels, private FTP sites and Usenet newsgroups. For most Internet users, darknets remain hard to find -- you can't simply Google them -- and intimidating to use. Microsoft's worst nightmare would come to pass if P2P software piracy becomes as pervasive as the movie and music piracy. Already, the number of songs swapped illegally online surpasses the number sold in stores or online at sites like iTunes, says BigChampagne CEO Eric Garland, citing music industry estimates. Victory by assimilation? Faced with this situation, music and movie companies are starting to co-opt P2P. Record companies are using services like BigChampagne to scout music trends and sign up-and-coming bands, while movie studios such as Paramount and Fox have linked up with BitTorrent to sell movies via downloads. The software industry lags by comparison. Microsoft is allowing consumers to download and buy Vista from its own Web site for the first time. Otherwise, Microsoft has "nothing new to announce in regards to any new distribution channels," Hartje says. BitTorrent did not return a call and an e-mail seeking comment. For Microsoft to ink a deal with BitTorrent to sell full software or even put up free trials would send out mixed messages, Ishikawa says. "If you ever want to litigate, don't send out any freeware," he says. Still, people like BigChampagne's Garland point out that P2P software piracy today remains a drop in the bucket compared to video piracy, which involves similarly hefty files. His reason: downloaded movies are just entertainment, but business software is used to run companies, do people's taxes and other important things.
For those, most users still prefer the security blanket of technical support, access to software fixes and updates -- even manuals -- that only buying the software can provide, Garland says. "Forget backdoor viruses or trojans," he says. "There are some things that are worth paying for." From rforno at infowarrior.org Fri Jan 26 12:20:05 2007 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 26 Jan 2007 12:20:05 -0500 Subject: [Infowarrior] - Korean IT: the cost of monoculture Message-ID: the cost of monoculture http://www.kanai.net/weblog/archive/2007/01/26/00h53m55s (I am still preparing for posts on my China trip, but I wanted to first address the issue of monoculture as it is very relevant now.) What would you say if I told you that there was a nation that was at the forefront of technology, an early adopter of ecommerce, leading the world in 3G mobile adoption, in wireless broadband, in wired broadband adoption, as well as in citizen-driven media? Sounds like an amazing place, right? Technology utopia? Wrong. This nation is also a unique monoculture where 99.9% of all the computer users are on Microsoft Windows. This nation is a place where Apple Macintosh users cannot bank online, make any purchases online, or interact with any of the nation's e-government sites online. In fact, Linux users, Mozilla Firefox users and Opera users are also banned from any of these types of transactions because all encrypted communications online in this nation must be done with Active X controls. I travelled to South Korea last fall to learn more about the South Korean Internet market and came away disappointed and frankly stunned. I met with leading businesses in the search market, the music download market, the games market and all reported the same situation- a monoculture of users using MS Windows. The S.
Korean market is in a unique situation where decisions made long ago have created a consumer monoculture which is having unintended repercussions that are affecting anyone with a computer in South Korea. It is a fascinating story because it is true. The history goes back to 1998, when the 128 bit SSL protocol was still not finalized (it was finalized by the IETF as RFC 2246 in Jan. '99.) South Korean legislation did not allow 40 bit encryption for online transactions and the demand for 128 bit encryption was so great that the South Korean government funded (via the Korean Information Security Agency) a block cipher called SEED. SEED is, of course, used nowhere else except South Korea, because every other nation waited for the 128 bit SSL protocol to be finalized and have standardized on that. In the early years of SEED, users downloaded the SEED plugin to their IE or Netscape browsers, either an Active X control or a NSplugin, which was then tied to a certificate issued by a Korean government certificate authority. (Can you see where this is going?) When Netscape lost the browser war, the NSplugin fell out of use and for years, S. Korean users have only had an Active X control with the SEED cipher to do their online banking or commerce or government. So we end up in 2007, 9 years after SEED was created for Korean users, and one legacy of the fall of Netscape is that Korean computer/Internet users only have an Active X control to do any encrypted communication online. So in late 2006, a group of Korean computer/Internet users, Citizens Action Network at Open Web Korea, having documented the problem with accessibility of sites via anything other than Microsoft IE, have decided to sue the Korean government. It gets worse. Remember how Active X controls were and continue to be a significant vector of viruses and malware because Microsoft originally architected Active X to run by default instead of with a user action?
Maliciously programmed websites would be able to automatically install software on users' computers just by visiting a web page in IE 6. In IE 7 and in Vista, Microsoft has re-architected Active X controls in such a way to make them "more safe" by requiring a user action for the control to run. This is obviously impacting every web site and company that uses active X controls on their websites, which include just about every website in Korea that handles any kind of secure transaction. Every online bank, every governmental agency, every ecommerce site. Without enough time to re-architect Korean websites, 3 S. Korean governmental ministries, the Ministry of Information and Communication, the Ministry of Government Administration and Home Affairs, and the Financial Supervisory Service, warned S. Korean users that upgrading to Vista would disable the user from making any secure transaction online. Can you imagine spending thousands of dollars on a new machine (because the requirements of Vista generally require new hardware) and a new OS from Redmond only to be locked out of any secure transaction online? It's Kafkaesque. To add insult to injury, the monopolist who absolutely controls the Korean market for computers won't delay the launch of Vista to allow for Korean websites to re-code their sites. "We've been testing Vista with banks and other service providers since September, but we encountered more delays than we expected. We plan to release the product as scheduled." Absolutely incredible. A related problem is that KISA and Microsoft announce "plans to work together to improve computer security awareness" or "mark anniversary of cooperation with renewed pledge" when in fact the situation in 2007 is no better than it was in 2003 when KISA decided to "work with Microsoft." I can't tell who is the fox and which is the henhouse, but either way, the two should not be near each other.
Another part of the Korea story that I cannot comprehend are articles about Linux in Korea. The Korean Army considering Linux. Kwangju City as "Linux City." If the Korean Army or Kwangju city cannot do any encrypted communications because their operating system of choice does not work with Active X controls, I'm not sure if this is hype or confusion. To get the most depth and perspective on this topic, from the people in Korea who are suing the government, it's best to read the documents at Open Web Korea. This issue with the launch of Vista and IE 7 and the work of thousands and thousands of web programmers in Korea who are feverishly working to reprogram their sites to work with Microsoft's new standards - do they realize that their efforts only bring them back to square 0 - there's no more heterogeneity in the Korean Internet market post-Vista than pre. The problem for Korean websites wasn't competition from MSN Korea, it was their sole dependence on infrastructure from Microsoft. Korea will only get beyond this problem by 1) applying Korean laws on open standards to the certificate authorities, 2) reassigning new certificates which work with open web standards to all Koreans, 3) reprogramming all Korean websites to support 128 bit SSL which will allow for a heterogeneous marketplace of operating systems and web browsers. This is a herculean task and thus Korea stays hostage to Redmond. Fascinating history. Unintended consequences and de-facto monopolies create costs too high to calculate and must be borne without question. 
From rforno at infowarrior.org Fri Jan 26 22:48:36 2007 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 26 Jan 2007 22:48:36 -0500 Subject: [Infowarrior] - China censorship damaged us, Google founders admit Message-ID: China censorship damaged us, Google founders admit http://business.guardian.co.uk/davos2007/story/0,,1999994,00.html Jane Martinson in Davos Saturday January 27, 2007 The Guardian Google's decision to censor its search engine in China was bad for the company, its founders admitted yesterday. Google, launched in 1998 by two Stanford University dropouts, Sergey Brin and Larry Page, was accused of selling out and reneging on its "Don't be evil" motto when it launched in China in 2005. The company modified the version of its search engine in China to exclude controversial topics such as the Tiananmen Square massacre or the Falun Gong movement, provoking a backlash in its core western markets. Asked whether he regretted the decision, Mr Brin admitted yesterday: "On a business level, that decision to censor... was a net negative." The company has only once expressed any regret and never in as strong terms as yesterday. Mr Brin said the company had suffered because of the damage to its reputation in the US and Europe. Last year in a speech in Washington Mr Brin admitted the company had been forced to compromise its principles to operate in China. At the time, he also hinted at a potential reversal of its stance in the country, saying "perhaps now the principled approach makes more sense". From what was said yesterday a policy change seemed unlikely in the near future. Co-founder Larry Page said: "We always consider what to do. But I don't think we as a company should be making decisions based on too much perception." Much of the harm had come from newspaper headlines, he said, which affected perception for most people, who then did not read the actual articles.
Since moving into China, Google has been compared to Microsoft because of its dominant position and power. "We are very sensitive to people talking about us in that way," said Mr Brin. Mr Page described the differences between the two technology companies by saying "we have very open partnerships, we are very clear about being fair with revenues."

Speaking about one of the hot topics of this year's meeting in Davos, Mr Brin said he had decided to offset his carbon emissions after growing concerned about his own use of private jets, despite not really being sure about the efficacy of such programmes. "I was concerned about my private jet travel and whatnot ... I wanted to offset it so I did." Mr Brin said yesterday that he would feel a "bit better about it" by doing something "more specific" but declined to outline what that might be. The company's charitable arm, Google.org, takes an interest in the environment, they said. Both men are known to have driven fuel-efficient Toyota cars.

Exactly what is inside the two men's private jet, however, has become the stuff of dotcom legend after a legal spat between the holding company that owns the Boeing 767 and a designer hired to re-fit it went public last summer. Documents published in US newspapers included plans for a lounge for Eric Schmidt, the chief executive, and two state rooms for the co-founders. There were also calls from the founders for hammocks to be hung from the ceiling of the plane.

Both founders yesterday offered some solace to the newspaper industry, which has been most threatened by the growth of online news providers. Larry Page said: "I believe in the future of newspapers," before admitting that he reads all his news online. His colleague said he read a Sunday newspaper "and it's nice". Rather than suggest paid-for content was doomed, they called for a new model to collect revenues.
"I should probably pay for the Wall Street Journal but I don't because it's a hassle," said Mr Page, who is worth billions. "I'm not worried about the money thing, it's just a hassle."

From rforno at infowarrior.org Sat Jan 27 15:36:27 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 27 Jan 2007 15:36:27 -0500
Subject: [Infowarrior] - N.Korea says South's Web ban violates freedom
Message-ID:

Oh, the irony..........rf

N.Korea says South's Web ban violates freedom
Fri Jan 26, 2007 10:40 AM ET
http://today.reuters.com/news/articlenews.aspx?type=technologyNews&storyid=2007-01-26T154000Z_01_SEO147382_RTRUKOC_0_US-KOREA-NORTH-INTERNET.xml

SEOUL (Reuters) - North Korea said on Friday the South Korean government was violating the public's basic right to information by blocking access to Web sites sympathetic to the North. South Korea has denied access to more than 30 Web sites that it has designated "pro-North Korea" since 2004, including the North's official KCNA news agency's Web service and sites operated outside.

"This is a fascist action against democracy and human rights as it infringes upon the South Koreans' freedom of speech and deprives them of even their right to enjoy the civilization offered by the IT age," the North's official Rodong Sinmun newspaper said. "The above-said actions are as rude as blindfolding people's eyes and stopping their ears and mouths," Rodong Sinmun said in a commentary carried by KCNA news agency. The ban showed South Korea was against reconciliation with the North, the newspaper said.

South Korea's unification ministry said earlier this month that it had no plans to lift the ban. Most North Koreans have limited or no access to computers let alone the Internet, refugees from the North and human rights activists in Seoul have said. South Korea is one of the world's most wired countries. Three-quarters of the population have access to the Internet.
From rforno at infowarrior.org Sun Jan 28 01:08:42 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 28 Jan 2007 01:08:42 -0500
Subject: [Infowarrior] - NASA marks anniversary of Apollo deaths
Message-ID:

Saturday, January 27, 2007 - Last updated 7:55 p.m. PT
http://seattlepi.nwsource.com/national/1501AP_Apollo_1_Fire.html

NASA marks anniversary of Apollo deaths
By MIKE SCHNEIDER
ASSOCIATED PRESS WRITER

CAPE CANAVERAL, Fla. -- It was supposed to be a routine launch pad test. But from the Apollo 1 command module at Pad 34 came a panicked voice saying, "Fire in the cockpit." Exactly 40 years later, the three Apollo astronauts who were killed in that flash fire were remembered Saturday for paving the way for later astronauts to be able to travel to the moon. The deaths of Virgil "Gus" Grissom, Ed White and Roger Chaffee forced NASA to take pause in its space race with the Soviet Union and make design and safety changes that were critical to the agency's later successes.

"I can assure you if we had not had that fire and rebuilt the command module ... we could not have done the Apollo program successfully," said retired astronaut John Young, who flew in Gemini 3 with Grissom in 1965. "So we owe a lot to Gus, and Rog and Ed. They made it possible for the rest of us to do the almost impossible."

The memorial service at the Kennedy Space Center Visitors Complex marked the start of a solemn week for NASA - Sunday is the 21st anniversary of the space shuttle Challenger accident, and Thursday makes four years since the space shuttle Columbia disaster. Chaffee's widow, Martha, and White's son, Edward III, along with NASA associate administrator Bill Gerstenmaier, laid a wreath at the base of the Space Mirror Memorial, a tall granite-finished wall engraved with the names of the Apollo 1, Challenger and Columbia astronauts and seven other astronauts killed in accidents.
Chaffee, 69, remembered feeding her two children hot dogs for dinner that night in 1967 and knowing something was wrong when astronaut Michael Collins showed up at her home to tell her about the accident. "My first reaction was, 'What could have happened? He's not flying,'" Martha Chaffee recalled before the ceremony.

NASA also hadn't considered the countdown drill hazardous, anticipating accidents only in space. Fire rescue and medical teams were not at the launch pad. No procedures had been developed for the type of emergency the Apollo 1 crew faced. The work levels around the spacecraft contained steps, sliding doors and sharp turns that hindered emergency responses. An investigation said the fire most likely started in an area near the floor around some wires between the oxygen panel and the environmental control system. The 100 percent oxygen environment made it highly combustible and internal pressure made it impossible for the astronauts to open the command module's inner hatch. The astronauts died from inhaling toxic gases.

Before his death, Grissom, the second astronaut in space, had been so disappointed with problems in the new spacecraft that at one point he hung a lemon over it, said Lowell Grissom, the astronaut's younger brother. After the tragedy, the command module's hatch was changed so it opened outward, flammable materials in the cabin were replaced, wiring problems were fixed and a mixture of nitrogen and oxygen replaced the all oxygen atmosphere. Apollo 1's legacy contributed to the safety culture at NASA and the successful lunar landings, said Edward White III, whose father conducted the first U.S. spacewalk in 1965. "The safety that came out of Apollo 1 is still here today," he said.

Describing it as "one of the most significant relics in the history of the space program," Lowell Grissom urged that the Apollo 1 spacecraft be moved from a warehouse in Virginia to the launch pad where the astronauts perished. "As we remember their deaths ... let us renew our dedication to the quest for which they died, reaching for the stars for all mankind," Grissom said.

From rforno at infowarrior.org Sun Jan 28 01:52:04 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 28 Jan 2007 01:52:04 -0500
Subject: [Infowarrior] - Cyberspace land grab
Message-ID:

Cyberspace land grab
DOMAIN NAMES BACK IN BUSINESS AS BIG MONEY SEEKS HOT PROPERTY
By Constance Loizos
Mercury News
http://www.siliconvalley.com/mld/siliconvalley/news/local/16552993.htm

You might not think of generic Internet addresses like Carbs.com as the beachfront property of the Web, but plenty of financial heavy-hitters do, and they're snapping up such real estate -- fast. Starbucks Chairman Howard Schultz, billionaire Ross Perot and Richard Rosenblatt, former chief executive of MySpace and its parent, Intermix Media, are just three of those attempting to build sprawling businesses around Web domains. And the list is growing. "As of late 2004, it wasn't obvious to us that you could turn domains into a real business, but that's definitely proving to be the case," said Jeff Horing, a venture capitalist with Insight Venture Partners in New York.

Why are these properties so hot? It owes to a rapidly growing phenomenon known as direct navigation, in which people skip search engines and instead try to find things directly online. The investors are trying to transform generic domains such as Golflink.com into easy-to-find sites that will draw enthusiasts and, consequently, advertisers. Little wonder, given the opportunity. According to the investment bank RBC Capital Markets, direct navigation was expected to generate $650 million in sales in the United States last year, and it estimates the business could hit $800 million this year. The money is largely coming from display advertising at the sites, which is shared with search giants such as Yahoo and Google.
Publicly traded Marchex, a search optimization company, first captured the attention of industry observers when it paid $164 million for the Name Development company -- owner of roughly 100,000 Internet addresses, including Debts.com -- in late 2004. Since then, a number of other, well-funded competitors have sought to roll up domain businesses.

VC interest

Houston-based Internet REIT, for example, owns more than 400,000 domain names and a growing number of overseas addresses and has raised more than $20 million from investors including Perot Investments and Maveron, the Seattle-based venture capital firm founded by Schultz, to keep buying. Richard Rosenblatt, who sold Intermix to News Corp. in 2005 for $580 million, is also amassing hundreds of thousands of addresses, using $220 million that his 10-month-old start-up, Demand Media in Santa Monica, has raised from several venture capital firms.

Then there's Internet Real Estate Group, whose first foray into Internet addresses came in 1998, when it spent $80,000 to acquire 80 percent of Beer.com from a 20-year-old who was "mostly posting photos of his friends throwing up beer," said company co-founder Andrew Miller. Despite making more than $20 million since then -- including by selling Beer.com to a Belgian brewery for $7 million -- Internet Real Estate Group has also grown more interested in buying and keeping domains than in selling them and -- surprise -- it is now trying to raise upward of $100 million from VCs and private equity firms to do exactly that.

Hot in demand

It might want to hurry things along. Buying domains "was a great opportunity a year ago, but the price of domains is beginning to become much more efficient," said Roger Lee, a venture capitalist with Battery Ventures in Menlo Park. Another looming question about such roll-ups is whether people will keep coming. Demand Media is building a platform that allows for user-generated content and social networking across its sundry sites.
Yet most of Demand Media's sites are little more than computer-generated directories. It's a risky strategy, says analyst Bryce Lane of the Minneapolis-based investment bank Mercati Group, who recently published a report on the feverish activity around domains. "There's tons of demand right now for traffic, but populating these sites with B-minus content or worse could turn people off from visiting at all."

But investor appetite for these sites doesn't appear to be disappearing anytime soon. Given direct navigation's ability to attract at least some traffic and thus some advertising revenue for practically free, it may be too efficient to fail. "Right now, there are still a lot of people and ad dollars coming online," Horing said. "I don't think this is going to play out too badly for the speculators."

Contact Constance Loizos at cloizos at mercurynews.com or (408) 920-5920.

From rforno at infowarrior.org Sun Jan 28 12:31:43 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 28 Jan 2007 12:31:43 -0500
Subject: [Infowarrior] - YouTube to become YouProfit
Message-ID:

YouTube to become YouProfit
By Ruth Elkins
Published: 28 January 2007
http://news.independent.co.uk/business/news/article2192967.ece

The internet video site YouTube says it plans to start sharing its revenue with users. Chad Hurley, co-founder of the site, said YouTube is working on developing ways for its users, who upload videos on to the site, to be paid for the content they have created. Speaking at the World Economic Forum in Davos yesterday, Hurley said: "We are getting an audience that is large enough to give us an opportunity to support and foster creativity through sharing revenue with our users. So, in the coming months, we are going to be opening that up." Hurley, 30, who became a multimillionaire when YouTube was bought for $1.65bn (£84m) by the search engine Google last November, did not say how such a payment system would work or how much money users would receive.
YouTube is not the first site to offer money to content providers. In October 2005, Revver, which like YouTube offers video clips online, announced plans to attach advertising to user-submitted videos and give their content creators an equal cut of the profits.

From rforno at infowarrior.org Sun Jan 28 19:51:17 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 28 Jan 2007 19:51:17 -0500
Subject: [Infowarrior] - Blog: SpamHaus - Irresponsible Net Citizens
Message-ID:

SpamHaus - Irresponsible Net Citizens

I think in general that spam blocking databases are a good thing. I am as frustrated with spam as the next person. However, I think SpamHaus is irresponsible in the service they provide for the simple reason that they abuse their power and refuse to implement levels of granularity in their database. For example, right now my organization the Terrorism Research Center is being blocked by SpamHaus. We've operated on the same single static IP address for five years and we have never had a complaint against our IP address with SpamHaus. So why are we being blocked? Because according to SpamHaus we live in a bad Internet neighborhood and should be blocked because another IP address in our same subnet sent a direct mailing for Staples. Instead of just blocking the IP address engaging in spamming, they are blocking the whole subnet!

< - >

http://blog.devost.net/2007/01/28/spamhaus-irresponsible-net-citizens/

From rforno at infowarrior.org Mon Jan 29 09:34:58 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 29 Jan 2007 09:34:58 -0500
Subject: [Infowarrior] - Adobe submits PDF standard to ISO
Message-ID:

Adobe Systems turned over the full Portable Document Format (PDF) 1.7 specification to AIIM, the Enterprise Content Management Association, for publication by the International Standards Organization (ISO). Yep, that's a mouthful. Why would Adobe bother? The company claims that this is simply the "next logical step" for the PDF format.
However, it is more likely that the main reason for the move is Microsoft's competing XPS format. Both technologies allow customers to print documents without needing the actual application that created it. Adobe is just taking precautionary steps to make sure XPS doesn't make PDF disappear.

"We're handing it over to a group that will eventually drive it to become a recognized ISO standard. We're doing it because we feel it's the next logical extension of where PDF has been in the past and where it needs to go in the future. This move, making the entire PDF specification an ISO standard, will go to allay concerns that some people have voiced that at some point in the future it could go away," said Sarah Rosenbaum, director of product management at Adobe.

"By releasing the full PDF specification for ISO standardization, we are reinforcing our commitment to openness. As governments and organizations increasingly request open formats, maintenance of the PDF specification by an external and participatory organization will help continue to drive innovation and expand the rich PDF ecosystem that has evolved over the past 15 years," said Kevin Lynch, chief software architect and SVP of the platform business unit at Adobe.

http://www.neowin.net/index.php?act=view&id=37645

From rforno at infowarrior.org Mon Jan 29 13:34:33 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 29 Jan 2007 13:34:33 -0500
Subject: [Infowarrior] - RFI: Online brokerages
Message-ID:

At the gym today, I got into a discussion with a fellow looking into online brokerage....not using one myself, I told him I'd pass the request for info/opinions around and see what others might have to say on the matter.

That said -- what's your preferred online brokerage? Any difference in performance between PC and Mac users? Any he should totally-avoid?

I'll be happy to post an aggregate (and anonymized) list of any feedback to the list so y'all can share in whatever insight may be provided.
-rf

From rforno at infowarrior.org Mon Jan 29 13:49:16 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 29 Jan 2007 13:49:16 -0500
Subject: [Infowarrior] - Global court confirms charges for first trial
Message-ID:

Global court confirms charges for first trial
Mon Jan 29, 2007 10:00 AM ET
http://today.reuters.com/news/articlenews.aspx?type=topNews&storyid=2007-01-29T150003Z_01_L29142440_RTRUKOC_0_US-WARCRIMES-CONGO.xml&src=rss&rpc=22
By Emma Thomasson

THE HAGUE (Reuters) - The International Criminal Court (ICC) ruled on Monday there was enough evidence against a Congolese militiaman to launch the new court's first trial. The decision to confirm charges and pave the way for a trial against Thomas Lubanga, accused of recruiting child soldiers, is a major landmark for the ICC, set up as the first permanent global war crimes court in 2002. "The chamber confirms the charges brought by the prosecution," Judge Claude Jorda told the court. "Thomas Lubanga Dyilo should be committed for trial."

Democratic Republic of Congo -- rich in gold, diamonds and timber -- was the battleground for rebels, local factions, tribes and several neighboring countries in a 1998-2003 war in which 4 million people died, mainly from hunger and disease. Prosecutors say Lubanga, the founder and leader of a militia in the Ituri district, trained children as young as 10 to kill, made them kill and let them be killed in 2002-03. The 46-year-old, who holds a degree in psychology, has denied the charges. His lawyer has accused the prosecution of withholding information he needs to prepare the defense.

Lubanga is the only suspect to be delivered so far to the court that issued its first arrest warrants in 2005 for leaders of Uganda's Lord's Resistance Army (LRA), who have led a 20-year insurgency that has killed tens of thousands. ICC Chief Prosecutor Luis Moreno-Ocampo also plans to charge suspects soon for atrocities in Sudan's Darfur region, which the U.N.
Security Council asked him to investigate in 2005. The United States has fiercely opposed the ICC, fearing it would be used for politically motivated prosecutions of its soldiers and citizens, but its hostility to the court is waning and it abstained when the Security Council voted on Darfur.

Lubanga, leader of the Union of Congolese Patriots (UPC), an ethnic militia now registered as a political party, is accused of using children to kill members of the Lendu ethnic group. Ethnic violence in the Ituri region between the Hema and Lendu and clashes between militia groups vying for control of mines and taxation have killed 60,000 people since 1999. Up to 30,000 children were associated with Congo's armed groups at the height of the war. The United Nations estimates there are as many as 300,000 child soldiers worldwide. The ICC prosecutors' indictment said the children, who often joined the militia because of their desperate need for food or desire to avenge their murdered families, were subject to systematic military training and severe discipline.

The ICC is separate from the International Court of Justice, the highest legal authority of the United Nations known as the World Court which is also based in The Hague and which was set up in 1946 to resolve disputes between states.

From rforno at infowarrior.org Mon Jan 29 14:11:45 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 29 Jan 2007 14:11:45 -0500
Subject: [Infowarrior] - UK looking at X-Ray 'naked' street surveillance
Message-ID:

http://www.thesun.co.uk/article/0,,2-2007040610,00.html

OFFICIALS are bracing themselves for a storm of public outrage over their controversial X-ray cameras scheme. As part of the most shocking extension of Big Brother powers ever planned here, lenses in lampposts would snap "naked" pictures of passers-by to trap terror suspects.
The proposal is contained in leaked documents drawn up by the Home Office and presented to PM Tony Blair's working group on Security, Crime and Justice. But the prospect of the State snooping on individuals' most private parts is certain to spark national fury. And officials are battling to find a way of dealing with that reaction.

[Photo caption: Blair ... working group]

A January 17 memo seen by The Sun discusses the cameras, which can see through clothes. It says "detection of weapons and explosives will become easier" and says cameras could be deployed in street furniture. It adds: "Some technologies used in airports have already been used as part of police operations looking for drugs and weapons in nightclubs. These and others could be developed for a much more widespread use in public spaces. Street furniture could routinely house detection systems that would indicate the likely presence of a gun, for example."

But the document goes on to reveal fears at the public reaction. Officials have agreed one solution would be to allow only women to monitor female subjects - although they admit this would be "very problematic" in crowds. The memo says: "The social acceptability of routine intrusive detection measures and the operational response required in the event of an alarm are likely to be limiting factors. Privacy is an issue because the machines see through clothing."

Besides cameras, officials are also considering systems known as millimetre wave imaging and THz imaging and spectroscopy. All are routinely used in airports and other secure places to detect explosives and weapons in luggage and on people.

[Photo caption: Rumbled ... US system 'strip-searches' smugglers]

Air passengers are now chosen at random for full X-ray examinations - and must agree to it. Technology could also be used to halt theft, with fingerprint scanners fitted to many items. Elsewhere, tagged offenders could be sent electronic pulses to remind them not to re-offend.
Cops would also get the power to build a database of everyone in the land. Three-dimensional CCTV pictures would be coupled with records of people's mobile phones and even their travel cards to get details of their movements and habits. Facial recognition systems to help track individuals' movements are also being considered.

From rforno at infowarrior.org Mon Jan 29 14:59:45 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 29 Jan 2007 14:59:45 -0500
Subject: [Infowarrior] - Vista's Fine Print Raises Red Flags
Message-ID:

Vista's Fine Print Raises Red Flags
http://www.michaelgeist.ca/content/view/1640/159/
Monday January 29, 2007
Appeared in the Toronto Star on January 29, 2007 as Vista's Legal Fine Print Raises Red Flags

Vista, the latest version of Microsoft's Windows operating system, makes its long awaited consumer debut tomorrow. The first major upgrade in five years, Vista incorporates a new, sleek look and features a wide array of new functionality such as better search tools and stronger security. The early reviews have tended to damn the upgrade with faint praise, however, characterizing it as the best, most secure version of Windows, yet one that contains few, if any, revolutionary features.

While those reviews have focused chiefly on Vista's new functionality, for the past few months the legal and technical communities have dug into Vista's "fine print." Those communities have raised red flags about Vista's legal terms and conditions as well as the technical limitations that have been incorporated into the software at the insistence of the motion picture industry. The net effect of these concerns may constitute the real Vista revolution as they point to an unprecedented loss of consumer control over their own personal computers. In the name of shielding consumers from computer viruses and protecting copyright owners from potential infringement, Vista seemingly wrestles control of the "user experience" from the user.
Vista's legal fine print includes extensive provisions granting Microsoft the right to regularly check the legitimacy of the software and holds the prospect of deleting certain programs without the user's knowledge. During the installation process, users "activate" Vista by associating it with a particular computer or device and transmitting certain hardware information directly to Microsoft. Even after installation, the legal agreement grants Microsoft the right to revalidate the software or to require users to reactivate it should they make changes to their computer components. In addition, it sets significant limits on the ability to copy or transfer the software, prohibiting anything more than a single backup copy and setting strict limits on transferring the software to different devices or users.

Vista also incorporates Windows Defender, an anti-virus program that actively scans computers for "spyware, adware, and other potentially unwanted software." The agreement does not define any of these terms, leaving it to Microsoft to determine what constitutes unwanted software. Once operational, the agreement warns that Windows Defender will, by default, automatically remove software rated "high" or "severe," even though that may result in other software ceasing to work or mistakenly result in the removal of software that is not unwanted.

For greater certainty, the terms and conditions remove any doubt about who is in control by providing that "this agreement only gives you some rights to use the software. Microsoft reserves all other rights." For those users frustrated by the software's limitations, Microsoft cautions that "you may not work around any technical limitations in the software."

Those technical limitations have proven to be even more controversial than the legal ones. Last December, Peter Gutmann, a computer scientist at the University of Auckland in New Zealand released a paper called "A Cost Analysis of Windows Vista Content Protection."
The paper pieced together the technical fine print behind Vista, unraveling numerous limitations in the new software seemingly installed at the direct request of Hollywood interests. Gutmann focused primarily on the restrictions associated with the ability to play back high-definition content from the next-generation DVDs such as Blu-Ray and HD-DVD (referred to as "premium content"). He noted that Vista intentionally degrades the picture quality of premium content when played on most computer monitors.

Gutmann's research suggests that consumers will pay more for less with poorer picture quality yet higher costs since Microsoft needed to obtain licenses from third parties in order to access the technology that protects premium content (those license fees were presumably incorporated into Vista's price). Moreover, he calculated that the technological controls would require considerable consumption of computing power with the system conducting 30 checks each second to ensure that there are no attacks on the security of the premium content.

Microsoft responded to Gutmann's paper earlier this month, maintaining that content owners demanded the premium content restrictions. According to Microsoft, "if the policies [associated with the premium content] required protections that Windows Vista couldn't support, then the content would not be able to play at all on Windows Vista PCs." While that may be true, left unsaid is Microsoft's ability to demand a better deal on behalf of its enormous user base or the prospect that users could opt-out of the technical controls.

When Microsoft introduced Windows 95 more than a decade ago, it adopted the Rolling Stones "Start Me Up" as its theme song. As millions of consumers contemplate the company's latest upgrade, the legal and technological restrictions may leave them singing "You Can't Always Get What You Want."

Michael Geist holds the Canada Research Chair in Internet and E-commerce Law at the University of Ottawa, Faculty of Law.
He can be reached at mgeist at uottawa.ca or online at www.michaelgeist.ca.

From rforno at infowarrior.org Mon Jan 29 15:03:42 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 29 Jan 2007 15:03:42 -0500
Subject: [Infowarrior] - Microsoft to audit your company's software licenses
Message-ID:

Microsoft to audit your company's software licenses
By Colin Barker
http://news.com.com/Microsoft+to+audit+your+companys+software+licenses/2100-1012_3-6154268.html
Story last modified Mon Jan 29 11:36:49 PST 2007

Microsoft could face a user revolt as it launches a campaign in the United Kingdom to get mid-range companies to submit to a software audit. Those who refuse risk having their details being handed to the Business Software Alliance, which will execute follow-up interviews that could result in fines and other penalties. The company revealed on Monday that it is launching the campaign, which is aimed at companies that have not already joined similar licensing schemes such as the controversial Windows Genuine Advantage.

According to Ram Dhaliwal, licensing program manager for Microsoft UK, the process will involve sending out questionnaires to all of Microsoft's mid-range customers that are not part of one of Microsoft's licensing schemes and that are of a certain size. "We are looking at companies with around 350 licenses," Dhaliwal said. "We are dealing with big companies and the smallest companies in other areas."

According to Dhaliwal, Microsoft wants to take "what (its customers) are using, and what they have paid for" and match them together. This would show if a customer had more employees using a piece of software than they have paid for, or if some user licenses were going unused. This process normally falls under the heading of Software Asset Management (SAM) but, as Dhaliwal explained, the company has come up with another name. "We are calling this Software Audit and Asset Management or SAAM," he said.
Once Microsoft receives the information it can then "get a view" of customers, Dhaliwal said. He insisted that Microsoft wasn't simply planning to use this view to see ways of collecting more license revenue from companies. "Where customers have gone through the audit process, we find that almost 30 percent will discover that they are overpaying for licenses that are unused. They typically order something and pay for it, and then find they do not have as many users as they thought they could," said Dhaliwal. But users that have underpaid would be expected to pay for the extra licenses they are found to need, Dhaliwal admitted.

Users who choose to ignore Microsoft's questionnaires face a three-stage process leading up to possible prosecution by the Business Software Alliance (BSA), Dhaliwal said. After being given two weeks to return their completed questionnaires, Microsoft would again contact users to remind them. If there is still no response, there would be an e-mail warning that the company faced possible penalties, he said. After five days, if there was still no response, the matter would be handed over to the BSA.

"I see this process as being very transparent," Dhaliwal said. "We know from our records what people have, we want to know what they use and then match the two together. That's all. It is just part of the SAAM process."

Colin Barker of ZDNet UK reported from London.
From rforno at infowarrior.org Mon Jan 29 17:16:31 2007 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 29 Jan 2007 17:16:31 -0500 Subject: [Infowarrior] - Watch Out for Online Ads That Watch You Message-ID: Watch Out for Online Ads That Watch You Dan Tynan, Mon Jan 29, 2:00 PM ET http://news.yahoo.com/s/pcworld/128272&printer=1;_ylt=AicP0ZQN7J7S3ysT01JlGi4RSLMF;_ylu=X3oDMTA3MXN1bHE0BHNlYwN0bWE- [Photo caption: You can keep at least some behavioral-ad cookies at bay by opting out of the services at the Network Advertising Initiative's site.] Online ads are not only booming--and scrolling, spinning, shaking, shouting, and singing--they are also watching you even as you are viewing them, capturing your click patterns to create more detailed profiles than traditional browser cookies do. Behavioral marketing networks such as BlueLithium, Revenue Science, and Tacoda display ads based on your browsing habits. Spending on these behavioral ads will grow from $1.5 billion in 2007 to more than $2 billion next year, according to eMarketer, a market research firm. And the company expects video ads to account for more than a third of that total. The networks say that behavioral ads are more effective for advertisers, and usually less intrusive for consumers, than are standard pop-ups or adware. But the potential for abuse is troubling, privacy advocates claim, and the vast majority of Netizens have no idea that their actions are being tracked so closely. Visit any of the 1000-plus sites on BlueLithium's ad network, and your PC will get a cookie that records the Web pages you visit, the ads you click, and whether you bought anything. The network then delivers ads based on your interests: Shop for cell phones at one site, and you might see ads for handsets at another, unrelated site, while someone with other interests would see a different ad. Unless you keep a close watch on your browser cookies, though, you'd never know you were being targeted. 
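The cross-site tracking mechanism described above (one cookie set from the ad network's own domain, sent back from every partner site, so that a visit to a phone shop steers the ad shown on an unrelated news site), as an added example that is not part of the article and not code from BlueLithium, Tacoda or any real network. The ad-network domain ads.tracker.example, the sites visited and the keyword-to-ad rule are constructed assumptions. It also shows the two checks a reader would want: listing the cookies that came from a domain the user never typed in, and what an NAI-style opt-out cookie changes.

```python
"""Toy model of cross-site behavioural tracking via a third-party cookie.

Added example, not code from the article or from any real ad network. The
ad-network domain, the sites visited and the keyword-to-ad rule are all
constructed for the demo (assumptions).
"""
from dataclasses import dataclass, field
from itertools import count

AD_DOMAIN = "ads.tracker.example"  # hypothetical ad-network domain (assumption)

# Hypothetical interest rule: a keyword seen in a visited path selects an ad.
INTEREST_ADS = {"phones": "handset-ad", "cars": "car-loan-ad"}


@dataclass
class Browser:
    """Minimal cookie jar keyed by the domain that set each cookie."""
    jar: dict = field(default_factory=dict)

    def cookies_for(self, domain):
        return self.jar.setdefault(domain, {})

    def visit(self, site, path, network, action="view"):
        # The site itself sets an ordinary first-party cookie ...
        self.cookies_for(site).setdefault("session", f"s-{site}")
        # ... and its embedded ad tag then makes a request to the ad network,
        # which learns the page being viewed plus any cookie it set earlier
        # on some other partner site.
        return network.serve(self, site, path, action)


class AdNetwork:
    def __init__(self):
        self._ids = count(1)
        self.profiles = {}  # uid -> list of (site, path, action)

    def serve(self, browser, site, path, action):
        cookies = browser.cookies_for(AD_DOMAIN)
        if cookies.get("optout") == "1":
            return "generic-ad"  # opt-out cookie present: assign no id, record nothing
        uid = cookies.get("uid")
        if uid is None:
            uid = f"u{next(self._ids)}"
            cookies["uid"] = uid  # third-party cookie, sent back from every partner site
        history = self.profiles.setdefault(uid, [])
        history.append((site, path, action))
        return self.pick_ad(history)

    @staticmethod
    def pick_ad(history):
        # Most recent interest wins; it may have been recorded on a different site.
        for _site, path, _action in reversed(history):
            for keyword, ad in INTEREST_ADS.items():
                if keyword in path:
                    return ad
        return "generic-ad"


def third_party_cookies(browser, visited_sites):
    """Cookies set by a domain the user never navigated to directly."""
    return sorted(
        (domain, name, value)
        for domain, cookies in browser.jar.items()
        if domain not in visited_sites
        for name, value in cookies.items()
    )


def opt_out(browser):
    """Replace the tracking id with an opt-out marker, as an NAI-style opt-out does."""
    cookies = browser.cookies_for(AD_DOMAIN)
    cookies.pop("uid", None)
    cookies["optout"] = "1"


def demo():
    net = AdNetwork()
    browser = Browser()
    first = browser.visit("shop.example", "/phones/nokia", net)  # shopping for handsets
    second = browser.visit("news.example", "/sports", net)       # unrelated site
    leaked = third_party_cookies(browser, {"shop.example", "news.example"})
    opt_out(browser)
    third = browser.visit("shop.example", "/phones/nokia", net)
    return first, second, leaked, third, len(net.profiles)


if __name__ == "__main__":
    print(demo())
```

The profile is keyed only by the random uid, which is the sense in which the networks call the data anonymous; the moment anything ties that uid to a name (a login on a partner site, an order form), the whole history becomes personal data. Note also that the opt-out is itself a cookie: clearing all cookies removes the opt-out along with the tracking id, and the next ad request starts a fresh profile.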
BlueLithium chief marketing officer Dakota Sullivan declines to name any of the company's clients, but says that they include 70 of the 100 most popular sites. Sneaky Cookies Last November, the Center for Digital Democracy and the U.S. Public Interest Research Group filed a 50-page complaint with the Federal Trade Commission, claiming that such techniques by behavioral ad networks were unfair and deceptive marketing tactics. "There's nothing wrong with serving an ad targeted to what users are interested in," says Jeff Chester, the CDD's executive director. "But you need to tell consumers exactly what you're doing and get their permission before you follow them from site to site." Shortly after the complaint was filed, Tacoda said that it would periodically run ads on its network disclosing how it uses tracking cookies, and that it would set the cookies to expire after a year. The Tacoda site features a prominent link to the Network Advertising Initiative's opt-out page, where consumers can turn off the tracking cookies from Tacoda, Revenue Science, and five other online ad networks. NAI executive director Trevor Hughes says that, in addition, consumers can protect themselves by reading privacy policies and by carefully managing their cookies. Revenue Science chief executive officer Bill Gossman says the way his company captures Web surfing data makes it "nearly impossible" to merge clicks with users' personal information. "If a new corporate owner, the government, or anyone else asked us to provide data on an individual user, we most likely could not do so," he says. BlueLithium's Sullivan claims that linking a person to a surfing history would be relatively easy for companies with information on both, but doing so would ignite a firestorm of public criticism. 
Database Risk As Web entities continue to consolidate and corporate giants such as Microsoft enter the behavioral ad business, consumer advocates fear that the razor-thin boundaries between anonymous clickstreams and personally identifiable data could dissolve. The risk? "Once a database exists, people often dream up ways to use it," says Peter Swire, an Ohio State University law professor and former privacy advisor to the Clinton administration. "Notice and effective choice by consumers are the way to go." Dan Tynan From rforno at infowarrior.org Mon Jan 29 22:31:36 2007 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 29 Jan 2007 22:31:36 -0500 Subject: [Infowarrior] - GoDaddy, Meet NoDaddy Message-ID: GoDaddy, Meet NoDaddy http://blog.wired.com/27bstroke6/2007/01/godaddy_meet_no.html In the wake of GoDaddy's one-minute's-notice shutdown of his site last week, Fyodor has launched an anti-GoDaddy website at NoDaddy.com. The previous owner of NoDaddy.com turned down a cash offer and donated the domain to the GoDaddy Sucks cause, Fyodor says. "I made an offer to buy the domain from the owner, thinking I didn't have much hope because .com domains are so expensive now. But he had such bad experiences with GoDaddy that he refused money and donated the domain." The Internet Archive shows the domain was previously used for gay male porn. The question now, What will GoDaddy do? 1. Send Fyodor a misguided lawyer letter claiming the site is a trademark violation likely to confuse consumers. 2. Admit it made a mistake in shutting down a popular computer security website with less than a minute's notice at MySpace's request. 3. Nothing 4. Phone Fyodor's new registrar, DirectNIC, and ask them to take down the site, or, as it will henceforth be known, "Pull a GoDaddy." 
From rforno at infowarrior.org Mon Jan 29 22:39:25 2007 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 29 Jan 2007 22:39:25 -0500 Subject: [Infowarrior] - Bush Directive Increases Sway on Regulation Message-ID: January 30, 2007 Bush Directive Increases Sway on Regulation By ROBERT PEAR http://www.nytimes.com/2007/01/30/washington/30rules.html?ei=5094&en=f7bdc9f4cbb28c31&hp=&ex=1170133200&partner=homepage&pagewanted=print WASHINGTON, Jan. 29 -- President Bush has signed a directive that gives the White House much greater control over the rules and policy statements that the government develops to protect public health, safety, the environment, civil rights and privacy. In an executive order published last week in the Federal Register, Mr. Bush said that each agency must have a regulatory policy office run by a political appointee, to supervise the development of rules and documents providing guidance to regulated industries. The White House will thus have a gatekeeper in each agency to analyze the costs and the benefits of new rules and to make sure the agencies carry out the president's priorities. This strengthens the hand of the White House in shaping rules that have, in the past, often been generated by civil servants and scientific experts. It suggests that the administration still has ways to exert its power after the takeover of Congress by the Democrats. The White House said the executive order was not meant to rein in any one agency. But business executives and consumer advocates said the administration was particularly concerned about rules and guidance issued by the Environmental Protection Agency and the Occupational Safety and Health Administration. In an interview on Monday, Jeffrey A. Rosen, general counsel at the White House Office of Management and Budget, said, "This is a classic good-government measure that will make federal agencies more open and accountable." 
Business groups welcomed the executive order, saying it had the potential to reduce what they saw as the burden of federal regulations. This burden is of great concern to many groups, including small businesses, that have given strong political and financial backing to Mr. Bush. Consumer, labor and environmental groups denounced the executive order, saying it gave too much control to the White House and would hinder agencies' efforts to protect the public. Typically, agencies issue regulations under authority granted to them in laws enacted by Congress. In many cases, the statute does not say precisely what agencies should do, giving them considerable latitude in interpreting the law and developing regulations. The directive issued by Mr. Bush says that, in deciding whether to issue regulations, federal agencies must identify "the specific market failure" or problem that justifies government intervention. Besides placing political appointees in charge of rule making, Mr. Bush said agencies must give the White House an opportunity to review "any significant guidance documents" before they are issued. The Office of Management and Budget already has an elaborate process for the review of proposed rules. But in recent years, many agencies have circumvented this process by issuing guidance documents, which explain how they will enforce federal laws and contractual requirements. Peter L. Strauss, a professor at Columbia Law School, said the executive order "achieves a major increase in White House control over domestic government." "Having lost control of Congress," Mr. Strauss said, "the president is doing what he can to increase his control of the executive branch." Representative Henry A. Waxman, Democrat of California and chairman of the Committee on Oversight and Government Reform, said: "The executive order allows the political staff at the White House to dictate decisions on health and safety issues, even if the government's own impartial experts disagree. 
This is a terrible way to govern, but great news for special interests." Business groups hailed the initiative. "This is the most serious attempt by any chief executive to get control over the regulatory process, which spews out thousands of regulations a year," said William L. Kovacs, a vice president of the United States Chamber of Commerce. "Because of the executive order, regulations will be less onerous and more reasonable. Federal officials will have to pay more attention to the costs imposed on business, state and local governments, and society." Under the executive order, each federal agency must estimate "the combined aggregate costs and benefits of all its regulations" each year. Until now, agencies often tallied the costs and the benefits of major rules one by one, without measuring the cumulative effects. Gary D. Bass, executive director of O.M.B. Watch, a liberal-leaning consumer group that monitors the Office of Management and Budget, criticized Mr. Bush's order, saying, "It will result in more delay and more White House control over the day-to-day work of federal agencies." "By requiring agencies to show a 'market failure,'" Dr. Bass said, "President Bush has created another hurdle for agencies to clear before they can issue rules protecting public health and safety." Wesley P. Warren, program director at the Natural Resources Defense Council, who worked at the White House for seven years under President Bill Clinton, said, "The executive order is a backdoor attempt to prevent E.P.A. from being able to enforce environmental safeguards that keep cancer-causing chemicals and other pollutants out of the air and water." Business groups have complained about the proliferation of guidance documents. David W. Beier, a senior vice president of Amgen, the biotechnology company, said Medicare officials had issued such documents "with little or no public input." Hugh M. 
O'Neill, a vice president of the pharmaceutical company Sanofi-Aventis, said guidance documents sometimes undermined or negated the effects of formal regulations. In theory, guidance documents do not have the force of law. But the White House said the documents needed closer scrutiny because they "can have coercive effects" and "can impose significant costs" on the public. Many guidance documents are made available to regulated industries but not to the public. Paul R. Noe, who worked on regulatory policy at the White House from 2001 to 2006, said such aberrations would soon end. "In the past, guidance documents were often issued in the dark," Mr. Noe said. "The executive order will ensure they are issued in the sunshine, with more opportunity for public comment." Under the new White House policy, any guidance document expected to have an economic effect of $100 million a year or more must be posted on the Internet, and agencies must invite public comment, except in emergencies in which the White House grants an exemption. The White House told agencies that in writing guidance documents, they could not impose new legal obligations on anyone and could not use "mandatory language such as 'shall,' 'must,' 'required' or 'requirement.'" The executive order was issued as White House aides were preparing for a battle over the nomination of Susan E. Dudley to be administrator of the Office of Information and Regulatory Affairs at the Office of Management and Budget. President Bush first nominated Ms. Dudley last August. The nomination died in the Senate, under a barrage of criticism from environmental and consumer groups, which said she had been hostile to government regulation. Mr. Bush nominated her again on Jan. 9. With Democrats in control, the Senate appears unlikely to confirm Ms. Dudley. But under the Constitution, the president could appoint her while the Senate is in recess, allowing her to serve through next year. Some of Ms. 
Dudley's views are reflected in the executive order. In a primer on regulation written in 2005, while she was at the Mercatus Center of George Mason University in Northern Virginia, Ms. Dudley said that government regulation was generally not warranted "in the absence of a significant market failure." She did not return calls seeking comment on Monday. From rforno at infowarrior.org Mon Jan 29 22:41:55 2007 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 29 Jan 2007 22:41:55 -0500 Subject: [Infowarrior] - Nuclear agency: Air defenses impractical Message-ID: Nuclear agency: Air defenses impractical http://news.yahoo.com/s/ap/20070130/ap_on_go_ot/reactor_security;_ylt=AiCBz4hqtx1pResnTW.S4X6s0NUE;_ylu=X3oDMTA2Z2szazkxBHNlYwN0bQ-- By H. JOSEF HEBERT, Associated Press Writer WASHINGTON - Making nuclear power plants crash-proof to an airliner attack by terrorists is impracticable and it's up to the military to avert such an assault, the government said Monday. The Nuclear Regulatory Commission, in a revised security policy, directed nuclear plant operators to focus on preventing radiation from escaping in case of such an attack and to improve evacuation plans to protect public health and safety. "The active protection against airborne threats is addressed by other federal organizations, including the military," the NRC said in a statement. The agency rejected calls by some nuclear watchdog groups that the government establish firm no-fly zones near reactors or that plant operators build "lattice-like" barriers to protect reactors, or be required to have anti-aircraft weapons on site to shoot down an incoming plane. The NRC, in a summary of the mostly secret security plan, said such proposals were examined, but that it was concluded the "active protection" against an airborne threat rests with organizations such as the military or the Federal Aviation Administration. It said that various mitigation strategies required of plant operators -- 
such as radiation protection measures and evacuation plans -- "are sufficient to ensure adequate protection of the public health and safety" in case of an airborne attack. The commission unanimously approved the plan, which has been the subject of internal discussions for 15 months, in a 5-0 vote at a brief meeting without discussion. "Nuclear power plants are inherently robust structures that our studies show provide adequate protection in a hypothetical attack by an airplane," NRC Chairman Dale Klein said in a statement, adding that plant operators already must be able to manage large fires or explosions, no matter the cause. Klein called the new rule "only one piece" of an effort to enhance reactor security and said the NRC will continue to examine and discuss the issue of airborne threats and take additional actions if found to be necessary. The defense plan, formally known as the Design Basis Threat, spells out what type of attack force the government believes might target a commercial power reactor and what its operator must be capable of defending against. While details are sketchy because of security concerns, the plan requires defense against a relatively small force, perhaps no more than a half-dozen attackers, but that they could come from multiple directions including by water and could include suicide teams. The plan, which formally approves many of the procedures that have long been in place, reflects the increased concerns raised by the Sept. 11, 2001, terrorist attacks. It also includes measures to address cyber attacks, according to the NRC. Some members of Congress and nuclear watchdog groups have argued that the requirements fall short of what is needed, given what was learned by the Sept. 11 attacks on the twin towers in New York and at the Pentagon. These critics have argued that defenders of a reactor should be ready to face up to 19 attackers -- as was the case on Sept. 11 -- 
and expect them to have rocket-propelled grenades, so-called "platter" explosive charges and .50-caliber armor-piercing ammunition. The NRC does not assume such weapons being used and rejected the idea of a 19-member attack force, maintaining that the Sept. 11 attacks actually were four separate attacks, each by four or five terrorists. Sen. Barbara Boxer, D-Calif., said that NRC appears not to have followed the direction of Congress "to ensure that our nuclear power plants are protected from air- or land-based terrorist threats" of the magnitude demonstrated on Sept. 11. The NRC "has missed an opportunity to provide the public with a real solution to the nuclear reactor security problem," said Rep. Edward Markey, D-Mass., a frequent critic of the nuclear industry and the NRC. Daniel Hirsch, president of the Community to Bridge the Gap, a California-based nuclear watchdog group that had urged the NRC to require physical barriers to keep planes from hitting reactors, called the security measures "irresponsible to the extreme." "Rather than upgrading protections, (the NRC plan) merely codifies the status quo, reaffirming the existing, woefully inadequate security measures already in place at the nation's reactors," said Hirsch. NRC officials have emphasized that the defense plan should require what is "reasonable" to be expected of a civilian security force at the 103 commercial nuclear power reactors. In an unclassified summary of the DBT, the NRC maintains that studies "confirm the low likelihood" that an aircraft crashing into a reactor will damage the reactor core and release radioactivity, affecting public health and safety. "Even in the unlikely event of a radiological release due to a terrorist use of a large aircraft against a nuclear power plant, the studies indicate that there would be time to implement the required onsite mitigating actions," says the summary. 
___ On the Net: Nuclear Regulatory Commission: http://www.nrc.gov Nuclear Energy Institute: http://www.nei.org From rforno at infowarrior.org Mon Jan 29 22:52:29 2007 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 29 Jan 2007 22:52:29 -0500 Subject: [Infowarrior] - High-Tech Army Rehab Center Opens Message-ID: (amazingly, it's totally privately-funded.........rf) High-Tech Army Rehab Center Opens http://www.washingtonpost.com/wp-dyn/content/article/2007/01/29/AR2007012900188_pf.html By MICHELLE ROBERTS The Associated Press Monday, January 29, 2007; 7:56 PM SAN ANTONIO -- Of the roughly 20,000 soldiers injured since the start of the Iraq war, more than 500 have lost a limb -- many of them in roadside bombings. On Monday, a $50 million high-tech rehabilitation center opened that is designed to serve the growing number of soldiers who return from war as amputees or with severe burns. The privately funded Center for the Intrepid includes a rock-climbing wall, a wave pool and a virtual reality computer system. About 3,200 people attended a dedication ceremony, including Gen. Peter Pace, the chairman of the Joint Chiefs of Staff; and 2008 presidential hopefuls Sens. Hillary Rodham Clinton of New York and John McCain of Arizona. Clinton, a Democrat, said Americans are firmly behind the nation's veterans, despite the rancorous national debate over the Iraq war. "There is common ground on higher ground, and on that higher ground, we stand to pay in full our debt" to those who were wounded in combat, she said. McCain, a Republican former Navy pilot who spent nearly six years as a POW during the Vietnam War, said those maimed in battle can't be compensated enough. "We can only offer you our humility. You are the best Americans," said McCain, standing before dozens of soldiers who entered the ceremony on crutches or in wheelchairs. 
The 60,000-square-foot, four-story glass building will allow the Army to move its rehabilitation program out of the Brooke Army Medical Center and into a separate facility. "The Center for the Intrepid is going to let us keep advancing what we've been doing," said Maj. Stewart Campbell, the officer-in-charge of rehabilitation at Brooke. The facility tells soldiers "we're going to take care of you for as long as you need us, to get you back to where you want to be," he said. At Brooke, amputees were being treated in offices and facilities carved out of the larger hospital. The new center includes a 360-degree virtual reality sphere to help soldiers recover their balance and other basic skills, and a wave pool where they can use wake boards to strengthen their backs and abdominal muscles. Staff Sgt. Jon Arnold-Garcia, who lost part of a leg in a grenade attack, got his first look at the rehab center on Sunday. "This place is amazing, that the American people donated the money for this," said the 28-year-old from Sacramento, Calif. He has been in rehabilitation at Brooke since May, but he was eager to get to work at the center. "It doesn't look like a hospital," he said. "It's a place I can see myself getting up and being motivated instead of walking hospital hallways with doctors." Prior to the Iraq war, amputees were generally given acute care by the military and then turned over to the Department of Veterans Affairs, said retired Col. Rebecca Hooper, program manager for the Center for the Intrepid. But since 2003, the military has kept those patients and made rehabilitation part of its mission. Amputee rehab programs are now being run at Brooke, Walter Reed Medical Center and Bethesda Naval Medical Center. The center was funded by private donations to the Intrepid Foundation, a charity that has built dozens of houses to shelter families of wounded soldiers while they undergo treatment. 
___ On the Net: Brooke Army Medical Center: http://www.bamc.amedd.army.mil/ From rforno at infowarrior.org Mon Jan 29 22:58:17 2007 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 29 Jan 2007 22:58:17 -0500 Subject: [Infowarrior] - Google Moves to Disarm Search 'Bombs' Message-ID: Google Moves to Disarm Search 'Bombs' Changed Algorithm Reverses Policy, Seeks to Protect Company's Image http://www.washingtonpost.com/wp-dyn/content/article/2007/01/29/AR2007012901891_pf.html By Sara Kehaulani Goo Washington Post Staff Writer Tuesday, January 30, 2007; D03 For many years, Google said it wouldn't rectify the antics of pranksters who rigged terms like "miserable failure" to bring up a White House biography of George W. Bush as a top result on its search engine. But Google last week reversed its position, changing its algorithms to eliminate so-called "Google bombs" that yield political or humorous results. On its blog targeted at Web engineers, Google disclosed it made changes to minimize the impact of the most popular Google bombs. Too many people started to believe that the results reflected the company's political opinion, it said. "We've seen a lot of misconceptions. People thought Google was behind these or was endorsing these" Google bombs, said Matt Cutts, the software engineer at Google who posted an explanation of the company's decision on the Google Webmaster blog. "It's not the case. Most of these can be considered pranks, and the direct impact on all search results is minuscule. But it is good to correct our search quality." Because of the changes Google made to its formula, searching for "miserable failure" on Google now pulls up a news story by the BBC about Google bombing as the first result, followed by a Wikipedia entry on the topic and another article in an industry publication. The White House page no longer appears in the top 100 results. The search engine uses many factors to determine the ranking of a Web site in the search results. 
One factor influencing that ranking is how many other Web sites link to the targeted site, so if many sites use the term "miserable failure" and use it as a link to the White House site, the White House site rises in the rankings. Although the White House Web page does not contain the words "miserable failure," the obscurity of the phrase also made it rise quickly in the rankings. Other search engines use similar variations on search technology. Google isn't the only one affected. Yahoo's search, for example, still brings up the president's profile as its top result. George Johnston, a Bellevue, Wash., man who claims to be the architect of the "miserable failure" Google bomb, said he started his campaign in 2003 because it would be "fun" and "easy." He e-mailed a number of popular bloggers and asked them to use the phrase and create a link to the White House Web site. It quickly took off. "It spawned a whole class of jokes when people understood how easy it was," Johnston said in an e-mail. "Google bombing as a blogger sport hit its peak in 2004," then receded as the novelty wore off, he said. The White House has never asked Google to remove the "miserable failure" results, according to White House spokeswoman Emily Lawrimore. "If anything, it provided people with an opportunity to learn more about the president's positive agenda," Lawrimore said. Other popular Google bombs include "French military victories," which brings up a Web site designed to look like an error message that says, "Did you mean: French military defeats". Another term, "waffles," used to pull up a site about former presidential candidate Sen. John Kerry. Google bombing happened in other languages, as well. Despite the growth of fake results, Google was initially reluctant to intervene, claiming most relevant results could still be found. More recently, Google tried to highlight pranks by putting a warning at the top of the results page. 
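The link-and-anchor-text ranking effect described above, as an added example that is not part of the article and not Google's code: a toy ranker over a constructed link graph (the hosts blog1.example through blog4.example, bbc.example, wiki.example and whitehouse.example, their page bodies and the scoring weights are all assumptions). rank() first reproduces the bomb, then applies one plausible defusing heuristic of the kind the article hints at (no anchor-text credit for a page that never contains the phrase), which is not necessarily what Google actually changed; detect_bombs() is the check a search operator would want, flagging targets that receive the same exact anchor phrase from many distinct hosts.

```python
"""Toy link-based ranker showing how a "Google bomb" lifts a page that never
mentions the query, and one heuristic for defusing it.

Added example, not Google's code and not the change Google described. The
link graph, page bodies and scoring weights are constructed for illustration
(assumptions); the defusing rule is a plausible heuristic, not Google's.
"""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed corpus: url -> (body text, [(link target, anchor text), ...]).
PAGES = {
    "https://whitehouse.example/biography": (
        "biography of the president and his agenda", []),
    "https://bbc.example/news/google-bombing": (
        "google bombing explained why a search for miserable failure returns a politician",
        [("https://whitehouse.example/biography", "the biography")]),
    "https://wiki.example/Google_bomb": (
        "a google bomb manipulates rankings the miserable failure bomb is the best known",
        [("https://bbc.example/news/google-bombing", "news coverage")]),
}
# Four bloggers, on four different hosts, all linking with the same anchor text.
for i in range(1, 5):
    PAGES[f"https://blog{i}.example/post"] = (
        "read this", [("https://whitehouse.example/biography", "miserable failure")])

W_BODY, W_ANCHOR = 2, 3  # scoring weights are assumptions


def anchor_index(pages):
    """target url -> {anchor phrase -> set of linking hosts}."""
    index = defaultdict(lambda: defaultdict(set))
    for src, (_body, links) in pages.items():
        host = urlparse(src).netloc
        for target, anchor in links:
            index[target][anchor.lower()].add(host)
    return index


def score(query, url, pages, index, defuse):
    q = query.lower()
    body_hits = pages[url][0].lower().count(q)
    # Count distinct linking hosts, so one site linking 100 times counts once.
    anchor_hits = len(index[url].get(q, set()))
    if defuse and body_hits == 0:
        # Heuristic: exact-phrase anchor support for a page that never uses the
        # phrase is the signature of a coordinated bomb; give it no anchor credit.
        anchor_hits = 0
    return body_hits * W_BODY + anchor_hits * W_ANCHOR


def rank(query, pages, defuse=False):
    index = anchor_index(pages)
    scored = sorted(((score(query, u, pages, index, defuse), u) for u in pages),
                    key=lambda t: (-t[0], t[1]))
    return [u for s, u in scored if s > 0]


def detect_bombs(pages, min_hosts=3):
    """Targets that get the same exact anchor phrase from many hosts yet never
    contain it, as (target, phrase, number of hosts)."""
    found = []
    for target, anchors in anchor_index(pages).items():
        body = pages.get(target, ("", []))[0].lower()
        for phrase, hosts in anchors.items():
            if len(hosts) >= min_hosts and phrase not in body:
                found.append((target, phrase, len(hosts)))
    return sorted(found)


if __name__ == "__main__":
    print(rank("miserable failure", PAGES))
    print(rank("miserable failure", PAGES, defuse=True))
    print(detect_bombs(PAGES))
```

Counting distinct linking hosts rather than raw links is what keeps both the ranker and the detector honest: one site linking a thousand times is one vote, four unrelated bloggers look like a campaign. The defusing rule also shows why the bomb's successors in the article (the BBC story, the Wikipedia entry) rise once it is removed: they actually contain the phrase, so they keep their body credit.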
Danny Sullivan, a London-based consultant and former editor of Search Engine Watch, said Google should have addressed the issue much earlier. "But it's a difficult decision," he wrote in response to e-mailed questions. "Some people still interpret this as Google trying to repress Web 'opinion' rather than improve search results." Google said the changes it made last week still can't stop all Google bombs. "People will always find ways to make jokes on the Web," Cutts said. "Because Google takes search quality very seriously, we will continue to refine search quality." From rforno at infowarrior.org Mon Jan 29 23:12:57 2007 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 29 Jan 2007 23:12:57 -0500 Subject: [Infowarrior] - A Lively Market, Legal and Not, for Software Bugs Message-ID: January 30, 2007 A Lively Market, Legal and Not, for Software Bugs By BRAD STONE http://www.nytimes.com/2007/01/30/technology/30bugs.html?ei=5094&en=8a3ee799331ee282&hp=&ex=1170133200&partner=homepage&pagewanted=print Microsoft says its new operating system, Windows Vista, is the most secure in the company's history. Now the bounty hunters will test just how secure it is. When its predecessor, Windows XP, was released five years ago, software bugs were typically hunted by hackers for fame and glory, not financial reward. But now software vulnerabilities -- as with stolen credit-card numbers and spammable e-mail addresses -- carry real financial value. They are commonly bought, sold and traded online, both by legitimate security companies, who say they are providing a service, and by nefarious hackers and thieves. Vista, which will be installed on millions of new PCs starting today, provides the latest target. This month, iDefense Labs, a subsidiary of the technology company VeriSign, said it was offering $8,000 for the first six researchers to find holes in Vista, and $4,000 more for the so-called exploit, the program needed to take advantage of the weakness. 
IDefense sells such information to corporations and government agencies, which have already begun using Vista, so they can protect their own systems. Companies like Microsoft do not endorse such bounty programs, but they have even bigger problems: the willingness of Internet criminals to spend large sums for early knowledge of software flaws that could provide an opening for identity-theft schemes and spam attacks. The Japanese security firm Trend Micro said in December that it had found a Vista flaw for sale on a Romanian Web forum for $50,000. Security experts say that the price is plausible, and that they regularly see hackers on public bulletin boards or private online chat rooms trying to sell the holes they have discovered, and the coding to exploit them. Especially prized are so-called zero-day exploits, bits of disruption coding that spread immediately because there is no known defense. Software vendors have traditionally asked security researchers to alert them first when they find bugs in their software, so that they could issue a fix, or patch, and protect the general public. But now researchers contend that their time and effort are worth much more. "To find a vulnerability, you have to do a lot of hard work," said Evgeny Legerov, founder of a small security firm, Gleg Ltd., in Moscow. "If you follow what they call responsible disclosure, in most cases all you receive is an ordinary thank you or sometimes nothing at all." Gleg sells vulnerability research to a dozen corporate customers around the world, with fees starting at $10,000 for periodic updates. Mr. Legerov says he regularly turns down the criminals who send e-mail messages offering big money for bugs they can use to spread malicious programs like spyware. Misusing such information to attack computers or to aid others in such attacks is illegal, but there appears to be nothing illegal about the act of discovering and selling vulnerabilities. 
Prices for such software bugs range from a couple of hundred dollars to tens of thousands. Microsoft is not the only target, of course. Legitimate security researchers and underground hackers look for weaknesses in all commonly used software, including Oracle databases and Apple's Macintosh operating system. The more popular a program, the higher the price for an attacking code. The sales of Vista faults will therefore continue to trail the sale of flaws in more widely used programs, even Windows XP, for the foreseeable future. "Of course it concerns us," Mark Miller, director of the Microsoft Security Response Center, said of the online bazaar in software flaws, which it has declined to enter. "With the underground trading of vulnerabilities, software makers are left playing catch-up to develop updates that will help protect customers." Throughout the 1990s, software makers and bug-hunters battled over the way researchers disclosed software vulnerabilities. The software vendors argued that public disclosure gave attackers the blueprints to create exploitative programs and viruses. Security researchers charged that the vendors wanted to hide their mistakes, and that making them public allowed companies and individual computer users to protect their systems. The two sides reached an uneasy compromise. Security researchers would inform vendors of vulnerabilities, and as long as the vendor was responsive, wait for the release of an official patch before publishing code that an attacker could use. Vendors would give public credit to the researcher. The détente worked when most researchers were motivated by acclaim and a desire to improve security. But "in the last five years the glory seekers have gone away," said David Perry, global education director at Trend Micro. "The people who are drawn to it to make a living are not the same people who were drawn to it out of passion." 
In 2002, iDefense Labs became one of the first companies to pay for software flaws, offering just a few hundred dollars for a vulnerability. It administered the program quietly for a few years, then answered early critics by arguing that it was getting those bugs out into the open and informing software makers, at the same time as clients, before announcing them to the general public. "We give vendors ample time to react, and then we try to responsibly release them," said Jim Melnick, the director of threat intelligence at iDefense. In 2005, TippingPoint, a division of the networking giant 3Com, joined iDefense in the nascent marketplace with its "Zero-Day Initiative" program, which last year bought and sold 82 software vulnerabilities. IDefense said its freelance researchers discovered 305 holes in commonly used software during 2006 -- up from 180 in 2005 -- and paid $1,000 to $10,000 for each, depending on the severity. Security researchers warmed to the idea that vulnerabilities were worth real dollars. In December 2005, a hacker calling himself "Fearwall" tried to sell on eBay a program to disrupt computers through Excel, Microsoft's spreadsheet program. Bidding reached a paltry $53 before the auction site pulled it. Nevertheless, several Internet attacks in the following months exploited flaws in Excel, suggesting to security experts that its creator ultimately found other ways to sell it. In January 2006, a Moscow-based security company, Kaspersky Labs, found more evidence of an emerging marketplace for software bugs. Russian hacking gangs, it disclosed at the time, had sold a "zero-day" program aimed at the Microsoft graphics file format, Windows Metafile or WMF. The price: $4,000. The program was widely used that month and allowed criminals to plant spyware and other malicious programs on the computers of tens of thousands of unsuspecting Internet users. Microsoft rushed out a patch.
It had to distribute another patch in September, to counter one more malicious program, which involved a flaw in the vector graphics engine of Internet Explorer, that enabled further cyber mischief. Marc Maiffret, co-founder of eEye Digital Security, a computer security company, said prices in the evolving black market quickly proved higher than what legitimate companies would pay. "You will always make more from bad guys than from a company like 3Com," he said. Even ethical researchers feel that companies like iDefense and TippingPoint do not adequately compensate for the time and effort needed to discover flaws in complex, relatively secure software. And some hackers have little ethical compunction about who buys their research, or what they use it for. In a phone interview last week arranged by an intermediary in the security field, a hacker calling himself "Segfault," who said he was a college-age student in New York City, led a reporter on an online tour of a public Web site, ryan1918.com, where one forum is provocatively titled "Buy-Sell-Trade-0day." Segfault, who said he did not want to reveal his name because he engages in potentially illegal activity, said the black market for zero-days "just exploded" last year after the damaging Windows Metafile attack. He claims he earned $20,000 last year from selling his own code -- mostly on private chat channels, not public forums like Ryan1918 -- making enough to pay his tuition. Although he conceded that Microsoft had made significant strides with Vista's security, he said underground hacker circles now had a powerful financial incentive to find its weak links. "Vista is going to get destroyed," he said. That may be an exaggeration. Microsoft has taken precautions such as preventing unauthorized programs from running at the most central part of the system, called the kernel, and creating an extra level of protection between the operating system and the browser.
Microsoft appears to wish the open market for flaws in their products would simply disappear. "Our practice is to explicitly acknowledge and thank researchers when they find an issue in our software," said Mike Reavey, operations manager of the company's security response center. "While that's not a monetary reward, we think there is value in it." But independent security analysts say those days are over. Raimund Genes, the Trend Micro researcher who found the Vista bug for sale on a Romanian Web site, said, "The driving force behind all this now is cash."

From rforno at infowarrior.org Tue Jan 30 08:57:32 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 30 Jan 2007 08:57:32 -0500
Subject: [Infowarrior] - Experts: Don't buy Vista for the security
Message-ID:

Experts: Don't buy Vista for the security
By Joris Evers
http://news.com.com/Experts+Dont+buy+Vista+for+the+security/2100-1016_3-6154448.html
Story last modified Tue Jan 30 04:00:04 PST 2007

Windows Vista is a leap forward in terms of security, but few people who know the operating system say the advances are enough to justify an upgrade. Microsoft officially launched Vista for consumers Tuesday. The software giant promotes the new operating system as the most secure version of Windows yet. It's a drum Microsoft has been beating for some time. "Safety and security is the overriding feature that most people will want to have Windows Vista for," Jim Allchin, Microsoft's outgoing Windows chief, told CNET News.com a year ago. "Even if they are not into home entertainment or in any of the specialty areas, they are just going to feel safer and more secure by using it." Now that Vista is finally here, pundits praise the security work Microsoft has done. However, most say that is no reason to dump a functioning PC running Windows XP with Service Pack 2 and shell out $200 to upgrade to Vista.
"As long as XP users keep their updates current, there's generally no compelling reason to buy into the hype and purchase Vista right away," said David Milman, chief executive of Rescuecom, a computer repair and support company. "We suggest people wait until buying a new machine to get Vista, for economic and practical reasons." As in the past, Microsoft faces itself as its toughest competitor. SP2 for Windows XP, which was released in August 2004, marked a significant and much-needed boost in PC security. Since then, Microsoft has released Internet Explorer 7 and the Windows Defender antispyware tool for XP. As a result, the older Windows version is simply good enough for many users. "Upgrading to Vista is pretty expensive, not only the new software but often new hardware as well," said Gartner Analyst John Pescatore. "If you put IE 7 on a Windows XP SP2 PC, along with the usual third-party firewall, antiviral and antispyware tools, you can have a perfectly secure PC if you keep up with the patches." Vista is the first client version of Windows built with security in mind, according to Microsoft. That means it should have fewer coding errors that might be exploited in attacks. Vista also includes several techniques and features designed to make it harder to attack computers running Vista and to thwart attacks if they do happen. "Vista is light-years ahead of XP from a built-in security perspective," said Pete Lindstrom, a Burton Group analyst. "But the market will decide whether it is important. Note that there haven't really been significant problems with the operating system lately, and our memories are short." If most consumers think like Brian Lambert, a student at Southern Illinois University, it doesn't bode well for Microsoft. "The added security alone is not worth the money when comparing Vista with Windows XP SP2," said Lambert, a member of CNET News.com's Vista Views panel. 
Yet, if you are in the market for a new PC because your old computer is outdated or otherwise failing on you, Vista is your best bet, experts say. Even if you're considering buying a Mac, said David Litchfield, a noted security bug hunter. "If you're looking to buy a new computer, the security features built into Vista tip the balance in its favor over other options such as Mac OS X," Litchfield said. "We've moved beyond the days of lots of bugs and worms. Recent history shows that Microsoft can get it right, as they did with XP SP2. With Vista, they will again demonstrate that."

Hacking Vista

Litchfield and other security researchers are impressed with the work Microsoft has done on Vista, in particular because the operating system has gone through the company's Security Development Lifecycle, a process designed to prevent flaws and vet code before it ships. Also, Microsoft challenged hackers to break Vista before its release.

Key Vista security features

User Account Control: Runs a Vista PC with fewer user privileges, which dictate how software can interact with the PC. UAC asks for permission to lift security barriers whenever software requires it.
Protected Mode for IE 7: Prevents silent installation of malicious software by Web sites by stopping the Web browser from writing data anywhere except in a temporary folder without first seeking permission. IE 7 is also available for Windows XP, but the protected mode is not.
Address Space Layout Randomization: Loads key system files in different memory locations each time the PC starts, making it harder for malicious code to run.
Windows Defender: Detects and removes spyware. Also available for Windows XP.
Windows Firewall: Blocks attacks from the Net and includes limited outbound protection. Also in XP, but improved in Vista.
BitLocker: Encryption for hard drives. Only in Vista Enterprise and Vista Ultimate.

"To be clear, XP SP2 was a massive leap for Windows security.
But XP SP2 was not the systemic, top-to-bottom, scrub-everything experience that Vista is," said Dan Kaminsky, an independent security researcher. "XP SP2 secured the surface. Vista security goes much deeper. It's a far bigger leap." Kaminsky was among about two dozen hackers asked by Microsoft to try to hack Vista. The exercise took about eight months, and Microsoft paid attention to the feedback, he said. "They did what we asked," Kaminsky said. "The security community spent years bashing Microsoft, and (Microsoft) deserved to get bashed. But they listened." All the praise aside, Vista isn't flawless. In fact, Microsoft has issued security patches for the operating system even before its final release. "To think there won't be vulnerabilities and there won't be exploits is inappropriate," said Michael Cherry, an analyst with Directions on Microsoft. "At best, we should see the number of them decline and the time in between them increase." No software is without flaws, and Microsoft will be the last to deny that. "While we greatly improved the security of Windows Vista and we believe it is the best system available, I have always been clear that the system is neither fool-proof nor unbreakable; no software I have seen from anyone is," Allchin wrote on a Microsoft corporate blog last week. Robert McLaws, a blogger who writes about Microsoft, is gung ho about Vista. He recommends that everyone buy a copy as soon as possible. "Security is the No. 1 feature in Vista, and everyone with a computer in the house should go out and buy it," he said. Some critics, however, say Microsoft has reserved too many of the security features for the high-end editions of Vista. The operating system comes in five different flavors (with a sixth, "Starter" edition designed for developing markets), but only Windows Vista Ultimate--the most expensive one--includes the maximum level of protection. 
Even more, Vista comes to market in an era where criminals are taking to the Net and looking for profits by breaking into the PCs of unsuspecting Web surfers. Vista is their next target. "I don't want people to expect that their computer is never going to be compromised because of Vista; that's simply not the case," McLaws said. "The nature of maliciousness on the Internet is changing rapidly," he said. "It used to be that nerdy kids were trying to outdo other nerdy kids. Now it is criminals."

Copyright ©1995-2007 CNET Networks, Inc. All rights reserved.

From rforno at infowarrior.org Tue Jan 30 08:58:25 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 30 Jan 2007 08:58:25 -0500
Subject: [Infowarrior] - FBI turns to broad new wiretap method
Message-ID:

FBI turns to broad new wiretap method
By Declan McCullagh
http://news.com.com/FBI+turns+to+broad+new+wiretap+method/2100-7348_3-6154457.html
Story last modified Tue Jan 30 04:00:05 PST 2007

The FBI appears to have adopted an invasive Internet surveillance technique that collects far more data on innocent Americans than previously has been disclosed. Instead of recording only what a particular suspect is doing, agents conducting investigations appear to be assembling the activities of thousands of Internet users at a time into massive databases, according to current and former officials. That database can subsequently be queried for names, e-mail addresses or keywords. Such a technique is broader and potentially more intrusive than the FBI's Carnivore surveillance system, later renamed DCS1000. It raises similar concerns as widespread Internet monitoring that the National Security Agency is said to have done, according to documents that have surfaced in one federal lawsuit, and may stretch the bounds of what's legally permissible. Call it the vacuum-cleaner approach.
It's employed when police have obtained a court order and an Internet service provider can't "isolate the particular person or IP address" because of technical constraints, says Paul Ohm, a former trial attorney at the Justice Department's Computer Crime and Intellectual Property Section. (An Internet protocol address is a series of digits that can identify an individual computer.) That kind of full-pipe surveillance can record all Internet traffic, including Web browsing--or, optionally, only certain subsets such as all e-mail messages flowing through the network. Interception typically takes place inside an Internet provider's network at the junction point of a router or network switch. The technique came to light at the Search & Seizure in the Digital Age symposium held at Stanford University's law school on Friday. Ohm, who is now a law professor at the University of Colorado at Boulder, and Richard Downing, a CCIPS assistant deputy chief, discussed it during the symposium. In a telephone conversation afterward, Ohm said that full-pipe recording has become federal agents' default method for Internet surveillance. "You collect wherever you can on the (network) segment," he said. "If it happens to be the segment that has a lot of IP addresses, you don't throw away the other IP addresses. You do that after the fact." "You intercept first and you use whatever filtering, data mining to get at the information about the person you're trying to monitor," he added. On Monday, a Justice Department representative would not immediately answer questions about this kind of surveillance technique. "What they're doing is even worse than Carnivore," said Kevin Bankston, a staff attorney at the Electronic Frontier Foundation who attended the Stanford event. "What they're doing is intercepting everyone and then choosing their targets." 
When the FBI announced two years ago it had abandoned Carnivore, news reports said that the bureau would increasingly rely on Internet providers to conduct the surveillance and reimburse them for costs. While Carnivore was the subject of congressional scrutiny and outside audits, the FBI's current Internet eavesdropping techniques have received little attention. Carnivore apparently did not perform full-pipe recording. A technical report (PDF) from December 2000 prepared for the Justice Department said that Carnivore "accumulates no data other than that which passes its filters" and that it saves packets "for later analysis only after they are positively linked by the filter settings to a target." One reason why the full-pipe technique raises novel legal questions is that under federal law, the FBI must perform what's called "minimization." Federal law says that agents must "minimize the interception of communications not otherwise subject to interception" and keep the supervising judge informed of what's happening. Minimization is designed to provide at least a modicum of privacy by limiting police eavesdropping on innocuous conversations. Prosecutors routinely hold presurveillance "minimization meetings" with investigators to discuss ground rules. Common investigatory rules permit agents to listen in on a phone call for two minutes at a time, with at least one minute elapsing between the next spot monitoring. That section of federal law mentions only real-time interception--and does not explicitly authorize the creation of a database with information on thousands of innocent targets. But a nearby sentence adds: "In the event the intercepted communication is in a code or foreign language, and an expert in that foreign language or code is not reasonably available during the interception period, minimization may be accomplished as soon as practicable after such interception." 
Downing, the assistant deputy chief at the Justice Department's computer crime section, pointed to that language on Friday. Because digital communications amount to a foreign language or code, he said, federal agents are legally permitted to record everything and sort through it later. (Downing stressed that he was not speaking on behalf of the Justice Department.) "Take a look at the legislative history from the mid '90s," Downing said. "It's pretty clear from that that Congress very much intended it to apply to electronic types of wiretapping." EFF's Bankston disagrees. He said that the FBI is "collecting and apparently storing indefinitely the communications of thousands--if not hundreds of thousands--of innocent Americans in violation of the Wiretap Act and the 4th Amendment to the Constitution." Marc Rotenberg, director of the Electronic Privacy Information Center in Washington, D.C., said a reasonable approach would be to require that federal agents only receive information that's explicitly permitted by the court order. "The obligation should be on both the (Internet provider) and the government to make sure that only the information responsive to the warrant is disclosed to the government," he said. Courts have been wrestling with minimization requirements for over a generation. In a 1978 Supreme Court decision, Scott v. United States, the justices upheld police wiretaps of people suspected of selling illegal drugs. But in his majority opinion, Justice William Rehnquist said that broad monitoring to nab one suspect might go too far. "If the agents are permitted to tap a public telephone because one individual is thought to be placing bets over the phone, substantial doubts as to minimization may arise if the agents listen to every call which goes out over that phone regardless of who places the call," he wrote. 
Another unanswered question is whether a database of recorded Internet communications can legally be mined for information about unrelated criminal offenses such as drug use, copyright infringement or tax crimes. One 1978 case, U.S. v. Pine, said that investigators could continue to listen in on a telephone line when other illegal activities--not specified in the original wiretap order--were being discussed. Those discussions could then be used against a defendant in a criminal prosecution. Ohm, the former Justice Department attorney who presented a paper on the Fourth Amendment, said he has doubts about the constitutionality of full-pipe recording. "The question that's interesting, although I don't know whether it's so clear, is whether this is illegal, whether it's constitutional," he said. "Is Congress even aware they're doing this? I don't know the answers."

Copyright ©1995-2007 CNET Networks, Inc. All rights reserved.

From rforno at infowarrior.org Tue Jan 30 09:06:50 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 30 Jan 2007 09:06:50 -0500
Subject: [Infowarrior] - At Microsoft, a Sad Software Lesson
Message-ID:

At Microsoft, a Sad Software Lesson
By Scott Rosenberg
Tuesday, January 30, 2007; Page A17
http://www.washingtonpost.com/wp-dyn/content/article/2007/01/29/AR2007012901450.html

Today, Microsoft finally offers consumers Windows Vista, the version of its operating system that's been gestating for five years. When Microsoft's engineers started this project, U.S. troops hadn't yet invaded Iraq, Google was still a relatively small private company, and my now-7-year-old twins were just learning to talk in sentences. Why did it take the world's biggest and most successful software company so long to revamp its flagship product -- the program that controls the basic operations of roughly 90 percent of the country's personal computers? And what do Microsoft's delays tell us about our growing dependence on balky software products?
The troubled saga of Vista's development is a matter of public record. Microsoft began work on Vista (then called Longhorn) in 2002 and trumpeted ambitious goals in 2003, including a plan to revamp the file system -- the innards of computers' information storage -- so we could actually find things. A year later, the company announced it was scaling Vista back, dropping the file-system upgrade and delaying the release. At that point, we now know, Microsoft essentially pressed "reset": It threw out most of its work on the operating system and started over. "In my view, we lost our way," Vista's manager, Jim Allchin, wrote in an e-mail (later posted online) to Microsoft founder Bill Gates and chief executive Steve Ballmer. "I would buy a Mac today if I was not working at Microsoft." Ballmer swears that there will never again be a five-year gap between versions of Windows. Perhaps, as some observers predict, Vista will turn out to be the last ever big release of Windows as we know it, and Microsoft will embrace the software industry's new orthodoxy of small upgrades delivered via the Web. But Vista's tale is not just a headache for Microsoft's managers or a source of delight for the company's legions of critics; it's a portent for all of us who rely on software to manage our financial dealings, our public business, even some aspects of our private lives. The sad truth is that Microsoft's woes aren't unusual in this industry. Large-scale software projects are perennially beset by dashed hopes and bedeviling delays. They are as much a tar pit today as they were 30 years ago, when a former IBM program manager named Frederick P. Brooks Jr. applied that image to them in his classic diagnosis of the programming field's troubles, "The Mythical Man-Month." The tar pit has regularly engulfed large corporate efforts to introduce comprehensive software "solutions." Private firms aren't the only ones getting trapped. 
Both the IRS and the FBI, for instance, have failed in multiple attempts to modernize the software they depend on, at a cost to taxpayers of hundreds of millions of dollars. The software business remains full of optimists who, bless them, think they know how to fix their field's problems and overcome this dismal record. Their confidence springs from the computer industry's experience of the exponential growth in the capacity of its semiconductor-based hardware. Computer chips have reliably doubled in capacity every year or two for the past few decades, and that has made the increased power (and decreasing cost) of personal computers feel like magic. But unlike computer hardware -- the microchips and storage devices that run programs -- software isn't rooted in the physical world. It's still written, painstakingly, line by line and character by character; essentially, it's all made up. Software straddles the wide-open realm of the imagination, where it's created, and the fixities of everyday reality, where we expect it to work. And so far, it has proved uniquely resistant to engineering discipline. Without that discipline, too often, software teams get lost in what are known in the field as "boil-the-ocean" projects -- vast schemes to improve everything at once. That can be inspiring, but in the end we might prefer that they hunker down and make incremental improvements to rescue us from bugs and viruses and make our computers easier to use. Idealistic software developers love to dream about world-changing innovations; meanwhile, we wait and wait for all the potholes to be fixed. The writer is a co-founder of Salon.com and the author of "Dreaming in Code: Two Dozen Programmers, Three Years, 4,732 Bugs, and One Quest for Transcendent Software." 
From rforno at infowarrior.org Tue Jan 30 10:04:14 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 30 Jan 2007 10:04:14 -0500
Subject: [Infowarrior] - More on.....RFI Online Brokerages
Message-ID:

Some initial responses.........rf

=====

My personal IRA accounts are mostly at low-fee brokers like Schwab, Waterhouse, and Scott Trade. Lots of choices, many no-load funds, low fees. My investment club uses AmeriTrade, again for low transaction fee and many choices. We trade mostly single stocks in the investment club. I advise against using any single-family fund brokerages (Fidelity, Vanguard, etc.) because no one fund family has all the best funds, and fund family salesmen have a built-in conflict of interest against giving unbiased advice to the customer. Also, we do not use a sales-based advisor whose fees depend on transaction fees, but rather a fee-based advisor who provides objective advice independent of sales incentives. Usually fee-based advisors charge a small percentage of the portfolio's value, so their interest coincides with the owner's in increasing the value of the portfolio. Use the public library's resources (Value Line, Morningstar, etc.) to obtain low-cost, high-quality advice. Use the many on-line resources (Quicken, for example) to learn more about investing and track the market and performance of stocks, bonds, and funds. Consider joining an investment club to learn more and combine your money with friends to create your own mutual fund. I've been a member for more than ten years and now have over $10,000 as my share, built from $25 monthly contributions. Hope this is useful.

====

TD Ameritrade works for me! I switched from XP to OS X recently, and have no complaints (well, I use Firefox on both platforms, so maybe that made the switch easier). Anyway, I'd be interested to see what the aggregated list shows.

====

I've found Optionsexpress to be handy and helpful. No frills and decent service.
Mostly for options trading, but they do stocks as well.

====

ameritrade and scott trade have gotten rather good reviews. I use eTrade myself because they are a NoVA company and I wasn't overly concerned with trading fees.

From rforno at infowarrior.org Tue Jan 30 10:30:02 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 30 Jan 2007 10:30:02 -0500
Subject: [Infowarrior] - More on.....RFI Online Brokerages
In-Reply-To: <43FB1967D03EC7449A77FA91322E3648040AB652@SVL1XCHCLUPIN01.enterprise.veritas.com>
Message-ID:

------ Forwarded Message

Another issue to help you choose an online broker is the security features that they have in place for accessing your account. Not necessarily a recommendation but, with E-Trade, they offer a digital security ID, a one-time randomly generated PIN device, that you use in conjunction with your "hopefully strong" userid/password pair. Don't know about anyone else, but I like the extra layer of security offered when dealing with my money! I have had good service through E-Trade. Very responsive to issues via email or phone as well.

------ End of Forwarded Message

From rforno at infowarrior.org Tue Jan 30 11:57:24 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 30 Jan 2007 11:57:24 -0500
Subject: [Infowarrior] - myspace, godaddy and the ongoing trend
In-Reply-To:
Message-ID:

---------- Forwarded message ----------
From: security curmudgeon
To: Declan McCullagh
Cc: Fyodor
Date: Tue, 30 Jan 2007 03:05:47 -0500 (EST)
Subject: myspace, godaddy and the ongoing trend

Declan, feel free to post this to Politech if you wish. Late night ramblings from a curmudgeon, nothing more.

--

One thing that many people seem to be missing with this entire story is, "why seclists.org?" The full-disclosure mail list [0] is archived on *hundreds* of web servers around the world [1] and even has corporate sponsorship [2]. Was the official archive of the mail list [3] threatened?
Or were Fyodor and seclists.org threatened because that site is the first hit on Google if you search for "full disclosure mail list archive"? Did MySpace bother to contact the registrar of the second hit (neohapsis.com) over their archive [4]? I bring this up because once again I am in the middle of a legal threat to remove content off a domain I help manage [5]. At the moment, the full content of the legal threat and my reply have not been published like previous threats [6] but they will in the near future. Like Fyodor/seclists.org, the law firm and company threatening to sue us over publishing material hasn't contacted any other site hosting the same information currently (yes, we've asked). We do know they have sent legal threats in the past to two other sites who run the same type of resource [7], both of which instantly caved in and removed the content without considering the implications (to the integrity of their resource, or the validity of the legal threat). I'm definitely not a lawyer, but if a company wants to protect its interests, doesn't it have to make a marginal effort to contact the people/sites allegedly infringing upon their rights? Or is that how these law firms are operating these days? Threaten the first hit on Google, get them to cave in and then use that action as a basis for claiming your argument has merit in subsequent legal threats. That is certainly what the lawyer who contacted us is doing. In his second mail he cites that other sites have removed the material and so should we. This seems like a vicious snowball effect that allows a legal firm to systematically threaten and stifle free speech, regardless of any legal or ethical merit.
jericho
attrition.org

[0] https://lists.grok.org.uk/mailman/listinfo/full-disclosure
[1] http://www.google.com/search?q=full+disclosure+mail+list+archive&start=0&ie=utf-8&oe=utf-8&client=firefox-a&rls=org.mozilla:en-US:official
[2] http://secunia.com/
[3] http://lists.grok.org.uk/pipermail/full-disclosure/
[4] http://archives.neohapsis.com/archives/fulldisclosure/2007-01/0282.html
[5] http://attrition.org/
[6] http://attrition.org/postal/legal.html
[7] http://attrition.org/dataloss/

------ End of Forwarded Message

From rforno at infowarrior.org Tue Jan 30 13:58:32 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 30 Jan 2007 13:58:32 -0500
Subject: [Infowarrior] - Ray guns and plastic ice: Pentagon looks to sci-fi weaponry
Message-ID:

Ray guns and plastic ice: Pentagon looks to sci-fi weaponry
http://www.physorg.com/news89356050.html

Fleeing Iraqi insurgents downed by artificial ice sprayed on the road; an angry mob in Afghanistan dispersed by non-lethal ray gun blasts. This is the future of US weaponry, at least for the Pentagon's high-tech arms research division. The space-age weapons of Star Wars are not beyond the imagination of researchers at DARPA, the Defense Advanced Research Projects Agency of the US Department of Defense. The agency sponsors research into numerous aspects of military operations, particularly technology, it says, "where risk and payoff are both very high and where success may provide dramatic advances for traditional military roles and missions." The artificial black ice is one of its newest projects. DARPA recently called for proposals from scientists to develop a polymer-based material that acts like the sheer ice that forms on roads in cold temperatures, sending unwitting drivers spinning out of control. But the polymer ice could be used against enemies in any climate, including hot, arid ones like Iraq and Afghanistan where US troops are currently fighting.
The idea is to lay down the ice to cause adversaries to slip, while US troops would make use of a to-be-developed "reversal agent" -- something to be incorporated into their boots and tires -- that would allow them to gain traction on the "ice." "Such a system will provide unprecedented situational control and sustained operational temp," DARPA says, "including the ability to shape the terrain by constraining adversaries to specific areas (and) degrade the ability of our adversaries to shoot and chase us." Closer to development is a ray gun that DARPA unveiled last week, its so-called active denial system (ADS): a weapon that emits a beam of energy that will make the target feel a strong burning sensation on their skin, repelling them without causing genuine injury. Mounted on a trailer, the ADS is a parabolic antenna-like unit that shoots out a focused electromagnetic radio-frequency beam of millimeter waves over 500 meters (yards), giving it a much greater range than many crowd-control devices like rubber bullets or water cannons. When they hit their target, the beams penetrate the skin to about 1/64th of an inch, or 0.4 millimeters, causing a sensation that makes people think their clothes are on fire. This can be used to scare off a menacing mob without causing real injury, according to DARPA. DARPA stresses that ADS is not a laser, nor does it use more dangerous microwave energy. "We need discriminate, non-lethal weapons with longer ranges and universal effects. This is exactly what we get with ADS," said Colonel Kirk Hymes, the head of DARPA's Joint Non-Lethal Weapons Directorate. It has taken DARPA 12 years to get ADS to this point, and it will be several more to get it on the battlefield. Hymes says such weaponry is part of the equipment US soldiers need in the battlefields of the 21st century. 
"Our warfighters have identified a need for additional non-lethal capabilities, because distinguishing between combatants and non-combatants on the modern battlefield can be very difficult," he said. © 2007 AFP From rforno at infowarrior.org Wed Jan 31 00:00:18 2007 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 31 Jan 2007 00:00:18 -0500 Subject: [Infowarrior] - Sony BMG Settles Anti-Piracy CDs Charges Message-ID: Sony BMG Settles Anti-Piracy CDs Charges http://hosted.ap.org/dynamic/stories/F/FTC_SONY?SITE=WIRE&SECTION=HOME&TEMPLATE=DEFAULT WASHINGTON (AP) -- U.S. regulators said Tuesday that Sony BMG Music Entertainment agreed to reimburse consumers up to $150 for damage to their computers from CDs with hidden anti-piracy software. According to the Federal Trade Commission, which announced the settlement with the big media company, its anti-piracy software limited the devices on which music could be played to those made by Sony Corp. or Microsoft Corp. It also restricted the number of copies that could be made and monitored consumers' listening habits to send them marketing messages. The FTC said the software also "exposed consumers to significant security risks and was unreasonably difficult to uninstall." The settlement requires the company to allow consumers to exchange through the end of June the affected CDs purchased before Dec. 31, 2006, and reimburse them up to $150 to repair damage done when they tried to remove the software. It also requires Sony BMG to clearly disclose limitations on consumers' use of music CDs, bars it from using collected information for marketing and prohibits it from installing software without consumer consent. For two years, Sony BMG also must provide an uninstall tool and patches to repair the security vulnerabilities on consumers' computers and must advertise them on its Web site. The company also is required to publish notices describing the exchange and repair reimbursement programs on its Web site. 
Sony BMG did not admit a law violation and the settlement is subject to public comment for 30 days, after which the FTC will decide whether to make it final. Representatives from New York-based Sony BMG, a joint venture of Sony and Bertelsmann AG, did not immediately return a call for comment Tuesday morning. In 2005, the company shipped more than 12 million compact discs on 52 Sony BMG titles, each loaded with one of two content protection programs, and about 7 million of those CDs were sold. The Digital Rights Management software installed itself on consumers' computers without their knowledge or consent. Last month, the company settled similar cases with more than 40 states, agreeing to pay more than $4 million and to reimburse customers. Shares of Sony slid 19 cents to $46.80 in morning trading Tuesday on the New York Stock Exchange, where they have traded between $37.24 and $52.29 in the past year. © 2007 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed. Learn more about our Privacy Policy. From rforno at infowarrior.org Wed Jan 31 08:28:08 2007 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 31 Jan 2007 08:28:08 -0500 Subject: [Infowarrior] - Justice Department takes issue with Net-wiretapping report Message-ID: Justice Department takes issue with Net-wiretapping report January 30, 2007 9:40 PM PST http://news.com.com/2061-10796_3-6154934.html?part=rss&tag=2547-1_3-0-20&subj=news The U.S. Department of Justice is taking issue with an article we published Tuesday that describes how the FBI appears to be using a controversial wiretapping technique. Our article quoted a former Justice Department attorney in the Computer Crime and Intellectual Property Section and Richard Downing, a CCIPS assistant deputy chief, who discussed this at a Stanford Law School event last week. 
The wiretapping technique is used in certain cases where specific targeting is infeasible and instead all communications on a pipe are recorded for later perusal and data-mining. It raises questions about compliance with both the Wiretap Act and the Fourth Amendment to the U.S. Constitution. We told the Justice Department our deadline was late Monday, but they didn't reply until late in the day Tuesday. Here's what Dean Boyd, a Justice Department spokesman, sent to us in e-mail, unedited: Your article is inaccurate. Nothing has changed from our long-standing practice in implementing court-authorized law enforcement interception orders. The FBI records and retains only that data which it is authorized under law to record and retain -- namely, the communications associated with court-approved targets. For your information, what law enforcement does is isolate the communications associated with the target facility and record only those communications. After law enforcement collects the targeted communications, as specified in the court order, we "minimize" the captured information by sorting it into relevant and non-relevant material (i.e., depending on whether the contents relate to the criminal activity specified in the court's order). Such after-the-fact minimization is done with explicit authorization from the court, and no further use may be made of minimized (non-relevant) communications. On rare occasions involving technical obstacles, we perform real-time filtering on large data connections carrying the traffic of multiple unrelated facilities, but only using automated filters that isolate and retain only the communications associated with the facility identified in the order. All data not relating to the targeted facility is instantly and irreversibly deleted. This data is therefore never read or comprehended by anyone in law enforcement. The bottom line: Nothing has changed. 
We believe that Professor Ohm, quoted in the article, either was misquoted or misspoke. We had sent Boyd a list of questions, including: What legal authority is DOJ relying on for the "full-pipe" interception, and how long does DOJ believe 18 USC 2518(5) permits the "full-pipe" data to be retained? Do you believe that "communications associated with court-approved targets" can in some cases include the full contents of the pipe that is associated with a target? Does your interpretation of 2518(5) treat digital communications as a code or a foreign language? Was your CCIPS official speaking at the conference incorrect? And, perhaps most importantly, what does the FBI do when the ISP technically is unable to minimize to capture the communications *only* court-appointed targets? (I presume the investigation doesn't abruptly end at that point.) We also asked to do an actual in-person or telephone interview with a Justice Department official rather than relying on an e-mail exchange. But Boyd replied by saying: This is all I have for you on this topic. You are free to use it or not. Thank you. Posted by Declan McCullagh From rforno at infowarrior.org Wed Jan 31 08:30:39 2007 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 31 Jan 2007 08:30:39 -0500 Subject: [Infowarrior] - Green party slams Vista Landfill nightmare Message-ID: Interesting logic, I must admit........rf 29th Jan 2007 Green party slams Vista Landfill nightmare http://www.greenparty.org.uk/news/2851 Microsoft's latest operating system, due for release tomorrow, is defective by design, putting Microsoft and the corporate media in control of your computer. (1) Beneath the gloss they have hidden traps that take away important consumer rights, force expensive and environmentally damaging hardware upgrades. 
All computer hardware, such as monitors and sound cards, will have to obey Microsoft's rules for encrypting content in order for consumers to use Vista to play 'premium' content, such as Blu-Ray and HD DVD disks. Although it is unlikely to prevent copying, it will make Vista more attractive to Hollywood film distributors, while also locking them into a Vista content distribution system. Derek Wall, Green Party Male Principal Speaker, said: "So-called 'digital rights management' technology in Vista gives Microsoft the ability to lock you out of your computer. Technology should increase our opportunities to consume media, create our own and share it with others. "But Vista helps the corporate media take away our consumer rights. Silence in government betrays a shocking complacency in the face of this latest attack on our rights." Vista will also be power hungry, as it requires more processing time to encrypt and decrypt 'premium' content, and looks around the computer every few milliseconds to check that nothing is trying to distribute de-coded 'premium' video or sound. He continued, "Vista requires more expensive and energy-hungry hardware, passing the cost on to consumers and the environment. This will also further exclude the poor from the latest technology, and impose burdensome costs on small and medium businesses who will be forced to enter another expensive upgrade cycle." Consumers, businesses and government bodies should protect their interests by migrating to free software, rather than upgrading to Vista, says Wall. "Free software can run on existing hardware, reduces licensing costs for small businesses and affords important freedoms to consumers. The UK Government should capitalise on this opportunity to promote the use of free software in public bodies." Greens predict that an enormous amount of hardware will be junked by consumers and companies as Vista will refuse to play Blu-Ray and HD DVD content with current monitors and sound cards. 
Siân Berry, Green Party Female Principal Speaker added: "There will be thousands of tonnes of dumped monitors, video cards and whole computers that are perfectly capable of running Vista - except for the fact they lack the paranoid lock down mechanisms Vista forces you to use. That's an offensive cost to the environment. "Future archaeologists will be able to identify a 'Vista Upgrade Layer' when they go through our landfill sites." By controlling the technology that delivers video content on computers, and owning the licenses that make the hardware and software work, Microsoft will be in a very strong position to dictate terms to consumers and content producers. Apple's iTunes store works in a similar way already, selling songs that can only be played on Apple iPods and iTunes software. "We should remember that this is about Microsoft trying to dictate the way that video content gets delivered - much as Apple are trying to do with iTunes - in order to corner the market. "Now is the time to act, if we want to see the Microsoft monopoly kept out of the video market." She added that Green Party also supported complaints by computer manufacturers that XAML, a Vista-only internet mark-up standard, would be another attempt to extend Microsoft's virtual monopoly.(2) "Microsoft are determined not to play fair and we hope the EU stand up to them. The best way of course is to insist that we purchase products that work with open rather than closed standards." 
(1) www.microsoft.com (2) www.theglobeandmail.com From rforno at infowarrior.org Wed Jan 31 12:44:51 2007 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 31 Jan 2007 12:44:51 -0500 Subject: [Infowarrior] - Faster, safer Internet with OpenDNS Message-ID: NewsForge The Online Newspaper for Linux and Open Source http://internet.newsforge.com/ Title Faster, safer Internet with OpenDNS Date 2007.01.31 4:02 Author Mayank Sharma Topic http://internet.newsforge.com/article.pl?sid=07/01/23/1712221 The domain name system (DNS) maps human-understandable Web site addresses into numeric IP addresses. Launched in July 2006, OpenDNS adds a few free services on top of the traditional DNS to block phishing Web sites and auto-correct common misspelled URLs. And thanks to some clever traffic routing and load-balancing technology, OpenDNS can also deliver Web pages faster. "OpenDNS runs a really big, smart cache, so every OpenDNS user benefits from the activities of the broader OpenDNS user base," says Allison Rhodes, community manager of OpenDNS. She says OpenDNS runs a high-performance network that is geographically distributed and serviced by several redundant connections. Currently, OpenDNS has four servers in the US and one in the UK. Live system statistics are available for all the servers. You can also view the current status of the servers and daily DNS requests for the past 30 days. On a typical day last month, Rhodes says OpenDNS responded to half a billion DNS queries. "We have large clusters of servers in each of our five locations," says David Ulevitch, founder and CEO of OpenDNS. "We not only distribute our load locally within each cluster, but we distribute our load globally using the border gateway protocol. Every OpenDNS user always reaches our closest datacenter automatically, no matter where he is on the planet. This means that each time we bring up a new location we increase our reliability, decrease latency, and increase performance for our users." 
But with servers only in the US and UK, what about users in, for instance, Asia? Ulevitch explains that users in Asia are serviced through the Seattle and Palo Alto datacenters and get a better performance from OpenDNS than their local nameserver, because latency is not the only determinant in nameserver resolution performance. "We operate a high performance nameserver with a large cache on our widely deployed network, which means we are also very close to other nameservers on the Internet." I tested that claim from my home base in India. After switching to OpenDNS, content-laden Web sites like news.com, cnn.com, bbcworld.com, and myspace.com loaded a lot more quickly, ping times were considerably lower, and query response times (measured with dig -x site) to news.com, lxer.com, osnews.com, distrowatch.org, and bbcworld.com were lower by 10 to 25% compared to times when I was using my ISP's DNS. Users see benefits My tests confirmed what other OpenDNS customers have found. Robert Grabowsky is the vice president of Ra Security Systems, which provides managed security services for companies, universities, and government agencies with between 30 and 10,000 users. "With so many users to satisfy," Grabowsky says, "it's important to tune security devices to balance the greatest protection with the best possible performance. Many aspects of Web browsing performance have been easily controllable, except for DNS." He believes that administrators don't fully appreciate the benefits of DNS. "Once they get it to work, they set it and forget it without much further thought about performance or anything else for that matter." Grabowsky chose OpenDNS primarily for its speed. "For Web pages that reference multiple domains, browser page rendering can be the difference between a couple of seconds and 10, 15, or 20 seconds. That is pretty significant reduction in time, which translates to an increase in user satisfaction." 
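The resolver latency comparison the author describes, as an added shell example that is not part of the NewsForge article: it times A-record lookups with dig against a baseline resolver and a candidate resolver, averages the "Query time" values dig reports, and prints the percent reduction. dig, the site list and the baseline resolver address are assumptions supplied by the caller; 208.67.222.222 is the OpenDNS address the article gives.

```shell
#!/bin/sh
# Added example (not from the article): compare DNS query latency between two
# resolvers the way the author did with dig. Assumes dig is installed; the
# resolver addresses and site list are passed as arguments.

# Average of the "Query time" values in dig output read from stdin, in whole ms.
# Prints NA and fails when no query completed (e.g. every lookup timed out).
avg_query_time_ms() {
    awk '/^;; Query time:/ { sum += $4; n++ }
         END { if (n == 0) { print "NA"; exit 1 } printf "%d\n", sum / n }'
}

# Percent reduction from a baseline latency b to a candidate latency c:
# 100 * (b - c) / b. Prints NA and fails for a non-positive baseline.
pct_reduction() {
    awk -v b="$1" -v c="$2" 'BEGIN {
        if (b <= 0) { print "NA"; exit 1 }
        printf "%.1f\n", 100 * (b - c) / b }'
}

# Query each site's A record against one resolver and emit the raw dig output.
# With a large shared cache (what OpenDNS advertises) the first query for a
# popular name is usually a cache hit; a small ISP cache may have to recurse.
time_resolver() {
    resolver="$1"; shift
    for site in "$@"; do
        dig @"$resolver" "$site" A +tries=1 +time=3
    done
}

# compare_resolvers <baseline_resolver> <candidate_resolver> site...
compare_resolvers() {
    base="$1"; cand="$2"; shift 2
    b=$(time_resolver "$base" "$@" | avg_query_time_ms) || return 1
    c=$(time_resolver "$cand" "$@" | avg_query_time_ms) || return 1
    printf '%s avg %s ms, %s avg %s ms, reduction %s%%\n' \
        "$base" "$b" "$cand" "$c" "$(pct_reduction "$b" "$c")"
}

# Runs only when invoked with arguments, for example:
#   sh resolver_bench.sh 192.0.2.53 208.67.222.222 news.com bbcworld.com lxer.com
# (192.0.2.53 is a documentation-range placeholder for your ISP's resolver.)
if [ "$#" -ge 3 ]; then
    compare_resolvers "$@"
fi
```

Run it from the same host twice, a few minutes apart, to see how much of the difference is cache warmth rather than network distance.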
More than just a fast resolver Apart from loading Web pages faster, OpenDNS warns naive users when they try to visit a phishing site. "Not only are their DNS responses quick," Grabowsky says, "but they give back even more by protecting users against known active phishing sites." OpenDNS uses PhishTank, which is an online collaborative anti-phishing database. The PhishTank data, when tied to OpenDNS, protects users by blocking DNS lookup queries that match an entry in the database. "The PhishTank data," says Ulevitch, "comes from the community. Members of PhishTank submit suspected phishing sites via the Web, email, or API. Other members of the community verify whether a submission is or is not a phish. Each member's accuracy over time affects the influence of their vote. Those members who have contributed the most, and been the most accurate, have the most weight in the community decision about whether a site is phishing or not." Another benefit of using OpenDNS is convenience. OpenDNS corrects common spelling mistakes on the fly, so if you accidentally type ".cm" or ".cmo" instead of ".com," you'll still get to the site you intended to visit. If the site doesn't exist, you'll end up on a search results page with advertisements. That's where OpenDNS makes money. "OpenDNS makes money by serving clearly labeled advertisements on search results pages where we cannot resolve the URL you're trying to get to," Rhodes says. To some this might bring back memories of VeriSign's highly unpopular Site Finder service. Verisign used Site Finder to display information about products by redirecting users who tried to access unregistered domains. OpenDNS says that unlike VeriSign, OpenDNS is an opt-in service. In December OpenDNS added another free service called CacheCheck to assist domain owners. Rhodes says, "If you are moving a domain from one DNS host to another, CacheCheck can help you make that transition smoother. 
In effect, you tell OpenDNS to 'refresh now,' ahead of Time-To-Live (TTL) expiration." This will refresh the OpenDNS cache, flushing the old entry, and will direct visitors to the new location of a domain. CacheCheck can also be used by people trying to visit a domain that isn't resolving. It helps explain the reasons for a domain's non-availability (for example, non-responsive nameservers) and in some cases can help fix the problems themselves by refreshing the cache. Appeals to ISPs With its speed, phishing protection, typo correction, and control, OpenDNS naturally appeals to ISPs, who can use OpenDNS for free. Jeffrey A. Campbell is the general manager of Express High Speed Internet, a broadband ISP in the Turks & Caicos Islands, British West Indies. "Our connectivity is via sub-sea fiber to the US Internet backbone. Our upstream provider has poor US connectivity, and as a result DNS lookups were taking a very long time to complete," Campbell says. He says that since Express High-Speed started using OpenDNS, it has saved 80ms+ in lookup time. "As we do about 3,400 Web requests a minute, and move approximately 65GB a day of Web data, this can make a huge difference in perceived end user response time. Overall, unscientifically, users noticed a 1-3sec improvement in loading a complex Web page like www.news.com." Campbell says, "We added OpenDNS to our network as our primary forward resolvers on both of our large Web caches (2TB and 400GB), which handle our Web load 80/20. We run Bind9 locally on both of the machines to cache responses so that we don't introduce extra latency when the cache confirms each IP." Campbell says his users appreciate other features of OpenDNS as well, such as typo correction and phishing protection. "I've been in the ISP business since 1994 and I think [OpenDNS] is one of the most dramatic and easily implemented performance enhancements available." Using OpenDNS Setting up OpenDNS is fairly simple. There's no software to download. 
All it requires is changing your default DNS nameservers to those of OpenDNS. If you know where to specify the DNS nameservers, simply replace your existing ones with OpenDNS's 208.67.222.222 and 208.67.220.220. If you aren't sure, use OpenDNS's detailed instructions with screenshots for several popular routers, operating systems, and mobile phones. You can also register a free account with OpenDNS that will allow you to control the DNS features provided by OpenDNS. You can, for example, disable typo correction and phishing protection on your IP address or enable dynamic DNS update if you want to use OpenDNS and don't have a static IP address. In addition to this, users also get a couple of graphs showing traffic details on their IP address for the last 30 days. "There is no other service," Ulevitch says, "that delivers different DNS preferences to different users in real-time, giving the user management of network preferences at the DNS level." He says that this transfer of control of DNS settings to users signifies the "open" in the company name. As to the future of OpenDNS, Rhodes says, "We're seeing that ISPs and enterprises have found tremendous value in the service we provide. So as we continue to improve OpenDNS for our current customers, we're also working on features that will be useful to ISPs and enterprises." Links 1. "OpenDNS" - http://www.opendns.com/ 2. "Live system statistics" - https://www.opendns.com/stats/ 3. "current status of the servers and daily DNS requests for the past 30 days" - http://system.opendns.com/ 4. "border gateway protocol" - http://en.wikipedia.org/wiki/BGP 5. "Ra Security Systems" - http://www.rasecurity.com/ 6. "PhishTank API" - http://www.phishtank.com/api_documentation.php 7. "PhishTank" - http://www.phishtank.com/ 8. "Site Finder service" - http://en.wikipedia.org/wiki/Site_Finder 9. "CacheCheck" - http://www.opendns.com/cache/index.php 10. "appeals to ISPs" - http://www.opendns.com/isp/ 11. 
"Express High Speed Internet" - http://www.express.tc/ 12. "detailed instructions" - http://www.opendns.com/start/ 13. "register a free account" - https://www.opendns.com/account/ 14. "dynamic DNS" - http://www.opendns.com/account/dynamic_dns.php © Copyright 2007 - NewsForge, All Rights Reserved From rforno at infowarrior.org Wed Jan 31 13:33:43 2007 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 31 Jan 2007 13:33:43 -0500 Subject: [Infowarrior] - Teen accuses record companies of collusion Message-ID: Teen accuses record companies of collusion http://news.yahoo.com/s/ap/20070131/ap_on_hi_te/music_download_suit&printer=1;_ylt=Aijd9MjVCU0UAqGPy_m8WrBk24cA;_ylu=X3oDMTA3MXN1bHE0BHNlYwN0bWE- By JIM FITZGERALD, Associated Press Writer Wed Jan 31, 12:46 AM ET A 16-year-old boy being sued by five record companies accusing him of online music piracy accused the recording industry on Tuesday of violating antitrust laws, conspiring to defraud the courts and making extortionate threats. In papers responding to the record companies' lawsuit, Robert Santangelo, who was as young as 11 when the alleged piracy occurred, denied ever disseminating music and said it's impossible to prove that he did. Santangelo is the son of Patti Santangelo, the 42-year-old suburban mother of five who was sued by the record companies in 2005. She refused to settle, took her case public and became a heroine to supporters of Internet freedom. The industry dropped its case against her in December but sued Robert and his sister Michelle, now 20, in federal court in White Plains. Michelle has been ordered to pay $30,750 in a default judgment because she did not respond to the lawsuit. Robert Santangelo and his lawyer, Jordan Glass, responded at length Tuesday, raising 32 defenses, demanding a jury trial and filing a counterclaim against the companies that accuses them of damaging the boy's reputation, distracting him from school and costing him legal fees. 
His defenses to the industry's lawsuit include that he never sent copyrighted music to others, that the recording companies promoted file sharing before turning against it, that average computer users were never warned that it was illegal, that the statute of limitations has passed, and that all the music claimed to have been downloaded was actually owned by his sister on store-bought CDs. Robert Santangelo also claims that the record companies, which have filed more than 18,000 piracy lawsuits in federal courts, "have engaged in a wide-ranging conspiracy to defraud the courts of the United States." The papers allege that the companies, "ostensibly competitors in the recording industry, are a cartel acting collusively in violation of the antitrust laws and public policy" by bringing the piracy cases jointly and using the same agency "to make extortionate threats ... to force defendants to pay." The Recording Industry Association of America, which has coordinated most of the lawsuits, issued a statement saying, "The record industry has suffered enormously due to piracy. That includes thousands of layoffs. We must protect our rights. Nothing in a filing full of recycled charges that have gone nowhere in the past changes that fact." From rforno at infowarrior.org Wed Jan 31 14:29:59 2007 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 31 Jan 2007 14:29:59 -0500 Subject: [Infowarrior] - U.S. Officials Agree to Release Domestic Spying Documents Message-ID: U.S. Officials Agree to Release Domestic Spying Documents By Dan Eggen Washington Post Staff Writer Wednesday, January 31, 2007; 1:50 PM http://www.washingtonpost.com/wp-dyn/content/article/2007/01/31/AR2007013100921_pf.html Attorney General Alberto R. 
Gonzales and other officials said they have agreed to turn over classified documents about the government's domestic spying program to the congressional judiciary and intelligence committees as early as today, ending a standoff that had included threats of subpoenas from Capitol Hill. The agreement follows Gonzales's announcement two weeks ago that the Bush administration was abandoning a controversial program that allowed the National Security Agency to spy on Americans without warrants because it now has approval for the monitoring from a secret intelligence court. But the administration has refused to release the court's Jan. 10 orders publicly, and leaders of the House and Senate Judiciary committees had been rebuffed in their demands for copies of the documents. Gonzales--at a briefing to announce the formation of a new "human trafficking unit" in the Justice Department--downplayed the conflict with lawmakers. "It's never been the case where we said we would never provide the access," Gonzales said. Officials said the documents, including court orders and the applications that led to them, would be provided to Senate Judiciary Chairman Patrick J. Leahy (D-Vt.) and ranking Republican member Arlen Specter (R-Pa.). Some members and staff on the House and Senate Intelligence committees also will have access to the records, authorities said. Some of those people were previously briefed on details of the program because they have the necessary security clearances. Gonzales said the orders will not be released publicly, however, because the subject matter is "highly classified." Leahy said he welcomed the administration's agreement to turn over the court orders. 
"Only with an understanding of the contours of the wiretapping program and the scope of the court's orders can the Judiciary Committee determine whether the administration has reached the proper balance to protect Americans while following the law and the principles of checks and balances," Leahy said in a statement. "I look forward to reviewing the court's orders and then deciding what further oversight or legislative action is necessary." Shortly after the Sept. 11, 2001, attacks, President Bush authorized the NSA to monitor telephone calls between the United States and overseas without warrants if one of the parties was believed to be linked to al-Qaeda or related groups. The program's existence was first disclosed by media reports in December 2005. Critics, including both Democratic and Republican lawmakers, said the spying was illegal under the Foreign Intelligence Surveillance Act, or FISA, and unconstitutional. But administration officials said the NSA program could not be accommodated under FISA and that Bush had the authority to authorize the wiretapping on his own. The administration abruptly changed course earlier this month, however, by obtaining approval for the spying from the 11-member court that administers FISA, a 1978 law governing clandestine surveillance in the United States. The precise outlines and parameters of the new effort are unclear because the government has refused to publicly release documents or other details. Several sources familiar with the program have said it is a hybrid that includes both individual warrants and the authority for eavesdropping on more broadly defined groups of people. The NSA spying effort prompted a series of legal challenges around the country, including a case in Michigan in which a federal judge ruled that the program was unconstitutional. 
The Justice Department argues that the new arrangement renders that lawsuit moot, and attorneys are scheduled to offer oral arguments in the case later today at the 6th Circuit U.S. Court of Appeals in Cincinnati. From rforno at infowarrior.org Wed Jan 31 19:50:08 2007 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 31 Jan 2007 19:50:08 -0500 Subject: [Infowarrior] - Molly Ivins Dies of Cancer at 62 Message-ID: Molly Ivins Dies of Cancer at 62 By KELLEY SHANNON The Associated Press Wednesday, January 31, 2007; 7:19 PM http://www.washingtonpost.com/wp-dyn/content/article/2007/01/31/AR2007013101767_pf.html AUSTIN, Texas -- Best-selling author and columnist Molly Ivins, the sharp-witted liberal who skewered the political establishment and referred to President Bush as "Shrub," died Wednesday after a long battle with breast cancer. She was 62. David Pasztor, managing editor of the Texas Observer, confirmed her death. The writer, who made a living poking fun at Texas politicians, whether they were in her home base of Austin or the White House, revealed in early 2006 that she was being treated for breast cancer for the third time. More than 400 newspapers subscribed to her nationally syndicated column, which combined strong liberal views and populist-toned humor. Ivins' illness did not seem to hurt her ability to deliver biting one-liners. "I'm sorry to say (cancer) can kill you but it doesn't make you a better person," she said in an interview with the San Antonio Express-News in September, the same month cancer claimed her friend former Gov. Ann Richards. To Ivins, "liberal" wasn't an insult term. "Even I felt sorry for Richard Nixon when he left; there's nothing you can do about being born liberal -- fish gotta swim and hearts gotta bleed," she wrote in a column included in her 1998 collection, "You Got to Dance With Them What Brung You." In a column in mid-January, Ivins urged readers to stand up against Bush's plan to send more troops to Iraq. 
"We are the people who run this country. We are the deciders. And every single day, every single one of us needs to step outside and take some action to help stop this war," Ivins wrote in the Jan. 11 column. "We need people in the streets, banging pots and pans and demanding, 'Stop it, now!'" Ivins' best-selling books included those she co-authored with Lou Dubose about Bush. One was titled "Shrub: The Short but Happy Political Life of George W. Bush" and another was "BUSHWHACKED: Life in George W. Bush's America." Ivins' jolting satire was directed at people in positions of power. She maintained that aiming it at the powerless would be cruel. "The trouble with blaming powerless people is that although it's not nearly as scary as blaming the powerful, it does miss the point," she wrote in a 1997 column. "Poor people do not shut down factories ... Poor people didn't decide to use `contract employees' because they cost less and don't get any benefits." In an Austin speech last year, former President Bill Clinton described Ivins as someone who was "good when she praised me and who was painfully good when she criticized me." Ivins loved to write about politics and called the Texas Legislature, which she playfully referred to as "The Lege," the best free entertainment in Austin. "Naturally, when it comes to voting, we in Texas are accustomed to discerning that fine hair's-breadth worth of difference that makes one hopeless dipstick slightly less awful than the other. But it does raise the question: Why bother?" she wrote in a 2002 column about a California political race. Born Mary Tyler Ivins, the California native grew up in Houston. She graduated from Smith College in 1966 and attended Columbia University's journalism school. She also studied for a year at the Institute of Political Sciences in Paris. Her first newspaper job was in the complaint department of the Houston Chronicle. 
She worked her way up at the Chronicle, then went on to the Minneapolis Tribune, becoming the first woman police reporter in the city.

Ivins counted as her highest honors that the Minneapolis police force named its mascot pig after her and that she was once banned from the campus of Texas A&M University, according to a biography on the Creators Syndicate Web site.

In the late 1960s, according to the syndicate, she was assigned to a beat called "Movements for Social Change" and wrote about "angry blacks, radical students, uppity women and a motley assortment of other misfits and troublemakers."

Ivins later became co-editor of The Texas Observer, a liberal Austin-based biweekly publication of politics and literature that was founded more than 50 years ago.

She joined The New York Times in 1976. She worked first as a political reporter in New York and later was named Rocky Mountain bureau chief, covering nine mountain states.

But Ivins' use of salty language and her habit of going barefoot in the office were too much for the Times, said longtime friend Ben Sargent, editorial cartoonist with the Austin American-Statesman.

"She's a force of nature," Sargent said.

Ivins returned to Texas as a columnist for the Dallas Times-Herald in 1982, and after it closed she spent nine years with the Fort Worth Star-Telegram. In 2001, she went independent and wrote her column for Creators Syndicate.

In 1995, conservative humorist Florence King accused Ivins in "American Enterprise" magazine of plagiarism for failing to properly credit King for several passages in a 1988 article in "Mother Jones." Ivins apologized, saying the omissions were unintentional and pointing out that she credited King elsewhere in the piece.

She was initially diagnosed with breast cancer in 1999, and she had a recurrence in 2003. Her latest diagnosis came around Thanksgiving 2005.

___

Associated Press writers April Castro in Austin and Matt Curry in Dallas contributed to this report.
From rforno at infowarrior.org Wed Jan 31 19:56:12 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 31 Jan 2007 19:56:12 -0500
Subject: [Infowarrior] - The Infamous 'Up To' Broadband Qualifier
Message-ID:

The Infamous 'Up To' Broadband Qualifier
Australian regulators have had enough...
http://www.dslreports.com/shownews/81315

The Australian Competition and Consumer Commission (ACCC) has issued a warning to Australian ISPs to come clean about their broadband speeds and stop using the "up to" marketing term, or face possible litigation. "Most consumers won't understand what 'up to' means and then they are significantly disappointed when they don't achieve those speeds," says ACCC chairman Graeme Samuel. "We know all the technicians know that in most cases the speeds that you are claiming as the headline speeds are not achievable," he warns.

There's been a similar debate here in the States. While technicians and informed users know that an "up to 3Mbps" connection means under optimal conditions (line quality, CO distance), less informed consumers are repeatedly surprised when they perform their first speed test and notice they're getting significantly less. While some have suggested regulator-enforced speed tests to ensure customers are getting what they pay for, there are too many factors to consider (trojan infection? poor home wiring?) to make proper enforcement practical.

Our resident ISP techs will be the first to tell you that residential broadband is a "best effort" service, and users desiring guaranteed speed and reliability should look toward business class lines with SLAs. Users on the other side of the fence argue you don't pay for "up to" a gallon of gasoline, with the gas station saying .7 gallons was their "best effort" in getting it from the ground to your tank.

Either way, if there's a problem with the "up to" tag, it's a marketing department issue. Is the "up to" tag misleading? Is it something regulators should squash?
From rforno at infowarrior.org Wed Jan 31 20:06:59 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 31 Jan 2007 20:06:59 -0500
Subject: [Infowarrior] - CFP: Trademark Dilution: Theoretical and Empirical Inquiries
Message-ID:

*Symposium Announcement and Call for Papers*

Trademark Dilution: Theoretical and Empirical Inquiries
October 5, 2007
Santa Clara, California

Symposium website: http://www.scu.edu/law/tmdilution/

Sponsored by the High Tech Law Institute, Santa Clara University School of Law

*About the Symposium*

This one-day symposium will bring together legal scholars and social scientists to examine trademark dilution as a legal and social phenomenon. Through the cross-disciplinary conversation, this conference will shed more light on the purported harms caused by trademark dilution and possible policy approaches to address those harms.

The Santa Clara Computer & High Tech Law Journal anticipates publishing a complementary symposium edition of the journal. In addition, trademark dilution research will be collected at the symposium website ( http://www.scu.edu/law/tmdilution/ ), and videos from the event will be posted there as well.

*Confirmed Speakers* (subject to change)

Barton Beebe, Benjamin N. Cardozo School of Law
Robert Bone, Boston University School of Law
Ron Butters, Department of English, Duke University
Shari Diamond, Northwestern University School of Law
Graeme Dinwoodie, Chicago-Kent College of Law
Christine Haight Farley, American University Washington College of Law
Jacob Jacoby, New York University Stern School of Business
Xuan-Thao Nguyen, SMU Dedman School of Law
Kenneth L. Port, William Mitchell College of Law
Rebecca Tushnet, Georgetown University Law Center
David Welkowitz, Whittier Law School

*Call for Papers*

If you are conducting empirical or theoretical research on trademark dilution and would be interested in presenting your research at the symposium or contributing to the symposium issue, please contact Eric Goldman ( egoldman at gmail.com ). Preference will be given to inquiries made prior to March 31, 2007.

*For More Information*

Professor Eric Goldman
Director, High Tech Law Institute
Santa Clara University School of Law
500 El Camino Real
Santa Clara, CA 95053
Phone: (408) 554-4369
Email: egoldman at gmail.com