From rforno at infowarrior.org Sun Jul 1 02:36:54 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 30 Jun 2007 22:36:54 -0400
Subject: [Infowarrior] - Social networking: it's new but it isn't News
Message-ID:

Social networking: it's new but it isn't News
By Liam Proven: Saturday 30 June 2007, 12:20
http://www.theinquirer.net/default.aspx?article=40693

THERE'S ANOTHER NEW social networking site around, from the guy behind Digg. It's called Pownce, it's still invitation-only and if they're offering anything genuinely new and different they aren't shouting about it. In particular, nobody's talking about the feature I want to see.

Get connected

There are myriads of social networking-type sites these days; Wikipedia lists more than ninety. Some of the big ones are MySpace, Bebo, Facebook and Orkut. Then there are "microblogging" sites like Twitter and Jaiku. Then of course there are all the tired old pure-play blogging sites like LiveJournal and Blogger. I have accounts on a handful of them - in some cases, just so I can comment, because OpenID isn't as well-supported as it deserves to be.

They all do much the same sort of thing. You get an account for free, you put up a profile, maybe upload some photos, tunes, video clips or a blog, then you can look up your mates and "add" them as "friends". Mainly, this allows you to get a summary list of what your mates are up to; secondarily, you can restrict who can see what that you're putting up.

Doesn't sound like much, but these are some of the biggest and most popular websites on the Internet. That means money: News International paid $580 million for MySpace and its founders are asking for $12.5 million a year each to stay on for another couple of years.

The purely social sites, like Myspace, sometimes serve as training wheels for Internet newbies. You don't need to understand email and all that sort of thing - you can talk to your mates entirely within the friendly confines of one big website.
After all, there's no phonebook for the Internet - it's hard for friends to find one another, especially if they're not all that Net-literate.

A lot of the sites try to keep you in their confines. MySpace offers its own, closed instant-messaging service, for example - so long as you use Windows. Another way is that when someone sends you a message or comment on MySpace or Facebook, the site informs you by email - but the email doesn't tell you what the actual message was. You have to go to the site and sign in to read it.

Buzzword alert

Some sites aren't so closed - for example, the email notifications from Livejournal tell you what was said and let you respond from within your email client, and its profiles offer basic integration of external IM services. On the other hand, Facebook offers trendy Web 2.0 features, like "applications" that can run within your profile and can be rearranged by simple drag&drop, whereas LJ or Facebook owners who want unique customisations must fiddle with CSS and HTML or use a third-party application.

As well as aggregating your mates' blogs, many social networking sites let you syndicate "web feeds" from other sites. A "feed" - there are several standards to choose from, including Atom and various versions of RSS - supplies a constantly-updated stream of new stories or posts from one site into another. For instance, as I write, fifteen people on LiveJournal read The Inquirer through its LJ feed.

(If you fancy this aggregation idea but don't want to join a networking site, you can also do this using a "feed reader" on your own computer. There are a growing number of these: as well as standalone applications such as FeedReader or NetNewsWire, many modern browsers and email clients can handle RSS feeds - for example, IE7, Firefox, Outlook and Safari.)

But even with feeds, the social networking sites are still a walled garden.
If you read a story or a post syndicated from another site, you'll probably get a space to enter comments - but you won't see the comments from users on the original site and they won't see yours. The same goes for users anywhere else reading a syndicated feed - only the stories themselves get passed through, not the comments.

A lot of the point of sites like Digg and Del.icio.us is the recently popular concept of "wisdom of crowds". If lots of people "tag" something as being interesting and the site presents a list of the most-tagged pages, then the reader is presented with an instantaneous "what's hot" list - say, what the majority of the users of the site are currently viewing. There are sites doing lots of clever stuff with feeds, such as Yahoo Pipes, which lets you visually put together "programs" to combine the information from multiple feeds - what the trendy Web 2.0 types call a "mashup".

What you don't get through a feed, though, is what people are saying.

Similarly, the social networking sites are, in a way, parasitic on email: you get more messages than before, but for the most part they have almost no informational content, and in order to communicate with other users, they encourage you to use the sites' own internal mechanisms rather than email or IM. Outside a site like Facebook, you can't see anything much - you must join to participate.

Indeed, inside the site, the mechanisms are often rather primitive - for instance, Facebook and Twitter have no useful threading. All you get is a flat list of comments; people resort to heading messages "@alice" or "@bob" to indicate to whom they're talking. Meanwhile, the sites' notifications to the outside world are a read-only 1-bit channel, just signals that something's happened. You might as well just have an icon flashing on your screen.

In other words, it's all very basic.
Feeds allow for clever stuff, but the actual mechanics of letting people communicate tend to be rather primitive, and often it's the older sites that do a better job. The social sites are in some ways just a mass of private web fora (it's the correct plural of "forum"), with all their limitations of poor or nonexistent threading and inconsistent user interfaces.

Which seems a bit back-asswards to me. Threaded discussions are 1980s technology, after all.

Going back into time

Websites have limits. Email may be old-fashioned, but it's still a useful tool, especially with good client software. Google's Gmail does some snazzy AJAX magic to make webmail into a viable alternative to a proper email client - its searching and threading are both excellent. An increasing number of friends and clients of mine are giving up on standalone email clients and just switching to Gmail.

The snag with a website, though, is that if you're not connected - or the site is down - you're a bit stuck. When either end is offline, the whole shebang is useless. Whereas if you download your email into a client on your own computer, you can use it even when not connected - if it's in a portable device, underground or on a plane or in the middle of Antarctica with no wireless Internet coverage. You can read existing emails, sort and organize, compose replies, whatever - and when you get back online, the device automatically does the sending and receiving for you.

What's more, when you store and handle your own email, you have a major extra freedom - you can change your service provider. If you use Gmail or Hotmail, you're tied to the generosity of those noted non-profit philanthropic organizations Google and Microsoft.

The biggest reason email works so well is that it's open: it's all based on free, open standards. Anyone with Internet email can send messages to anyone with an Internet email address.
Even someone on one proprietary system, say Outlook and Exchange, can send mail to a user on another, say Lotus Notes. Both systems talk the common protocols: primarily, SMTP, the Simple Mail Transfer Protocol. Outside the proprietary world, most email clients use POP3 or IMAP to receive messages from servers - and again, SMTP to send.

Now here's a thought. Wouldn't it be handy if there was an open standard for moving messages between online fora? (It's the correct plural of "forum", not "forums".) So that if you were reading a friend's blog through a feed into your preferred social networking site, you could read all the comments, too, and participate in the discussion? If it worked both ways, on a peer-to-peer basis, the people discussing a story on Facebook could also discuss it with the users on Livejournal. If it was syndicated in from Slashdot, they could talk to all the Slashdot users, too.

Now there is a killer feature for a new, up-and-coming social networking site. Syndication of group discussions, not just stories. It would be a good basis for competitive features, too - like good threading, management of conversations and so on.

The sting in the tail

The kicker is, there already is such a protocol. It's called NNTP: the Network News Transfer Protocol. The worldwide system for handling threaded public discussions has been around for 26 years now. It's called Usenet and since a decade before the Web was invented it's been carrying some 20,000 active discussion groups, called "newsgroups", all around the world.

It's a bit passé these days - spam originated on Usenet long before it came to email, and although Usenet still sees a massive amount of traffic, 99% of it is encoded binaries - many people now only use it for file sharing.

You may never have heard of it, but there's a good chance that your email system supports Usenet.
Microsofties can read newsgroups in Outlook Express, Windows Mail and Entourage, or in Outlook via various addons; open sourcerers can use Mozilla's Thunderbird on Windows, Mac OS X or Linux. Google offers GoogleGroups, which has the largest and oldest Usenet archive in the world. There are also lots of dedicated newsreaders - on Windows, Forté's Agent is one of the most popular.

Usenet is a decentralised network: users download messages from news servers, but the servers pass them around amongst themselves - there's no top-down hierarchy. Companies can run private newsgroups if they wish and block these from being distributed. All the problems of working out unique message identifiers and so on were sorted out a quarter of a century ago. Messages can be sent to multiple newsgroups at once, and like discussion forum posts, they always have a subject line. Traditionally, they are in plain text, but you can use HTML as well - though the old-timers hate it.

There are things Usenet doesn't do well. There's no way to look up posters' profiles, for example - but that's exactly the sort of thing that social networking sites are good at. Every message shows its sender's email address - but then, the social networking sites all give you your own personal ID anyway.

Big jobs, little jobs

It would be a massive task to convert the software driving all the different online discussion sites to speaking NNTP, though. It isn't even remotely what they were intended for. But there's another way.

A similar problem already exists if you use a webmail service like Hotmail but want to download your messages into your own email client. Hotmail used to offer POP3 downloads as a free service, but it became a paid-for extra years ago. Yahoo and Gmail offer it for free, but lots of webmail providers don't.

Happily, though, there's an answer. If you use Thunderbird, there's an extension called Webmail which can download from Hotmail as well as Yahoo, Gmail and other sites.
Like all Mozilla extensions, it runs on any platform that Thunderbird supports.

But better still, there's a standalone program. It's called MrPostman and because it's written in Java it runs on almost anything - I've used it on Windows, Mac OS X and Linux. It's modular, using small scripts to support about a dozen webmail providers, including Microsoft Exchange's Outlook Web Access; it can even read RSS feeds. Its developers cautiously say that "Adding a new webmail provider might be as simple as writing a script of 50 lines." And it's GPL open source, so it won't cost you anything. It's a fairly small program, too - it will just about fit on a floppy disk.

MrPostman shows that it's possible to convert a web-based email service into standard POP3 - and for this to be done by a third party with no access to the source code of the server. Surely it can be done for a forum, too? And if it's done right, for lots of fora? It doesn't need the help or cooperation of the source sites, though that would surely help. More to the point, if it was done online, the servers offering the NNTP feeds can be separate from those hosting the sites.

What's more, there's a precedent. For users of the British conferencing service CIX, there's a little Perl program called Clink, which takes CoSy conferences and topics and presents them as an NNTP feed, so that you can read - and post to - CIX through your newsreader.

It sounds to me like the sort of task that would be ideal for the Perl and Python wizards who design Web 2.0 sites, and it would be a killer feature for any site that acts as a feed aggregator. Rather than reading contentless emails and going off to multiple different sites to read the comments and post replies, navigating dozens of different user interfaces and coping with crappy non-threaded web fora, you could do it all in one place - as the idea spread, whichever site you preferred.

And, of course, the same applies to aggregator software as well.
When you download this stuff to your own machine, you can read it at your leisure, without paying extortionate bills for mobile connectivity. Download the bulk of the new messages on a fast free connection, then just post replies on the move when you're paying for every kilobyte over a slow mobile link. What's more, in my experience of many different email systems, it's the offline ones that are the fastest and offer the best threading and message management.

It could bring a whole new life to discussions on the Web.

All this, and all I ask for the idea is a commission of 1 penny per message to anyone who implements it. It's a bargain.

From rforno at infowarrior.org Sun Jul 1 13:11:53 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 01 Jul 2007 09:11:53 -0400
Subject: [Infowarrior] - TN requires ALL beer buyers to show ID
Message-ID:

Tennessee Requires Stores to Check ID Card Of Anyone Buying Beer
http://www.washingtonpost.com/wp-dyn/content/article/2007/06/30/AR2007063000790_pf.html

By Lucas L. Johnson II
Associated Press
Sunday, July 1, 2007; A07

NASHVILLE, June 30 -- Comer Wilson hasn't had to show his ID to buy beer in a while. Maybe it's the 66-year-old man's long, white beard.

Starting Sunday, gray hair won't be good enough. Wilson and everyone else will be required to show identification before buying beer in Tennessee stores -- no matter how old the buyer appears.

"It's the stupidest law I ever heard of," Wilson said. "You can see I'm over 21."

Tennessee is the first state to make universal carding mandatory, the National Alcohol Beverage Control Association said. However, the law does not apply to beer sales in bars and restaurants, and it does not cover wine and liquor.

Supporters say it keeps grocery store and convenience store clerks from having to guess a customer's age. Democratic Gov. Phil Bredesen said it's a good way to address the problems of underage drinking.
And the 63-year-old governor said he won't mind the extra effort to buy beer.

"I'll be very pleased when I'm carded, and, in my mind, I'll just imagine it's because I look so young," he said.

Rich Foge, executive director of the Tennessee Malt Beverage Association, said he expects there might be initial resistance from the beer-buying public.

"But once people live with it for a month or two, it's going to go fine," he said. "It gets routine after a while."

Jarron Springer, president of the Tennessee Grocers and Convenience Store Association, said he understands the law "may seem a little odd" to people who are obviously older than 21, but he said it's necessary.

"If we're going to hold clerks accountable for their actions, then there's no room for discretion," he said. "It's either all or nothing."

The blanket requirement makes it easier for stores to comply, said Steve Schmidt, spokesman for the National Alcohol Beverage Control Association.

"There's no need to judge whether someone looks 21, 25 or 30," he said. "It's a set, consistent standard across the entire state."

Richard Rollins, who owns a convenience store in Nashville, is already using a computerized scanner to check everyone's driver's licenses when they buy beer.

"We just say we're trying to keep our beer permit, and this is the safest way," Rollins said.

But it has stopped Jeff Campbell, 43, from shopping at Rollins's market.

"I don't mind them asking for my ID, but they don't need my driver's license number," Campbell said. "I'm just buying a six-pack. All they need to know is how old I am."

Rollins said scanning licenses has proved beneficial in other ways, such as catching criminals. When one customer tried to make a purchase using a counterfeit bill, Rollins said, police were able to track him down because the receipt from the scanner showed his name and license number -- and his address.
The law, which expires after a year unless the Legislature decides to renew it, also creates a voluntary training program for vendors and their employees. Participating businesses would face lower fines if found guilty of selling beer to a minor, and their beer permits cannot be revoked on a first offense.

However, they face maximum fines of $1,000 for each underage sale, and they lose their status if they commit two violations in a 12-month period. Another violation could mean suspension or revocation of a license, and a maximum fine of $2,500. Noncertified vendors can face those penalties on a first offense.

Marylee Booth, executive director of the Tennessee Oil Marketers Association, which represents gas stations and convenience stores, said the intention is not to hurt vendors but to help them protect minors.

From rforno at infowarrior.org Sun Jul 1 13:26:41 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 01 Jul 2007 09:26:41 -0400
Subject: [Infowarrior] - Can cryptography prevent printer-ink piracy?
Message-ID:

*cough* Cartel? *cough* Monopoly? *cough* RICO? *cough*

-rf

CNET News.com
http://www.news.com/

Can cryptography prevent printer-ink piracy?
By Erica Ogg
http://news.com.com/Can+cryptography+prevent+printer-ink+piracy/2100-1041_3-6193424.html
Story last modified Wed Jun 27 10:37:34 PDT 2007

In the computer printer business, everyone knows the big money comes from the sale of ink cartridges. Most of these cartridges are made by printer manufacturers and sell for a substantial premium. Some come from unauthorized sources, sell for substantially less and attract the attention of antipiracy lawyers.

Cryptography Research Inc. (CRI), a San Francisco company, is developing chip technology aimed at helping printer manufacturers protect this primary source of profit. The company's chips use cryptography designed to make it harder for printers to use off-brand and counterfeit cartridges.
"We're not saying we can end piracy, but our system is designed to recover from failure," said Kit Rodgers, CRI's vice president of business development.

Not all ink-cartridge remanufacturing is illegal--much of it is, in fact, legitimate--but pirated ink-cartridge technology cuts substantially into original manufacturers' profits. There are three main ways the $60 billion-a-year worldwide printing industry loses money:

- Used cartridges get refilled and sold as "new"-- instead of as remanufactured.
- Cartridges get illegally replicated through reverse engineering.
- Printers get hacked or physically altered to use any type of ink.

Although solid figures on counterfeiting are impossible to determine, it's estimated to cost the industry at least $3 billion a year, according to the Image Supplies Coalition, a lobbying group formed to fight piracy and cloning in the ink and toner industry.

Cryptography is a method of encrypting data so that only a specific, private key can unlock, or decrypt, the information. It's used in everything from credit cards to digital media. CRI plans to create a secure chip that will allow only certain ink cartridges to communicate with certain printers.

Although this concept isn't new, CRI said its chip will be designed for use in standard fabrication processes, eliminating the need for a special--and more expensive--manufacturing process. CRI also said that the chip will be designed so that large portions of it will have no decipherable structure, a feature that would thwart someone attempting to reverse-engineer the chip by examining it under a microscope to determine how it works.

"You can see 95 percent of the (chip's) grid and you still don't know how it works," Rodgers said. There also are other, secret elements CRI won't reveal for security and competitive reasons.

Skillful hackers can eventually crack almost any code thrown at them and then exploit it for commercial purposes.
Once antipiracy encryption is hacked on a product such as high-definition DVDs, for example, it's cracked forever and the discs can be copied and played using the hack. CRI takes a different tack with its protection scheme: its chip generates a separate, random code for each ink cartridge, thus requiring a would-be hacker to break every successive cartridge's code to make use of the cartridge.

"We want to make sure you can't repeat the same attack," said Benjamin Jun, CRI's vice president of technology. "If (hackers) have to rebreak it over and over, it's not as good a business model."

The chip, called CryptoFirewall, is not in use in this industry yet, but it's been widely deployed in the pay-TV sector, where 25 million set-top boxes have a similar technology from CRI embedded, the company said. CRI will also soon debut a similar copy-protection feature for Blu-ray video discs. The printer technology will be available in early 2008, according to CRI.

Counterfeiting and piracy are all but impossible to eradicate, but CRI hopes to at least minimize the financial damage they cause.

Today, there are 123 million desktop inkjet printers and 25.6 million laserjet printers in use in the U.S., according to InfoTrends. In terms of making and selling hardware, printers themselves are one of the least profitable sectors. Often the manufacturers are willing to sell their printers at a loss with the goal of making money on sales of ink.

Hewlett-Packard, the biggest PC maker in the world, actually makes the most profit from its printer business: 46 percent of its total earnings in the most recent fiscal quarter were generated by its Imaging and Printing Group. And ink is a key.

As mentioned, remanufacturing cartridges isn't necessarily a problem. There are plenty of companies that refill cartridges and resell them, offering many consumers and businesses cheaper alternatives to the cartridges sold by printer manufacturers.
"There's absolutely nothing wrong with that; it's an accepted part of a competitive industry," according to Tuan Tran, vice president of marketing and sales for HP's supplies business. "That is a legal competition in our minds."

About 11 percent of the money spent on inkjet cartridges and 25 percent of the money paid for monochrome laserjet cartridges goes to companies that resell cartridges they did not manufacture, according to John Shane, director of marketing at InfoTrends.

"The vast majority of that is perfectly legal. Most people believe (the U.S. market for illegal cartridges is) a lot smaller than the illegal market, say, in China," Shane said.

When faced with competition from counterfeiters, HP's Tran said, companies like HP are forced to turn to their "primary weapon" in fighting patent violations, the legal system.

"There are other folks who want to avoid the (proper) process altogether and design a cartridge to work with an HP printer," he said.

In a high-profile 2003 case, Lexmark International, the company that makes printers for Dell, took printer-supplies specialist Static Control Components to court for selling a chip that allowed Lexmark printers to accept any kind of ink cartridge. Lexmark ultimately lost the case, but it hasn't stopped others from trying fiercely to protect their business.

Just last month, HP's German subsidiary accused a Swiss print supplier, Pelikan Hardcopy, of using its patented ink formula and last week filed a separate suit claiming the company is selling remanufactured cartridges labeled as new. In 2005, HP sued another cartridge refiller, Cartridge World, for using an ink formula that it said infringed on its patents.

There are other, less litigious ways to keep counterfeiters at bay.
HP uses a holographic security label on its ink cartridges to identify them as legitimate HP products. InfoTrends' Shane also noted that the printing quality of printer manufacturers' cartridges holds up longer over time when the cartridges are used with the corresponding printers, whose technical specifications can present problems for remanufacturers and counterfeiters.

But a technology like CRI's at least has the potential to cut down on future legal fees and weed out counterfeiters early on in the manufacturing process. The idea is intriguing to printer makers, although companies like HP say they will wait and see until CRI's chip is actually available.

"If there was a technology that enabled us to protect our intellectual property, absolutely, any company would be interested in it," Tran said.

From rforno at infowarrior.org Mon Jul 2 12:08:41 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 02 Jul 2007 08:08:41 -0400
Subject: [Infowarrior] - Lieberman calls for wider use of surveillance cameras
Message-ID:

Lieberman calls for wider use of surveillance cameras
By Klaus Marre
July 01, 2007
http://thehill.com/leading-the-news/lieberman-calls-for-wider-use-of-surveillance-cameras-2007-07-01.html

Sen. Joe Lieberman (D-Conn.), the chairman of the Senate Committee on Homeland Security and Governmental Affairs, said Sunday he wants to "more widely" use surveillance cameras across the country.

"The Brits have got something smart going in England, and it was part of why I believe they were able to so quickly apprehend suspects in the terrorist acts over the weekend, and that is they have cameras all over London and other of their major cities," Lieberman said.

"I think it's just common sense to do that here much more widely," he added. "And of course, we can do it without compromising anybody's real privacy."

Lieberman lamented the "petty, partisan fighting" in Congress and called on his colleagues to join together to upgrade the nation's electronic surveillance capabilities.

"Right now, we're at a partisan gridlock over the question of whether the American government can listen into conversations or follow e-mail trails of non-American citizen," he said on ABC's This Week with George Stephanopoulos. "That's wrong. We've got to solve that problem, pass a law to give the people working for us the ability to protect us."

Lieberman, who is more closely aligned with the GOP than with the Democrats he caucuses with on the war in Iraq and many national security issues, insisted Sunday that the surge in Iraq is working.

"You might say that, in Iraq, we've got the enemy on the run, but for some reason, in Washington, a lot of politicians are on the run to order a retreat by our troops even as they are beginning to succeed," he said.

Lieberman stated it is not fair to conclude that he is more likely to endorse a Republican for president. But he added that "so far I would say that Democratic candidates, in the larger questions of American security, have been disappointing, and I hope things will get better as this goes on."

From rforno at infowarrior.org Mon Jul 2 12:10:35 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 02 Jul 2007 08:10:35 -0400
Subject: [Infowarrior] - Universal in Dispute With Apple Over iTunes
Message-ID:

July 2, 2007
Universal in Dispute With Apple Over iTunes
By JEFF LEEDS
http://www.nytimes.com/2007/07/02/business/media/02universal.html?ei=5065&en=1b940de192f6dfd7&ex=1184040000&partner=MYWAY&pagewanted=print

Steven P. Jobs, the co-founder and chief executive of Apple, is an emerging force in the mobile phone business, thanks to the snaking lines of gadget fans who queued up last week to buy the iPhone. But now he faces a headache in an industry Apple already dominates -- digital music.
The Universal Music Group of Vivendi, the world's biggest music corporation, last week notified Apple that it will not renew its annual contract to sell music through iTunes, according to executives briefed on the issue who asked for anonymity because negotiations between the companies are confidential.

Instead, Universal said that it would market music to Apple at will, a move that could allow Universal to remove its songs from the iTunes service on short notice if the two sides do not agree on pricing or other terms in the future, these executives said. Universal's roster of artists includes stars like U2, Akon and Amy Winehouse.

Representatives for Universal and Apple declined to comment.

The move, which comes after a standoff in negotiations, is likely to be regarded in the music industry as a boiling over of the long-simmering tensions between Mr. Jobs and the major record labels. With the shift, Universal appears to be aiming to regain a bit of leverage -- although at the risk of provoking a showdown with Mr. Jobs.

In the four years since iTunes popularized the sale of music online, many in the music business have become discouraged by what they consider to be the near-monopoly that Mr. Jobs has held in the digital sector -- the one part of the music business that is showing significant growth. In particular, Mr. Jobs's stance on song pricing and the iPod's lack of compatibility with music services other than iTunes have become points of contention.

By refusing to enter a long-term deal, Universal may continue to press for more favorable terms from Apple or even explore deals to sell its catalog exclusively through other channels.

If Universal were to pull its catalog from iTunes, Mr. Jobs would lose access to record labels that collectively account for one out of every three new releases sold in the United States, according to Nielsen SoundScan data.
But if Apple were to decide not to carry Universal's recordings, the music company would likely sustain a serious blow: sales of digital music through iTunes and other sources accounted for more than 15 percent of Universal's worldwide revenue in the first quarter, or more than $200 million. (Vivendi does not break out revenue from Apple alone).

If push came to shove and Universal decided to remove its catalog from iTunes, it might not necessarily instigate a broader insurrection against Apple. The second-biggest corporation, Sony BMG Music Entertainment, recently decided to sign a new one-year contract making its catalog available to iTunes, according to executives briefed on the deal. A spokeswoman for the company, a joint venture of Sony and Bertelsmann, declined to comment.

Some industry observers have cautioned against taking on Mr. Jobs directly.

"When your customers are iPod addicts, who are you striking back against?" said Ken Hertz, an entertainment lawyer who represents artists like Beyoncé and the Black Eyed Peas. "The record companies now have to figure out how to stimulate competition without alienating Steve Jobs, and they need to do that while Steve Jobs still has an incentive to keep them at the table."

But other music industry executives say the major labels must take a harder line with Apple at some point if they are to recalibrate the relationship. In particular, they say, it is unfair for Mr. Jobs to exert tight control over prices and other terms while profiting from the iPod.

Mr. Jobs, in February, noted that less than 3 percent of the music on the average iPod was bought from iTunes, leading music executives to speculate that the devices in many instances are used to store pirated songs. (Of course, users can also fill their players with songs copied from their own CD collections.)

Apple has now sold more than 100 million iPods, and the device's ties to iTunes have helped make Apple the leading seller of digital music by a wide margin.
The iTunes service accounts for 76 percent of digital music sales, and the contract talks come as it is on the rise - Apple recently surpassed Amazon.com to become the third-biggest seller of music over all, behind Wal-Mart and Best Buy, according to data from the market research firm NPD.

All of that has transformed Apple into a prominent gatekeeper, wielding influence as a tastemaker by highlighting selected artists on the iTunes storefront, and as an architect of the underlying business dynamics.

Apple has stuck to a pricing system that charges a flat 99 cents for a song since iTunes started four years ago (except for the recent introduction of songs without copy protection, which carry a higher price). Mr. Jobs has long argued that a uniform system and low prices will invite new consumers and reduce piracy.

But some music executives have been chafing at the flat rate that Apple has insisted upon in its contracts with the big record labels, and they have been pressing publicly or privately for the right to charge Apple more for popular songs to capitalize on demand or, in the event of special promotions, to charge less. Edgar Bronfman Jr., the chairman of Warner Music Group, reinforced that idea at a recent investor conference, saying "we believe that not every song, not every artist, not every album, is created equal."

In the backdrop of the pricing dispute is an investigation by European regulators who are studying the roles of the music companies and Apple in setting prices in certain international markets.

At the same time, Mr. Jobs has refused the industry's calls for Apple to license its proprietary copy restriction software to other manufacturers. Music executives want the software to be shared so that services other than iTunes can sell music that can be played on the iPod, and so that other devices can play songs bought from iTunes. Mr. Jobs has argued that sharing the software with other companies would increase the likelihood that its protections would be cracked by hackers, among other problems. Instead, he asked the music companies to drop their insistence on copy protection altogether. So far, only one of the four music companies, EMI, has made a deal to sell unrestricted music through iTunes.

From rforno at infowarrior.org Mon Jul 2 12:18:48 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 02 Jul 2007 08:18:48 -0400
Subject: [Infowarrior] - Any Madison Ave insights here?
Message-ID:

Anyone here have a good explanation for why Madison Ave marketing geniuses feel that using squeaky-voiced children - mostly girls - who tend to mumble or mispronounce words in TV commercials is a good thing?

Think about it:

- There was the "it's the m-EAR-ors" girl from TI last fall hawking TVs. Learn to speak, you.
- There is the little girl serving as Cisco's new spokesperson for the 'human network'. (At least she can speak well)
- There is a little girl telling us how her daddy made more money using Salesgenie.Com. You're just annoying, little one.

...and let's not forget the spork-your-ears-out BMW holidays ad with the kids who did nothing but scream at the top of their lungs for 15 seconds at nearly every commercial spot on CNBC during the 2006 holidays. (After this ad nauseated viewers last year, I vowed never to buy a BMW vehicle.)

Is there some subliminal message these kids are supposed to convey? Are we supposed to become all warm and fuzzy at the first sight/sound of such creatures? I like kids just fine, but the logic here escapes me.

Inquiring minds want to know.
-rick

From rforno at infowarrior.org Wed Jul 4 17:28:39 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 04 Jul 2007 13:28:39 -0400
Subject: [Infowarrior] - EC wants to suppress internet bomb-making guides
Message-ID:

EC wants to suppress internet bomb-making guides
Eurocrats, terrorists vie for techno-dunce supremacy
By Lewis Page
Published Wednesday 4th July 2007 13:49 GMT
http://www.theregister.co.uk/2007/07/04/ec_frattini_web_terror_dunce_cap/

The European Commission (EC) has announced plans to frustrate terrorism by suppressing online guides on bomb-making.

"It should simply not be possible to leave people free to instruct other people on the internet on how to make a bomb - that has nothing to do with freedom of expression," EC vice president Franco Frattini said yesterday. Mr Frattini is "responsible for Freedom, Security and Justice."

When asked how the EC planned to suppress web bomb manufacture instructions hosted outside EU borders, it appeared that officials planned to act at the level of ISPs in Europe. The Times quoted a commission spokesman as saying: "You always need a provider here that gives you access to websites. They can decide technically which websites to allow. Otherwise, how would China block internet sites? There are no technological obstacles, only legal ones."

According to the Telegraph's Brussels correspondent, "internet service providers would face charges if they failed to block websites with bomb-making instructions".

Mr Frattini and his EC subordinates appeared to have no plans for dealing with bomb instructions sent via email, browsed over encrypted relays such as Tor, sent by post, or physically transported. Nor did his plan offer any serious chance of websites being blocked at hundreds of ISPs in time to prevent full details being obtained by anyone who wanted them. Nor did it take account of the speed with which controversial information can be - and usually is - mirrored.
If the UK papers' reports are correct, Frattini and his advisors are fantastically ignorant of internet realities.

The timing of the announcements seemed to respond to recent comically inept terror attempts in London and Glasgow. Given that those involved had clearly failed to do any internet research whatsoever before mounting their addled and ineffectual campaign, Mr Frattini's outburst yesterday wasn't just ignorant, but irrelevant too.

Anyone with even very basic net savvy is going to be able to get bomb-making instructions despite the laws Mr Frattini tries to push through this autumn. Even total web dolts with contacts outside the EU will be able to get information forwarded to them.

A dunce's cap, please, for Frattini and the EC Freedom, Security and Justice apparat. Off to the corner with them.

A rather more crafty - if still, ultimately, doomed - strategy has been seen in recent times. Dame Stella Rimington, head of MI5* in the 1990s, penned spy novel At Risk after she retired. In it, Muslim terrorists seeking revenge for a murderous US air attack in Afghanistan (how balanced) manufacture a homemade bomb. Rimington describes the process in detail, but rather than being the real deal it is lifted wholesale from a spoof webpage.

Presumably some wannabe terrorists, cleverer than last weekend's UK ones, but still not too clever, might be taken in by this sort of thing; especially if they had only read Rimington's book, which doesn't include the giveaway at the end.

Only a little bit of effort by the spooks could easily see a lot of more realistic fake-instructional websites out there, making the would-be bomber's job that much harder. Serious terrorists, of course, will always carry out tests before going operational; but a spoofing effort would cost very little and could frustrate the less diligent bomber. Even the better class of attackers could be led to waste time and resources, and perhaps to reveal themselves by accident.

Such initiatives may well be underway, in fact. They'd be at least as effective as Mr Frattini's plans, but would offer no opportunity for political posturing.

Going back to Ms Rimington and her novels, the matter of whether she's playing fair with her paying readers is for them to decide. Given that the first book contained one arguable counter-terror plant, reams of MI5 publicity material and in the end the true villains were revealed to be MI5's hated rivals in the Secret Intelligence Service (aka MI6), one could say that she should pay people to read it rather than the other way round. Once a spook, always a spook, it seems.

*Actually the UK internally-oriented spooks are formally titled the Security Service. The title MI5 was officially dropped in 1929, but people still use it (perhaps because they might otherwise have to abbreviate to "SS").

From rforno at infowarrior.org Wed Jul 4 17:31:27 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 04 Jul 2007 13:31:27 -0400
Subject: [Infowarrior] - DVD Jon unlocks iPhone
Message-ID:

http://nanocr.eu/2007/07/03/iphone-without-att/

I've found a way to activate a brand new unactivated iPhone without giving any of your money or personal information to AT&T NSA. The iPhone does not have phone capability, but the iPod and WiFi work. Stay tuned!

Update: Magic iTunes numbers:
Offset 2048912: 33C0C3
Offset 257074: 28
Offset 257013: 33C9B1

Add "127.0.0.1 albert.apple.com" to c:\windows\system32\drivers\etc\hosts

Download Phone Activation Server v1.0 to activate your iPhone for iPod+WiFi use. Note that this application will not do anything unless you understand the magic numbers as well as add the hosts entry. Phone Activation Server (PAS) requires that you have the MS .NET Framework 2.0 installed.

Download PAS v1.0 Source Code.
http://nanocr.eu/2007/07/03/iphone-without-att/

From rforno at infowarrior.org Sat Jul 7 01:23:43 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 06 Jul 2007 21:23:43 -0400
Subject: [Infowarrior] - Congress to Tweak DHS Color-Warning System
Message-ID:

Congress to Tweak DHS Color-Warning System
http://blog.wired.com/27bstroke6/2007/07/congress-to-twe.html

At a blog such as this, we are, unsurprisingly, interested in all things related to the Department of Homeland Security's color-coded threat warning system. Although we'd prefer to just station klaxons like these in every major city, we're stuck for now with DHS's confounding Crayola-hued bad idea (Red means, er, run?). But this may change in the near future.

The House and Senate will soon conference similar bills that have passed each chamber to implement security recommendations made by the 9/11 commission. The House bill mandates that DHS "shall not, in issuing any advisory or alert, use color designations as the exclusive means of specifying the homeland security threat conditions...."

Both bills would require DHS to include with every alert information about protective measures and countermeasures used in response to a threat. DHS would have to limit the alerts, if possible, to a "specific region, locality, or economic sector believed to be at risk," rather than flood the land with a rainbow of vague declamations about terror that everyone ignores.

At least the colors are purty.

From rforno at infowarrior.org Sat Jul 7 01:27:22 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 06 Jul 2007 21:27:22 -0400
Subject: [Infowarrior] - Vulnerability auction launches online
Message-ID:

Vulnerability auction launches online
Published: 2007-07-06
http://www.securityfocus.com/brief/542?ref=rss

A group of security professionals launched this week what they hope will become the eBay of security research.
The Swiss-registered company, WSLabi, boasts that its online portal will allow researchers to sell vulnerabilities they have discovered to software companies and other interested parties through an open market. WSLabi plans to verify the identities and claims of both the buyer and seller. Already, four software flaws -- including a Linux memory leak and a flaw in Yahoo! Messenger 8.1 -- are listed on the site and more than 200 people have registered, according to the firm.

The security professionals launched the service to allow researchers to get a fair price for their discoveries and prevent exploits from being sold to cybercriminals, said CEO Herman Zampariolo.

"Different security companies, such as iDefense and TippingPoint, are already acting as intermediaries," Zampariolo told SecurityFocus in an interview on Friday. "The only difference is the business model."

The sale of vulnerabilities has been a contentious topic, which has received legitimacy only in the past two years due to flaw bounty programs such as TippingPoint's Zero-Day Initiative (ZDI) and iDefense's Vulnerability Contributor Program (VCP). While security researchers have seen some large payoffs from selling vulnerability information to government agencies, for the most part, the closed market for security research favors the buyers. TippingPoint and iDefense typically pay anywhere from $1,000 to $15,000 for vulnerability information, such as the recent QuickTime vulnerability used at the CanSecWest Conference to win the Pwn to Own MacBook contest. Previous attempts at selling vulnerability information on eBay have been quickly taken down, despite many researchers' beliefs that such sales could help security.

The team behind WSLabi includes CTO Giacomo Paoni, a former information-technology consultant, and Strategic Director Roberto Preatoni, better known as the founder of defacement database and security site Zone-h.org.
From rforno at infowarrior.org Sat Jul 7 01:33:13 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 06 Jul 2007 21:33:13 -0400
Subject: [Infowarrior] - Appeals Court Tosses Anti-NSA Spying Suit
Message-ID:

Appeals Court Tosses Anti-NSA Spying Suit
By Ryan Singel
July 06, 2007 | 11:29:19 AM
Categories: Privacy, Surveillance, The Courts
http://blog.wired.com/27bstroke6/2007/07/appeals-court-t.html

A federal appeals court threw out a ruling that the government's warrant-free spy program was unconstitutional Friday, finding that the ACLU's plaintiffs had no standing to bring suit against the National Security Agency program since they couldn't prove they were spied upon.

That program, revealed in December 2005 by the New York Times, eavesdropped on certain emails and phone calls that involved Americans on American soil conversing internationally with persons the government said it had some reason to suspect had ties to terrorism. The Administration ran the program, dubbed the Terrorist Surveillance Program, outside the purview of the secret court set up to watch over foreign intelligence wiretaps that involve Americans or happen on U.S. soil, an end run that many civil libertarians called illegal. The Administration says the president's wartime powers allow him to wiretap anyone unilaterally.

The Sixth Circuit Court of Appeals decision (.pdf) reverses a controversial ruling from last August by Detroit U.S. District Court judge Anna Diggs Taylor. Taylor ruled the spying program "violates the Separation of Powers doctrine, the Administrative Procedures Act, the First and Fourth Amendments to the United States Constitution, the Foreign Intelligence Surveillance Act and Title III (of the Constitution)."

While civil liberties groups were publicly ecstatic with Diggs Taylor's August ruling, privately they conceded that the decision had legal flaws and would face tough scrutiny upon appeal.
The plaintiffs in the case, which included civil rights lawyers and journalists such as James Bamford -- the nation's premier chronicler of the ultra-secret NSA -- argued that it was likely that their calls had been spied on and that the possibility their conversations might be snooped on produced a "chilling effect" -- essentially making them self-censor themselves.

The Sixth Circuit's 2-1 majority decision, written by Judge Alice Batchelder, says that's not enough for the plaintiffs to have the right to sue the government over the program, and sent the case back down to the district court for dismissal.

    By refraining from communications (i.e., the potentially harmful conduct), the plaintiffs have negated any possibility that the NSA will ever actually intercept their communications and thereby avoided the anticipated harm - this is typical of declaratory judgment and perfectly permissible. Therefore, the injury that would support a declaratory judgment action (i.e., the anticipated interception of communications resulting in harm to the contacts) is too speculative, and the injury that is imminent and concrete (i.e., the burden on professional performance) does not support a declaratory judgment action.

Judge Ronald Lee Gilman dissented, finding not only that the plaintiffs had standing, but that the surveillance program was illegal:

    The closest question in this case, in my opinion, is whether the plaintiffs have the standing to sue. Once past that hurdle, however, the rest gets progressively easier. Mootness is not a problem because of the government's position that it retains the right to opt out of the FISA regime whenever it chooses. Its AUMF and inherent-authority arguments are weak in light of existing precedent and the rules of statutory construction. Finally, when faced with the clear wording of FISA and Title III that these statutes provide the "exclusive means" for the government to engage in electronic surveillance within the United States for foreign intelligence purposes, the conclusion becomes inescapable that the TSP was unlawful.

The ACLU is likely to appeal for a hearing by a full panel of Sixth Circuit judges and if that fails then up to the Supreme Court.

Standing is also an issue in the more than 50 lawsuits pending in a San Francisco District Court against the nation's telecoms, but at least one suit still ongoing against the government may be able to clear that hurdle. Wendell Belew, a lawyer who represented a now banned Ashland, Oregon Muslim charity, says the government accidentally provided him with proof his conversations were eavesdropped on without a warrant. His case has a hearing in the Ninth Circuit Court of Appeals in August. The government wants his, and all the other cases, thrown out, arguing they endanger national security.

Analysis: Orin Kerr; Jonathan Adler; Marty Lederman

Updated to reflect that the ACLU can appeal for a full hearing in the Sixth, before appealing to Supreme Court

From rforno at infowarrior.org Sat Jul 7 01:33:53 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 06 Jul 2007 21:33:53 -0400
Subject: [Infowarrior] - AT&T/Cingular Voicemail Susceptible to Caller ID Spoofing
Message-ID:

iPhone Users: AT&T / Cingular Voicemail Susceptible to Caller ID Spoofing
http://www.oreillynet.com/onlamp/blog/2007/06/iphone_users_att_cingular_voic.html
Saturday June 30, 2007 9:37PM
by Nitesh Dhanjani in Technical

I just got myself an iPhone and I'm extremely pleased with it. I think it's the best cell phone on the market - a sheer pleasure to use.

The purpose of this post is to alert new iPhone customers about a security vulnerability in AT&T/Cingular's Voicemail system that has not been fixed for more than a year. I first wrote about this on February 1, 2006: Exploit Cingular Voicemail Vulnerability via Caller ID Spoofing.
As soon as I got my new AT&T/Cingular number, I tested for this vulnerability and I can confirm that it still exists for new AT&T/Cingular accounts (at least for iPhone customers). I can't force AT&T / Cingular to fix this issue, but I can tell you about it so you know what to do to protect yourself from this vulnerability.

Here is an explanation of the vulnerability in a nutshell: The AT&T/Cingular voicemail system is configured by default not to ask for a password when you check your voicemail from the handset (it asks for your voicemail password if you call your number from another cell phone and press * when your voicemail answers). Unfortunately, the AT&T/Cingular voicemail system trusts Caller ID to determine if the handset is calling it. Because Caller ID can be spoofed easily (see below), anyone can gain access into your voicemail by calling you and spoofing your phone number (it will appear as if you are calling yourself when your phone rings) - should you not answer the call, your voicemail will answer and allow the intruder full access to your messages.

Here is how to test the vulnerability:

1. Buy a calling card from Spoofcard. This service lets you spoof your caller ID.
2. Use another phone and call your cell phone using Spoofcard. When the Spoofcard asks you what number you want to spoof, enter your number again.
3. Do not pick up your cell phone. When the call goes into voicemail, if you are able to listen to your messages without being prompted for a password, then you are vulnerable.

Here is how to protect yourself from this vulnerability:

1. Call your AT&T/Cingular voicemail (dial your own number from the iPhone).
2. Press 4 to go to "Personal Options".
3. Press 2 to go to "Administrative Options".
4. Press 1 to go to "Password".
5. Press 2 to turn your password "ON".
6. Hang up and call your voicemail again from your iPhone. If your voicemail system asks you for your voicemail password you are all set.
I sincerely hope that AT&T/Cingular gets around to fixing this huge security hole in their voicemail system.

From rforno at infowarrior.org Sat Jul 7 13:09:59 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 07 Jul 2007 09:09:59 -0400
Subject: [Infowarrior] - RIAA Forces YouTube to Remove Free Guitar Lessons
Message-ID:

Learning Guitar for Free (for Now) on YouTube
by Frank Langfitt
http://www.npr.org/templates/story/story.php?storyId=11778602

All Things Considered, April 2, 2007 - Let's say you want to learn to play guitar - but you don't have the time or money for lessons. Why not try YouTube?

A number of people teach guitar on the video-sharing Web site, offering lessons for free. In the past few months, two teachers have posted around 200 videos that demonstrate everything from basic strumming techniques to the opening riff of "Sweet Home Alabama." So far, people around the world have watched the videos a total of more than 3.5 million times.

One of the teachers is David Taub, who lives in San Diego and often appears wearing a flannel shirt and a backwards baseball cap. A one-time bar band rocker from New Jersey, he opens each video with the same line: "What's up, good people!" His most popular video, a simplified version of the Eagles' "Hotel California," has been viewed more than 125,000 times.

The other teacher is Justin Sandercoe, who lives in London, where he teaches guitar and plays with a famous pop singer. He's a mellow presence with an impish grin. Among his song lessons is an acoustic version of Britney Spears' "Hit Me Baby One More Time" that is surprisingly affecting.

The teachers play slowly and use close-ups, showing each finger movement. If you don't get it at first, you can hit replay. It's like having a teacher with endless patience.

The lessons are informal and feel home-made. Sandercoe sometimes appears sitting on his floor, with his hair matted at different angles.
Taub's lessons are mostly unedited and include moments like his golden retriever eating his guitar pick.

Taub sees the videos, at least in part, as a marketing tool for his paid instructional Web site, NextLevelGuitar.com. His videos emerged last year as an experiment when one of his students, Tim Gilberg, shot video of Taub teaching.

"We filmed about 10 minutes in his backyard," Gilberg recalls. "I put it up on Google. Then I forgot about it. Basically, two months later I went to see how many visitors we had. There were about 6,800 visitors, and I was like: Wow!"

Then they posted the videos to YouTube, and the audience took off.

On the free videos, Taub teaches the basic chords to popular songs, but he holds off explaining some of the riffs so he can drive people to his site. After playing a riff from Sheryl Crow's "If It Makes You Happy," he stops playing and says, "But if you want to learn that, you're going to have to go to our full site for the lead lines, okay?"

Gilberg says the Web site has hundreds of members after only six weeks.

Justin Sandercoe also has a teaching Web site - justinguitar.com. He has a few ads and takes donations through Paypal to cover the site's hosting fees. But Sandercoe doesn't charge visitors; he says he sees the site as more of a public service.

"I like the idea of being able to deliver quality guitar lessons to people who can't afford lessons, or who are in places where there's not that kind of access to somebody who can teach them the right stuff," he says.

When Sandercoe was growing up in Tasmania, it wasn't easy for him to find great teachers. He hopes his videos will help kids in places like Sri Lanka or India who may not be able to learn otherwise.

Sandercoe now has fans around the world, who often e-mail him with questions and requests for specific lessons. One is Linda Dumitru, who lives in the Netherlands and used to pay $26 for a half-hour lesson. But she stopped, she says, because she couldn't afford it.

Then one day she typed "Johnny B. Goode" into YouTube and found one of Sandercoe's videos. Now, she plays along to his videos in her apartment after dinner.

Dumitru says Sandercoe's laid-back approach makes her want to learn. She talks about him as if he were a helpful, next-door neighbor.

"Every time he comes, he says: 'Hi, I'm Justin.' He says, 'Don't worry if you have trouble with the chords, because everybody has problems with it.'" She adds: "It's like he understands you. He knows what you're going through."

When Sandercoe isn't teaching, he plays with Katie Melua, a star in Europe, so he's used to some attention. But his work on the Internet is raising his profile in ways he didn't expect.

"I got recognized on a bus the other day," he says, sounding amazed. "I literally went into town to do a bit of shopping, and I was on the way back and this kid goes: 'Are you Justin, the guy who teaches from YouTube?'"

But if learning pop songs for free online sounds too good to be true, it may be. John Palfrey, executive director of the Berkman Center for Internet and Society at Harvard Law School, says most of the songs Sandercoe and Taub teach are under copyright. He thinks it's only a matter of time before a licensing company orders YouTube to take them down.

"There's a very strong argument that the re-use of well-known chords in the sequence the instructor played them would be a violation of the copyright," Palfrey says.

Sandercoe doesn't think he's doing anything wrong. After all, he says, he rarely plays the songs all the way through. But Palfrey says all it takes is a few notes.

And although Sandercoe sees his Internet teaching as a public service, he has benefited from it. Since he put his Web site up last year, he has developed a long waiting list for the lessons he teaches in person. And both he and Taub say that's still the best way to learn.

If someone tells Sandercoe to take down his song lessons, he says he will.
But his most valuable videos are the ones that teach guitar basics - things like strumming, scales and finger-picking. And even in the digital age, no one holds a copyright on those things.

From rforno at infowarrior.org Mon Jul 9 16:18:23 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 09 Jul 2007 12:18:23 -0400
Subject: [Infowarrior] - New York Plans Surveillance Veil for Downtown
Message-ID:

New York Plans Surveillance Veil for Downtown
By CARA BUCKLEY
http://www.nytimes.com/2007/07/09/nyregion/09ring.html?_r=2&hp=&oref=slogin&pagewanted=print

By the end of this year, police officials say, more than 100 cameras will have begun monitoring cars moving through Lower Manhattan, the beginning phase of a London-style surveillance system that would be the first in the United States.

The Lower Manhattan Security Initiative, as the plan is called, will resemble London's so-called Ring of Steel, an extensive web of cameras and roadblocks designed to detect, track and deter terrorists. British officials said images captured by the cameras helped track suspects after the London subway bombings in 2005 and the car bomb plots last month.

If the program is fully financed, it will include not only license plate readers but also 3,000 public and private security cameras below Canal Street, as well as a center staffed by the police and private security officers, and movable roadblocks.

"This area is very critical to the economic lifeblood of this nation," New York City's police commissioner, Raymond W. Kelly, said in an interview last week. "We want to make it less vulnerable."

But critics question the plan's efficacy and cost, as well as the implications of having such heavy surveillance over such a broad swath of the city.

For a while, it appeared that New York could not even afford such a system. Last summer, Mr. Kelly said that the program was in peril after the city's share of Homeland Security urban grant money was cut by nearly 40 percent.

But Mr. Kelly said last week that the department had since obtained $25 million toward the estimated $90 million cost of the plan. Fifteen million dollars came from Homeland Security grants, he said, while another $10 million came from the city, more than enough to install 116 license plate readers in fixed and mobile locations, including cars and helicopters, in the coming months. The readers have been ordered, and Mr. Kelly said he hoped the rest of the money would come from additional federal grants.

The license plate readers would check the plates' numbers and send out alerts if suspect vehicles were detected. The city is already seeking state approval to charge drivers a fee to enter Manhattan below 86th Street, which would require the use of license plate readers. If the plan is approved, the police will most likely collect information from those readers too, Mr. Kelly said.

But the downtown security plan involves much more than keeping track of license plates. Three thousand surveillance cameras would be installed below Canal Street by the end of 2008, about two-thirds of them owned by downtown companies. Some of those are already in place. Pivoting gates would be installed at critical intersections; they would swing out to block traffic or a suspect car at the push of a button.

Unlike the 250 or so cameras the police have already placed in high-crime areas throughout the city, which capture moving images that have to be downloaded, the security initiative cameras would transmit live information instantly.

The operation will cost an estimated $8 million to run the first year, Mr. Kelly said. Its headquarters will be in Lower Manhattan, he said, though the police were still negotiating where exactly it will be. The police and corporate security agents will work together in the center, said Paul J. Browne, the chief spokesman for the police. The plan does not need City Council approval, he said.
The Police Department is still considering whether to use face-recognition technology, an inexact science that matches images against those in an electronic database, or biohazard detectors in its Lower Manhattan network, Mr. Browne said. The entire operation is forecast to be in place and running by 2010, in time for the projected completion of several new buildings in the financial district, including the new Goldman Sachs world headquarters. Civil liberties advocates said they were worried about misuse of technology that tracks the movement of thousands of cars and people, Would this mean that every Wall Street broker, every tourist munching a hot dog near the United States Court House and every sightseer at ground zero would constantly be under surveillance? ?This program marks a whole new level of police monitoring of New Yorkers and is being done without any public input, outside oversight, or privacy protections for the hundreds of thousands of people who will end up in N.Y.P.D. computers," Christopher Dunn, a lawyer with the New York Civil Liberties Union, wrote in an e-mail message. He said he worried about what would happen to the images once they were archived, how they would be used by the police and who else would have access to them. Already, according to a report last year by the civil liberties group, there are nearly 4,200 public and private surveillance cameras below 14th Street, a fivefold increase since 1998, with virtually no oversight over what becomes of the recordings. Mr. Browne said that the Police Department would have control over how the material is used. He said that the cameras would be recording in ?areas where there?s no expectation of privacy? and that law-abiding citizens had nothing to fear. ?It would be used to intercept a threat coming our way, but not to collect data indiscriminately on individuals,? he said. Mr. Browne said software tracking the cameras? images would be designed to pick up suspicious behavior. 
If, for example, a bag is left unattended for a certain length of time, or a suspicious car is detected repeatedly circling the same block, the system will send out an alert, he said. Still, there are questions about whether such surveillance devices indeed serve their purpose. There is little evidence to suggest that security cameras deter crime or terrorists, said James J. Carafano, a senior fellow for homeland security at the Heritage Foundation, a conservative research group in Washington. For all its comprehensiveness, London's Ring of Steel, which was built in the early 1990s to deter Irish Republican Army attacks, did not prevent the July 7, 2005, subway bombings or the attempted car bombings in London last month. But the British authorities said the cameras did prove useful in retracing the paths of the suspects' cars last month, leading to several arrests. While having 3,000 cameras whirring at the same time means loads of information will be captured, it also means there will be a lot of useless data to sift through. "The more hay you have, the harder it is to find the needle," said Mr. Carafano.

From rforno at infowarrior.org Mon Jul 9 16:40:59 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 09 Jul 2007 12:40:59 -0400
Subject: [Infowarrior] - Google bags hosted security firm Postini for $625m
Message-ID:

Google bags hosted security firm Postini for $625m
Adds security muscle to Google apps
By John Leyden
Published Monday 9th July 2007 15:15 GMT
http://www.theregister.co.uk/2007/07/09/google_postini/

Google has announced a plan to acquire on-demand web security firm Postini for $625m cash. The deal, which is subject to regulatory approval, is expected to close by end of the third quarter 2007, after which Postini will become a wholly-owned subsidiary of Google.
Postini's services - which include email filtering, archiving, encryption, and policy enforcement - are used to protect customers' email, instant messaging and other web-based communications from security threats and productivity drains such as spam and viruses. The firm competes with firms such as MessageLabs and BlackSpider (which was bought by SurfControl for around $42m in July 2006, prior to its own $400m acquisition in April 2007). Postini's technology is used by 10 million users at 35,000 firms worldwide. BlackSpider protects 500,000 users at 1,200 customers (mainly in Europe). The difference in size goes a long way towards explaining why Google paid 15 times more for a similar set of hosted security technologies. Google said it plans to use Postini's technology to boost the appeal of its Google Apps package of hosted office applications to larger businesses. It also pledged to continue to invest in Postini's existing line of hosted security products. "The response to Google Apps has been tremendous, with more than 1,000 small businesses signing up for the service every day. At the same time, large businesses have been reluctant to move to hosted applications due to issues of security and corporate compliance. By adding Postini products to Google's technology, businesses no longer have to choose," said Dave Girouard, VP and general manager of Google Enterprise.

From rforno at infowarrior.org Mon Jul 9 17:09:22 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 09 Jul 2007 13:09:22 -0400
Subject: [Infowarrior] - GAO: The Rise of Intelligence Fusion Centers
Message-ID:

(c/o SecrecyNews)

THE RISE OF INTELLIGENCE FUSION CENTERS

One of the few comparatively new features in the post-cold war landscape of U.S. intelligence is the emergence of dozens of domestic intelligence "fusion centers."

< - >

The 100-page CRS report includes a map and a list of these centers. A copy was obtained by Secrecy News.
See "Fusion Centers: Issues and Options for Congress," July 6, 2007: http://www.fas.org/sgp/crs/intel/RL34070.pdf

From rforno at infowarrior.org Mon Jul 9 18:30:22 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 09 Jul 2007 14:30:22 -0400
Subject: [Infowarrior] - Windows Vista Privacy Issues
Message-ID:

(c/o AJR)

Forget about the WGA! 20+ Windows Vista Features and Services Harvest User Data for Microsoft - From your machine!
By: Marius Oiaga, Technology News Editor
http://news.softpedia.com/news/Forget-about-the-WGA-20-Windows-Vista-Features-and-Services-Harvest-User-Data-for-Microsoft-58752.shtml

Are you using Windows Vista? Then you might as well know that the licensed operating system installed on your machine is harvesting a healthy volume of information for Microsoft. In this context, a program such as the Windows Genuine Advantage is the last of your concerns. In fact, in excess of 20 Windows Vista features and services are hard at work collecting and transmitting your personal data to the Redmond company. Microsoft makes no secret about the fact that Windows Vista is gathering information. End users have little to say, and no real choice in the matter. The company does provide both a Windows Vista Privacy Statement and references within the End User License Agreement for the operating system. Combined, the resources paint the big picture over the extent of Microsoft's end user data harvest via Vista.

Reading Between the EULA Lines

Together with Windows Vista, Microsoft also provides a set of Internet-based services, for which it has reserved full control, including alteration and cancellation at any given time. The Internet-based services in Vista "coincidentally" connect to Microsoft and to "service provider computer systems." Depending on the specific service, users may or may not receive a separate notification of the fact that their data is being collected and shared.
The only way to prevent this is to know the specific services and features involved and to either switch them off or not use them. The alternative? Well, it's written in the Vista license agreement. "By using these features, you consent to the transmission of this information. Microsoft does not use the information to identify or contact you." The Redmond company emphasized numerous times the fact that all information collected is not used to identify or contact users. But could it? Oh yes! All you have to know is that Microsoft could come knocking on your door as soon as you boot Windows Vista for the first time if you consider the system's computer information harvested. Microsoft will get your "Internet protocol address, the type of operating system, browser and name and version of the software you are using, and the language code of the device where you installed the software." But all they really need is your IP address.

What's Covered in the Vista License?

Windows Update, Web Content, Digital Certificates, Auto Root Update, Windows Media Digital Rights Management, Windows Media Player, Malicious Software Removal/Clean On Upgrade, Network Connectivity Status Icon, Windows Time Service, and the IPv6 Network Address Translation (NAT) Traversal service (Teredo) are the features and services that collect and deliver data to Microsoft from Windows Vista. By using any of these items, you agree to share your information with the Redmond Company. Microsoft says that users have the possibility to disable or not use the features and services altogether. But at the same time Windows Update is crucial to the security of Windows Vista, so turning it off is not really an option, is it?
Windows Vista will contact Microsoft to get the right hardware drivers, to provide web-based "clip art, templates, training, assistance and Appshelp," to access digital software certificates designed to "confirm the identity of Internet users sending X.509 standard encrypted information" and to refresh the catalog with trusted certificate authorities. Of course, Windows Vista Digital Rights Management could not be missing from a list of services that contact Microsoft on a regular basis. If you want access to protected content, you will also have to let the Windows Media Digital Rights Management talk home. Windows Media Player in Vista, for example, will look for codecs, new versions and local online music services. The Malicious Software Removal tool will report straight to Microsoft with both the findings of your computer scan, but also any potential errors. Also, in an effort to enable the transition to IPv6 from IPv4, "by default standard Internet Protocol information will be sent to the Teredo service at Microsoft at regular intervals."

Had Enough? I Didn't Think So!

Microsoft has an additional collection of 47 Windows Vista features and services that collect user data. However, not all phone home and report to Microsoft. Although the data collection process is generalized across the list, user information is also processed and kept on the local machine, leaving just approximately 50% of the items to both harvest data and contact Microsoft. Still, Microsoft underlined the fact that the list provided under the Windows Vista Privacy Statement is by no means exhaustive, nor does it apply to all the company's websites, services and products.
Activation, Customer Experience Improvement Program (CEIP), Device Manager, Driver Protection, Dynamic Update, Event Viewer, File Association Web Service, Games Folder, Error Reporting for Handwriting Recognition, Input Method Editor (IME), Installation Improvement Program, Internet Printing, Internet Protocol version 6 Network Address Translation Traversal, Network Awareness (somewhat), Parental Controls, Peer Name Resolution Service, Plug and Play, Plug and Play Extensions, Program Compatibility Assistant, Program Properties - Compatibility Tab, Program Compatibility Wizard, Properties, Registration, Rights Management Services (RMS) Client, Update Root Certificates, Windows Control Panel, Windows Help, Windows Mail (only with Windows Live Mail, Hotmail, or MSN Mail) and Windows Problem Reporting are the main features and services in Windows Vista that collect and transmit user data to Microsoft. This extensive enumeration is not a complete illustration of all the sources in Windows Vista that Microsoft uses to gather end user data. However, it is more than sufficient to raise serious issues regarding user privacy. The Redmond company has adopted a very transparent position when it comes to the information being collected from its users. But privacy, much in the same manner as virtualization, is not mature enough and not sufficiently enforced through legislation. Microsoft itself is one of the principal contributors to the creation of a universal user privacy model. The activation process will give the company product key information together with a "hardware hash, which is a non-unique number generated from the computer's hardware configuration" but no personal information. The Customer Experience Improvement Program (CEIP) is optional, and designed to improve software quality. Via the Device Manager, Microsoft has access to all the information related to your system configuration in order to provide the adequate drivers.
Similarly, Dynamic Update offers your computer's hardware info to Microsoft for compatible drivers. Event Viewer data is collected every time the users access the Event Log Online Help link. By using the File Association Web Service, Microsoft will receive a list with the file name extensions. Metadata related to the games that you have installed in Vista also finds its way to Microsoft. The Error Reporting for Handwriting Recognition will only report to Microsoft if the user expressly desires it to. Through IME Word Registration, Microsoft will receive Word registration reports. Users have to choose to participate in the Installation Improvement Program before any data is sent over to Microsoft. Ever used a print server hosted by Microsoft? Then the company collected your data through Internet Printing. Network Awareness is in a league of its own. It does not premeditatedly store or send information directly to Microsoft, but it makes data available to other services involving network connectivity, and those do access the Redmond company. Via Parental Controls, not only you but also Microsoft will monitor all the visited URLs of your offspring. Hashes of your Peer Name tied to your IP address are published and periodically refreshed on a Microsoft server, courtesy of the Peer Name Resolution Service. Every time you install a Plug and Play device, you tell Microsoft about it in order to get the necessary device drivers. The same is the case for PnP-X enabled devices, only that Windows Update is more actively involved in this case. The Program Compatibility Assistant is designed to work together with the Microsoft Error Reporting Service, to highlight to Microsoft potential incompatibility errors. For every example of compatibility settings via the Compatibility tab, Microsoft receives an error report. The Program Compatibility Wizard deals with similar issues related to application incompatibility.
File properties are sent to Microsoft only with the item that they are associated with. You can also volunteer your name, email address, country and even address to Microsoft through the registration process. A service such as the Rights Management Services (RMS) Client can only function in conjunction with your email address. All the queries entered into the Search box included in the Windows Vista Control Panel will be sent to Microsoft with your consent. The Help Experience Improvement Program also collects and sends information to Microsoft. As does Windows Mail when the users access Windows Live Mail, Hotmail, or MSN Mail. And the Windows Problem Reporting is a service with a self explanatory name. But is this all? Not even by a long shot. Windows Genuine Advantage, Windows Defender, Support Services, Windows Media Center and Internet Explorer 7 all collect and transmit user data to Microsoft. Don't want them to? Then simply turn them off, or use alternative programs when possible or stop using some services altogether. Otherwise, when your consent is demanded, you can opt for NO.

What Happens to My Data?

Only God and Microsoft know the answer to that. And I have a feeling that God is going right now "Hey, don't get me involved in this! I have enough trouble as it is trying to find out the release date for Windows Vista Service Pack 1 and Windows Seven!" Generally speaking, Microsoft is indeed transparent, up to a point, about how it will handle the data collected from your Vista machine.
"The personal information we collect from you will be used by Microsoft and its controlled subsidiaries and affiliates to provide the service(s) or carry out the transaction(s) you have requested or authorized, and may also be used to request additional information on feedback that you provide about the product or service that you are using; to provide important notifications regarding the software; to improve the product or service, for example bug and survey form inquiries; or to provide you with advance notice of events or to tell you about new product releases," reads a fragment of the Windows Vista Privacy Statement. But could Microsoft turn the data it has collected against you? Of course, what did you think? "Microsoft may disclose personal information about you if required to do so by law or in the good faith belief that such action is necessary to: (a) comply with the law or legal process served on Microsoft; (b) protect and defend the rights of Microsoft (including enforcement of our agreements); or (c) act in urgent circumstances to protect the personal safety of Microsoft employees, users of Microsoft software or services, or members of the public," reveals another excerpt. And you thought that it was just you... and your Windows Vista. Looks like a love triangle to me... with Microsoft in the mix. 
From rforno at infowarrior.org Tue Jul 10 03:55:14 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 09 Jul 2007 23:55:14 -0400
Subject: [Infowarrior] - RIAA to feds: Make XM-Sirius pay more, restrict listeners' recording
Message-ID:

RIAA to feds: Make XM-Sirius pay more, restrict listeners' recording
Posted by Anne Broache
http://news.com.com/8301-10784_3-9741103-7.html?part=rss&subj=news&tag=2547-1_3-0-20

The Recording Industry Association of America has already mounted a court challenge against XM Satellite Radio over gadgets like the Pioneer Inno that allow consumers to trap individual songs originally played on air in alleged violation of copyright. Now the industry group is urging that issue to be one of the deciding factors for federal regulators weighing the proposed multibillion-dollar union of XM and its sole competitor, Sirius Satellite radio. In comments filed with the Federal Communications Commission on Monday, the RIAA urged the agency to "make clear that its approval of a merger is conditioned upon the continued protection of sound recordings from unlawful infringement." Under copyright law, separate licenses exist for the "performance" of a song and for the recording or "distribution" of it. Satellite and Internet radio broadcasters (unlike traditional radio) are already required to pay performance-based royalties. But the RIAA said it's concerned that both satellite radio companies have invested in technologies that allow them to shortchange artists on the distribution side "by giving users the ability to download copyrighted sound recordings to portable devices, effectively transforming a radio-like service into a digital distribution subscription service like Rhapsody or Napster." A merger could bolster those investments and "seriously threaten the viability of the music industry as a whole," the RIAA wrote.
The group also called on the FCC to require the merged companies to pay higher royalty rates in general to the record industry, arguing the firms are "no longer new, struggling companies" that can get away with paying what it called "below-market rates." The RIAA has already earned some U.S. senators' blessings this year for a bill that would impose new limits on the broadcasters, including a requirement that they cloak their streams with copy-protection technology, but the proposal hasn't gone anywhere yet. XM and consumer advocacy groups that have come to its defense insist that the devices in question don't violate copyright law because they operate within a listener's home recording and fair use rights. The RIAA's comments came on the final day for submitting comments about the public-interest implications of the XM-Sirius deal in general. As of this blog post, more than 5,000 comments had been posted to the FCC's online database. According to a press release distributed Monday afternoon by a firm representing the radio companies, more than 3,500 of those comments came from individuals supporting the deal. The FCC is still accepting comments for at least another month on a more specific question: whether, if it finds the XM-Sirius deal is hunky-dory for the public, it should waive a decade-old rule prohibiting a single operator from controlling all of the satellite radio spectrum.

From rforno at infowarrior.org Tue Jul 10 04:02:30 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 10 Jul 2007 00:02:30 -0400
Subject: [Infowarrior] - Gonzales Was Told of FBI Violations
Message-ID:

Gonzales Was Told of FBI Violations
After Bureau Sent Reports, Attorney General Said He Knew of No Wrongdoing
By John Solomon
Washington Post Staff Writer
Tuesday, July 10, 2007; A01
http://www.washingtonpost.com/wp-dyn/content/article/2007/07/09/AR2007070902065_pf.html

As he sought to renew the USA Patriot Act two years ago, Attorney General Alberto R.
Gonzales assured lawmakers that the FBI had not abused its potent new terrorism-fighting powers. "There has not been one verified case of civil liberties abuse," Gonzales told senators on April 27, 2005. Six days earlier, the FBI sent Gonzales a copy of a report that said its agents had obtained personal information that they were not entitled to have. It was one of at least half a dozen reports of legal or procedural violations that Gonzales received in the three months before he made his statement to the Senate intelligence committee, according to internal FBI documents released under the Freedom of Information Act. The acts recounted in the FBI reports included unauthorized surveillance, an illegal property search and a case in which an Internet firm improperly turned over a compact disc with data that the FBI was not entitled to collect, the documents show. Gonzales was copied on each report that said administrative rules or laws protecting civil liberties and privacy had been violated. The reports also alerted Gonzales in 2005 to problems with the FBI's use of an anti-terrorism tool known as national security letters (NSLs), well before the Justice Department's inspector general brought widespread abuse of the letters in 2004 and 2005 to light in a stinging report this past March. Justice officials said they could not immediately determine whether Gonzales read any of the FBI reports in 2005 and 2006 because the officials who processed them were not available yesterday. But department spokesman Brian Roehrkasse said that when Gonzales testified, he was speaking "in the context" of reports by the department's inspector general before this year that found no misconduct or specific civil liberties abuses related to the Patriot Act. "The statements from the attorney general are consistent with statements from other officials at the FBI and the department," Roehrkasse said. 
He added that many of the violations the FBI disclosed were not legal violations and instead involved procedural safeguards or even typographical errors. Each of the violations cited in the reports copied to Gonzales was serious enough to require notification of the President's Intelligence Oversight Board, which helps police the government's surveillance activities. The format of each memo was similar, and none minced words. "This enclosure sets forth details of investigative activity which the FBI has determined was conducted contrary to the attorney general's guidelines for FBI National Security Investigations and Foreign Intelligence Collection and/or laws, executive orders and presidential directives," said the April 21, 2005, letter to the Intelligence Oversight Board. The oversight board, staffed with intelligence experts from inside and outside government, was established to report to the attorney general and president about civil liberties abuses or intelligence lapses. But Roehrkasse said the fact that a violation is reported to the board "does not mean that a USA Patriot violation exists or that an individual's civil liberties have been abused." Two of the earliest reports sent to Gonzales, during his first month on the job, in February 2005, involved the FBI's surveillance and search powers. In one case, the bureau reported a violation involving an "unconsented physical search" in a counterintelligence case. The details were redacted in the released memo, but it cited violations of safeguards "that shall protect constitutional and other legal rights." The second violation involved electronic surveillance on phone lines that was reinitiated after the expiration deadline set by a court in a counterterrorism case. 
The report sent to Gonzales on April 21, 2005, concerned a violation of the rules governing NSLs, which allow agents in counterterrorism and counterintelligence investigations to secretly gather Americans' phone, bank and Internet records without a court order or a grand jury subpoena. In the report -- also heavily redacted before being released -- the FBI said its agents had received a compact disc containing information they did not request. It was viewed before being sealed in an envelope. Gonzales received another report of an NSL-related violation a few weeks later. "A national security letter . . . contained an incorrect phone number" that resulted in agents collecting phone information that "belonged to a different U.S. person" than the suspect under investigation, stated a letter copied to the attorney general on May 6, 2005. At least two other reports of NSL-related violations were sent to Gonzales, according to the new documents. In letters copied to him on Dec. 11, 2006, and Feb. 26, 2007, the FBI reported to the oversight board that agents had requested and obtained phone data on the wrong people. Nonetheless, Gonzales reacted with surprise when the Justice Department inspector general reported this March that there were pervasive problems with the FBI's handling of NSLs and another investigative tool known as exigent circumstances letters. "I was upset when I learned this, as was Director Mueller. To say that I am concerned about what has been revealed in this report would be an enormous understatement," Gonzales said in a speech March 9, referring to FBI Director Robert S. Mueller. The attorney general added that he believed back in 2005, before the Patriot Act was renewed, that there were no problems with NSLs. "I've come to learn that I was wrong," he said, making no mention of the FBI reports sent to him. 
Marcia Hofmann, a lawyer for the nonpartisan Electronic Frontier Foundation, said, "I think these documents raise some very serious questions about how much the attorney general knew about the FBI's misuse of surveillance powers and when he knew it." A lawsuit by Hofmann's group seeking internal FBI documents about NSLs prompted the release of the reports. Caroline Fredrickson, a lobbyist for the American Civil Liberties Union, said the new documents raise questions about whether Gonzales misled Congress at a moment when lawmakers were poised to renew the Patriot Act and keenly sought assurances that there were no abuses. "It was extremely important," she said of Gonzales's 2005 testimony. "The attorney general said there are no problems with the Patriot Act, and there was no counterevidence at the time." Some of the reports describe rules violations that the FBI decided not to report to the intelligence board. In February 2006, for example, FBI officials wrote that agents sent a person's phone records, which they had obtained from a provider under a national security letter, to an outside party. The mistake was blamed on "an error in the mail handling." When the third party sent the material back, the bureau decided not to report the mistake as a violation. The memos also detail instances in which the FBI wrote out new NSLs to cover evidence that had been mistakenly collected. In a June 30, 2006, e-mail, for instance, an FBI supervisor asked an agent who had "overcollected" evidence under a national security letter to forward his original request to lawyers. "We would like to check the specific language to see if there is anything in the body that would cover the extra material they gave," the supervisor wrote. Sometimes the FBI reached seemingly contradictory conclusions about the gravity of its errors. On May 6, 2005, the bureau decided that it needed to report a violation when agents made an "inadvertent" request for data for the wrong phone number. 
But on June 1, 2006, in a similar wrong-number case, the bureau concluded that a violation did not need to be reported because the agent acted "in good faith."

From rforno at infowarrior.org Tue Jul 10 12:01:30 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 10 Jul 2007 08:01:30 -0400
Subject: [Infowarrior] - Metasploit: Join the Arms Race
Message-ID:

Metasploit: Join the Arms Race
July 3, 2007
By Paul Rubens
http://www.enterprisenetworkingplanet.com/netsecur/article.php/3687001

What's the biggest threat to your organization's network? Arguably, it's Metasploit, an easy to use hacking system that reduces the job of compromising computers to a simple point and click exercise. "Metasploit is a genius concept to standardize the development and use of exploits so anyone can use them," says Mati Aharoni, one of the experts behind BackTrack 2, a security oriented Linux distribution based on Slax. "It is a brilliant system, especially for penetration testers, and it has become the number one tool for every security and analysis person." The problem is that Metasploit is freely available to hackers as well as security pros. It's a bit like an arms race then: if the baddies are armed with Metasploit, then you better make sure that you have it too. If not, you'll be the digital equivalent of outgunned. One of the biggest innovations of the latest version of Metasploit, Framework 3, is the db_autopwn feature, a database driven process which scans your network and compromises as many machines as it can automatically using any of the current Metasploit exploits. This is certainly worth trying out on your network because if it succeeds it means you have security problems that anyone running Framework 3 will find without any hacking skills at all. (In fact, if you are going to do this to your own network read up on it first - some of db_autopwn's actions could crash your machines if they're vulnerable.)
There are other powerful penetration testing programs that can "hack" a network automatically - notably Core Security's Core Impact - but none that are freely available like Metasploit. For added flexibility, Metasploit also allows users to build their own bespoke attacks. A hacker may discover, using any number of methods (including scanning or asking staff members), that you have a machine on your network susceptible to one of the nearly 200 exploits currently included in Framework 3 - perhaps a buffer overflow error which allows an attacker to insert and execute arbitrary code. The next question is what arbitrary code - or payload - should the hacker insert? The particular overrun may offer just 800 bytes in which to insert code, but this is more than enough for just about all of the payloads supplied with Metasploit. So once an attacker has found a vulnerability and selected a payload, and after supplying a few other parameters - such as the IP address of the machine to be attacked or his own machine, depending on the payload - he is ready to perform the exploit. Or is he? What happens if the attacker has no obvious way of accessing the machine he wants to compromise directly? One answer is to use Metasploit's little known option X. Instead of performing an exploit immediately, Metasploit provides the option - option X - of turning the entire exploit, complete with payload and all the other parameters required, into a PE, or Portable Executable .exe file. So all a hacker needs to do is give the file some suitably innocuous name like update.exe, and email it to the victim computer. He'll need some social engineering skills to get the recipient to double click on it, and that, as they say, will be that: the machine will run the payload and be well and truly pwned. Your users will doubtless have been trained never to click on .exe files they receive by email, and with any luck your email filters would stop them being delivered anyway.
But it's a simple matter to change a file extension to foil an email filter, and if social engineering can be used to get someone to double click on a file it can certainly be used to get someone to rename a file as an executable. So it's important to realize that, with the help of Metasploit, making this type of Trojan file is really not hard at all. If you are aware of this then at least you can think about the steps you need to take to prevent your users from falling victim to one. If they do fall victim, what kind of payloads might be run on their system using Metasploit? When a machine is compromised by a Metasploit user, what are the implications? Metasploit has payloads for a variety of OSes including Windows, Linux, OS X, BSD and Solaris. The most basic payload is a simple bind shell: an attacker's machine connects to the victim machine and gets a command prompt. There's also a reverse attack, causing the compromised machine to connect back to the attacker and spawn a command shell. With the command shell the hacker can do anything someone sitting at the machine could do, with the privileges of the current user. But there are also more insidious payloads which cause an exploited machine to download an .exe file from a given URL and execute it, or which inject a VNC server onto a compromised machine and connect back to the attacker, providing him with a full color remote desktop experience on the compromised machine. Perhaps the most flexible payload is the Meterpreter "uber-payload," a kind of extensible command shell which an attacker can use to get up to all kinds of mischief. With a Meterpreter shell in place an attacker can use upload and download commands to move files to and from the compromised computer from his own machine. 
The SAM Meterpreter extension (at the time of writing only available using the older Metasploit Framework 2) also enables a "gethashes" command to easily dump the password hashes from the exploited machine's SAM on to the attacker's machine for cracking. It's pretty clear from this that Metasploit, in the wrong hands, could be used to do a great deal of damage to the machines under your care, so do yourself a favor and make sure the odds aren't stacked against you. Get yourself a copy (it runs on Linux or Windows, and even the tiny handheld Nokia N800 Linux device) and see what vulnerabilities it can exploit before someone else does. You can use this knowledge to put things right. Other Metasploit users exploring your network might not be so kind.

From rforno at infowarrior.org Tue Jul 10 12:21:59 2007 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 10 Jul 2007 08:21:59 -0400 Subject: [Infowarrior] - Ex-convicts and addicts may get DoD clearance Message-ID: Ex-convicts and addicts may get DoD clearance The Hill ^ | 7/10/07 | Elana Schor and Roxana Tiron Posted on 07/09/2007 7:03:30 PM PDT by JeanS http://www.freerepublic.com/focus/f-news/1863350/posts At the Pentagon's request, Senate defense authorizers tucked deep within a defense bill a repeal of the department's restriction on granting security clearances to ex-convicts, drug addicts and the mentally incompetent. The repeal provision now is creating discord between the Senate Armed Services and the Intelligence committees. In its markup of the 2008 defense authorization bill, the Intelligence panel voted to delete the Armed Services provision. The fate of the provision could become a flashpoint this week as the Senate takes up the bill. The Senate Armed Services panel seeks to repeal a seven-year-old law that established mandatory standards disqualifying certain people from receiving security clearances.
Under the law, members of the military services, employees of the Department of Defense or contractors working for the Pentagon cannot receive a security clearance if they were convicted of a crime in any U.S. court and went to prison for at least one year; if they are unlawful users of illegal substances; if they are considered mentally incompetent or if they were dishonorably discharged or dismissed from the armed forces. According to the Senate Armed Services Committee report, the Department of Defense requested the provision's repeal because the mandatory standards "unduly limit the ability of the Department to manage its security clearance program and may create unwarranted hardships for individuals who have rehabilitated themselves as productive and trustworthy citizens." The law negatively affects individuals who have committed a qualifying crime but have been determined trustworthy by "national adjudicative standards," according to a Pentagon spokesman. Because the statute only applies to the Pentagon, it hinders clearance reciprocity with other federal agencies, he added. The Senate Intelligence Committee, however, warned of the dangers of a blanket repeal of the law, which could lead to unintended compromises or mishandling of classified information. In its report on the bill, the panel said the waiver authority provided to the Pentagon to make the case for certain people who have either been convicted of a crime or have been dishonorably discharged is sufficient in providing flexibility. Processing waivers can take up to 18 months, according to several industry sources familiar with the process. The panel also said "an individual who is currently using illicit substances or is mentally incompetent is not suited for access to classified information." Although the Intelligence Committee voted 10-5 to oppose the Armed Services panel and the Pentagon's stance, Chairman Jay Rockefeller (D-W.Va.)
and two other panel Democrats made an unexpected break with the majority of the committee. "As all other members, we would be deeply concerned about the grant of security clearances to persons who have been imprisoned for more than a year or who are current drug users," Rockefeller and Sens. Russ Feingold (D-Wis.) and Ron Wyden (D-Ore.) wrote in a statement of "additional views" accompanying their panel's report on the bill. But the three Democrats endorsed repealing the limit on security clearance standards to expedite the ongoing joint effort to streamline the complex system that began with the Intelligence Reform and Terrorism Prevention Act of 2004, which consolidated the country's intelligence agencies under one national director. "[W]e have heard no reason to question ... the assessment of DoD and the Armed Services Committee that national security can be protected without this one DoD-specific statute," the Democrats wrote. Sen. Kit Bond (R-Mo.), vice chairman of the Intelligence Committee and a fierce defender of classified-information safeguards, wrote his own "additional views" with four fellow Republicans that strongly defended his amendment. The curb on giving clearances to felons and addicts is a "reasonable measure ... that should be preserved," Bond wrote, with Sens. Olympia Snowe (R-Maine), Orrin Hatch (R-Utah), Saxby Chambliss (R-Ga.) and Richard Burr (R-N.C.). "Further, we believe that we should give serious consideration to extending similar security clearance restrictions to the rest of the Intelligence Community." The Pentagon is the largest user and granter of security clearances in the government, with 2.5 million clearances of the 3.2 million total, according to 2006 Pentagon data. The Department of Defense has been plagued for several years with a large backlog of security clearances, and contractors with an already granted security clearance have become a hot commodity. Rep. Elijah Cummings (D-Md.)
knows from one constituent that the restriction - dubbed the Smith Amendment for its original author, former Sen. Bob Smith (R-N.H.) - would take away jobs and opportunities from "hard-working Americans who made mistakes in the past, but have served their time." He said the law does not affect one person alone, but people who have given their "blood, sweat and tears to this country," and who have paid the price for their mistakes. A constituent in his district who had worked for DISA for 20 years and had a security clearance despite a two-year jail term in the 1970s was facing the prospect of losing his job, benefits and retirement pay, Cummings said in an interview. Cummings, who introduced a separate bill in the House, stressed that the Pentagon regularly runs security checks on all its employees. "There is no need to include an added burden," he said. "I am very much concerned about making sure that we in this post-9/11 period be very careful." He said the legislation provides the right balance in addressing homeland security and protecting the rights of people who may have made mistakes in the past but received security clearance "over and over." Because President Bush has threatened to veto the defense authorization bill, it is important to have a standalone bill that is supported by the Pentagon, Cummings added. Alan Chvotkin, senior vice president and counsel at the Professional Services Council, said his organization has pushed for uniform standards across the government for receiving security clearances. "We have always supported a risk-based adjudication," he added. "No single factor in and of itself should be the reason why [individuals] should be denied a clearance. That should be a professional judgment by the adjudicator." The number of people found ineligible for a DoD security clearance under the provisions of the Smith Amendment is relatively small, said the Pentagon spokesman. "This is not some kind of affirmative action for convicts,"
Steven Aftergood, director of the Project on Government Secrecy at the Federation of American Scientists, said. "We're not talking about giving clearances to psychopaths and drug dealers, but preserving the ability to employ people who may have been convicted of a crime decades ago in a period of their life they have long since outgrown." Removing the restriction opens the door to security clearances for high-profile felons, such as I. Lewis "Scooter" Libby, the senior White House aide whose prison sentence was commuted by President Bush last week. "Could a Scooter Libby be hired by DoD?" Aftergood said. "The answer is, he wouldn't be automatically disqualified."

From rforno at infowarrior.org Tue Jul 10 13:19:10 2007 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 10 Jul 2007 09:19:10 -0400 Subject: [Infowarrior] - RFI: West Point graduates/staff? Message-ID: If anyone reading this is a recent grad of West Point and/or been involved with the school in recent years as faculty/staff/alumnus, please drop me a note......thx -rf

From rforno at infowarrior.org Tue Jul 10 13:27:03 2007 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 10 Jul 2007 09:27:03 -0400 Subject: [Infowarrior] - Software lets parents monitor kids' calls Message-ID: Software lets parents monitor kids' calls http://news.com.com/Software+lets+parents+monitor+kids+calls/2009-1025_3-6195666.html?tag=nefd.lede By Stefanie Olsen Staff Writer, CNET News.com Published: July 10, 2007 4:00 AM PDT In March, 15-year-old Joshua Brumfield got a shiny new BlackBerry Pearl, and his parents got a new way to watch out for their son. The Brumfields signed up to be early users of Radar, software designed to let parents monitor incoming calls on their child's mobile phone. Anytime Joshua gets a call from someone not on a call list approved by his parents, they will receive a real-time text alert on their cell phone or online.
For example, during the first two days on the phone, Joshua got six calls from a stranger within a few hours--and the Brumfields got six text alerts. So they asked Joshua about the calls, and he told them they were from a man looking for his ex-girlfriend who didn't believe that her number had changed. The stranger had grown more aggressive with each call, thinking that Joshua was a new boyfriend. "Radar really helped us see this was definitely a problem, one our son wouldn't have said anything about," said Lisa Brumfield, a Laguna Hills, Calif., mother of three boys. Joshua's father called the man to straighten out the situation. The Brumfields were among the first adopters of Radar, which was released this spring by Newport Beach, Calif.-based security company EAgency Systems. Initially, the Radar software, which costs about $10 a month on top of a wireless plan, has worked only with BlackBerry devices and other smart phones, a factor that has limited growth. But according to Bob Lodder, the company's founder, Radar is poised for wider distribution through deals with Motorola and Verizon Wireless. The company is working through a certification process with Motorola so that the software will work with Razr phones. (A Motorola representative didn't immediately return a call for comment.) Lodder also said the company is in talks with Verizon Wireless, which has a subscriber base of more than 60 million. Verizon Wireless representative Jeffrey Nelson said he couldn't comment on any potential relationship with EAgency. A few hundred people have subscribed to Radar so far, Lodder said. Still, Radar could mark a shift toward greater monitoring by parents through cell phones, much the way it happened on the Web years ago. 
As more kids live their lives on mobile devices--text messaging, sending photos, scheduling school assignments, surfing the Web and calling their social circle--some parents are using tracking software to protect them from predators or bullies, or to simply stay connected. In the last year, several companies have introduced mobile technology that lets parents track their kids, primarily between the ages of 8 and 15. Disney, for example, last year started selling a phone service called Disney Mobile, which lets parents set time parameters on their kids' cell phone usage and track the location of their handsets using GPS, among other features. In 2006, Verizon also started selling a service called Chaperone, which for $10 a month lets parents use the phone's embedded GPS chip to locate the cell phone (and presumably the kid). For another $10 a month, Verizon also sells "geo-fencing," a service that lets parents set geographic barriers, or zones, within which their child can use the phone during prescribed times and places, such as within 10 yards of the school yard on weekdays. The wireless carriers don't break out adoption rates for these services, but Verizon's Nelson called it a niche market. "This is a great feature for a pretty finite group of consumers. It's not a giant mass market," Nelson said. Researchers say that tweens are among the fastest growing segments of the cell phone population. Roughly 12 percent of U.S. children ages 8 to 9 have cell phones, and 24 percent of kids ages 10 to 11 have cell phones, according to a February survey from market research firm JupiterResearch. Lodder, who founded EAgency five years ago to make the mobile management software Nice Office, developed Radar as a way to deal with the issues parents face in a mobile-phone culture. He's particularly concerned with the threat of predators using cell phones to get at kids age 8 to 14.
"A lot of what was happening online is moving to the cell phone--cyberbullying and harassment--and most of its use is unmonitored. We wanted to help solve those issues," he said. His company developed Web-based software that lets parents log onto a secure site, called Mymobilewatchdog.com, to manage their account. Once a parent signs up for the monthly service, Radar will download the software wirelessly to a compatible phone. The parent then goes online to set up a child's friends and family call list, and can log back on anytime to see a record of all calls (numbers and duration), full text messages, and soon, MMS picture messages, which have been sent to the Radar-installed phone. And if anyone who's not on that approved list tries to call or text-message the child's phone, Radar sends a real-time alert to the parent's phone, regardless of his or her carrier or hardware. Parents can also see a copy of the text message on their phone, or see which numbers have called the phone. For example, Lisa Brumfield got a text message last Saturday at 2 a.m. warning her that a stranger had just called Joshua, who was spending the night at a friend's house. She asked him about it the following morning. "Every time I get an alert of an unusual phone call, I ask him about it. This turned out to be a wrong number," she said. Joshua is well aware that the software is installed on his BlackBerry--the Radar logo is displayed on the phone--and he doesn't mind, he said. But privacy advocates warn that this kind of monitoring can erode trust between parent and child. "Kids' privacy rights are by custom and tradition, like respecting closed doors and journals," said Marc Rotenberg, executive director of the Washington-based privacy group Electronic Privacy Information Center. "Constant surveillance of your kids or secret surveillance of your kids may not be the best way to build trust, and that's something parents need to consider." 
He added that clever kids will often find a way around tracking software. For example, youngsters have been known to use Web proxies to work around filters installed in school computer labs. Rotenberg said that he's also heard of kids using aluminum foil to disable GPS locators on the cell phone. Still, Lodder is hoping that Radar will be used by law enforcement agencies to catch and convict predators. He said that the tamper-proof data-retention system his company has built creates a record of evidence that could be admissible in a court of law. "We operate on the idea that long before something bad happens to a child, there's a chain of communication and we want to intervene early on that chain." Send insights or tips on this topic to stefanie.olsen at cnet.com.

From rforno at infowarrior.org Tue Jul 10 17:25:52 2007 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 10 Jul 2007 13:25:52 -0400 Subject: [Infowarrior] - TSA: Misses the bombs, grabs the water Message-ID: Way to go, TSA! -rf

> COLONIE -- Federal inspectors were able to slip a fake bomb through a checkpoint at Albany International Airport during a test of the facility's Transportation Security Administration screeners, according to individuals familiar with the incident.
>
> The unannounced inspection by TSA officials took place early last week. The airport's security measures failed in five of seven tests, most of the problems occurring at the passenger checkpoint, the sources said.
> In one test, TSA inspectors hid the components of a fake bomb in carry-on luggage that also contained a bottle of water. Passengers are prohibited from carrying containers holding more than three ounces of liquids, gels or aerosols through airport checkpoints.
>
> The screeners at Albany International confiscated the water bottle but missed the bomb. In all, the inspectors slipped four banned items through the main checkpoint during the test, sources said.
More -- http://tinyurl.com/2c8p38

From rforno at infowarrior.org Wed Jul 11 11:41:51 2007 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 11 Jul 2007 07:41:51 -0400 Subject: [Infowarrior] - FBI Plans Initiative To Profile Terrorists Message-ID: Why don't I believe what the FBI is saying here?? ---rf FBI Plans Initiative To Profile Terrorists Potential Targets Get Risk Rating http://www.washingtonpost.com/wp-dyn/content/article/2007/07/10/AR2007071001871.html?hpid=sec-nations By Ellen Nakashima Washington Post Staff Writer Wednesday, July 11, 2007; Page A08 The Federal Bureau of Investigations is developing a computer-profiling system that would enable investigators to target possible terror suspects, according to a Justice Department report submitted to Congress yesterday. The System to Assess Risk, or STAR, assigns risk scores to possible suspects based on a variety of information, similar to the way a credit bureau assigns a rating based on a consumer's spending behavior and debt. The program focuses on foreign suspects but also includes data about some U.S. residents. A prototype is expected to be tested this year. Justice Department officials said the system offers analysts a powerful new tool for finding possible terrorists. They said it is an effort to automate what analysts have been doing manually. "STAR does not label anyone a terrorist," the report said. "Only individuals considered emergent foreign threats (as opposed to other criminal activity such as U.S. bank robbery threats) will be analyzed." Some lawmakers said, however, that the report raises new questions about the government's power to use personal information and intelligence without accountability. "The Bush administration has expanded the use of this technology, often in secret, to collect and sift through Americans' most sensitive personal information," said Sen. Patrick J.
Leahy (D-Vt.), chairman of the Senate Judiciary Committee, which received a copy of the report on data-mining initiatives. The use of data mining in the war on terror has sparked criticism. An airplane-passenger screening program called CAPPS II was revamped and renamed because of civil liberty concerns. An effort to collect Americans' personal and financial data called Total Information Awareness was killed. Law enforcement and national security officials have continued working on other programs to use computers to sift through information for signs of threats. The Department of Homeland Security, for example, flags travelers entering and leaving the United States who may be potential suspects through a risk-assessment program called the Automated Targeting System. STAR is being developed by the FBI's Foreign Terrorist Tracking Task Force, which tracks suspected terrorists inside the country or as they enter. Both the Department of Homeland Security and the FBI's STAR programs create their ratings based on certain rules. In the case of STAR, a person's score would increase if his or her name matches one on a terrorist watch list, for example. A country of origin could also be weighted in a person's score. After STAR has received the names of persons of interest, it runs them through an FBI "data mart" that includes classified and unclassified information from the government, airlines and commercial data brokers such as ChoicePoint. Then it runs them through the terrorist screening center database, which contains hundreds of thousands of names, as well as through a database containing information on non-citizens who enter the country. It also runs the names against information provided by data broker Accurint, which tracks addresses, phone numbers and driver's licenses. The report said access to STAR would be limited to trained users and that data would be obtained lawfully. Results would be kept within the FBI's terrorist task force, the report said. 
Privacy expert David Sobel, senior counsel for the nonprofit advocacy group Electronic Frontier Foundation, said the government's system depends on potentially unreliable data. "If we can't assess the accuracy of the information being fed into the system, it's very hard to assess the effectiveness of the system." The STAR system would be subject to a privacy-impact assessment before being launched in final form.

From rforno at infowarrior.org Wed Jul 11 11:45:59 2007 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 11 Jul 2007 07:45:59 -0400 Subject: [Infowarrior] - Surgeon General Sees 4-Year Term as Compromised Message-ID: Surgeon General Sees 4-Year Term as Compromised By GARDINER HARRIS Published: July 11, 2007 http://www.nytimes.com/2007/07/11/washington/11surgeon.html?_r=1&hp=&oref=slogin&pagewanted=all WASHINGTON, July 10 - Former Surgeon General Richard H. Carmona told a Congressional panel Tuesday that top Bush administration officials repeatedly tried to weaken or suppress important public health reports because of political considerations. The administration, Dr. Carmona said, would not allow him to speak or issue reports about stem cells, emergency contraception, sex education, or prison, mental and global health issues. Top officials delayed for years and tried to "water down" a landmark report on secondhand smoke, he said. Released last year, the report concluded that even brief exposure to cigarette smoke could cause immediate harm. Dr. Carmona said he was ordered to mention President Bush three times on every page of his speeches. He also said he was asked to make speeches to support Republican political candidates and to attend political briefings. And administration officials even discouraged him from attending the Special Olympics because, he said, of that charitable organization's longtime ties to a "prominent family" that he refused to name. "I was specifically told by a senior person, 'Why would you want to help those people?'" Dr.
Carmona said. The Special Olympics is one of the nation's premier charitable organizations to benefit disabled people, and the Kennedys have long been deeply involved in it. When asked after the hearing if that "prominent family" was the Kennedys, Dr. Carmona responded, "You said it. I didn't." In response to lawmakers' questions, Dr. Carmona refused to name specific people in the administration who had instructed him to put political considerations over scientific ones. He said, however, that they included assistant secretaries of health and human services as well as top political appointees outside the department of health. Dr. Carmona did offer to provide the names to the committee in a private meeting. Bill Hall, a spokesman for the Department of Health and Human Services, said that the administration disagreed with Dr. Carmona's statements. "It has always been this administration's position that public health policy should be rooted in sound science," Mr. Hall said. Emily Lawrimore, a White House spokeswoman, said the surgeon general "is the leading voice for the health of all Americans." "It's disappointing to us," Ms. Lawrimore said, "if he failed to use this position to the fullest extent in advocating for policies he thought were in the best interests of the nation." Dr. Carmona is one of a growing list of present and former administration officials to charge that politics often trumped science within what had previously been largely nonpartisan government health and scientific agencies. Dr. Carmona, 57, served as surgeon general for one four-year term, from 2002 to 2006, but was not asked to serve a second. Before being nominated, he was in the Army Special Forces, earned two purple hearts in the Vietnam War and was a trauma surgeon and leader of the Pima County, Ariz., SWAT team. He received a bachelor's degree, in biology and chemistry, in 1976 and his M.D. in 1979, both from the University of California, San Francisco.
He is now vice chairman of Canyon Ranch, a resort and residential development company. His testimony comes two days before the Senate confirmation hearings of his designated successor, Dr. James W. Holsinger Jr. Two members of the Senate health committee have already declared their opposition to Dr. Holsinger's nomination because of a 1991 report he wrote that concluded that homosexual sex was unnatural and unhealthy. Dr. Carmona's testimony may further complicate Dr. Holsinger's nomination. In his testimony, Dr. Carmona said that at first he was so politically naïve that he had little idea how inappropriate the administration's actions were. He eventually consulted six previous surgeons general, Republican and Democratic, and all agreed, he said, that he faced more political interference than they had. On issue after issue, Dr. Carmona said, the administration made decisions about important public health issues based solely on political considerations, not scientific ones. "I was told to stay away from those because we've already decided which way we want to go," Dr. Carmona said. He described attending a meeting of top officials in which the subject of global warming was discussed. The officials concluded that global warming was a liberal cause and dismissed it, he said. "And I said to myself, 'I realize why I've been invited. They want me to discuss the science because they obviously don't understand the science,'" he said. "I was never invited back." Dr. Carmona testified under oath at a hearing before the House Oversight and Government Reform Committee headed by Representative Henry A. Waxman, Democrat of California. The topic was strengthening the office of the surgeon general. Dr. C. Everett Koop, surgeon general in the Reagan administration, and Dr. David Satcher, surgeon general during the Clinton administration and the first year of the administration of George W. Bush, also testified.
Each complained about political interference and the declining status of the office. Dr. Satcher said that the Clinton administration discouraged him from issuing a report showing that needle-exchange programs were effective in reducing disease. He released the report anyway. Dr. Koop said he had been discouraged by top officials in the Reagan administration from discussing the AIDS crisis. He did so anyway. All three men urged major changes in the way the surgeon general is chosen and the way the office is financed. Dr. Carmona described being invited to testify at the government's nine-month racketeering trial of the tobacco industry that ended in 2005. He said top administration officials discouraged him from testifying while simultaneously telling the lead government lawyer in the case that he was not competent to testify. Dr. Carmona testified anyway. Sharon Y. Eubanks, director of the Justice Department's tobacco litigation team, was in the audience during Dr. Carmona's testimony. "What he said is all correct," she said. "He was one of the most powerful witnesses. His testimony was very important." Dr. Carmona said that he felt that the duty of the surgeon general, often called the "nation's doctor," was to tackle many of the nation's most controversial health topics and to issue balanced reports about the studies underlying them. When stem cells became a focus of debate, Dr. Carmona said he proposed that his office offer guidance "so that we can have, if you will, informed consent." "I was told to stand down and not speak about it," he said. "It was removed from my speeches." The Bush administration rejected the advice of many top scientists on this subject, including that of the director of the National Institutes of Health, Dr. Elias Zerhouni. Similarly, Dr. Carmona wanted to address the controversial topic of sexual education, he said. Scientific studies suggest that the most effective approach includes a discussion of contraceptives.
"However there was already a policy in place that did not want to hear the science but wanted to preach abstinence only, but I felt that was scientifically incorrect," he said. Dr. Carmona said drafts of surgeon general reports on global health and prison health were still being debated by the administration. The global health report was never approved, Dr. Carmona said, because he refused to sprinkle the report with glowing references to the efforts of the Bush administration. "The correctional health care report is pointing out the inadequacies of health care within our correctional health care system," he said. "It would force the government on a course of action to improve that." Because the administration does not want to spend more money on prisoners' health care, the report has been delayed, Dr. Carmona said. "For us, the science was pretty easy," he said. "These people go back into the community and take diseases with them." He added, "This is not about the crime. It's about protecting the public."

From rforno at infowarrior.org Wed Jul 11 11:50:59 2007 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 11 Jul 2007 07:50:59 -0400 Subject: [Infowarrior] - What's Hidden in the iPhone's 'Fine Print'? Message-ID: ...not that different from other plans on other phones, but interesting enough to pass along.....rf What's Hidden in the iPhone's 'Fine Print'? Telecom Analyst Bruce Kushnick has inspected the iPhone's terms of service and offers some surprising revelations (emphasis mine): < - > http://directorblue.blogspot.com/2007/07/whats-hidden-in-iphones-fine-print.html

From rforno at infowarrior.org Wed Jul 11 11:59:04 2007 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 11 Jul 2007 07:59:04 -0400 Subject: [Infowarrior] - Meet the iPhone hackers Message-ID: Weekly Column | 2007.07.11 Meet the iPhone hackers http://machinist.salon.com/feature/2007/07/11/iphone_hackers/ The coding geniuses who are taking apart Apple's hot device say they're within a few days of making it work with cell networks beyond AT&T. By Farhad Manjoo When Steve Jobs, Apple's CEO, unveiled the iPhone, he promised it would put "the Internet in your pocket for the first time ever." So a few days after purchasing this wonder, I was walking around town when I had a delightful epiphany: Hey, now that I've got the Internet in my pocket, I can listen to a live stream of NPR anytime I want! (I'm a fellow of milquetoast impulses.) A quarter-second later the truth hit me. Of course I can't get NPR on my iPhone; it lacks the necessary software. I also can't watch Comedy Central's online videos, nor buy a song from iTunes, nor place a Skype call. Jobs is right; the iPhone is the Internet in your pocket, and at times, having it there feels marvelous. But often the device is a tease: Because Apple and AT&T have locked it down, the iPhone gives you the Internet of 1996, not of 2007. You can look but you can't watch, listen, download or play. In my first review of the iPhone, which I wrote just hours after laying my hands on the thing, I fingered the lockdown as my biggest complaint. Now, a week and a half later, my feelings haven't changed. What has changed is the context. Quickly and assuredly, a distributed crew of determined hackers is breaking down the iPhone's walls. They have managed, so far, to use the iPhone's iPod and Wi-Fi Internet functions without first signing up to AT&T, and they've also accessed the phone's "file system" -- letting them add ring tones and wallpaper, and play with the phone's menu bar.
Over the past few days, I've been talking to several of these hackers. They report amazing progress at freeing the iPhone -- what they call escaping the iPhone jail. They say they're about to release a programming "toolchain" that will push them toward their primary goal in a matter of weeks, if not days. That first goal: to unlock the iPhone from AT&T, allowing people to use all of its functions on any compatible cell network in the world. "We're quite close," says GJ, who called me up after I posted a notice on Hackintosh looking to talk to some of the coders who are cracking open the iPhone. Like all the others I spoke to, he wouldn't give me his full name nor much real-world identifying information, but he was quite willing to discuss the group's iPhone hacking efforts. "The phone has got to communicate with the cellular network somehow, and we've found that the radio hardware in the iPhone is actually quite common in the industry," GJ says. "So we know how to get the radio to talk to the cell tower. What we don't understand is how to interact with the radio from the iPhone and to unlock it. But we're quite close." The hack, he says, will most likely work through software -- you'll download a file, patch your iPhone while it's connected to your computer, and then, like that, you'll be able to use it with another network. GJ and others believe that unlocking the phone from AT&T is a first step toward unlocking it generally -- that is, toward making it a platform for which developers across the world, rather than just the developers at Apple, can build useful applications. The iPhone uses a cellular system known as GSM; in the U.S., T-Mobile is the only other big network that can carry its signals. (Verizon and Sprint use an incompatible cell standard called CDMA.) 
But GSM is the most popular wireless standard in the world, and hackers predict that if they unlock the iPhone, early adopters in Europe and Asia -- where the phone has not yet been released -- would flock to purchase it. And then they too would begin to tinker with it. "By unlocking the platform we are essentially opening the flood gates and 'letting it all in,'" a hacker named Jorge told me in an e-mail message. Conceivably, one of these people could figure out a way to write programs for the phone -- and perhaps, then, to let me stream "All Things Considered." Several loosely affiliated groups are now working to decouple the phone from AT&T. I've been following the largest and most promising of these, the crew that congregates on #iPhone, a chat room that you can get to using the Internet Relay Chat system on the server irc.osx86.hu. At any given time, about 400 people are on the channel, but only about 30 are working full-time on the hack. They're a diverse bunch, spread throughout the U.S. and Europe and bringing various flavors of expertise -- in coding, in cell system design, in old-fashioned operating-system breaking and entering -- to the effort. They're working more or less nonstop, digging, like miners in an uncharted hole, at all of the iPhone's hidden caves, in search of a rich vein. It's a tedious process, one that sometimes leads down dead ends. Over the weekend an American teenager who goes by the handle geohot stayed up all night soldering the connections on his iPhone dock in order to create a direct, "serial interface" to the phone. He succeeded. By the morning, in what seemed like a major breakthrough, he had found a way to issue commands to a key part of the system known as the bootloader. Some in the team thought they'd reached the holy grail; all they'd have to do was issue the correct commands to the iPhone's radio and it would be free. But that didn't work.
Many of the commands that the hackers sent to the bootloader came back with "permission denied" errors. Apple, they found, had protected the bootloader cryptographically, meaning that to do anything useful with it, they needed Apple's secret password. They had to find another way. Since then the hackers have been looking to build a toolchain, a programming interface to work with the iPhone's file format (called Mach-O) and processor type (known as ARM). This has been a difficult coding task, one that only a handful of them know how to do -- but today they told me that they're very nearly done with it. And once they have that, unlocking the phone could be around the corner. Hurdles, though, may persist. Even if the hackers manage to break the phone free from AT&T, getting it to run non-Apple-approved programs may be much more difficult. The hackers don't have the programming tools that Apple does, and, moreover, it's unclear if they can get around Apple's cryptographic locks on the phone. They've also faced the problem of defectors: "A couple people have jumped ship and see the possibility of making a profit," Jorge told me. One member of the group managed to build customized ring tones into the iPhone three days ago, he said, "but this person held out on us thinking he was going to be able to sell a service." A more serious threat may come from AT&T and Apple. If hackers unlock the iPhone tomorrow, Apple could lock it back up next week, and then the group might have to start all over again. They could also, of course, face legal threats. I asked Apple and AT&T if people who hacked their iPhones were breaking any rules. Apple did not respond; AT&T did. "The iPhone explicitly requires customers to sign up with AT&T when they buy the device," Susan McCain, a spokeswoman, told me in an e-mail. Anyone who buys the iPhone and doesn't use AT&T is engaging in an "illegitimate use" of the phone, another AT&T representative, Mark Siegel, told the Wall Street Journal. 
Though this certainly makes economic sense -- AT&T has a lot riding on iPhone exclusivity -- it seems a crazy policy for Apple to have signed on to. "I look at it and I'm like, Guys, what were you thinking?" GJ says. "We're in an age where people want to be able to build our own technology. We're becoming a culture of experimenters. And I think it's a little unfortunate that companies have decided to take this stand against us." From rforno at infowarrior.org Thu Jul 12 11:50:39 2007 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 12 Jul 2007 07:50:39 -0400 Subject: [Infowarrior] - Security Lessons From Toilet Paper Message-ID: Note the bit after the cut below....like with many security controls, there's always the "convenience factor" built in for emergencies or operator convenience.....which can potentially undermine the very solutions the product is designed for, not to mention introducing vulnerabilities or significant points-of-failure for the overall system. Anyone else think this *might* be cost-saving for business, but *is* a really bad idea in general??? -rf http://biz.yahoo.com/ap/070711/auto_toilet_paper.html Automatic Toilet Tissue Dispenser Ready Wednesday July 11, 12:50 am ET By Greg Bluestein, Associated Press Writer ROSWELL, Ga. (AP) -- Richard Thorne grins as he waves his hand under a toilet paper dispenser in a women's restroom. The machine spits five sheets of tissue into his grasp. A year in the works, the electronic tissue dispenser is being rolled out to the masses by Kimberly-Clark Professional as it seeks to capture more of the $1 billion away-from-home toilet paper market. The company believes most people will be satisfied with five sheets -- and use 20 percent less toilet paper. "Most people will take the amount given," says Thorne. Waxing philosophical, he adds, "People generally in life will take what you give them." Kimberly-Clark turned to focus groups and years of internal research to determine just how much is right. 
Americans typically use twice as much toilet paper as Europeans -- as much as an arm's length each pull, Thorne says. The company decided the best length is about 20 inches -- or precisely five standard toilet paper squares, though the machine can also be adjusted to churn out 16 inches or 24 inches, depending on the demand. < - > The machine isn't completely automated. Each also comes with a suite of "security" features in case the machine malfunctions. There's an emergency feed button, and a manual feed roller lets the users pull the roll around if the motor breaks down or the four D-size batteries run out. There's also an option for a "rescue roll" on one side of the machine just in case the old-fashioned way is preferred. From rforno at infowarrior.org Thu Jul 12 12:47:05 2007 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 12 Jul 2007 08:47:05 -0400 Subject: [Infowarrior] - Security paper shows how application can steal CPU cycles Message-ID: Security paper shows how application can steal CPU cycles By Jeremy Reimer | Published: July 11, 2007 - 11:06PM CT http://arstechnica.com/news.ars/post/20070711-security-paper-shows-how-applications-can-steal-cpu-cycles.html The annual Usenix security symposium is a gathering place for all kinds of ideas: those on how to stop security flaws and those about what kinds of new security issues may emerge in the future. A neat example of the latter was presented by Dan Tsafrir, Yoav Etsion, and Dror G. Feitelson in their paper (PDF) entitled "Secretly Monopolizing the CPU Without Superuser Privileges." The team presented a proof-of-concept program for Unix-based systems -- although it could theoretically be adopted for any modern multitasking operating system -- that allows a specified task to "cheat" and take more CPU cycles than the OS would normally allow it to have.
Security breaches fall into one of two categories: either the action is hostile (a program does something the user does not want, such as sending out spam), or it is concealing (the program attempts to conceal hostile actions from being discovered by the user). Most traditional concealing actions, such as rootkits, depend on having full administrative access to the computer in order to run. The utility described in the paper, dubbed "cheat," can run as a regular non-administrative user. In theory, a task could hide itself perfectly by arranging for its process to run just after the CPU interrupt "tick" fires (most operating systems generate this tick from the hardware-based clock and fire it once every few milliseconds) and go to sleep just before the next tick. Because of this, the standard operating system task accounting procedures would never notice that the process is even running. All normal OS methods of tracking tasks -- for example, the "top" command in Linux and Unix, or the Windows Task Manager -- will fail to display the cheating task, and this is without any modification of the operating system. The paper goes on to say that arranging a task to always run at such convenient times without administrative (superuser) access is "technically impossible;" instead, several workarounds are demonstrated that allow "cheat" to come close to this ideal behavior without always achieving it. The program uses a more fine-grained timer than the standard operating system interrupt, called a cycle counter: a CPU instruction that can be accessed at the user level by issuing an assembly command. Seven different operating systems were examined in the paper as potential platforms for the attack. Of the seven, only Mac OS X was found to be immune to the "cheat" attack; not because of a superior security architecture, but because it uses a different scheduling algorithm for its timers.
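The accounting blind spot described above, as an added simulation that is not code from the paper or from the article: a constructed schedule in which one process holds the CPU only between ticks, tick-sampled accounting (what "top" reports) beside the context-switch-timed accounting the paper trades performance for, and a check that flags the gap. Process names, the 1 kHz tick, the window length and the schedule are all assumptions made for the simulation.

```python
"""Tick-sampled versus precise CPU accounting, as a constructed simulation.

Added example, not code from the paper or the article: it models why work
done strictly between two timer ticks is invisible to sample-based
accounting, and shows the context-switch-timed accounting that closes the
gap. Process names, tick period and the schedule are all constructed.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

Segment = Tuple[int, int, str]  # (start_us, end_us, pid); half-open interval

TICK_US = 1_000      # constructed: a 1 kHz timer tick
WINDOW_US = 100_000  # constructed: a 100-tick observation window


def build_schedule(window_us: int, tick_us: int, gap_us: int) -> List[Segment]:
    """Constructed schedule: "cheat" holds the CPU from gap_us after each tick
    until gap_us before the next one, while "honest" is the process running
    at every tick instant, so it is the one the sampler sees."""
    if not 0 < gap_us < tick_us // 2:
        raise ValueError("gap must leave room for both processes within a tick")
    segments: List[Segment] = []
    for t in range(0, window_us, tick_us):
        segments.append((t, t + gap_us, "honest"))               # spans tick t
        segments.append((t + gap_us, t + tick_us - gap_us, "cheat"))
        segments.append((t + tick_us - gap_us, t + tick_us, "honest"))
    return segments


def running_at(segments: List[Segment], instant_us: int) -> str:
    """Return the pid occupying the CPU at a given instant ("" if idle)."""
    for start, end, pid in segments:
        if start <= instant_us < end:
            return pid
    return ""


def sampled_accounting(segments: List[Segment], tick_us: int,
                       window_us: int) -> Dict[str, int]:
    """Classic tick-based accounting: at each tick, the whole tick is charged
    to whichever process happens to be running at that instant."""
    usage: Dict[str, int] = defaultdict(int)
    for t in range(0, window_us, tick_us):
        pid = running_at(segments, t)
        if pid:
            usage[pid] += tick_us
    return dict(usage)


def precise_accounting(segments: List[Segment]) -> Dict[str, int]:
    """Precise accounting: a fine-grained clock (e.g. the cycle counter) is
    read at every context switch and the real interval length is charged."""
    usage: Dict[str, int] = defaultdict(int)
    for start, end, pid in segments:
        usage[pid] += end - start
    return dict(usage)


def hidden_share(sampled: Dict[str, int], precise: Dict[str, int],
                 window_us: int) -> Dict[str, float]:
    """Per process: fraction of the window that sampling failed to charge
    (negative means sampling over-charged that process)."""
    pids = set(sampled) | set(precise)
    return {pid: (precise.get(pid, 0) - sampled.get(pid, 0)) / window_us
            for pid in pids}


def flag_underreported(sampled: Dict[str, int], precise: Dict[str, int],
                       window_us: int, threshold: float = 0.05) -> List[str]:
    """Detection check a kernel with precise accounting could apply: report
    processes whose real CPU time exceeds the sampled figure by more than
    `threshold` of the window."""
    shares = hidden_share(sampled, precise, window_us)
    return sorted(pid for pid, share in shares.items() if share > threshold)


if __name__ == "__main__":
    schedule = build_schedule(WINDOW_US, TICK_US, gap_us=100)
    sampled = sampled_accounting(schedule, TICK_US, WINDOW_US)
    precise = precise_accounting(schedule)
    for pid in ("honest", "cheat"):
        print(f"{pid:7s} sampled={sampled.get(pid, 0):7d}us "
              f"precise={precise.get(pid, 0):7d}us")
    print("under-reported by sampling:",
          flag_underreported(sampled, precise, WINDOW_US))
```

With a 100 us gap the sampler charges all 100 ticks to "honest" while "cheat" actually held the CPU for 80% of the window, which is exactly the discrepancy the precise accounting exposes.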
Other operating systems that would be safe from attack include real-time OSes such as QNX, which guarantee execution of programs within a certain time limit. The exploit may or may not find its way into use in the malware world. While it is handy to avoid detection in task lists, using up most of a user's CPU cycles will have the very visible result of creating a slow computer, which would raise most people's suspicion levels. Still, programs could be written to cheat just a little bit, and such applications would be extremely hard to detect and remove. The authors found that they could protect the operating system against such attacks, but at the cost of performance. From rforno at infowarrior.org Thu Jul 12 20:14:41 2007 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 12 Jul 2007 16:14:41 -0400 Subject: [Infowarrior] - The computer virus turns 25 Message-ID: The computer virus turns 25 http://machinist.salon.com/ The computer virus turns 25 years old this year. It's been a rocky quarter-century -- but according to Richard Ford and Eugene Spafford, two computer scientists writing in this week's issue of the journal Science, viruses can look forward to a long, fruitful life. The researchers say that in today's hyper-connected world, when everything's got a chip in it and is running software, stopping malware is basically an impossible task. (Their article is not online.) The computer virus conception story begins in 1981, when a tech-savvy 9th grader named Richard Skrenta got an Apple II for Christmas. Over the following few months he began cooking up ways to trick his friends using the machine. "I had been playing jokes on schoolmates by altering copies of pirated games to self-destruct after a number of plays," Skrenta once told the tech news site Security Focus. "I'd give out a new game, they'd get hooked, but then the game would stop working with a snickering comment from me on the screen." 
When his friends realized his tricky ways, they banned Skrenta from their machines. And that's when he had an epiphany: He could put his code on the school's computer, and rig it to copy itself onto floppy disks that students used on the system. Thus was born Elk Cloner, the world's first computer virus to spread in the wild. The virus didn't do much damage; it infected the Apple II's OS and copied itself to other floppies, and every so often would display a tittering message on the screen:
Elk Cloner: The program with a personality
It will get on all your disks
It will infiltrate your chips
Yes it's Cloner!
It will stick to you like glue
It will modify RAM too
Send in the Cloner!
Ford and Spafford note that in the years since, as viruses spread to other computer platforms and throughout the world, wreaking billions in damages, there has been little progress in fighting them. There is a scientific reason for this: "Building a computer program that can tell with absolute certainty whether any other program contains a virus is equivalent to a famous computer science conundrum called the 'halting problem,'" they write. The halting problem concerns the difficulty of spotting whether a program will terminate or continue to run forever. "It has no solution in the general case and has no approximate solution for our current computing environments without also generating too many false results," they write. Ford and Spafford also take on the idea that Microsoft is to blame for our current virus ills. Certainly MS has neglected to secure Windows, but any platform that obtains ubiquity will become a target for attack, they note. Some say the solution is to have a diverse computing environment -- if the world ran all kinds of different platforms, rather than a Windows monoculture, viruses would spread much less slowly.
But diversity, Ford and Spafford point out, creates its own problems -- if the Mac, Linux and Windows all had roughly equal share, you'd need anti-virus teams working to protect all three platforms, any one of which could serve as a weak point for wider network destruction. Platform diversity, that is, increases the "attack surface," they write. Worse still is the potential for completely computer-free computer viruses. They point to a chain e-mail message that counseled people to delete a particular file from their computer to keep it secure. "The file they deleted was critical to the system," it turned out. The "virus" that caused its deletion was "executing" only in people's minds. And you can't get a virus checker for the brain. So right: Happy birthday, computer virus. Many happy returns! From rforno at infowarrior.org Fri Jul 13 11:45:09 2007 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 13 Jul 2007 07:45:09 -0400 Subject: [Infowarrior] - OT: Insightful security cartoon In-Reply-To: Message-ID: Today's Dilbert -- not security-exactly, but explains a ton about TSA and DHS and much about current security practices in general. http://www.dilbert.com/comics/dilbert/archive/dilbert-20070713.html Happy Friday! -rf From rforno at infowarrior.org Fri Jul 13 18:51:55 2007 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 13 Jul 2007 14:51:55 -0400 Subject: [Infowarrior] - Fees for VA Driving Infractions to Be Reassessed Message-ID: Fees for Driving Infractions to Be Reassessed GOP Lawmakers in Va. 
Rue 'Mistake' of Including Minor Offenses After Protests By Tim Craig Washington Post Staff Writer Friday, July 13, 2007; B01 http://www.washingtonpost.com/wp-dyn/content/article/2007/07/12/AR2007071202054_pf.html RICHMOND, July 12 -- Virginia Republican leaders, faced with growing opposition to the "abusive driver" fees that went into effect July 1, said Thursday that they will consider scrapping some of them when the General Assembly convenes in January. The fees, some of which exceed $1,000 per infraction, were part of a transportation plan that lawmakers approved this year. They were designed to raise millions of dollars each year for road and transit projects by imposing surcharges onto the fines for Virginia motorists convicted of serious traffic offenses, such as driving under the influence. But because of what legislators call an "error" and a "mistake," the fees also can be assessed on motorists who are convicted of less serious offenses. The surcharges did not receive much attention when lawmakers approved them Feb. 24, but the reaction has been overwhelmingly negative since Virginia residents learned about the fees this month. "As a part-time legislature, we will make mistakes, and we will have to correct them," said House Majority Leader H. Morgan Griffith (R-Salem), who wants to revisit which misdemeanors the fees cover. For example, someone criminally charged with driving too fast for road conditions will have to pay $300 a year for three years, in addition to the regular fine. A motorist convicted of having an obstructed view of traffic will have to pay $350 a year for three years, as will anyone convicted of driving more than 80 mph on an interstate, according to an analysis by the Supreme Court of Virginia. "I think clearly the overwhelming majority of delegates and senators never meant or expected it would apply to these lesser charges," said Del. C.L. "Clay" Athey Jr. (R-Warren). "There was obviously a drafting error." The fees, which Gov.
Timothy M. Kaine (D) supported as part of the bipartisan transportation agreement, have become a top issue in this fall's legislative races. Many residents have contacted their legislators, expressing outrage that the fees do not apply to out-of-state motorists. Sen. Kenneth W. Stolle (R-Virginia Beach) said the General Assembly probably will try to limit the fees to "truly reckless drivers." Stolle said some lawmakers also want to collect the fees from out-of-state motorists. But some GOP legislators, who spoke on condition of anonymity because they don't want to offend House leaders, said they do not want to wait until January to act. Noting that drivers will be legally required to pay the fees in the interim, some lawmakers are advocating a special session this summer or fall. A coalition of anti-tax activists and advocates for the poor also has started an online petition drive calling for a special session. The group wants the General Assembly to eliminate all of the new fees, not just those for Class 3 or 4 misdemeanors. As of Thursday, more than 1,200 people had signed the petition. Another petition received more than 36,000 signatures. Sherry D. Sherry of Leesburg, who helped organize the petition drive, said the fees could trap drivers with limited incomes in a cycle of debt. She noted that someone convicted of a first-time DUI will have to pay $750 a year for three years. "I am not trying to defend someone who gets a DUI, but I just know if someone gets a ticket and wants to rehabilitate their life and they work in a low-salary industry, this ticket will put them in a hole they will never climb out of," Sherry said. Kaine, who has been advocating for the abuser fees since taking office, said through a spokesman Thursday that he "remains open to the possibility" of revising the charges. But Kevin Hall, the spokesman, said the governor still thinks the fees will make Virginia roads safer. 
"It is important to remember most of these enhanced fees only apply to a small percentage of motorists who engage in criminal, reckless driving that causes accidents and injures and kills other people," Hall said. The fees, which could raise as much as $65 million annually, were intended to be a partial substitute for a statewide tax increase, which Kaine supported but the Republican-controlled House opposed. Stolle said the Senate, which had supported a tax increase, had tried to keep revenue generated from the fees to $28 million annually. But he said House Republican leaders insisted on at least $65 million, which meant the fees had to be higher and cover more offenses. "The more money you try to generate, the more violations you have to pick up," said Stolle, adding that some lawmakers may want to cut the amount of money raised by $40 million to $50 million by scaling back the abuser fees. In addition to the fees for misdemeanor and felony traffic convictions, motorists with eight or more points on their driving records will have to pay more. Those drivers have to pay $100 for the eight points and $75 for every additional point. Failure to pay will result in suspension of licenses. Del. Brian J. Moran (D-Alexandria), who wants all of the new fees eliminated, said they "cause more problems than they solve." "It is going to generate more driving on suspended licenses, which will clog up the court system and generate other expenses to society," Moran said. Del. Thomas Davis Rust (R-Fairfax), one of the architects of the abuser-fee law, said he's surprised "by the volume of the outcry." "If you don't break the law, you don't have a problem," said Rust, noting that the average Virginia motorist gets a ticket once every seven years. But Rust's Democratic opponent, Jay Donahue, said he plans to make an issue of the fees in the fall. 
"It is indefensible for legislators to adopt proposals that discriminate in favor of out-of-state drivers, excusing them from paying their fair share of our road construction and maintenance costs," Donahue wrote in an editorial scheduled to appear in local newspapers Friday. From rforno at infowarrior.org Sun Jul 15 22:57:32 2007 From: rforno at infowarrior.org (Richard Forno) Date: Sun, 15 Jul 2007 18:57:32 -0400 Subject: [Infowarrior] - Robot Air Attack Squadron Bound for Iraq Message-ID: Robot Air Attack Squadron Bound for Iraq Jul 15, 1:59 PM (ET) By CHARLES J. HANLEY http://apnews.myway.com/article/20070715/D8QD61V80.html BALAD AIR BASE, Iraq (AP) - The airplane is the size of a jet fighter, powered by a turboprop engine, able to fly at 300 mph and reach 50,000 feet. It's outfitted with infrared, laser and radar targeting, and with a ton and a half of guided bombs and missiles. The Reaper is loaded, but there's no one on board. Its pilot, as it bombs targets in Iraq, will sit at a video console 7,000 miles away in Nevada. The arrival of these outsized U.S. "hunter-killer" drones, in aviation history's first robot attack squadron, will be a watershed moment even in an Iraq that has seen too many innovative ways to hunt and kill. That moment, one the Air Force will likely low-key, is expected "soon," says the regional U.S. air commander. How soon? "We're still working that," Lt. Gen. Gary North said in an interview. The Reaper's first combat deployment is expected in Afghanistan, and senior Air Force officers estimate it will land in Iraq sometime between this fall and next spring. They look forward to it. "With more Reapers, I could send manned airplanes home," North said.
The Associated Press has learned that the Air Force is building a 400,000-square-foot expansion of the concrete ramp area now used for Predator drones here at Balad, the biggest U.S. air base in Iraq, 50 miles north of Baghdad. That new staging area could be turned over to Reapers. It's another sign that the Air Force is planning for an extended stay in Iraq, supporting Iraqi government forces in any continuing conflict, even if U.S. ground troops are drawn down in the coming years. The estimated two dozen or more unmanned MQ-1 Predators now doing surveillance over Iraq, as the 46th Expeditionary Reconnaissance Squadron, have become mainstays of the U.S. war effort, offering round-the-clock airborne "eyes" watching over road convoys, tracking nighttime insurgent movements via infrared sensors, and occasionally unleashing one of their two Hellfire missiles on a target. From about 36,000 flying hours in 2005, the Predators are expected to log 66,000 hours this year over Iraq and Afghanistan. The MQ-9 Reaper, when compared with the 1995-vintage Predator, represents a major evolution of the unmanned aerial vehicle, or UAV. At five tons gross weight, the Reaper is four times heavier than the Predator. Its size - 36 feet long, with a 66-foot wingspan - is comparable to the profile of the Air Force's workhorse A-10 attack plane. It can fly twice as fast and twice as high as the Predator. Most significantly, it carries many more weapons. While the Predator is armed with two Hellfire missiles, the Reaper can carry 14 of the air-to-ground weapons - or four Hellfires and two 500-pound bombs. "It's not a recon squadron," Col. Joe Guasella, operations chief for the Central Command's air component, said of the Reapers. "It's an attack squadron, with a lot more kinetic ability."
"Kinetic" - Pentagon argot for destructive power - is what the Air Force had in mind when it christened its newest robot plane with a name associated with death. "The name Reaper captures the lethal nature of this new weapon system," Gen. T. Michael Moseley, Air Force chief of staff, said in announcing the name last September. General Atomics of San Diego has built at least nine of the MQ-9s thus far, at a cost of $69 million per set of four aircraft, with ground equipment. The Air Force's 432nd Wing, a UAV unit formally established on May 1, is to eventually fly 60 Reapers and 160 Predators. The numbers to be assigned to Iraq and Afghanistan will be classified. The Reaper is expected to be flown as the Predator is - by a two-member team of pilot and sensor operator who work at computer control stations and video screens that display what the UAV "sees." Teams at Balad, housed in a hangar beside the runways, perform the takeoffs and landings, and similar teams at Nevada's Creech Air Force Base, linked to the aircraft via satellite, take over for the long hours of overflying the Iraqi landscape. American ground troops, equipped with laptops that can download real-time video from UAVs overhead, "want more and more of it," said Maj. Chris Snodgrass, the Predator squadron commander here. The Reaper's speed will help. "Our problem is speed," Snodgrass said of the 140-mph Predator. "If there are troops in contact, we may not get there fast enough. The Reaper will be faster and fly farther." The new robot plane is expected to be able to stay aloft for 14 hours fully armed, watching an area and waiting for targets to emerge. "It's going to bring us flexibility, range, speed and persistence," said regional commander North, "such that I will be able to work lots of areas for a long, long time." The British also are impressed with the Reaper, and are buying three for deployment in Afghanistan later this year. 
The Royal Air Force version will stick to the "recon" mission, however - no weapons on board. From rforno at infowarrior.org Mon Jul 16 14:15:12 2007 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 16 Jul 2007 10:15:12 -0400 Subject: [Infowarrior] - Global broadband prices revealed Message-ID: Global broadband prices revealed http://news.bbc.co.uk/go/pr/fr/-/1/hi/technology/6900697.stm Broadband users in 30 of the world's most developed countries are getting greatly differing speeds and prices, according to a report. The Organisation for Economic Co-operation and Development (OECD) report says 60% of its member countries net users are now on broadband. The report said countries that had switched to fibre networks had the best speeds at the lowest prices. In Japan net users have 100Mbps lines, 10 times higher than the OECD average. Japan's price for broadband per megabit per second is the lowest in the OECD at $0.22 (0.11p), said the report. The most expensive is Turkey at $81.13 (£40.56). In the US, the cheapest megabit per second broadband connection is $3.18 (£1.59) while in the UK it is $3.62 (£1.81).
CHEAPEST ENTRY LEVEL BROADBAND*
Sweden $10.79
Denmark $11.11
Switzerland $12.53
US $15.93
France $16.36
Netherlands $16.85
New Zealand $16.86
Italy $17.63
Ireland $18.18
Finland $19.49
*Source: OECD. Figures for October 2006
Subscribers to Japan's fibre networks can also upload at the same speed they can download, which is not possible with ADSL (broadband over a telephone line) and most cable subscriptions. Sweden, Korea and Finland also offer 100Mbps net connections, as all four countries have switched to fibre optic networks. The OECD represents 30 of the leading democratic economies, from Australia to the US, France to Japan. "Broadband is very quickly becoming the basic medium for service delivery on both fixed and wireless networks," said the report.
JupiterResearch telecoms analyst Ian Fogg said: "It's very hard to draw comparisons across 30 countries globally because there are different trends happening in each of them. However, he said the entry price for broadband was an incredibly important criterion to compare. "Because the market is very fragmented consumers care about cheap prices." According to the report, broadband prices for DSL connections across the 30 countries have fallen by 19% and increased in speed by 29% in the year to October 2006. Cable prices and speeds followed a similar trend. The least expensive monthly subscription for always-on broadband was in Sweden, where $10.79 (£5.40) bought a 256kbps connection. The country with the most expensive entry point for broadband access was Mexico, where it cost $52.36 (£26.18) for 1Mbps. Mr Fogg said: "In many of the OECD countries those people without broadband and making the transition are feeling their way and are very conscious of price. They haven't seen the need to go to broadband historically." The entry-level price points do not take into account bundled deals, such as incorporating free broadband with a TV contract, which are becoming increasingly important to the market. Mr Fogg said many countries had seen a jump in broadband speeds over the last few years as many ISPs utilising existing telephone lines had started to push ADSL2+. ADSL2+ is a technology which doubles the frequency band of a typical ADSL connection over a phone line, in effect doubling the amount of data which can be sent downstream to a user. The theoretical maximum speed of an ADSL2+ line is 24Mbps, still much slower than speeds over fibre optic networks. "ADSL2+ hasn't happened everywhere and it's happened at different times in different countries," explained Mr Fogg. "France was the first country in the western world to use the technology, about two or three years ago. "BT (in the UK) has been very slow to switch across.
The only option for UK customers has been to get it from competitors, notably Be, which is owned by O2, and Sky."

Story from BBC NEWS:
http://news.bbc.co.uk/go/pr/fr/-/1/hi/technology/6900697.stm

Published: 2007/07/16 13:01:58 GMT

From rforno at infowarrior.org Mon Jul 16 23:56:00 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 16 Jul 2007 19:56:00 -0400
Subject: [Infowarrior] - US Drug Czar: Weed growers are terrorists and help other terrorists
Message-ID:

Drug czar gives warning
Federal official calls marijuana growers dangerous terrorists
By Dylan Darling
Friday, July 13, 2007

The nation's top anti-drug official said people need to overcome their "reefer blindness" and see that illicit marijuana gardens are a terrorist threat to the public's health and safety, as well as to the environment.

John P. Walters, President Bush's drug czar, said the people who plant and tend the gardens are terrorists who wouldn't hesitate to help other terrorists get into the country with the aim of causing mass casualties.

Walters made the comments at a Thursday press conference that provided an update on the "Operation Alesia" marijuana-eradication effort.

"Don't buy drugs. They fund violence and terror," he said.

After touring gardens raided this week in Shasta County, Walters said the officers who are destroying the gardens are performing hard, dangerous work in rough terrain. He said growers have been known to have weapons, including assault rifles.

"These people are armed; they're dangerous," he said. He called them "violent criminal terrorists."

Walters, whose official title is director of the White House Office of National Drug Control Policy, said too many people write off marijuana as harmless.

"We have kind of a 'reefer blindness,' " he said.
< - >

http://www.redding.com/news/2007/jul/13/drug-czar-gives-warning/

From rforno at infowarrior.org Mon Jul 16 23:57:07 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 16 Jul 2007 19:57:07 -0400
Subject: [Infowarrior] - Sunrocket halts VOIP operations
Message-ID:

http://www.nytimes.com/2007/07/17/business/17sunrocket.html?hp

Internet Phone Company Halts Operations
By MATT RICHTEL
Published: July 17, 2007

SunRocket, an Internet telephone company, has ceased operations and is moving its customers to one or more other companies, according to a person briefed on its status.

A recording on SunRocket's customer service line said the company "is no longer taking customer service or sales calls."

Executives of SunRocket, which was founded in 2004 and is based in Vienna, Va., could not be reached for comment.

Telecommunications industry analysts said the development highlights the struggles of start-ups trying to offer telephone service over the Internet. These start-ups face enormous competitive pressure from the biggest players in the telecommunications industry, both cable and traditional telephone companies.

The cable companies in particular have made a strong push into the telephone market by offering the service as part of a product bundle with television and Internet access.

The start-ups, like SunRocket and Vonage, the best known of the group, tend to offer a single product, and they do not have the same power as the larger companies to control quality of service because they do not operate their own telecommunications lines, said Richard Greenfield, a media analyst at Pali Research in New York.

In April, SunRocket announced that it had reached 200,000 subscribers and said the milestone was a testament to consumers' embrace of Internet telephony, which allows telephone calls to be transmitted as data over the Internet.
One of SunRocket's main pitches to potential customers was its offer of $199 for a year of unlimited calling to the United States, Canada and Puerto Rico.

Vonage, which went public last year, was a pioneer in the commercialization of the technology. But its fortunes have floundered too, along with its stock, which has been on a steady slide over the last year, closing Wednesday at $2.95.

Alan Bezoza, an analyst at Oppenheimer & Co., said Vonage had continued to add subscribers, but the cost of attracting them had put the company deep into the red. He said that in its first quarter this year, Vonage added 166,000 customers, but lost $73 million.

The start-ups "are going up against the marketing muscle of very large companies, like cable and telecom companies," Mr. Bezoza said.

Mr. Bezoza said that he believed that stand-alone Internet telephone companies could wind up as successful niche players in the market, but their investors would have to be willing to endure a substantial period of losses before they built enough of a customer base to be profitable.

From rforno at infowarrior.org Tue Jul 17 12:01:44 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 17 Jul 2007 08:01:44 -0400
Subject: [Infowarrior] - Judge Awards $68,685.23 in Attorneys Fees Against RIAA in Capitol v. Foster
Message-ID:

Judge Awards $68,685.23 in Attorneys Fees Against RIAA in Capitol v. Foster

In Capitol v. Foster, in Oklahoma, the Court has ordered the RIAA to pay the defendant Debbie Foster $68,685.23 in attorneys fees and costs. This is the first attorneys fee award, of which we are aware, against the RIAA.

Ms. Foster was represented by Marilyn Barringer-Thomson of Oklahoma City, Oklahoma.
July 16, 2007, Order and Decision Directing RIAA to Pay $68,685.23 in Attorneys Fees*

http://recordingindustryvspeople.blogspot.com/2007/07/judge-awards-68000-in-attorneys-fees.html

From rforno at infowarrior.org Tue Jul 17 17:50:21 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 17 Jul 2007 13:50:21 -0400
Subject: [Infowarrior] - Flaw auction site highlights disclosure issues
Message-ID:

Flaw auction site highlights disclosure issues
Robert Lemos, SecurityFocus 2007-07-13
http://www.securityfocus.com/print/news/11474

Four years ago, rootkit guru Greg Hoglund found himself a day away from launching an auction site for vulnerabilities.

The security researcher had created the Web site, lined up a handful of vulnerabilities to kick off the auction, and even had leaked the story to SecurityFocus. Riffing off eBay's fame, Hoglund had christened the site ZeroBay. Yet, a day away from launching, the researcher pulled the plug instead.

"I had a frank discussion with my wife, and we decided that the business would have too many potential legal issues," said Hoglund, who now heads up digital forensics firm HBGary. "We didn't want to accept the financial liability for it."

The story serves as a cautionary tale for the creators of the first public vulnerability auction site, the oddly named WabiSabiLabi, which went live last week. The site has garnered wildly varied reactions from researchers and professionals in the security industry -- some approving, others not -- but all agree that the auction site is breaking new ground.

Run by start-up firm WSLabi, a Swiss-owned company, WabiSabiLabi launched with four vulnerabilities -- including flaws in Linux, Yahoo Messenger and SquirrelMail -- on the block at prices ranging from €500 to €2,000. The company is manned with relatively unknown members of the security industry, many from Italy.
Perhaps the best known member of the team, Roberto Preatoni, is the founder of defacement tracking and security Web site Zone-H.org.

The site is off to a rocky start: The company has already had to pull two of the vulnerabilities for sale. Researchers were able to pore through the SquirrelMail code and find that flaw, while the Linux kernel issue was found to be already public.

Preatoni, director for strategy at WSLabi, said such setbacks are expected.

"It will take time to see what (the auction model) will produce, either for bad or for good," Preatoni said. "We are just doing our best to find a viable way to redesign the vulnerability market in favor of the researchers."

Yet whether the auction model is right for the security world is a big question in the minds of many security professionals. A big ethical consideration is whether the auction model will result in vulnerabilities being fixed, or bought for use against unsuspecting targets. Some worry that vulnerabilities will be sold to cybercriminals that will use them for malicious reasons.

"The bottom line is that we know that selling vulnerability information can be dangerous," said Terri Forslof, manager of security response for the Zero Day Initiative, a vulnerability bounty program run by 3Com subsidiary TippingPoint.

WSLabi does not notify the vendor of the vulnerabilities put on the auction block but leaves that decision to the researcher selling the information. The company is not the owner of the information, so the decision to notify a vendor is not its to make, WSLabi's Preatoni said.

"The point is that we are not selling," Preatoni said in an e-mail interview with SecurityFocus. "This is what most people didn't understand in our business model. We just run facilities, offer visibility, and do the marketing communications. The researcher is selling."

That's a deal breaker for others in the security industry.
The ethical problems and potential legal issues scuttled any thought of using auctions for the Zero Day Initiative, TippingPoint's Forslof said.

"I'm not personally opposed to an auction," she said. "That was one of the models we talked about ourselves with the Zero-Day Initiative. But we could never find a way to make it work responsibly and make it fit into our corporate value system."

TippingPoint would never consider bidding in the auctions, Forslof said.

Microsoft also nixed the idea.

"We do not believe that offering compensation for vulnerability information is the best way we can help protect our customers," the software giant said in a statement sent to SecurityFocus. "Our policy is to credit finders who report vulnerabilities to us in a responsible manner."

While auction models might not help vendors, they do allow researchers to potentially profit more from their discoveries. In a recent paper, security researcher Charles Miller described his experiences in selling vulnerabilities. One sale could have netted Miller $80,000, but because he could not get the exploit code working for a specific version of Linux, Miller settled for $50,000. The other sale, for $12,000, was scuttled when Microsoft fixed the vulnerability in question.

Auctions level the playing field and allow competition for the information, said Miller, who is a principal security analyst for Independent Security Evaluators. For that reason, he supports WSLabi.

"I think it's a great idea, in theory," he said.

Yet, the company has some major hurdles ahead, he added. Selling information is a tricky game. Give away too much to the seller, and they don't need to buy the information any more. On the other hand, the seller requires some information to place a value on the vulnerability. That's why most people that sell vulnerability information have already established credentials and trust with the buyers.

Miller believes that WSLabi currently lacks the credentials to act as a middleman.

"These are, basically, people that I have never heard of before and I have no reason to trust them," he said. "With TippingPoint and iDefense, you basically don't have to worry about them screwing you over."

HBGary's Hoglund agrees. At the time when ZeroBay was ready to launch, he was a known quantity in the industry and believes he had the clout to get the concept off the ground. WSLabi has a way to go, he said.

"I don't think anyone knows who they are," Hoglund told SecurityFocus. "They don't have any industry credibility and they are incorporated in a country that does not appear to be their home country."

The reasons for the company's Swiss registration are no secret, said WSLabi's Preatoni. The owners are based in Switzerland, so they decided to incorporate in that country. However, the Swiss registration also heads off many of the legal issues that the company might have in the United States or in the European Union, he said.

"Switzerland has far more clear laws (regarding WSLabi's business model), while, generally speaking, the laws in the EU are old laws subject to the personal interpretation of the court (and represents) a huge gray area in terms of legislation, which needs to be sorted out as soon as possible."

In the United States, while the auctioning of information is not illegal, the act could create a great deal of liability for a U.S.-based company, according to Jennifer Granick, executive director of the Center for the Internet and Society at Stanford University's School of Law.

"Distributing the vulnerability to someone who is unknown -- but who is only recommended by their ability to pay the highest price -- and then not telling anyone else, adds liability," Granick said.

While the company does request that people who register to be a buyer or seller provide identification, such a measure could be easily circumvented, she added.
The auction site has shown one definite benefit, however: Publicly selling vulnerabilities stokes interest in finding the flaws first. ISE's Miller joined others in trying to track down the SquirrelMail vulnerability, which was eventually found and even appears to have been previously submitted to iDefense's Vulnerability Contributor Program.

"I don't think anyone would have looked at the code for SquirrelMail," Miller said. "The fact that they had (the flaw) on there, made me look at the code."

While proponents of open-source software frequently argue that public source code means that more people -- or "many eyes" -- will audit the code for vulnerabilities, many open-source projects do not get frequent reviews. If the auction site takes off, however, security researchers may continue to try and beat buyers to the punch -- and that's a good thing, said HBGary's Hoglund.

"As soon as you post up an auction, everyone in the industry is going to take a look at the (the application)," he said. "And that puts thousands of eyes on that code."

From rforno at infowarrior.org Tue Jul 17 18:07:22 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 17 Jul 2007 14:07:22 -0400
Subject: [Infowarrior] - Privacy: MS patents 'mother of all adware systems'
Message-ID:

(possible privacy and confidentiality issues......not a good thing......rf)

Microsoft patents the mother of all adware systems
http://arstechnica.com/news.ars/post/20070717-microsoft-patents-the-mother-of-all-adware-systems.html
By John McBride | Published: July 17, 2007 - 09:45AM CT

It's such a tremendously bad idea that it's almost bound to succeed. Microsoft has filed another patent, this one for an "advertising framework" that uses "context data" from your hard drive to show you advertisements and "apportion and credit advertising revenue" to ad suppliers in real time. Yes, Redmond wants to own the patent on the mother of all adware.
The application, filed in 2006, describes a multi-faceted, robust ad-delivering system that lives on a "user computer, whether it's part of the OS, an application or integrated within applications."

"Applications, tools, or utilities may use an application program interface to report context data tags such as key words or other information that may be used to target advertisements," says the filing. "The advertising framework may host several components for receiving and processing the context data, refining the data, requesting advertisements from an advertising supplier, for receiving and forwarding advertisements to a display client for presentation, and for providing data back to the advertising supplier."

The adware framework would leave almost no data untouched in its quest to sell you stuff. It would inspect "user document files, user e-mail files, user music files, downloaded podcasts, computer settings, computer status messages (e.g., a low memory status or low printer ink)," and more. How could we have been so blind as to not see the marketing value in computer status messages?

The software would also free advertising from its traditional browser yoke. "A word processor may display a banner ad along the top of a window, similar to a toolbar, while a graphical ad may be displayed in a frame associated with the application. A digital editor for photos or movies may support video-based advertisements," the patent application says.

The patent application, first unearthed by InformationWeek, gives the impression that your software would have more control over the advertising than you would. "An e-mail client may specify that ads from competitors must be excluded, that its own display client must be used... (that) no more than 4 ads per hour are allowed, and that only text or graphical... advertisements are supported."
The patent makes no mention of any method by which an actual user might exert control, nor does it mention very real privacy or security concerns. That's okay. It's still a good thing. It says so right in the application: "The ability to derive and process context data from local sources rather than monitor interactions with a remote entity, such as a server, benefits both consumers and advertisers by delivering more tightly targeted advertisements. The benefit to the user is the perception that the ads are more relevant, and therefore, less of an interruption. The benefit to the advertiser is better focus and a higher chance of conversion to a sale."

The patent is a fascinating exercise in advertising delivery systems. But surely that's all it is - an exercise. No way anyone would ever actually make a thing like this. Right?

From rforno at infowarrior.org Tue Jul 17 18:58:23 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 17 Jul 2007 14:58:23 -0400
Subject: [Infowarrior] - New Harry Potter Book Makes Its Way to the Web
Message-ID:

July 17, 2007
New Harry Potter Book Makes Its Way to the Web
By MOTOKO RICH
http://www.nytimes.com/2007/07/17/books/17cnd-potter.html?_r=1&hp=&oref=slogin&pagewanted=print

Photos of what appeared to be every page of "Harry Potter and the Deathly Hallows," the breathlessly awaited seventh and final installment in the wildly popular series by J.K. Rowling, were circulating around the Web today, potentially upsetting the most elaborate marketing machine ever mobilized for a book.

Various file-sharing Web sites were carrying what looked like amateur photographs of each pair of facing pages of the book, which officially goes on sale at 12:01 a.m. Saturday morning. The pictures show the book laid out on a green and red-flecked looped carpet with somebody's fingers holding it open. Some of the photos make the text difficult to read, but the ending is definitely legible.
Kyle Good, a spokeswoman for Scholastic, the book's United States publisher, said that she was aware of at least three different versions of the file "that look very convincing" with what she described as "conflicting content."

In a court filing on Monday, Scholastic sought "materials hosted on Photobucket.com's system" that it said might violate the book's copyright, Bloomberg News reported today. Photobucket is a unit of the News Corporation.

In addition, Bloomberg said, Scholastic sent a subpoena to Gaia Interactive in San Jose asking the identity of someone who had posted a copy of the book on Gaia's social networking Web site, gaiaonline.com. A spokesman for Gaia told Bloomberg that it had complied with the subpoena, turned the name over to Scholastic, removed the material and banned the user from the site.

In Britain, where the book is published by Bloomsbury, Sarah Beal, a spokeswoman, said: "We are encouraging people not to do this. This happens with every book, and there are a lot of them out there, and we appeal to everybody not to put them up. It's amazing how creative people can be. It may look real, but it doesn't mean they are."

Hype and frenzy have been building for weeks, as readers anticipate the release of the final book, in which Ms. Rowling has hinted that two or more characters are likely to die, leading to speculation from many fans that Harry might not survive his own series. Fans have been guessing about other important plot points, as well, such as who will end up with whom, or whether Professor Severus Snape, a character whose moral character has been in question, is genuinely evil.

Bookstores across the country are gearing up for festivities Friday night and are expecting long lines of readers who want to get their hands on a copy, which comes out in hardcover. Scholastic is publishing a record-setting print run of 12 million copies.
From rforno at infowarrior.org Wed Jul 18 02:01:09 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 17 Jul 2007 22:01:09 -0400
Subject: [Infowarrior] - Experts: Unclassified Report 'Pure Pablum,' Hides Truth
Message-ID:

Experts: Unclassified Report 'Pure Pablum,' Hides Truth
July 17, 2007 12:10 PM
http://blogs.abcnews.com/theblotter/2007/07/experts-unclass.html

Intelligence analysts and the former White House counterterror official describe as "pure pablum" the unclassified version of the National Intelligence Estimate released today on terror threats to the United States.

"Nothing in here is going to surprise anybody who's been following this," said one senior U.S. intelligence official.

"It's more about what it doesn't say than what it does say," says Richard Clarke, the former White House official who is now an ABC News consultant.

"What is left out of the version released publicly is the explicit statement that al Qaeda is back and has operations underway," Clarke says.

The 2006 version of the National Intelligence Estimate claimed U.S. efforts had "seriously damaged the leadership of al-Qa'ida and disrupted its operations."

"That's no longer the case in 2007, and you have to read between the lines to understand how we have lost ground," Clarke says.

The current White House counterterrorism official, Fran Townsend, the assistant to the president for homeland security, told reporters today, "Al Qaeda is weaker today than if we had not taken strong action against them."

She said she would not address still-classified aspects of the intelligence estimate that al Qaeda had regained strength at levels not seen since before the 9/11 attacks.

The Blotter on ABCNews.com reported last week that senior law enforcement and intelligence officials had "multiple and credible" reports that an al Qaeda terror cell may be on its way to the United States or could already be in the country.
Today's report also concludes that "al-Qa'ida will probably seek to leverage the contacts and capabilities of al-Qa'ida in Iraq (AQI)."

"Given that there was no al Qaeda in Iraq until we invaded there," says Clarke, "it's hard not to draw the conclusion that going to Iraq has created a further threat to the United States."

From rforno at infowarrior.org Wed Jul 18 02:02:03 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 17 Jul 2007 22:02:03 -0400
Subject: [Infowarrior] - There's No Such Thing as the Homeland
Message-ID:

There's No Such Thing as the Homeland
By Ryan Singel
http://blog.wired.com/27bstroke6/2007/07/theres-no-such-.html

A declassified version of a new National Intelligence Estimate regarding the threat to the U.S. by terrorism was made public today, concluding that radical Islamic fundamentalist plotters are still out there and some jackasses inside the country could get radicalized enough to launch small scale attacks.

An advanced class of 7th graders with access to the internet could have collectively written a more incisive report relying simply on open source documents. Danger Room's Noah knows it and ABC's Brian Ross sees the same thing.

In fact, what's most notable about the report outside of its inanity, is that one single word is repeated continually through the report. That word is "Homeland."

Take for example, this sentence:

> We assess that al-Qa'ida's Homeland plotting is likely to continue to
> focus on prominent political, economic, and infrastructure targets with the
> goal of producing mass casualties, visually dramatic destruction, significant
> economic aftershocks, and/or fear among the US population.

Overlook, if you will, the absolute banality of the observation that Al Qaeda wants to hit prominent targets in the United States with a devastating attack. (It's about the equivalent of writing a news story that geeks with money like and buy gadgets.)
Instead, think about the use of the word "Homeland" to describe the United States. The estimate repeats the term 11 times in its meager two pages of "key findings".

That repetition signals more than anything that this report is a document crafted for political purposes by an apparatus with a dangerous world view or at least by an apparatus headed by folks who hunger for a conflict.

People who write and think of their country as the Homeland with a capital H tend to think that they can redefine torture, ignore international treaties, fund disinformation efforts to keep morale high, launch wars based on hunches and emphasize the power of the executive branch because they consider themselves the good guys who are the only ones who know what's right for the country. They only want to protect the Homeland, don't you see?

The vocabulary is symptomatic of a rigid, nationalistic world view. There is no such thing as a Homeland. The United States is not Franco's Spain, the National Socialist Party's Germany, or Mussolini's Italy. We do not face imminent destruction of our country or way of life.

Al Qaeda is not Nazi Germany. They are a rabid, fundamentalist religious cult that wants to roll back the modern world for the comfortable certainty of a militant religion, and the movement woos converts by exploiting legitimate and fabricated grievances against Muslims around the world. The group is fighting a rear-guard and ultimately doomed fight against the onslaught of modernity and its squadrons of lattes, fashion trends and cultural dislocations.

While Al Qaeda's rabid and utterly predictable response to modernity was falling out of favor with most Muslims and Muslim-dominated governments throughout the Nineties, it has been re-fueled by this Administration's historically ignorant, testosterone-and-ego-driven post 9/11 foreign policy. Any fool can see this Administration's imperial ambitions repeat the mistakes of colonialism.
The National Intelligence Estimate, at least the unclassified version, doesn't come out and say it, but this Administration has been feeding the animals. In fact, by using the vocabulary of Fascism, the Intelligence Community itself feeds the animals.

So please stop it already. This isn't the Homeland. This is the United States of America. Change the words and the policy will follow.

From rforno at infowarrior.org Wed Jul 18 02:27:52 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 17 Jul 2007 22:27:52 -0400
Subject: [Infowarrior] - UK: Road cameras expand Big Brother network
Message-ID:

'Big Brother' plan for police to use new road cameras
http://politics.guardian.co.uk/terrorism/story/0,,2128878,00.html
Alan Travis, home affairs editor
Wednesday July 18, 2007
The Guardian

"Big Brother" plans to automatically hand the police details of the daily journeys of millions of motorists tracked by road pricing cameras across the country were inadvertently disclosed by the Home Office last night.

Leaked Whitehall background papers reveal that Home Office and transport ministers have clashed over plans for legislation this autumn enabling the police to get automatic "real-time" access to the bulk data from the traffic cameras now going into operation.

The Home Office says the police need the data from the cameras, which can read and store every passing numberplate, "for all crime fighting purposes". But transport ministers warn of concerns about privacy and "the potential for adverse publicity relating to plans for local road pricing" also due to be unveiled this autumn.

There are already nearly 2,000 automatic number plate recognition (ANPR) cameras in place and they are due to double as road pricing schemes are expanded across the country.
Douglas Alexander, who was transport secretary until three weeks ago, told the Home Office the bulk transfer of data to the police was out of proportion to the problem and "might be seen as colouring the debate about road charging (that material being collected for traffic purposes is being used for other outcomes)".

The leaked Home Office note emerged yesterday as it was announced that the home secretary, Jacqui Smith, had waived Data Protection Act safeguards to allow the bulk transfer of data from London's congestion charge and traffic cameras to the Metropolitan police for the specific purpose of tracking potential terrorists in and around the capital.

Transport for London was very reluctant to hand over the data without the home secretary issuing a special certificate exempting it from legal action from motorists worried about breach of their privacy.

The leaked paper reveals that Home Office officials rate even this limited proposal as "highly controversial," never mind extending it across the whole country for "crime fighting".

"Civil rights groups and privacy campaigners may condemn this as further evidence of an encroaching 'big brother' approach to policing and security, particularly in light of the recent e-petition on roads pricing," says a Home Office note on its 'handling strategy' for the issue in reference to the runaway success of a petition on the Downing Street website against road charging.

"Conversely, there may be surprise that the data collected by the congestion charge cameras is not already used for national security purposes and may lead to criticism that the matter is yet to be resolved."

The leaked document also reveals the scale of possible national surveillance with ANPR. The police can compare details of vehicles entering the London congestion charge zone against a hotlist of target vehicles, and identify cars that have been at several sites at key times. The police say this could help pinpoint finds of terrorist material.
At present the police can apply for the London congestion zone records only on a case by case basis. The new power will give police live access to all the data.

The Liberal Democrat home affairs spokesman, Nick Clegg, said the "unintended act of open government" had revealed the disingenuous attitude of ministers towards public fears about a creeping surveillance state: "No wonder Douglas Alexander was keen to tone down these proposals, since he must know that public resistance to a road charging scheme will go through the roof if it is based on technology which poses a threat to personal privacy. Bit by bit, vast computer databases are being made inter-operable and yet the government seems to be running scared of a full and public debate."

Shami Chakrabarti, the director of Liberty, said: "It is one thing to ask the public for special measures to fight the grave threat of terrorism, but when that becomes a Trojan horse for mass snooping for more petty matters it only leads to a loss of trust in government."

From rforno at infowarrior.org Wed Jul 18 02:30:10 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 17 Jul 2007 22:30:10 -0400
Subject: [Infowarrior] - Secret Buildings You May Not Photograph, Part 643
Message-ID:

Secret Buildings You May Not Photograph, Part 643
http://blog.washingtonpost.com/rawfisher/?hpid=news-col-blogs

If you happen by 3701 N. Fairfax Drive in Arlington and decide you have a sudden craving for a photograph of a generic suburban office building, and you point your camera at said structure, you will rather quickly be greeted by uniformed security folks who will demand that you delete the image and require that you give up various personal information.

When Keith McCammon unwittingly took a picture of that building, he was launched on an odyssey that has so far involved an Arlington police officer, the chief of police and the defense of the United States of America.
McCammon could not have been expected to know when he wandered by the building that it houses the Defense Advanced Research Projects Agency, a low-profile wing of the Defense Department that conducts all manner of high-tech research that evolves into weapons systems and high-order strategery.

DARPA's presence at 3701 N. Fairfax is hardly a government secret--Google finds nearly 10,000 pages listing the agency's use of the building. But there's no big fat sign on the building, so how was McCammon to know that this was a building he dared not photograph? And why would the government care if anyone took a picture of the exterior of an office building? This is as silly and hypersensitive as the now-common harassment of people who innocently take pictures of random federal buildings in the District.

McCammon decided to fight back. He demanded to know why he had been stopped, why the government needed his personal information, and why any record of the incident should be kept in government records. He got quick, polite responses from Arlington officials.

"I hope that you would agree that the security of any such building is of great importance and every law enforcement officer is duty bound to investigate all suspicious activity," wrote Arlington Acting Police Chief Daniel Murray. "I am certainly not implying that a person taking photographs is inherently 'suspicious,' but when the appearance is that the subject of a photograph is a government installation, officers have a duty to ensure the safety of the occupants of this structure."

Hmmm. Any government installation? This overly broad approach to security is why we end up with ridiculous horror stories about innocent tourists getting hassled for taking photos of the Lincoln Memorial or the Department of the Interior.

The good news here is that Arlington police didn't take a report or create a file on McCammon.
The bad news is that they did pass his information along to "the internal security agency for this installation." Which means that somewhere in the vast security apparatus that we have constructed since 9/11--utterly ignoring the fact that the Soviet empire collapsed under the weight of its own paranoid security apparatus--there is now a report on Keith McCammon, photographer.

The bottom line is that McCammon was caught in a classic logical trap. If he had only known the building was off-limits to photographers, he would have avoided it. But he was not allowed to know that fact.

"Reasonable, law-abiding people tend to avoid these types of things when it can be helped," McCammon wrote. "Thus, my request for a list of locations within Arlington County that are unmarked, but at which photography is either prohibited or discouraged according to some (public or private) policy. Of course, such a list does not exist. Catch-22."

The only antidote to this security mania is sunshine. Only when more and more Americans do as McCammon has done and take the time and effort to chronicle these excesses and insist on answers from authorities will we stand a chance of restoring balance and sanity to the blend of liberty and security that we are madly remixing in these confused times.

From rforno at infowarrior.org Wed Jul 18 12:04:53 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 18 Jul 2007 08:04:53 -0400
Subject: [Infowarrior] - Miro launches: Democracy Player evolves into a 1.0
Message-ID:

Miro launches: Democracy Player evolves into a 1.0 product!
http://www.boingboing.net/2007/07/17/miro_launches_democr.html

Miro is the new name for the awesome Internet TV player previously known as "Democracy Player." Now that Democracy has gone 1.0, it's got a new name, new features, and an incredible future ahead of it.

Miro is easy: just pick some channels -- video podcast feeds -- and Miro will download all the video from your channels.
Miro downloads with Bittorrent, meaning that there's never a problem with popular sites going down because they're clobbered by too many requests. Miro can play any video, because it incorporates the free/open video player called VLC, which plays practically every video format under the sun. Miro also grabs YouTube videos, and has access to more HD content than any other source online or off.

The future of Internet TV is too important to belong to one company. Internet TV needs to live atop something open and free, the way that the Web lives on top of the open and free Firefox browser. That's why Miro is licensed under the GPL, the gold standard in open/free licensing, meaning that anyone can take Miro and run with it, improve it, sell it, or give it away.

Miro is created by a charitable foundation called the Participatory Culture Foundation, an organization that also makes complementary, free packages like Broadcast Machine (for publishing your own video channels) and VideoBomb (like Digg, but for video). The foundation pays programmers to improve the technology, and it's entirely free to use and improve.

Miro is available for Linux, Mac OS X and Windows.

From rforno at infowarrior.org Wed Jul 18 16:22:13 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 18 Jul 2007 12:22:13 -0400
Subject: [Infowarrior] - FBI remotely installs spyware to trace bomb threat
Message-ID:

July 18, 2007 1:00 AM PDT
FBI remotely installs spyware to trace bomb threat
Posted by Declan McCullagh
http://news.com.com/8301-10784_3-9746451-7.html

The FBI used a novel type of remotely installed spyware last month to investigate who was e-mailing bomb threats to a high school near Olympia, Wash.

Federal agents obtained a court order on June 12 to send spyware called CIPAV to a MySpace account suspected of being used by the bomb-threat hoaxster.
Once implanted, the software was designed to report back to the FBI with the Internet Protocol address of the suspect's computer, other information found on the PC and, notably, an ongoing log of the user's outbound connections.

[Image: Screen snapshot of 'timberlinebombinfo' MySpace account]

The suspect, former Timberline High School student Josh Glazebrook, was sentenced this week to 90 days in juvenile detention after pleading guilty to making bomb threats and other charges.

While there's been plenty of speculation about how the FBI might deliver spyware electronically, this case appears to be the first to reveal how the technique is used in practice. The FBI did confirm in 2001 that it was working on a virus called Magic Lantern but hasn't said much about it since. The two other cases in which federal investigators were known to have used spyware--the Scarfo and Forrester cases--involved agents actually sneaking into offices to implant key loggers.

An 18-page affidavit filed in federal court by FBI Agent Norm Sanders last month and obtained by CNET News.com claims details about the governmental spyware are confidential. The FBI calls its spyware a Computer and Internet Protocol Address Verifier, or CIPAV.

"The exact nature of these commands, processes, capabilities, and their configuration is classified as a law enforcement sensitive investigative technique, the disclosure of which would likely jeopardize other ongoing investigations and/or future use of the technique," Sanders wrote. A reference to the operating system's registry indicates that CIPAV can target, as you might expect given its market share, Microsoft Windows. Other data sent back to the FBI include the operating system type and serial number, the logged-in user name, and the Web URL that the computer was "previously connected to."

News.com has posted Sanders' affidavit and a summary of the CIPAV results that the FBI submitted to U.S. Magistrate Judge James Donohue.
There have been hints in the past that the FBI has employed this technique. In 2004, an article in the Minneapolis Star Tribune reported that the bureau had used an "Internet Protocol Address Verifier" that was sent to a suspect via e-mail. But bloggers at the time dismissed it--in hindsight, perhaps erroneously--as the FBI merely using an embedded image in an HTML-formatted e-mail message, also known as a Web bug.

Finding out who's behind a MySpace account

An interesting twist in the current case is that the county sheriff's office learned about the MySpace profile -- timberlinebombinfo -- when the creator tried to persuade other students to link to it and at least one of their parents called the police. The sheriff's office reported that 33 students received a request to post the link to "timberlinebombinfo" on their own MySpace pages.

In addition, the bomb hoaxster was sending a series of taunting messages from Google Gmail accounts (including dougbrigs at gmail.com) the week of June 4. A representative excerpt: "There are 4 bombs planted throughout Timberline High School. One in the math hall, library hall, and one portable. The bombs will go off in 5 minute intervals at 9:15 am."

The FBI replied by obtaining account logs from Google and MySpace. Both pointed to the Internet Protocol address of 80.76.80.103, which turned out to be a compromised computer in Italy.

That's when the FBI decided to roll out the heavy artillery: CIPAV. "I have concluded that using a CIPAV on the target MySpace 'Timberlinebombinfo' account may assist the FBI to determine the identities of the individual(s) using the activating computer," Sanders' affidavit says.

CIPAV was going to be installed "through an electronic messaging program from an account controlled by the FBI," which probably means e-mail. (Either e-mail or instant messaging could be used to deliver an infected file with CIPAV hidden in it, but the wording of that portion of the affidavit makes e-mail more likely.)
After CIPAV is installed, the FBI said, it will immediately report back to the government the computer's Internet Protocol address, Ethernet MAC address, "other variables, and certain registry-type information." And then, for the next 60 days, it will record Internet Protocol addresses visited but not the contents of the communications.

Putting the legal issues aside for the moment, one key question remains a mystery: Assuming the FBI delivered the CIPAV spyware via e-mail, how did the program bypass antispyware defenses and install itself as malicious software? (There's no mention of antivirus defenses in the court documents, true, but the bomb-hoaxster also performed a denial of service attack against the school district computers -- which, coupled with compromising the server in Italy, points to some modicum of technical knowledge.)

One possibility is that the FBI has persuaded security software makers to overlook CIPAV and not alert their users to its presence.

Another is that the FBI has found (or paid someone to uncover) unknown vulnerabilities in Windows or Windows-based security software that would permit CIPAV to be installed. From the FBI's perspective, this would be the most desirable: for one thing, it would also obviate the need to strong-arm dozens of different security vendors, some with headquarters in other countries, into whitelisting CIPAV.

Earlier this week, News.com surveyed 13 security vendors and all said it was their general policy to detect police spyware. Some, however, indicated they would obey a court order to ignore policeware, and neither McAfee nor Microsoft would say whether they had received such a court order. The verbatim results of our survey are here.
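The "Web bug" the bloggers had in mind is the simplest form of an IP address verifier: an <img> in an HTML message whose src points at a remote server, so that merely opening the mail makes the reader's client fetch it and hand the server the reader's IP address, user agent and time of reading. The following scanner is an added example for this digest (it is not code from the CNET article, the FBI or any mail vendor) showing what a mail gateway or client can do about it: it lists every remote image in a message body, flags the 1x1 ones as tracking pixels, and re-emits the HTML with remote images replaced by a visible placeholder so the message can be read without contacting the sender. The sample message and the example.invalid host names are constructed for this example; the tracking-pixel heuristic (a remote image one pixel wide or high) is an assumption, not a standard.

```python
"""Detect and neutralise remote-image "web bugs" in an HTML e-mail body.

Added example; not code from the CNET article, the FBI or a mail vendor.
The sample message below is constructed for this example.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample body: one inline (cid:) image, one 1x1 tracking pixel,
# one ordinary remote banner and one data: URI. Only the two http(s) images
# cause a network fetch when the message is opened.
SAMPLE_HTML = """<html><body>
<p>Hello &amp; welcome,</p>
<img src="cid:logo@example.invalid" alt="logo">
<img src="https://tracker.example.invalid/open.gif?id=abc123" width="1" height="1">
<img src="http://images.example.invalid/banner.png" width="600" height="100"/>
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==">
<p>Regards</p>
</body></html>"""

REMOTE_SCHEMES = {"http", "https"}


def is_remote(src):
    """True when loading src would contact a network host (cid:/data: do not)."""
    return urlsplit(src).scheme.lower() in REMOTE_SCHEMES


def _dim(value):
    """Parse a width/height attribute such as '1' or '1px' to an int, else None."""
    if value is None:
        return None
    digits = "".join(ch for ch in value if ch.isdigit())
    return int(digits) if digits else None


class WebBugScanner(HTMLParser):
    """Record every remote <img>; flag those that look like beacons."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        if not is_remote(src):
            return
        w, h = _dim(a.get("width")), _dim(a.get("height"))
        # Assumption used here: a remote image 1 pixel wide or high serves
        # no display purpose and is treated as a tracking pixel.
        tiny = (w is not None and w <= 1) or (h is not None and h <= 1)
        self.findings.append({"src": src, "host": urlsplit(src).hostname,
                              "tracking_pixel": tiny})


def scan(html):
    """Return one finding per remote <img> in the HTML body."""
    parser = WebBugScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


class RemoteImageStripper(HTMLParser):
    """Re-emit the HTML with each remote <img> replaced by a placeholder."""

    PLACEHOLDER = "[remote image blocked]"

    def __init__(self):
        # Keep entity/char references unconverted so they are re-emitted as-is.
        super().__init__(convert_charrefs=False)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag == "img" and is_remote(dict(attrs).get("src") or ""):
            self.out.append(self.PLACEHOLDER)
        else:
            self.out.append(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):  # the <img ... /> form
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append("&%s;" % name)

    def handle_charref(self, name):
        self.out.append("&#%s;" % name)

    def handle_comment(self, data):
        self.out.append("<!--%s-->" % data)

    def handle_decl(self, decl):
        self.out.append("<!%s>" % decl)


def strip_remote_images(html):
    """Return the body with every remote <img> replaced by PLACEHOLDER."""
    parser = RemoteImageStripper()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    for f in scan(SAMPLE_HTML):
        kind = "tracking pixel" if f["tracking_pixel"] else "remote image"
        print("%-15s %s" % (kind, f["host"]))
    print(strip_remote_images(SAMPLE_HTML))
```

On the sample, scan() reports tracker.example.invalid as a tracking pixel and images.example.invalid as a plain remote image, while the cid: and data: images are left alone because displaying them never leaves the machine. Blocking remote loads by default, as strip_remote_images() does, is the usual mitigation: it defeats the Web bug regardless of what the image looks like, at the cost of the reader having to opt in to see legitimate remote pictures.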
From rforno at infowarrior.org Thu Jul 19 12:29:56 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 19 Jul 2007 08:29:56 -0400
Subject: [Infowarrior] - A random idea for tv networks
Message-ID:

Wouldn't it be great if all TV commercials were meta-tagged and, as with browsers and cookies, you could use your remote control to block ones that you didn't want to encounter --- either one-by-one, or by company/organization? I don't mind commercials, but I resent being carpet-bombed by certain ones. With customers armed with such capabilities, companies and networks alike would think twice about broadcasting annoying commercials and then airing them endlessly...and thus angering/turning away potential customers. (Are you listening, Ditech, GE, CNBC, Scottrade, Comcast, Salesgenie, and the National Autism Foundation?)

Just a thought......and btw list traffic will be light this week, I'm off for a weekend holiday up north.

-rf

From rforno at infowarrior.org Fri Jul 20 13:54:59 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 20 Jul 2007 09:54:59 -0400
Subject: [Infowarrior] - Scary executive order just signed
Message-ID:

http://www.boingboing.net/2007/07/19/white_house_kisses_g.html

The latest Executive Order from the War Criminal Administration facilitates and sanctions the taking away of property of anyone who is deemed to be "undermining efforts to promote economic reconstruction and political reform in Iraq or to provide humanitarian assistance to the Iraqi people". Left in those terms, it isn't too much of a stretch to envision this Administration deciding that any particularly vocal critic of the Iraq occupation is "undermining efforts" and thus a target for seizure of property or assets, Fifth Amendment be damned. Big news indeed, and yet it has received scant little attention in the media.
Shameful in every regard, but it troubles me even more that this latest criminal act has crossed a new threshold in reckless disregard for the US Constitution, and yet hardly a soul even knows about it.

Link to EO: http://www.whitehouse.gov/news/releases/2007/07/20070717-3.html

From rforno at infowarrior.org Sun Jul 22 19:53:47 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 22 Jul 2007 15:53:47 -0400
Subject: [Infowarrior] - Anonymizer cancels web service
In-Reply-To:
Message-ID:

http://blog.wired.com/monkeybites/2007/07/anonymizer-web-.html

Anonymizer Web-Based Service Bites The Dust
By Scott Gilbertson, July 20, 2007

Without fanfare or explanation long-time anonymous browsing service Anonymizer has discontinued the web-based and toolbar versions of its "Private Surfing." The desktop version of Anonymizer is still available, but there are already several other desktop packages that do the same thing and cost less -- Tor comes to mind -- what made Anonymizer unique was the web-based component. Even worse for Mac, Windows Vista and Linux users, the desktop version of Anonymizer is only available for Windows 2000 and XP.

Though I haven't actually used Anonymizer in years (I gave up basically), I'll credit the site and its re-routing web-service with introducing me to the concept of anonymous web browsing and why it's necessary.

From rforno at infowarrior.org Mon Jul 23 02:07:53 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 22 Jul 2007 22:07:53 -0400
Subject: [Infowarrior] - Serious Security Questions at Sky Harbor Airport
Message-ID:

Jul 22, 2007 6:57 PM
Serious Security Questions at Sky Harbor Airport
By Investigator Lisa Fletcher
ABC15.com
http://www.abc15.com/news/local/story.aspx?content_id=568d6b4d-67b7-4116-9098-4c35d8b5ce38#top

It's what you have to do when you fly - use X-ray machines, metal detectors, and deal with liquid restrictions in your carry-on luggage. You know the drill.
Security checkpoints are just part of travel these days. They're supposed to keep us safe, so we use them - but not all of us and not all the time.

We've discovered a 4.5 hour time frame each night when virtually anything can be brought into the secure side of Phoenix Sky Harbor Airport. There's no metal detector, no X-ray machine, and it's apparently not a problem.

Afraid to show her face, one long-time Sky Harbor employee talks about the security most people don't see.

Lisa Fletcher: "You're telling me Sky Harbor's not safe?"

Employee: "I'm telling you Sky Harbor's not safe and hasn't been for a long time."

It's what we discovered in the middle of the night - TSA agents going away, and security guards taking over. It's 4.5 hours - every night - when an employee badge becomes an all-access pass.

Night after night, our hidden cameras captured what security experts tell us is a disaster waiting to happen. The X-ray machines were off, the metal detectors were closed, and bags with unknown contents were carried to the secure side of the airport where the planes are. We watched as a security guard let people with purses, coolers and suitcases walk right through - bags unchecked. Even more surprising, some of the people you trust to keep you safe planned it this way.

Larry Wansley is widely regarded as one of the nation's top airline security experts. "It's a frightening situation, I've just simply never seen anything like it," he said. "I really honestly have not."

He's the former head of security for American Airlines, and currently consults the U.S. Government and airports around the world. We brought him in to take a look at what we found.

"It is not security," he said. "It truly is not security. Anything can be going through there. I don't get it."

Larry watched for hours and saw the same thing we did - guys with huge backpacks showing their ID and walking through without ever opening their bags.
A flight attendant, with three suitcases in tow, flashed her badge and breezed by. A huge load of newspapers on a cart was also pulled right past the guard and a floor cleaner was pushed by without any inspection. Even a guy with his bike just showed his ID and was able to ride through with his crate on the back, never checked.

In the time we watched, dozens made it past this checkpoint, bags unchecked.

Larry Wansley couldn't believe it. "Clearly this is a very, very imminently dangerous situation," he said. "You've got the front door, TSA that has locked it up for the better part of the day, the majority of the day. And then you throw open the back door to be exploited by those that would simply destroy us. And I simply do not understand it and I'm appalled. I'm shocked and I'm amazed."

The airport employee we talked with said she is afraid. "No one's doing anything about it," she said. "Management knows. I know management knows. I know my superiors know. I know the security guards know. Everybody knows what's going on, but nobody's doing anything about it."

You would think the director of Sky Harbor, or even a spokesperson from the TSA, would trip over themselves to talk about this issue, but you would be wrong. All of them have refused on camera interviews to talk about the kind of security they've employed to keep us safe.

Documents obtained by the ABC15 Investigators show they've known for two years that this is going on. In 2005, airport officials hired an outside company to handle security during the times when passenger flights are done for the day. The documents said the guards would not search personal items or the people.

Here's the rub: A TSA memo we obtained requires whoever controls airport access to follow federal guidelines that, "provide security against an unauthorized weapon, explosive, or incendiary onto an aircraft."
It's tough to prevent that if you're not checking bags. It's even tougher if you're asleep.

One on-duty security guard we talked to said it was hard sometimes to keep from falling asleep. In fact, a document we obtained, given to the airport from law enforcement - proves one guard did fall asleep for nearly 20 minutes. Our airport source said it happens a lot.

"I've seen security guards fast asleep where they've not even looked up to see somebody walk through the checkpoint," she said.

Airport officials told ABC15 that not checking employee bags is a common practice. So why then, when the clock strikes 4:30 a.m. does it all change back? TSA takes over, the X-ray machines are back on, the metal detectors are working, and everyone, including incoming employees just like the ones we watched all night long, are screened.

We asked one of the TSA employees that question when we were at Sky Harbor. "We have no control over what the City of Phoenix does," the employee said. So we then asked him if passengers should feel safe. "That's up to the passengers to determine that," he said.

The airport employee we talked to said passengers never had a choice in this. "I'm trying to explain how unsafe Sky Harbor Airport is so that you and I and everyone else don't get blown up on a plane that everyone else seems to have access to," she said.

Airport security expert Larry Wansley said this needs to be fixed immediately. "You've got all sorts of items that are going into the secure part of an airport unchecked," he said. "I think that presents a very, very dangerous situation that can be exploited that can lead to disaster. That concerns me."

Lisa: "Are there any reasons that the airport management could give you that could change your mind and make this acceptable?"

Larry: "I can't think of any."

Lisa: "We're essentially a ticking time bomb?"

Larry: "Bingo."

©2007 The E.W. Scripps Co. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.
From rforno at infowarrior.org Tue Jul 24 02:12:33 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 23 Jul 2007 22:12:33 -0400
Subject: [Infowarrior] - Educause CFA: College Filesharing Amendment
Message-ID:

http://connect.educause.edu/blog/hwachs/urgentcalltoaction/44790?time=1185243074

____________________________________________

TO: Institutional Primary Reps
RE: EDUCAUSE Urgent Request

URGENT, ACT TODAY: AMENDMENT HARMFUL TO HIGHER EDUCATION

Dear Colleague,

I am writing to ask your help in a matter of urgency to higher education in general and the IT community in particular: U.S. Senate Majority Leader Harry Reid (D-NV) intends to offer a very harmful amendment, involving illegal file sharing, to the Higher Education Reauthorization Act when the Senate turns to this issue on July 22-23. The amendment can be found at .

The amendment:

* Makes the Secretary of Education an agent of the entertainment industry;
* Requires the Secretary to take action using data given to her by the entertainment industry that is terribly inaccurate;
* Requires targeted colleges and universities to plan for implementing a "technical solution" to illegal file sharing that does not yet exist for many campus environments;
* Is aimed only at colleges and universities, and NOT other Internet service providers;
* Ignores the fact that the higher education and entertainment communities are working together to develop a mutually acceptable technological solution to illegal file sharing, a process that should be allowed to continue without interference from the Federal government;
* Ignores the fact that the bill already contains a provision that requires all colleges and universities to submit an annual report to the Secretary of Education providing details of the education and enforcement strategies being used on campus to reduce illegal file-sharing; and
* Is yet another attempt by the Federal government to dictate the day-to-day operations of colleges and universities.
It is important that your institution (CEO, government relations official, and yourself) CALL today, not write, your state's U.S. senators' staff members for higher education issues and tell them how much higher education opposes this amendment. Please also call Senator Reid's office (202-224-3542), Senator Edward Kennedy's office (202-224-4543), and Senator Michael Enzi's office (202-224-3424).

Thank you for your help. EDUCAUSE will provide you with further information when it is available, but please do not wait to make your calls.

Best regards,
Mark Luker
Vice President
EDUCAUSE

From rforno at infowarrior.org Tue Jul 24 12:05:57 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 24 Jul 2007 08:05:57 -0400
Subject: [Infowarrior] - GAO Report on Cybercrime Challenges
Message-ID:

Public and Private Entities Face Challenges in Addressing Cyber Threats
http://www.gao.gov/new.items/d07705.pdf

Summary

What GAO Found

Cybercrime has significant economic impacts and threatens U.S. national security interests. Various studies and experts estimate the direct economic impact from cybercrime to be in the billions of dollars annually. The annual loss due to computer crime was estimated to be $67.2 billion for U.S. organizations, according to a 2005 Federal Bureau of Investigation (FBI) survey. In addition, there is continued concern about the threat that our adversaries, including nation-states and terrorists, pose to our national security. For example, intelligence officials have stated that nation-states and terrorists could conduct a coordinated cyber attack to seriously disrupt electric power distribution, air traffic control, and financial sectors. Also, according to FBI testimony, terrorist organizations have used cybercrime to raise money to fund their activities.

Despite the estimated loss of money and information and known threats from adversaries, the precise impact of cybercrime is unknown because it is not always detected and reported (cybercrime reporting is discussed further in GAO's challenges section).

Numerous public and private entities have responsibilities to protect against, detect, investigate, and prosecute cybercrime. The Departments of Justice, Homeland Security, and Defense, and the Federal Trade Commission have prominent roles in addressing cybercrime within the federal government, and state and local law enforcement entities play similar roles at their levels. Private entities such as Internet service providers and software developers focus on the development and implementation of technology systems to detect and protect against cybercrime, as well as gather evidence for investigations. In addition, numerous cybercrime partnerships have been established between public sector entities, between public and private sector entities, and internationally, including information-sharing efforts.

Entities face a number of key challenges in addressing cybercrime, including reporting cybercrime and ensuring that there are adequate analytical capabilities to support law enforcement (see table). While public and private entities, partnerships, and task forces have initiated efforts to address these challenges, federal agencies can take additional action to help ensure adequate law enforcement capabilities.

Why GAO Did This Study

Computer interconnectivity has produced enormous benefits but has also enabled criminal activity that exploits this interconnectivity for financial gain and other malicious purposes, such as Internet fraud, child exploitation, identity theft, and terrorism. Efforts to address cybercrime include activities associated with protecting networks and information, detecting criminal activity, investigating crime, and prosecuting criminals.

GAO's objectives were to (1) determine the impact of cybercrime on our nation's economy and security; (2) describe key federal entities, as well as nonfederal and private sector entities, responsible for addressing cybercrime; and (3) determine challenges being faced in addressing cybercrime. To accomplish these objectives, GAO analyzed multiple reports, studies, and surveys and held interviews with public and private officials.

What GAO Recommends

GAO recommends that the Attorney General and the Secretary of Homeland Security help ensure adequate law enforcement analytical and technical capabilities. In written comments on a draft of this report, the FBI and the U.S. Secret Service noted efforts to assess and enhance these capabilities.

http://www.gao.gov/new.items/d07705.pdf

From rforno at infowarrior.org Tue Jul 24 20:06:45 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 24 Jul 2007 16:06:45 -0400
Subject: [Infowarrior] - Google acquires ImageAmerica to boost mapping
Message-ID:

Google acquires ImageAmerica to boost mapping
Posted by Stephen Shankland
http://news.com.com/8301-10784_3-9748227-7.html?part=rss&subj=news&tag=2547-1_3-0-20

Google has acquired ImageAmerica, a company that builds high-resolution cameras and uses them to take aerial photographs.

The search engine giant announced the move Friday on its LatLong blog about Google Earth and its other mapping efforts. It didn't disclose terms of the deal.

"We're excited about how ImageAmerica's technology will contribute to our mapping services down the road," Product Manager Stephen Chau said on the blog. "Since we're in the research and development phase right now it may be some time before you see any of this imagery in Google Maps or Earth."

ImageAmerica supplied Google Earth with high-resolution aerial photos of New Orleans after Hurricane Katrina struck in 2005.
According to older pages from the Internet Archive's Wayback Machine, Clayton, Mo.-based ImageAmerica specialized in creating aerial photos with "accuracy, quick delivery and low cost," selling primarily to city, county, state and federal governments and to corporate customers. In addition to developing its DDP-2 (Direct Digital Panoramic) camera system, the company has its own aircraft to house it. The high-resolution camera can capture details as small as 6 to 12 inches, and the company's processing system can produce orthorectified imagery that's been corrected for perspective distortions.

Google has extensive efforts under way to add geographic data to its already vast repository of information. Its Google Earth application lets users view satellite imagery, and its Google Maps service provides aerial views as well. Google also has begun integrating street-level views into its maps, a move that has raised some privacy hackles.

From rforno at infowarrior.org Tue Jul 24 20:18:33 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 24 Jul 2007 16:18:33 -0400
Subject: [Infowarrior] - Universities win Senate fight over anti-P2P amendment
Message-ID:

Universities win Senate fight over anti-P2P amendment
Posted by Declan McCullagh
http://news.com.com/8301-10784_3-9749071-7.html?part=rss&subj=news&tag=2547-1_3-0-5

Senate Majority Leader Harry Reid has withdrawn anti-file-sharing legislation that drew yowls of protest from universities over the past few days.

Reid, without explanation, on Monday nixed his own amendment that would have required universities--in exchange for federal funds--to use technology to "prevent the illegal downloading or peer-to-peer distribution of intellectual property." The proposal would have been tacked on to the Higher Education Reauthorization Act of 2007.
That alarmed lobbyists for universities, which tend to be delighted to accept federal largesse but rather dislike the government placing conditions on the cash. Even worse, in their opinion, must have been the requirement that the U.S. Department of Education annually identify the 25 colleges and universities receiving the "highest number of written" complaints from copyright owners.

Educause, a group that represents universities and related organizations, sent out an "URGENT CALL TO ACTION" on Friday that called Reid's amendment "yet another attempt by the federal government to dictate the day-to-day operations of colleges and universities." It urged recipients to phone Congress immediately "and tell them how much higher education opposes this amendment."

It's unclear why the Democratic senator yanked the anti-P2P amendment on Monday evening--saying only that "I ask that the Reid amendment be withdrawn"--but perhaps the last-minute pressure worked. Reid's office did not immediately respond to a request for comment on Tuesday.

What's a little odd is that Reid actually offered a revised version of the amendment earlier Monday that would have effectively gutted it. It said the Department of Education "shall not find any of the 25 institutions of higher education...to be ineligible for continued participation in a program authorized under this subchapter because of failure to comply with this section."

Translation: Universities could ignore the requirements of creating "a technology-based deterrent to prevent the illegal downloading or peer-to-peer distribution of intellectual property" without suffering any financial consequences. The only downside would be the potential for bad publicity, but even that appeared to have been enough.
From rforno at infowarrior.org Wed Jul 25 01:14:25 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 24 Jul 2007 21:14:25 -0400
Subject: [Infowarrior] - White House privacy adviser: We don't need more authority
Message-ID:

White House privacy adviser: We don't need more authority
Posted by Anne Broache
http://news.com.com/8301-10784_3-9749388-7.html?part=rss&subj=news&tag=2547-1_3-0-20

WASHINGTON--Congress is already well on its way to bestowing new powers on an internal White House panel that's supposed to judge whether Bush administration programs like the National Security Agency's electronic surveillance regime pose privacy and civil liberties concerns. But the board's chairman on Tuesday had one message for the politicians backing the new authority: thanks, but no thanks.

Civil liberties advocates have long dogged the Privacy and Civil Liberties Oversight Board--which was created within the White House by Congress in 2004 at the recommendation of the 9/11 Commission but didn't meet until 2006--for its perceived inability to make real assessments without executive branch officials looking over its shoulder and its lack of transparency to the public. In fact, what is supposed to be a five-member body has already recorded one dropout--former Clinton Administration special counsel Lanny Davis--who cited precisely those concerns when he stepped down in May.

So both the House of Representatives and the Senate have passed bills this year that attempt to address those concerns. The House version proposes the more drastic changes: severing the body from the White House and making it a standalone, independent agency with subpoena power. (The Senate version would leave the board within the White House but require the chairman to work full time and confirmation of all members--not just the chairman and vice chairman--to staggered six-year terms.)
But at an hour-long hearing Tuesday afternoon in a House of Representatives Judiciary subcommittee, board vice chairman Alan Raul said the House approach in particular is "potentially unwise." He argued such a move would deprive the board of its current "unparalleled" access to executive branch officials, would be inefficient in that it requires appointment of a whole new board, and could limit the number of private meetings members are permitted to have. Raul, a partner at the law firm Sidley Austin in Washington and a former Reagan White House attorney, also complained that Congress never bothered to hold "formal hearings" to hear board members' views before passing those bills. (The two chambers are currently meeting to reconcile the differences between those two proposals, which focus more broadly on implementing 9/11 Commission recommendations.) Davis, who left the board, said he tried to give the structure of the panel a fair chance but ultimately decided the setup was akin to "a square peg in a round hole." His concerns escalated this spring, he said, when the White House edited and made "significant deletions" to the board's annual report on its findings to Congress--although most of the deletions were ultimately restored after Davis aired his complaints. The committee members, for their part, didn't really comment on Raul's views--perhaps because the bills have already moved so far along. Some Democrats, addressing no one in particular, did rehash familiar concerns that the Bush administration's various antiterrorist and law enforcement programs may pose threats to Americans' rights. "I'm worried our liberties have come under attack by our own government," said Rep. John Conyers (D-Mich.), the Judiciary Committee's chairman. Raul, meanwhile, touted the board's work in its 35 "formal" meetings since March 2006. 
Among other things, the board has evaluated National Security Agency surveillance programs, the State Department's e-passport initiative, the Treasury Department's terrorist finance tracking program and the FBI's misuse of national security letters to capture telephone and Internet records, of which, Raul said, the board was "highly critical."

From rforno at infowarrior.org Wed Jul 25 01:18:57 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 24 Jul 2007 21:18:57 -0400
Subject: [Infowarrior] - More on...Universities win Senate fight over anti-P2P amendment
In-Reply-To:
Message-ID:

Funny how the entertainment industry (or the politicos they own) manages to equate filesharing to anything if it means Congress will talk about it. I wonder when they'll claim P2P leads to cancer, adult onset diabetes, and rickets........rf

------ Forwarded Message
From: dan

But the fight isn't over yet. Now the battle cry is "national security", as we are to believe the P2P compromises Homeland security.

http://news.zdnet.com/2100-1009_22-6198585.html?part=rss&tag=feed&subj=zdnn

WASHINGTON--Politicians charged on Tuesday that peer-to-peer networks can pose a "national security threat" because they enable federal employees to share sensitive or classified documents accidentally from their computers. At a hearing on the topic, Government Reform Committee Chairman Henry Waxman (D-Calif.) said, without offering details, that he is considering new laws aimed at addressing the problem. He said he was troubled by the possibility that foreign governments, terrorists or organized crime could gain access to documents that reveal national secrets. Also at the hearing, Mark Gorton, the chairman of Lime Wire, which makes the peer-to-peer software LimeWire, was assailed for allegedly harming national security through offering his product.

[...]
From rforno at infowarrior.org Wed Jul 25 12:20:00 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 25 Jul 2007 08:20:00 -0400
Subject: [Infowarrior] - Spammers dump images, switch to PDF files
Message-ID:

Spammers dump images, switch to PDF files
Robert Lemos, SecurityFocus 2007-07-18
http://www.securityfocus.com/news/11475?ref=rss

Foiled by increasingly accurate corporate spam filters, spammers have dumped pictures for PDFs in their bulk e-mailings, according to the latest data from security firms. Image spam, which at the beginning of the year accounted for nearly 60 percent of all junk e-mail, has plummeted and now accounts for only about 15 percent of spam. Taking its place, the number of junk e-mail messages using an attachment in the Portable Document Format (PDF) has steadily climbed since mid-June, accounting for as much as a third of spam.

"It went from zero to -- when the spammers started experimenting -- fifty-fifty image spam and PDF spam," said Matt Sergeant, senior antispam technologist for e-mail security firm MessageLabs. "Now, it's gone to wholesale PDF spam."

The ebb and flow of different types of spam is an indicator of the arms race between spammers and network defenders. Image spam took off in late 2006, primarily as a way to tout penny stocks and manipulate the volatile over-the-counter markets. Yet, other types of spam, advertising products from fraudulent pharmaceuticals to sexual enhancement devices, soon started using embedded images as well. The growth of image spam peaked earlier this year, making up as much as two-thirds of all spam in January. Companies have adapted to the attack, however, detecting the unwanted images and blocking them, said MessageLabs' Sergeant.

"The volume of image spam was so great that a number of large businesses took to wholesale blocking of e-mails coming in with image attachments," he said. The better filtering has led spammers to change tactics and experiment with PDF files.
While security firms agreed that PDF files started regularly appearing as spam attachments about mid-June, estimates for the volume of PDF spam varied somewhat between companies. MessageLabs, which filters out virus-laden and spam e-mail messages for its clients, estimated that about 30 percent of all spam now uses PDF files. Security firm McAfee had a more modest estimate that 2.6 percent of all junk e-mail messages carried PDF files, while Symantec, the owner of SecurityFocus, has found the fraction varies between 2 and 7 percent.

"The spammers are doing the old cat-and-mouse game," said Guy Roberts, senior research manager for anti-spam at McAfee. "Vendors have caught up to spammers and detection is pretty good for image spam, so (the spammers) are changing tactics in order to get their message across."

The growth of spam e-mail messages with PDF attachments has also caused the total bandwidth of spam to grow quickly, because PDF files tend to be much larger than the GIF images that the files are replacing.

From a spammer's point of view, the strength of PDF is that many companies require that their e-mail systems allow the documents to be passed to the user, said Menashe Eliezer, director of anti-spam research for security firm CommTouch. Because PDFs are ubiquitous in the business world, such attachments are more likely to reach the users, he said. "Now, they are using professional looking PDFs, and if it doesn't look like spam, that's even better," Eliezer said.

While moving unwanted advertisements from images to PDFs may make it more likely that the message reaches the intended recipient, whether or not that person opens the attachment is another question, said Doug Bowers, senior director of anti-spam engineering for Symantec. "We are interested in seeing if this is really effective in getting a spam message, not just delivered, but also read," Bowers said.
In the end, if PDF spam cannot deliver more eyeballs to spammers, the trend may end up being a short-lived phase, he said.

From rforno at infowarrior.org Wed Jul 25 12:20:25 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 25 Jul 2007 08:20:25 -0400
Subject: [Infowarrior] - CFP: Technology in Wartime Conference
In-Reply-To:
Message-ID:

Technology in Wartime Conference
CALL FOR PARTICIPATION
Sponsored by: Computer Professionals for Social Responsibility (CPSR)
Date: January 26, 2008
Location: Stanford University

CPSR seeks proposals for a winter 2008 conference called Technology in Wartime. This conference will explore how computer technology is used during war -- both for the purposes of combat/defense, as well as for human rights interventions into war-torn regions. Topics will range from high tech weapons systems and internet surveillance, to privacy-enhancing technologies that aid human rights workers documenting conditions in war-torn countries and help soldiers communicate their experiences in blogs and e-mail. We are also interested in the history of computer-aided weapons systems. Our goal will be to consider the ethical implications of wartime technologies and how these technologies are likely to affect civilization in years to come. Ultimately we want to engage a pressing question of our time: What should socially-responsible computer professionals do in a time of high tech warfare? We welcome proposals from technology experts, military professionals, policy-makers, scholars, and human rights workers on the issues outlined above.
Possible topics include: weaponizing computer technologies; robotics; UAVs; sensor networks; internet surveillance; human rights technologies; datamining; biometric software; CCTV; surveillance camera networks; cyberterrorism; privacy-enhancing technologies for dissidents, human rights workers and journalists in wartime; the history of computer-aided warfare; high tech antiwar protests; geolocation and GPS; smart armor; blogs/podcasts in war zones; embedded bloggers; and life-saving technologies for soldiers. We are interested in factual reports on these issues as well as social commentary. The proceedings will be broadcast live on the Web, and the presentations collected in book form online, released under a CC license, and made available to the public and policy makers looking for expert opinions on wartime technology issues during the election year. Technology in Wartime will not be pro-war or anti-war, right-wing or left-wing -- it will deal with the facts of wartime technologies, and consider ethical effects from many perspectives. About submitting a proposal: Proposals are welcome in the form of paper presentations, descriptions of current research projects, and panels. Technical demonstrations are also a possibility. All participants (including panelists) are expected to produce a ready-for-publication article to be published in the proceedings. Reasonable travel expenses (coach airfare to conference location plus two nights hotel) will be reimbursed. If you are submitting a proposal for a panel, be sure to include information about each of the proposed speakers and topics. Please submit a one-page abstract of your proposal, a short biography, and cover letter by Oct. 15, 2007 to techinwar at cpsr.org. We will notify speakers by Nov. 1. About CPSR (cpsr.org): Since incorporating in 1983, CPSR has been at the forefront of discussions about the ethical uses of computer technology. 
CPSR educates policymakers and the public on a wide range of issues, and has incubated numerous projects such as Privaterra, the Public Sphere Project, EPIC (the Electronic Privacy Information Center), the 21st Century Project, the Civil Society Project, and the CFP (Computers, Freedom & Privacy) Conference. Originally founded by U.S. computer scientists, CPSR now has members in 26 countries on six continents.

From rforno at infowarrior.org Wed Jul 25 12:30:32 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 25 Jul 2007 08:30:32 -0400
Subject: [Infowarrior] - FBI Seeks To Pay Telecoms For Data
Message-ID:

FBI Seeks To Pay Telecoms For Data
$5 Million a Year Sought for Firms To Keep Databases
By Ellen Nakashima
Washington Post Staff Writer
Wednesday, July 25, 2007; A07
http://www.washingtonpost.com/wp-dyn/content/article/2007/07/24/AR2007072402479_pf.html

The FBI wants to pay the major telecommunications companies to retain their customers' Internet and phone call information for at least two years for the agency's use in counterterrorism investigations and is asking Congress for $5 million a year to defray the cost, according to FBI officials and budget documents. The FBI would not have direct access to the records. It would need to present a subpoena or an administrative warrant, known as a national security letter, to obtain the information that the companies would keep in a database, officials said.

"We have never asked for the ability to have direct access to or to 'data mine' telephone company databases," said John Miller, the FBI's assistant director for public affairs. "The budget request simply seeks to absorb the cost to the service provider of developing an efficient electronic system for them to retain and deliver the information after it is legally requested."
The proposal has raised concerns by civil libertarians who point to telecom companies' alleged involvement in the government's domestic surveillance program and to a recent Justice Department inspector general's report on FBI abuse of national security letters. In one case, a senior FBI official signed the letters without including the required proof that they were linked to FBI counterterrorism or espionage investigations. The report also disclosed that the bureau was issuing "exigent letters," telling telephone companies that the bureau needed information immediately and would follow up with subpoenas later. In many cases, agents did not follow up. Moreover, Inspector General Glenn A. Fine found, there was no legal basis to compel the disclosure of information using such letters. The proposal "is circumventing the law by paying companies to do something the FBI couldn't do itself legally," said Michael German, American Civil Liberties Union policy counsel on national security. "Going around the Fourth Amendment by paying private companies to hoard our phone records is outrageous." Mark J. Zwillinger, a Washington lawyer who represents Internet service providers, said companies have no "business reason" to keep the data. Moreover, he said he did not think telecom companies "are in the business of becoming the investigative arm for the government, keeping data just so the government can get access to it. That's really what the government is asking for: 'Keep data on hundreds of millions of users just in case we need to get data for 15 individuals.' " Last year, according to industry sources, U.S. Attorney General Alberto R. Gonzales and FBI Director Robert S. Mueller III urged telecom providers to keep subscriber information and network data for two years. Legislation is pending in Congress that would require companies to keep the data. What type and for how long would be up to the attorney general. 
The administration is also attempting to win immunity for telecom companies from criminal and civil liability for any role in the surveillance program. Telecoms have been providing data legally to the government and then charging for it, said a government official not authorized to speak publicly about the matter and who spoke on condition of anonymity. The cost is about $1.8 million a year since the Sept. 11, 2001, attacks, the official said. The idea now, the official said, is to have the telecom companies create and maintain databases of phone and Internet records so that when they receive a subpoena or national security letter, they can deliver the information expeditiously in electronic form.

Zwillinger, an Internet and data protection expert with Sonnenschein Nath & Rosenthal and a former federal prosecutor, said that merely retaining the records creates "a very attractive trove" of data that can be subpoenaed by other entities, such as lawyers in divorce proceedings or other civil litigation. The FBI's proposal to pay companies for the records was reported previously by ABC News.

From rforno at infowarrior.org Wed Jul 25 18:56:15 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 25 Jul 2007 14:56:15 -0400
Subject: [Infowarrior] - FBI Proposes Building Network of U.S. Informants
Message-ID:

FBI Proposes Building Network of U.S. Informants
July 25, 2007 1:01 PM
http://blogs.abcnews.com/theblotter/2007/07/fbi-proposes-bu.html
Justin Rood Reports:

The FBI is taking cues from the CIA to recruit thousands of covert informants in the United States as part of a sprawling effort to boost its intelligence capabilities. According to a recent unclassified report to Congress, the FBI expects its informants to provide secrets about possible terrorists and foreign spies, although some may also be expected to aid with criminal investigations, in the tradition of law enforcement confidential informants.
The FBI did not respond to requests for comment on this story. The FBI said the push was driven by a 2004 directive from President Bush ordering the bureau to improve its counterterrorism efforts by boosting its human intelligence capabilities. The aggressive push for more secret informants appears to be part of a new effort to grow its intelligence and counterterrorism efforts. Other recent proposals include expanding its collection and analysis of data on U.S. persons, retaining years' worth of Americans' phone records and even increasing so-called "black bag" secret entry operations. To handle the increase in so-called human sources, the FBI also plans to overhaul its database system, so it can manage records and verify the accuracy of information from "more than 15,000" informants, according to the document. While many of the recruited informants will apparently be U.S. residents, some informants may be overseas, recruited by FBI agents in foreign offices, the report indicates. The total cost of the effort tops $22 million, according to the document. The bureau has arranged to use elements of CIA training to teach FBI agents about "Source Targeting and Development," the report states. The courses will train FBI special agents on the "comprehensive tradecraft" needed to identify, recruit and manage these "confidential human sources." According to January testimony by FBI Deputy Director John S. Pistole, the CIA has been working with the bureau on the course. The bureau apparently mulled whether to adopt entire training courses from the CIA or from the Defense Intelligence Agency (DIA), which like the CIA recruits spies overseas. But the FBI ultimately determined "the courses offered by those agencies would not meet the needs of the FBI's unique law enforcement." The FBI report said it would also give agents "legal and policy" training, noting that its domestic intelligence efforts are "constitutionally sensitive." 
"It's probably a good sign they are not adopting CIA recruitment techniques wholesale," said Steven Aftergood of the Federation of American Scientists, an expert on classified programs. U.S. intelligence officers abroad can use bribery, extortion, and other patently illegal acts to corral sources into working for them, Aftergood noted. "You're not supposed to do that in the United States," he said.

From rforno at infowarrior.org Thu Jul 26 01:52:15 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 25 Jul 2007 21:52:15 -0400
Subject: [Infowarrior] - How Fresh Is Your Cable News? Check the Label
Message-ID:

FINALLY! Someone calls the media on this cheap theatrics!! ----rf

How Fresh Is Your Cable News? Check the Label
http://www.washingtonpost.com/wp-dyn/content/article/2007/07/24/AR2007072402434_pf.html
By Paul Farhi
Washington Post Staff Writer
Wednesday, July 25, 2007; C01

This just in! There's no more news on TV, at least not on the cable news networks. Plain old news apparently just isn't good enough anymore, so TV news stories have been getting new and improved names. President Bush's latest news conference? CNN labels it a "Developing Story." A car bombing in Baghdad? The banner on MSNBC reads, "Breaking News." A blown transformer in New York City? Fox News Channel is on it, with a graphic that announces, "Very Latest." Sometimes a story is a "News Alert." Sometimes it's a "Bulletin." And sometimes the banner reads, "New Developments" (although if there are new developments in a "Developing Story," shouldn't it really say "Developing Developing Story"?).

The dizzying world of news labels raises many questions. Is it possible for a "Developing Story" to become "Developed," like a Polaroid picture or a post-adolescent woman? Does "Breaking News" ever become "Broken" (and if so, can it be "fixed")? And can a "Developing Story" ever morph into a "Breaking Story" and vice versa?
Or are they like oil and water, matter and antimatter, Alec Baldwin and Kim Basinger? Perhaps the biggest question is why the news needs such quickened-breath labels at all. Isn't all news just, you know, new information? Jeremy Gaines, a spokesman for MSNBC, replies that the labels "telegraph the story in a visual way" for channel-surfing viewers. Ah. Kind of makes sense. With all the talk shows and shouting heads on TV, with all the opinion-mongering and vicious partisanship, a banner on the screen reading "News Alert" reminds viewers that the news channels still sometimes get around to . . . covering the news. And that's the Very Latest.

From rforno at infowarrior.org Thu Jul 26 02:00:57 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 25 Jul 2007 22:00:57 -0400
Subject: [Infowarrior] - 11 Web Hosts That Won't Dump You at the First Sign of Controversy
Message-ID:

Free Speech Hosting: 11 Web Hosts That Won't Dump You at the First Sign of Controversy
Posted on July 25th, 2007 in Free Speech

The Internet, once the last bastion of truly free speech, is slowly being overrun by lawyers and government officials the world over. Certainly, there are criminals who need to be apprehended for their online exploits, but those of us who are merely exercising our first amendment right should feel protected. Sadly, many mainstream Web hosts will drop your site as soon as you attract the smallest amount of opposition. They are, after all, intimidated by the threat of losing money in a lawsuit. Luckily, there are still a few brave Web hosting companies that cherish free speech and that will stand behind your site. Below, we have listed 11 hosts that won't dump you at the first sign of controversy.
< - >

http://dedicatedhostingguide.net/2007/free-speech-hosting-11-web-hosts-that-wont-dump-you-at-the-first-sign-of-controversy/

From rforno at infowarrior.org Thu Jul 26 11:35:53 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 26 Jul 2007 07:35:53 -0400
Subject: [Infowarrior] - Why MSNBC.com Needs To Dump MSN's Video Platform
Message-ID:

Why MSNBC.com Needs To Dump MSN's Video Platform
Posted on Jul 26th, 2007 with stocks: MSFT
http://internet.seekingalpha.com/article/42423?source=feed

Dan Rayburn submits: I first wrote about this back in March and I am amazed that even since then, MSNBC.com still can't get its live video streaming to work for anyone with a Firefox or Safari browser. And the worst part, they have no problem delivering you a 15 second ad in the player first, BEFORE they tell you that your browser does not currently support live video. So I have to sit through a video ad only to then be told that I can't see the live stream I clicked on. MSNBC's video player has said it is in "beta" ever since it launched, which was at least a year ago. And it's still in beta?

The technology behind MSNBC.com's video offering is "powered by MSN" (MSFT) which in my eyes is even worse. If MSN can't provide the video functionality MSNBC.com should have, then MSNBC.com should fire MSN and use a platform that actually works. But of course that won't happen. MSN is completely clueless when it comes to its video offering if they think users are going to stay loyal to MSNBC.com as their news source when every other news site does it better. If MSNBC.com was smart, they would dump MSN video immediately and/or fire whoever manages their video offering. But they won't do that as Microsoft wants to push their IE browser on you, except that they don't make IE for the Mac, so Mac users are basically just screwed as well as PC users who don't want to use IE and prefer to use Firefox instead.
Last time I posted about this, some readers wrote in to say:

- "It's not just Mac users. I have a PC as well, and many of MSNBC's videos won't play on it either if I'm using Firefox. If I use IE, then I'm okay."
- "I've also enjoyed using Firefox on my laptop, but I can NEVER get MSNBC video to work with Firefox on my laptop - it is so frustrating!"
- "Come on MSNBC, get your stuff together. If amateur webmasters can make this stuff work, so can you. You just don't want to."

2007 marks the 14th year since streaming media technology was first used on the Internet, and it's sites like MSNBC.com that make the technology look like it has barely evolved in that time and give the entire industry and technology a black eye. As much as MSN says video is an important part of their business, clearly their lack of interest in making their videos work properly says otherwise. It's as simple as being greedy and wanting to push IE on us, including those platforms they don't even make IE for. Microsoft as a company has been late to the game when it comes to all aspects of the Internet and video is no different. MSN, MSNBC.com, Soapbox etc... are all behind the times when it comes to their video offering. You'd think they would want to prove the opposite by having a quality video offering but they are stuck in the politics and red tape of a company that can't get out of its own way.

My suggestion to MSN: get out of the video business. You have no concept of what a good user experience is, you can't provide basic functionality that every other major news outlet has been providing for years and you're insulting users by making them sit through ads when they can't get to the content they want. You can't even provide a basic player check to see if the user has the system requirements that are needed - which companies were doing back in 1998. Give up MSN. Throw up your hands and move on. You can't win in the video game.
From rforno at infowarrior.org Fri Jul 27 12:22:38 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 27 Jul 2007 08:22:38 -0400
Subject: [Infowarrior] - Senate Votes Against REAL ID Funding
Message-ID:

Senate Votes Against REAL ID Funding

Today the Senate voted to kill an amendment to the Homeland Security Appropriations Bill that would have provided $300 million in funding for REAL ID. CDT applauds the Senate for this significant vote. In a letter sent to key Senators this week, CDT called on Congress to rectify the serious privacy and security holes in REAL ID before it even considers funding the measure. Today's vote represents the first time the Senate has voted up or down on REAL ID specifically. When the Act was initially passed in 2005, it was attached to a must-pass war and hurricane relief bill; and last month the REAL ID requirement for employment verification was buried in the massive immigration bill.

July 26, 2007
http://cdt.org/

From rforno at infowarrior.org Fri Jul 27 12:27:27 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 27 Jul 2007 08:27:27 -0400
Subject: [Infowarrior] - Travelers Face Greater Use of Personal Data
Message-ID:

Travelers Face Greater Use of Personal Data
Pact Covers Passengers Flying From Europe to U.S.
By Paul Lewis and Spencer S. Hsu
Washington Post Staff Writers
Friday, July 27, 2007; A07
http://www.washingtonpost.com/wp-dyn/content/article/2007/07/27/AR2007072700159_pf.html

The United States and the European Union have agreed to expand a security program that shares personal data about millions of U.S.-bound airline passengers a year, potentially including information about a person's race, ethnicity, religion and health. Under the agreement, airlines flying from Europe to the United States are required to provide data related to these matters to U.S. authorities if it exists in their reservation systems.
The deal allows Washington to retain and use it only "where the life of a data subject or of others could be imperiled or seriously impaired," such as in a counterterrorism investigation. According to the deal, the information that can be used in such exceptional circumstances includes "racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership" and data about an individual's health, traveling partners and sexual orientation. Airlines do not usually gather such data, but officials say it could wind up in passenger files as a result of requests for special services such as wheelchairs, or through routine questioning by airline personnel and travel agents about contacts, lodging, next of kin and traveling companions. Even a request for a king-size bed at a hotel could be noted in the database. The data now stored includes names, addresses and credit card information as well as telephone and e-mail contacts, itineraries, and hotel and rental car reservations. The deal, signed yesterday by the United States and approved Monday in Europe, provoked alarm from privacy and civil-liberties groups on both sides of the Atlantic. "What Americans should be concerned about is it is now here in black and white: The government will maintain a database of all travelers -- including travelers of U.S. citizenship, including people who are believed to be no risk or threat . . . the government will maintain that and data-mine it," said Jim Dempsey, policy director for the Center for Democracy and Technology, a Washington-based advocacy group. Peter Hustinx, the E.U.'s privacy supervisor, expressed "grave concern" over the plan, which he said is "without legal precedent." He wrote to E.U. officials on June 27, "I have serious doubts whether the outcome of these negotiations will be fully compatible with European fundamental rights." U.S. 
Homeland Security Secretary Michael Chertoff praised the pact as an "essential screening tool for detecting potentially dangerous transatlantic travelers." If available at the time of the Sept. 11, 2001, attacks, Chertoff said, such information would have, "within a matter of moments, helped to identify many of the 19 hijackers by linking their methods of payment, phone numbers and seat assignments." U.S. customs officials began collecting Passenger Name Record data in 1992 for inbound international flights and enforced the requirement after the 2001 attacks. The government now stores data on nearly all 87 million passengers who arrive in the country by air each year, most of them from Europe, in a master border security database, Homeland Security officials said. The government combines such information with terrorist watch lists, other databases and sophisticated computer algorithms to detect high-risk travelers, in ways that watchdog groups say it has not adequately explained. The agreement announced yesterday extends and expands a 2004 arrangement between the United States and the European Union. That pact was struck down on a technicality in May by Europe's highest court, which gave both sides until July 31 to negotiate a new deal. The United States had threatened to turn back flights otherwise. Paul Rosenzweig, Homeland Security's deputy assistant secretary for policy, said sensitive information that is subject to extensive restrictions in Europe, such as data on religious beliefs and sex partners, is routinely filtered out by U.S. computer systems. To his knowledge, he said, the U.S. government has never invoked its authority to use such information. On the other hand, Rosenzweig said, such data might be important if U.S. authorities learn of an alert about passengers who request wheelchairs hiding bombs in leg casts, or a warning about a threat to a political gathering, or a health emergency affecting people with communicable diseases such as tuberculosis. 
Mostly, Rosenzweig said, it is threats that authorities have not thought about that worry them. "We are just not going to bind ourselves not to have full access to information that might be in Passenger Name Records if there is a severe predication and reason to do that," he said. Under the new accord, which will take effect in August and continue through July 2014, Europe allowed the United States to extend how long it can store data -- to 15 years from 3 1/2 years. Beginning in January 2008, airlines will be required to send, or "push," data from their reservation systems to the Homeland Security Department 72 hours before a flight departs, expanding an existing "pull" system in which the department retrieves information from carriers. Washington won the authority to share data liberally within the government and with third countries at the discretion of Homeland Security officials, but agreed to E.U. demands to limit its uses to counterterrorism, probes of serious crimes, public health emergencies and flights from custody. The United States reduced the number of fields from which it will collect information about each passenger, from 34 to 19, but expanded the amount of data covered by some fields. Washington assured the European Union that its citizens will continue to have the same administrative protections as Americans to obtain information collected about them and to seek to correct errors. Although Homeland Security has said it will move passenger information to "dormant" status after seven years and "expects" to erase it after 15 years, it notified the E.U. that expiration of data will be subject to "further discussions." Dutch lawmaker Sophia in't Veld, the European Parliament's standing rapporteur on Passenger Name Records, said the agreement gives a green light to U.S. authorities to use confidential information for unstated purposes. 
Stavros Lambrinidis of Greece, vice chairman of the parliament's civil liberties, justice and home affairs committee, warned that it allows extra data collection not just in counterterrorism cases but for "a vast and in some cases unidentified number of crimes. So we have function creep." U.S. officials said the agreement with Europe -- which has stronger data-protection laws than many countries, including the United States -- is likely to serve as a template for similar U.S. agreements covering travelers from Asia, South America and other regions, and for Europeans to set up their own, similar system. Staff writer Ellen Nakashima contributed to this report.

From rforno at infowarrior.org Fri Jul 27 12:31:33 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 27 Jul 2007 08:31:33 -0400
Subject: [Infowarrior] - EULA: Ninth Circuit Says Company Can't Change Contract Terms Without Notice
Message-ID:

Ninth Circuit Says Company Can't Change Contract Terms Without Notice
http://pubcit.typepad.com/clpblog/2007/07/courts-says-aol.html

It may seem obvious to any first-year law student that one party to a contract can't change the terms of that contract without notifying the other. But the Ninth Circuit in Douglas v. US District Court ex rel Talk America, No. 06-75424 (9th Cir. July 18, 2007), had to remind the district court of this basic principle. In Douglas, Talk America had posted revised contract terms on its website, which included a mandatory arbitration clause for its customers. When Douglas, a Talk America customer, filed a class action lawsuit against the company, the company moved to compel arbitration based on the revised contract, and the district court granted the motion. Douglas petitioned the Ninth Circuit for mandamus. In granting the petition, the Ninth Circuit held that "[p]arties to a contract have no obligation to check the terms on a periodic basis to learn whether they have been changed by the other side."
The district court's decision, according to the Ninth Circuit, "reflect[ed] fundamental misapplications of contract law." An unfortunately large number of companies try to get around this principle of contract law by requiring their customers to agree in advance that they will periodically review their contracts on the company's website for possible changes. One example is the service agreement that Network Solutions requires customers to agree to before signing up for its domain-registration and web-hosting services. When pasted into Microsoft Word, the agreement is 102 pages of single-spaced legalese. On page 8 is this provision: Except as otherwise provided in this Agreement, you agree, during the term of this Agreement, that we may: (1) revise the terms and conditions of this Agreement; and/or (2) change part of the services provided under this Agreement at any time. Any such revision or change will be binding and effective 30 days after posting of the revised Agreement or change to the service(s) on Network Solutions Web sites, or upon notification to you by e-mail or United States mail. You agree to periodically review our Web sites, including the current version of this Agreement available on our Web sites, to be aware of any such revisions. . . . By continuing to use Network Solutions services after any revision to this Agreement or change in service(s), you agree to abide by and be bound by any such revisions or changes. The Ninth Circuit's decision does not seem to resolve the question whether parties can agree in advance to bind themselves to unilateral changes to the contract without notice, as Network Solutions requires. But in a contract of adhesion like this, it is difficult to believe that a court would enforce this term. 
The Ninth Circuit in Douglas noted how cumbersome such a requirement would be, forcing customers to "check the contract every day for possible changes" and "compare every word of the posted contract with [the] existing contract in order to detect whether it had changed." With a 102-page contract, that could be tricky. More analysis of the Douglas decision by Eric Goldman on his Technology & Marketing Law Blog is here.

From rforno at infowarrior.org Fri Jul 27 12:34:21 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 27 Jul 2007 08:34:21 -0400
Subject: [Infowarrior] - Security conferences versus practical knowledge
Message-ID:

Security conferences versus practical knowledge
Don Parker, 2007-07-18
http://www.securityfocus.com/columnists/449?ref=rss

Since computers became mainstream in the early to mid-nineties a whole ecosystem has developed around them, in order to maintain that humble computer. The various parts of that ecosystem range from the companies who make computers to the software companies who program for them. In between those two linchpins though are many other components which have now become a fixture on the landscape that we now know as the Internet. For example you have the computer certification industry, a myriad of computer magazines, a vast array of websites, and computer conferences to name but a few parts of this very large pie. One of the biggest parts of the computer industry as a whole is that of training. This training comes in many forms from a large variety of vendors. That training then in turn pretty much spawned the certification industry. Not long after that came along the computer conference, be it a sys-admin oriented one, or that of the computer security themed one.
While the training industry as a whole has evolved rather well to suit the needs of their clients, the computer conference - specifically the computer security conference - has declined in relevance to the everyday sys-admin and network security practitioners. Many would beg to differ with me on that last statement I am sure; let me expand upon this before you render judgment. We go to training vendors who offer courseware on Cisco and Microsoft technologies for example. By and large the course offerings are quite good, and just as importantly, relevant to the task at hand, i.e. maintaining your computer networks. Today's computer security conferences no longer offer relevant, or practical knowledge to the attendee. Be honest now, when was the last computer security conference that you went to where you came away with several ideas to implement immediately onto your networks? I would wager none. The same cannot be said of the training tracks now offered at most of these conferences. This training is offered by experts in the field, and is quite good. Furthermore, it is one of the few places to find advanced courseware on such subjects as reverse engineering to name but one. There is an important point to be made before I go on further. I am in no way impugning the talent or skill of the people who present at today's computer security conferences. I myself have submitted talks only to not make the cut. Truth is though, I don't feel too bad at losing out to the likes of those who ended up giving the talks. What my not making the cut sank home for me though was that there are precious few practical talks going on today at computer security conferences. What my time spent as a freelance writer and courseware developer slash instructor has shown me is that there is a very real demand for practical knowledge. This is why SANS still reigns supreme when it comes to computer security courses.
One could argue that some of their courseware is dated, however, it is very much practical knowledge that one can implement immediately.

So why are the conferences still packed?

Well with the arguments I have just made one would think that computer security conferences would be empty. Reality is that these conferences are pretty much always sold out or close to it. Why is that you ask? All IT managers have budgets, and that is no different for those IT managers in the employ of .gov, .mil and other large government departments. What these managers must do is expend those dollars, and an excellent way of doing that is sending employees to a computer security conference. So what we now have then is a company funded junket. Nothing wrong with that at all. I enjoy having a beer with friends that I meet at these conferences, and picking up some knowledge as much as the next guy. Problem is that even though I think I have a fairly well balanced skillset, a lot of the topics being offered are of no interest to me. This is due to the simple fact that they are not all that relevant to the network(s) that I work in. Does this then mean that it is a total waste of time to attend the cutting edge computer security conferences? Not at all. Just realize what it is that you are going to get out of it ahead of time. There are excellent speakers there with quite often what is cutting edge research. The question you need to ask yourself is whether or not you or your company will benefit from any of those talks. One of the best things to come out of these conferences is the training that is offered. That in and of itself is worth the attendance. It is not every day that you can receive training by some of the best minds in the business today.

Is there a solution?

Well I have now laid out what I perceive to be the shortcomings and strong points in today's cutting edge computer security conferences. What we need to find is a happy middle ground.
A conference then that caters to the large mass of sys admins and network security types who, while competent, still have not mastered their craft. After all, being the sys admin in a large Microsoft Windows network is no easy task. There are a myriad of practical skills that one needs to attain, and ideally master. How many people can say that they have reached a comfort point in the application and maintenance of Group Policy Objects (GPO)? This and other like-minded topics would make for some great conference talks or mini-workshops. That kind of practical knowledge is something that you can readily implement on your networks. The example of GPOs is but one small one. What it exemplifies though is that there is a definite gap in the market. Missing today on the network security conference front is practical knowledge. It is not everybody who can attend today's cutting edge security conferences and actually walk away having learned something. Were I asked by an employee to attend a conference today, I would have a few questions to ask. What is it that you are going to get out of it, and just how will it benefit our network? If the answers aren't there, you're not going. Practical knowledge is where it is at.

Don Parker, GCIA GCIH, specializes in intrusion detection and incident handling. In addition to writing about network security he enjoys a role as guest speaker for various security conferences.
From rforno at infowarrior.org Fri Jul 27 12:38:09 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 27 Jul 2007 08:38:09 -0400
Subject: [Infowarrior] - A pilot's view of airline/airport security (good read)
Message-ID:

http://hotair.com/archives/2007/07/16/a-pilot-on-airline-security/

From rforno at infowarrior.org Sat Jul 28 04:12:58 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 28 Jul 2007 00:12:58 -0400
Subject: [Infowarrior] - The Dark Side of Apple's iPhone
Message-ID:

The Dark Side of Apple's iPhone
From TV Technology, July 25, 2007
By Frank Beacham
http://www.freepress.net/news/24948

If you're like me, you're probably sick of hearing about Apple's iPhone. Yet, what's missing from all the celebratory news coverage is the dark controversy brewing under the hood of the nation's latest glamour phone. The controversy involves a very real threat to "net neutrality." It was spawned from a remarkable statement made by a top executive at AT&T, the telco that has exclusive network rights to the iPhone. The executive, James W. Cicconi, revealed that AT&T would become the first Internet provider to monitor its networks for perceived misuse of copyright-protected films, television, music and other media. This is a major policy shift, especially coming from the largest provider of both local and long distance services, wireless service, and DSL Internet access in the United States. Previously, network operators have remained neutral to the nature of the content delivered over their networks. This scenario is a bit like Ma Bell listening in and shutting down a phone call if one of the parties uses an obscenity, or God forbid, plays part of a commercial recording to a friend over the line. Make no mistake about it; this is brave new territory for a telco.
Cicconi, a senior vice president at AT&T, told the Los Angeles Times that since his company is now moving into the pay-television business, its interests are now more closely aligned with those of Hollywood's studios. What was left unsaid was any concern that Cicconi might have for the privacy of AT&T's customers. To fully comprehend the implications of this development, a little history lesson is in order.

FLASHBACK

Remember late last year when AT&T, as a condition of allowing its $86 billion merger with BellSouth, promised the FCC that it would abide by "net neutrality" principles for a period of two years? Network neutrality is the principle that all Internet users should be able to access any Web content they choose and use any applications they choose, without restrictions or limitations imposed by their network service provider. That means the operator of the network should have no preferred business relationships that favor certain Web sites. My, oh my, how time flies, and along with it good intentions. AT&T's move, under the guise of copyright protection, could serve to bypass net neutrality altogether. How? By blocking access through filters to Internet destinations throughout the world where AT&T and its partners deem the content to be illegal. Harold Feld, senior vice president of the Media Access Project, told Josh Silver, a writer for the Huffington Post and executive director of Free Press, a national, nonpartisan organization, that AT&T is creating a charade to mask its real intentions. "This has no more to do with 'stopping piracy' than the NSA surveillance program under which AT&T spied on Americans was about 'national security,'" Feld said. "This is about entrenched interests using the rhetoric of law enforcement to erode essential freedoms." Using filtering to block specific Web sites has a history of harming innocent victims.
In 2003, the Center for Democracy and Technology successfully overturned a Pennsylvania law that required ISPs to block overseas child pornography sites, partly on the grounds that the filtering included many third-party Web sites as collateral damage. Feld noted that copyright holders already have numerous mechanisms available to them under the Digital Millennium Copyright Act. "If they feel their rights are infringed by carriers, they can sue, as Viacom has sued YouTube," he said. However, as Silver also pointed out, AT&T's plan to monitor its networks is not about piracy, but about controlling video programming and discriminating against content on the Web. "Remember how the big phone companies tried to dismiss net neutrality as a 'solution in search of a problem'? Well, here's the problem," he wrote. So, exactly what does AT&T propose to do? That's another part of the mystery since they are not saying. Cicconi said only that the telco had started working with studios and record companies to develop anti-piracy technology that would target the most frequent offenders. The Electronic Frontier Foundation, a digital media rights group, called AT&T's technology "pure vaporware," noting that on the surface the telco's action might look reasonable "but problems arise once you start to ask hard questions about exactly what AT&T is up to." Whatever technology AT&T deploys, said the EFF, it is bound to be some type of filtering that haphazardly restricts legitimate, lawful traffic. "The AT&T Internet traffic cop appears poised to shoot first, and ask questions about the impact on your civil liberties and ability to access lawful content and applications later," the EFF said in a statement.

A SECRET ROOM

As to Feld's comment about the NSA, here's a bit more history. Last year, the EFF filed a class-action suit against AT&T accusing the telecom giant of illegally helping the National Security Agency spy on millions of Americans.
The government has argued the case could expose state secrets. However, as the case progresses, documents have been released describing a secret, secure room in AT&T's facilities that gave the NSA direct access to customers' e-mails and other Internet communications. "This is critical evidence supporting our claim that AT&T is cooperating with the NSA in the illegal dragnet surveillance of millions of ordinary Americans," said Cindy Cohn, the EFF's legal director. "This surveillance is under debate in Congress and across the nation, as well as in the courts." If all this sounds a bit like a spy thriller, add one more ingredient to the mix. James W. Cicconi, the AT&T executive who told the LA Times of AT&T's plans, has a most interesting background. Again, we'll quote directly from the Huffington Post: "...consider that Cicconi is the same guy who was the assistant to James Baker in the Reagan Administration and staff secretary for Bush Sr. (and he sits on the board of his presidential library). While at SBC (former name of AT&T), he served on Dubya's White House transition team, before handing thousands of Americans' private phone records over to the Pentagon. And under his leadership, SBC/AT&T broke more communications laws and rules, and paid more FCC fines, than just about anybody." OK, what do we know and not know? That's the problem with this picture: a big lack of information and clarity. Unfortunately, the situation is much too important to ignore when one takes into account the future of media. All electronic media is migrating to the Internet. As these broadband networks expand capacity to embrace video delivery, it is a huge issue as to whether or not their owners are allowed to interfere with a subscriber's use of or access to content on the network.

PANDORA'S BOX

In my opinion, network owner/operators should not be allowed to control or limit content access in any way.
If a company owns or controls a network, that company should have no financial interest whatsoever in the content delivered on that network. Period. Allowing corporations to own or sell content on their own network opens a Pandora's box of public policy issues. Unfortunately, the cat is already out of the bag. Where are the unbiased, unbought government regulators to set the rules? Mr. Cicconi's old boss, Ronald Reagan, used to say of the Soviets: "Trust, but verify." Unfortunately, in today's corporate war to control new media, trust is long ago out the window. We'll be extremely lucky if we can get objective oversight to "verify" that the media conglomerates are playing by the rules.

From rforno at infowarrior.org Sat Jul 28 04:24:06 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 28 Jul 2007 00:24:06 -0400
Subject: [Infowarrior] - DJ computers suffer 11-min delay during Thurs selloff
Message-ID:

(the second MAJOR hiccup on the DJ computers this year, both happening during massive selloffs....interesting this is the only MSM coverage I've seen of this disturbing phenomenon.....makes you wonder how they can say this is 'typical' and also underscores the need for humans on the rapidly-digitizing trading floors! ---rf)

Dow suffered 11 min. delay amid Thursday sell-off
Fri Jul 27, 2007 4:56PM EDT
http://www.reuters.com/article/marketsNews/idUKN2722050220070727?rpc=44

NEW YORK, July 27 (Reuters) - During Thursday's sharp stock sell-off, with volume soaring to a record, the system that calculates the value of the Dow Jones industrial average (.DJI) suffered an 11 minute delay. "We experienced a slight system latency between 2:57 and 3:08 p.m.," Sybille Reitz, a spokeswoman for Dow Jones Indexes, said on Friday. During that time, the published values of the Dow differed by 17 to 25 points from the prices of the 30 underlying securities, she said.
The delay happened on a day when the Dow industrials tumbled as much as 400 points, and trading volume for New York Stock Exchange-listed shares traded in all markets hit an unofficial record, reaching 5.9 billion. Giri Cherukuri, head trader at OakBrook Investments LLC in Lisle, Illinois, said, "It happens now and then when you have very heavy volume like you did yesterday, and it makes you stop sometimes to make sure you are getting accurate information." The lag was much shorter than the 70-minute delay seen on Feb. 27 -- when a computer malfunction contributed to an abrupt 200-point slide in the blue-chip index.

From rforno at infowarrior.org Sun Jul 29 02:16:10 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 28 Jul 2007 22:16:10 -0400
Subject: [Infowarrior] - Internet censorship spreading: OSCE study
Message-ID:

Internet censorship spreading: OSCE study
Fri Jul 27, 2007 11:14AM EDT
http://www.reuters.com/article/technologyNews/idUSL2774335120070727?feedType=RSS&rpc=22&sp=true

VIENNA (Reuters) - State restrictions on use of the Internet have spread to more than 20 countries that use catch-all and contradictory rules to help keep people off line and stifle feared political opposition, a new report says. In "Governing the Internet", the Organisation for Security and Cooperation in Europe (OSCE) presented case studies of Web censorship in Kazakhstan and Georgia and referred to similar findings in nations from China to Iran, Sudan and Belarus. "Recent moves against free speech on the Internet in a number of countries have provided a bitter reminder of the ease with which some regimes, democracies and dictatorships alike, seek to suppress speech that they disapprove of, dislike, or simply fear," the report by the 56-nation OSCE said. "Speaking out has never been easier than on the Web. Yet at the same time, we are witnessing the spread of Internet censorship," the 212-page report said.
In a new case not covered by the report, a senior Malaysian minister vowed this week to apply a law prescribing jail terms for Web writers of comments said to disparage Islam or the king. Malaysian police grilled one on-line author over postings the ruling party described as an attack on the country's state religion and a bid to stir racial tension. In Kazakhstan, rules on Internet use are so vague and politicized that they "allow for any interpretation ..., easily triggering Soviet-style 'spy mania'" where any dissident individual or organisation could be branded a threat to national well-being and silenced, according to the OSCE report. It cited a prominent incident in 2005 when Kazakhstan seized all .kz Internet domains and closed one deemed offensive and run by British satirist Sacha Baron Cohen, who had made the acclaimed spoof film "Borat: Cultural Learnings of America for Make Benefit Glorious Nation of Kazakhstan". In a speech to the OSCE parliament on Thursday, Kazakh Information Minister Yermukhamet Yertysbayev insisted Kazakhstan was determined to build democracy and create an "e-government" expanding Internet service and making "our media more free, contemporary and independent". The OSCE report said Kazakhstan's state monopoly on Internet providers tended to deter use by making prices for all but very slow and limited dial-up service far higher than those for West Europeans even though Kazakh incomes are much lower. Georgian law contained "contradictory and ill-defined" provisions which might "give leverage for illegitimate limitation" of free expression on the Internet, the report said. © Reuters 2007. All rights reserved.

From rforno at infowarrior.org Sun Jul 29 23:35:35 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 29 Jul 2007 19:35:35 -0400
Subject: [Infowarrior] - Blackhat '07 speaker denied entry to US
Message-ID:

I've been denied entry to the US essentially for carrying my trainings material. Wow.
It appears I can't attend Blackhat this year. I was denied entry to the US for carrying trainings materials for the Blackhat trainings, and intending to hold these trainings as a private citizen instead of as a company. After a 9-hour flight and a 4 1/2 hour interview I was put onto the next 9-hour flight back to Germany. Future trips to the US will be significantly more complicated as I can no longer go to the US on the visa waiver program. A little background: For the last 7 years, I have attended / presented at the 'Blackhat Briefings', a security conference in the US. Prior to the conference itself, Blackhat conducts a trainings session, and for the past 6 years, I have given two days of trainings at these events. The largest part of the attendees of the trainings are US-Government related folks, mostly working on US National Security in some form. I have trained people from the DoD, DoE, DHS and most other agencies that come to mind. Each time I came to the US, I told immigration that I was coming to the US to present at a conference and hold a trainings class. I was never stopped before. This time, I had printed the materials for the trainings class in Germany and put them into my suitcase. Upon arrival in the US, I passed immigration, but was stopped in customs. My suitcase was searched, and I was asked about the trainings materials. 
< - >

http://addxorrol.blogspot.com/2007/07/ive-been-denied-entry-to-us-essentially.html

From rforno at infowarrior.org Mon Jul 30 11:39:41 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 30 Jul 2007 07:39:41 -0400
Subject: [Infowarrior] - FCC to Rule on Wireless Auction
Message-ID:

FCC to Rule on Wireless Auction
Lobbying Intense As Google Seeks To Open Market
By Kim Hart
Washington Post Staff Writer
Monday, July 30, 2007; A01
http://www.washingtonpost.com/wp-dyn/content/article/2007/07/29/AR2007072901259_pf.html

The Federal Communications Commission will set the rules tomorrow governing the auction of $15 billion of public airwaves, a decision with stakes so high that the major U.S. cellular carriers and Google have spent millions of dollars on a lobbying campaign in an attempt to influence the outcome. The decision could dramatically alter the nation's cellphone industry. Google, the giant Internet search company, wants to extend its popular tools, which include e-mail and video, to the rapidly expanding mobile phone market. To do so, it may spend billions to build a new, open network it says will loosen the grip telecom operators have over how consumers use their cellphones. Currently, the major U.S. wireless carriers, including AT&T and Verizon Wireless, largely decide which Web sites, music-download services and search engines their customers can access on their cellphones. This is accomplished by wireless companies determining which cellphones will receive their services: AT&T, for example, is the only carrier available to users of Apple's iPhone. Google wants to end that restriction and has urged the FCC to require the winner of the auction to build a network that will be open to all cellphones and services, so any consumer can have access to Google's array of offerings. AT&T and Verizon Wireless have been eyeing these airwaves for almost a decade, waiting for them to be abandoned by television broadcasters moving to digital programming.
The airwaves, which are ideal for carrying wireless signals, are particularly valuable because they will be the last up for auction for decades. The auction is to take place in January. They are crucial to wireless carriers looking for more ways to put ever-more-elaborate video, music and Web-surfing tools in consumers' hands, especially as cellphones continue to replace telephone landlines and offer services heretofore available only on a computer. But the auction is also testing the political might of Google, which has to this point been somewhat of an outsider in Washington. Google, in its first serious foray into the Washington regulatory scene and, potentially, the wireless industry, has offered to spend at least $4.6 billion for the airwaves it would use to build the network it envisions if the FCC's rules work in its favor. The move reflects Google's growing ambitions to reach consumers in new ways while exerting its influence on policy it sees as critical to its future. But the company's efforts to recast the wireless landscape have met fierce opposition from AT&T and Verizon, which worry Google's open network would undermine their businesses. Google's 12-person Washington team, based in temporary quarters on Pennsylvania Avenue, has aggressively confronted the legions of lobbyists behind the two telecom behemoths. Its goal of creating an open-access network, first thought of as a long-shot proposal, has gained substantial political traction among FCC commissioners and Democratic lawmakers, who see the auction as the last opportunity to create a new competitor in the wireless industry. "Google sees network owners as potentially coming between it and its customers, so they realized how critical Washington was to their long-term game plan," said Paul Gallant, a telecom policy analyst with Stanford Group Co. 
"Google is still nowhere near the Bells and cable [television] when it comes to lobbying, but it does have a real cachet that can make up some of the gap." Google has not always been taken seriously in Washington. When co-founder Sergey Brin visited Capitol Hill two years ago, he had trouble persuading members of Congress to meet with him. The company didn't bother to open an office in the District until 2005, when it hired Alan B. Davidson, formerly of the Center for Democracy and Technology, to tackle Internet policy issues. A year later, Google hired Robert Boorstin, who held several positions in the Clinton administration. When the debate over the ability of Internet service providers to favor certain Web content for a fee, a concept known as network neutrality, heated up last summer, Google was late to the scene. It initially depended on public interest groups to lobby on its behalf. Since then, Google has expanded its Washington presence. Besides increasing its effort to sell its services to government agencies, Google has taken what it calls a "Googley" approach to politics by seeking the business of political campaign managers and starting a public policy blog. Last week, the online video site YouTube, which is owned by Google, sponsored a debate between the Democratic presidential candidates. The company recently hired Johanna Shelton, formerly on the staff of Rep. John Dingell (D-Mich.), an influential member of the House telecommunications subcommittee. Google also frequently invites prominent politicians to tour its Mountain View, Calif., headquarters. But its 2006 congressional lobbying budget of about $770,000, according to public disclosures, is dwarfed by the $21 million spent by AT&T and $14.4 million spent by Verizon the same year. Unlike many campaigns that use well-connected lobbyists to persuade members of Congress, Google and its opponents have fought this battle on paper, using their lawyers to make their arguments in filings to the FCC. 
Google's clout in the airwaves auction has grown slowly, marked by small victories along the way. In February, it hired Richard S. Whitt, once a lawyer for the now-defunct telephone company MCI, to lead its telecom policy agenda. And Google also harnessed the power of politically savvy public interest groups, consumer advocates and like-minded companies such as eBay and Yahoo to push its idea for an open network.

In late April, FCC Chairman Kevin J. Martin endorsed the general idea. A week later, during a tour of the Googleplex in Silicon Valley, he asked Brin and the other Google co-founder, Larry Page, and chief executive Eric Schmidt to suggest rules for the auction that would increase the chances that a new wireless competitor would emerge.

"I think that was a little victory for us that showed the chairman was willing to meet us in the middle," said Whitt, who has led Google's lobbying operation.

Over the next two months, Google outlined its requirements for the auction with the FCC. Its "alternate access team," run by three wireless engineers, Chris Sacca, Larry Alder and Minnie Ingersoll, swooped into Washington for a series of visits with FCC commissioners. Google has also hired game theorists to strategize for the auction.

In the meetings with the commissioners, Google's team urged them to require the highest bidder in the auction to build a network that would be open not only to devices but also to software and third-party companies. Those conditions would make the airwaves more accessible and, hence, more valuable to Google, but would conceivably damage the business of the wireless companies by no longer allowing them to differentiate their offerings from one another.

Like the culture at many Silicon Valley technology companies, Google's clashed with Washington's. Some FCC staff members said the company's tech gurus came across as arrogant in meetings with commissioners.
"They're used to getting what they want rather than having to make a case for what they want," said one staff member who spoke on the condition of anonymity.

Martin subsequently said he favored requiring the auction winner to use a chunk of the airwaves to build a network open to all mobile devices but stopping short of meeting Google's other demands.

AT&T and Verizon initially blanched at Martin's proposal, arguing it would tip the competitive scales in Google's favor. But in a series of hearings on Capitol Hill, several lawmakers voiced support for using these airwaves to give consumers more choices. Many cited complaints about the fact that Apple's iPhone, recently introduced to great fanfare, can be used only on AT&T's network. Others said they were concerned that regulating the airwaves would diminish the estimated $15 billion in revenue raised by the auction.

AT&T questioned Google's intentions, telling the company to "put up or shut up" in filings with the FCC. To "put our money where our principles are," Whitt said, Google then committed to spending at least $4.6 billion to bid on the airwaves if its conditions were met.

AT&T responded by shifting its position to support Martin's open-access proposal. Martin's plan for an open-access network "would enable the introduction of an alternate wireless business model without requiring changes in the business models of AT&T and others in what is a highly competitive wireless industry," said Jim Cicconi, AT&T's senior vice president of external and legislative affairs, in a recent filing with the FCC.

"It was very surprising that they backed down. . . . Google was getting traction, and I think the major players wanted to be on the winning side of this battle," said Doug Bonner, who heads the communications practice at the law firm Sonnenschein Nath & Rosenthal. "Google's definitely putting their currency to work."
From rforno at infowarrior.org Mon Jul 30 12:06:58 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 30 Jul 2007 08:06:58 -0400
Subject: [Infowarrior] - Surveillance Cameras Win Broad US Support
Message-ID:

Surveillance Cameras Win Broad Support
Majority of Americans Favor Extra Safety Factor of Cameras
ANALYSIS by MICHELLE LIRTZMAN
http://abcnews.go.com/print?id=3422372

July 29, 2007 - Crime-fighting beats privacy in public places: Americans, by nearly a 3-to-1 margin, support the increased use of surveillance cameras - a measure decried by some civil libertarians, but credited in London with helping to catch a variety of perpetrators since the early 1990s.

Given the chief arguments, pro and con - a way to help solve crimes vs. too much of a government intrusion on privacy - it isn't close: 71 percent of Americans favor the increased use of surveillance cameras, while 25 percent oppose it.

London's surveillance network, known as the "Ring of Steel," is said to have aided in the capture of suspects, including those accused of a pair of attempted car bombings in June. A similar system is coming to New York City, which plans 100 new surveillance cameras in downtown Manhattan by year's end and 3,000 - public and private - by 2010. Chicago and Baltimore plan expanded surveillance systems as well.

Critics, such as the American Civil Liberties Union, have opposed such systems, arguing that they invade privacy, and could be used to track innocent people.

Nonetheless, majority support for surveillance cameras crosses political, ideological and population groups, albeit with differences in degree. Seniors are most apt to support the increased use of these cameras, with under-30s, least so; Republicans more than Democrats; women more than men; higher educated people more than the less educated; and whites more than African-Americans.
Through a political lens, support for increased use of surveillance systems is lowest, 62 percent, among Democrats and Democratic-leaning independents who support Barack Obama for president - and highest of all, 86 percent, among Republicans who support Rudy Giuliani, who made his name as New York City's crime-fighting mayor.

METHODOLOGY - This ABC News/Washington Post poll was conducted by telephone July 18-21, 2007, among a random national sample of 1,125 adults. Additional interviews were conducted with an oversample of randomly selected African-Americans for a total of 210 black respondents. The results have a three-point error margin. Sampling, data collection and tabulation by TNS of Horsham, Pa.

From rforno at infowarrior.org Tue Jul 31 11:44:43 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 31 Jul 2007 07:44:43 -0400
Subject: [Infowarrior] - Citizen journalism website gets multi-million-dollar boost
Message-ID:

Citizen journalism website gets multi-million-dollar boost
Jul 30 03:39 AM US/Eastern
http://www.breitbart.com/article.php?id=070730073936.n84arl87&show_article=1

NowPublic announced Monday that the fast-growing citizen journalism website has scored 10.6 million dollars (US) in financing to fuel its drive to become the world's largest news agency.

The Vancouver-based start-up says it is growing at a rate of 35 percent monthly and has nearly 120,000 contributing "reporters" in more than 140 countries.

In part of a trend referred to as "citizen journalism," NowPublic lets anyone with a digital camera or a camera-enabled mobile telephone upload images or news snippets for dissemination via the Internet. Time Magazine lists NowPublic among its top 50 websites of 2007.

"I promise you, in 18 months NowPublic will be, by reach, the largest news agency in the world," start-up co-founder Len Brody told AFP.
"The most exciting thing for us is this started as an experiment in a garage behind a house and we are breaking stories and changing the news business."

The financing is led by Rho Ventures in the United States and Canada. Uses for the money will include ways to reward people that upload stories or images, and developing a system to "geo-locate" contributors so they can be found if they are in range of developments deemed newsworthy.

"We are moving to geo-locating people so we can do some cool stuff," Brody said. "For example, if there is a bomb in a subway station in London or a virus breaks out in Google's cafeteria and media can't get there fast enough we can identify people on the scene already and get their content," Brody said.

Contributors own stories they post on NowPublic, which does not pay for submissions. "This is really going to help us start compensating those folks," said Brody.

NowPublic is "putting the pedal to the metal in partnerships" with newspapers, magazines, television networks and news wire services, according to Brody.

NowPublic was posting pictures from a deadly cyclone strike in Oman in June by the time the region's Associated Press bureau chief was setting out from home to cover the story, Brody said. NowPublic contributors filed reports from inside London's Heathrow Airport during a 2006 terrorism lockdown and from the US Gulf Coast when it was pounded by Hurricane Katrina in 2005.

"This isn't YouTube with video of guys doing pranks in their dorm rooms," said Brody. "This is real stuff; real news. More and more people are seeing more and more things, carrying mobile devices, and that creates a new army."

Participatory journalism is expected to influence traditional news operations as reporters get tips or ideas from people online or respond to news broken by people in the right places at the right times.

"We become the early warning system," Brody said.
"Breaking news will be owned by organizations like NowPublic, while the analysis side will be owned by AFP and other organizations. That is the big change we are making."

Content at the NowPublic website is completely user-provided, with about half of it being original and the rest links to other online news stories. Volunteer "deputy editors" filter inappropriate material and let contributors know when stories are incomplete, inaccurate, or unauthentic.

NowPublic makes its money predominately through syndication of content and fees charged to connect established news organizations with citizen reporters.

Copyright AFP 2007, AFP stories and photos shall not be published, broadcast, rewritten for broadcast or publication or redistributed directly or indirectly in any medium

From rforno at infowarrior.org Tue Jul 31 11:59:00 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 31 Jul 2007 07:59:00 -0400
Subject: [Infowarrior] - "Attempted infringement" appears in new House intellectual property bill
Message-ID:

"Attempted infringement" appears in new House intellectual property bill
By Nate Anderson | Published: July 30, 2007 - 01:11AM CT
http://arstechnica.com/news.ars/post/20070730-attempted-infringment-appears-in-new-house-intellectual-property-bill.html

Back in May, the Justice Department issued some proposed legislation to tighten US intellectual property laws and to criminalize some forms of "attempted infringement." Now, legislation based on the proposals has been introduced in Congress by Rep. Steve Chabot (R-OH), complete with stiffer jail terms for violators and the controversial "attempted infringement" clause.

H.R. 3155, the Intellectual Property Enhanced Criminal Enforcement Act of 2007, aims widely. Everything gets a section: unauthorized recording of films in theaters, circumventing copy protection, trafficking in counterfeit goods.
The bill even directs the Attorney General to send federal prosecutors to take up permanent residence in Hong Kong and Budapest and specifies the number and makeup of FBI investigative teams.

In most cases, the bill appears to simply double existing penalties. Section 12 alone, for instance, makes a 10-year prison term into a 20-year term, three years into six, five into 10, and six into 12. Poof! More prison time!

One of the bill's controversial features is the fact that people can be charged with criminal copyright infringement even if such infringement has not actually taken place. "Any person who attempts to commit an offense under paragraph (1) shall be subject to the same penalties as those prescribed for the offense, the commission of which was the object of the attempt," says the bill.

While copyright infringement is sometimes believed to be solely a civil matter, that's not the case. US Code 17, section 506 (a) spells out the conditions for criminal infringement under which the government can actually do the prosecuting, and they are quite modest. The infringement must be willful, and the material in question must have a total retail value of over $1,000. This wouldn't be a difficult threshold for many P2P users to clear, except for the fact that this section also requires that the infringement be done "for purposes of commercial advantage or private financial gain."

The attempted infringement clause actually falls under this criminal infringement statute, meaning that it won't apply to file-sharing unless the courts suddenly take a hugely expansive view of "commercial advantage or private financial gain," and it's unlikely the government has some new interest in such cases.

The bill is full of the sort of things that groups like the EFF aren't going to like, and in fact the EFF has already issued a statement condemning the legislation.
One of their concerns is that a small change to the law could have big effects on casual file-sharers for a different reason: P2P users could face greater penalties for infringement after statutory damages are expanded. The bill allows "a judge to dole out damages for each separate piece of a derivative work or compilation, rather than treating it as one work," wrote Derek Slater, "for example, copying an entire album could translate into damages for each individual track, even if the copyrights in those tracks aren't separately registered."

From rforno at infowarrior.org Tue Jul 31 12:17:10 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 31 Jul 2007 08:17:10 -0400
Subject: [Infowarrior] - Schneier interviews TSA's Kip Hawley
Message-ID:

Rather sobering interview -- kudos to Bruce for asking the hard questions, and (despite some of his answers) to Hawley for agreeing to sit for an interview conducted by someone knowledgeable and critical. -rf

Conversation with Kip Hawley, TSA Administrator (Part 1)
http://www.schneier.com/blog/archives/2007/07/conversation_wi_4.html

Conversation with Kip Hawley, TSA Administrator (Part 2)
http://www.schneier.com/blog/archives/2007/07/conversation_wi.html

From rforno at infowarrior.org Tue Jul 31 22:37:02 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 31 Jul 2007 18:37:02 -0400
Subject: [Infowarrior] - FCC sets airwaves sale rule
Message-ID:

FCC sets airwaves sale rule
Tuesday July 31, 5:30 pm ET
By Jeremy Pelofsky
http://biz.yahoo.com/rb/070731/wireless_auction.html?.v=9

WASHINGTON (Reuters) - The Federal Communications Commission on Tuesday voted to shake up the wireless market by approving a set of ground-rules for a big airwaves auction that would require the winner to make them accessible to any cell phone, device or application.

The sale will likely begin in December or January and the government expects it to raise at least $10 billion.
The airwaves are being returned by television broadcasters as they move from analog to digital signals in early 2009. The access requirement would apply to 22 megahertz of the 62 MHz of spectrum to be sold.

Two Republican FCC commissioners, who were skeptical of the idea, stressed it would not apply to existing airwaves held by carriers like AT&T Inc. (NYSE:T) and Verizon Wireless (NYSE:VZ; LSE:VOD.L).

The agency stopped short of a broader requirement sought by potential bidder Google Inc. (NasdaqGS:GOOG) that would force the winner to resell access to its network on a wholesale basis.

Currently, wireless carriers restrict the models of cell phones that can be used on their networks. They also limit the software that can be downloaded onto them, such as ring tones, music or Web browser software.

Republican FCC Chairman Kevin Martin, who proposed the access concept, received support from the agency's two Democratic commissioners. He hoped the carriers would apply the policy to their existing airwaves.

"I hope that will actually spur a more open platform on this new piece of spectrum but also make sure that some of the benefits of innovation are then able to flow to some of the other networks as well," he told reporters.

The FCC suggested a $4.6 billion minimum price for the 22 MHz block of airwaves. If that price is not reached, the airwaves would be auctioned again, but without the access requirement, according to the agency.

The spectrum being sold can travel long distances and penetrate thick walls, making it particularly valuable. The auction, to be done with anonymous bidding, is seen as a last chance for a major new player to enter the wireless market.

Stifel Nicolaus analyst Chris King said that while the open access conditions would be disappointing for service providers, it should not hurt them in the near term.

"Opening to any device is probably something the wireless carriers didn't want to see," he said.
"I don't think you'll see another nationwide carrier develop out of thin air."

NO WHOLESALE ACCESS

The lack of a wholesale access provision drew criticism from the agency's two Democrats.

"Several sophisticated companies and financial institutions have concluded that wholesale is indeed a viable economic model," said Democratic Commissioner Michael Copps. "Smaller entrepreneurs deserve an alternate path to wireless access."

Commercial providers will be able to bid on the 22 MHz in large regional licenses, as well as additional airwaves broken into smaller individual market licenses. A 10 MHz swath of spectrum will be sold to a nonprofit entity for public safety officials to use but it could be shared with commercial operators.

Supporters of the open-access approach, including Google and some U.S. consumer groups, say it will spur new competition and innovation in the market for wireless services.

Google said it would have to review details of the order before deciding whether it would bid in the auction but praised the decision. "The FCC took some concrete steps on the road to bringing greater choice and competition to all Americans."

No. 1 U.S. wireless provider, AT&T, supported Martin's proposal, which would allow consumers the ability to move their wireless handset from network to network. A Verizon Wireless spokesman declined to comment but an AT&T executive said the decision was a reasonable compromise.

"If Google is serious about introducing a competing business model into the wireless industry, Chairman Martin's compromise plan allows them to bid in the auction, win the spectrum, and then implement every one of the conditions they seek," said Jim Cicconi, an AT&T senior executive vice president.

(Additional reporting by Peter Kaplan in Washington and Sinead Carew in New York)