From rforno at infowarrior.org Tue May 1 02:10:05 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 30 Apr 2007 22:10:05 -0400
Subject: [Infowarrior] - State Dept Report says terror attacks up sharply
Message-ID:

Report says terror attacks up sharply
By MATTHEW LEE, Associated Press Writer
http://news.yahoo.com/s/ap/20070501/ap_on_go_ca_st_pe/us_terrorism&printer=1;_ylt=AtPpBQytYJXyXfo0AAuqP6SWwvIE

Terrorist attacks worldwide shot up more than 25 percent last year, killing 40 percent more people than in 2005, particularly in Iraq where extremists used chemical weapons and suicide bombers to target crowds, the State Department said Monday.

Among countries, Iran remains the biggest supporter of terrorism, with elements of its government backing groups throughout the Middle East, notably in Iraq, giving material aid and guidance to Shiite insurgent groups that have attacked Sunnis, U.S. and Iraqi forces, it said.

In its annual global survey of terrorism, the department said 14,338 attacks took place in 2006, mainly in Iraq and Afghanistan, 3,185 more than in 2005 representing a 28.5 percent increase. These strikes claimed a total of 20,498 lives, 13,340 of them in Iraq, 5,800 more, or a 40.2 percent increase, than last year, it said.

Despite the grim figures, State Department officials pointed to some successes in the war on terror, including improved counterterrorism cooperation with various nations and the thwarting of numerous plots, notably plans to down trans-Atlantic airliners.

"Serious challenges do remain, there's no question about that," said acting counterterrorism coordinator Frank Urbancic. "This is not the kind of war where you can measure success with conventional numbers. We cannot aspire to a single decisive battle that will break the enemy's back, nor can we hope for a signed peace accord to mark victory."
The report partly attributes the higher casualty figures to a 25 percent jump in the number of nonvehicular suicide bombings targeting large crowds. That overwhelmed a 12 percent dip in suicide attacks involving vehicles. In Iraq, the use of chemical weapons, seen for the first time in a Nov. 23, 2006, attack in Sadr City, also "signaled a dangerous strategic shift in tactics," it said.

With the rise in fatalities, the number of injuries from terrorist attacks also rose, by 54 percent, between 2005 and 2006, and the number of wounded doubled in Iraq over the period, according to the department's Country Reports on Terrorism 2006.

The numbers were compiled by the National Counterterrorism Center and refer to deaths and injuries sustained by "noncombatants," with significant increases in attacks targeting children, educators and journalists.

"By far the largest number of reported terrorist incidents occurred in the Near East and South Asia," said the 335-page report, referring to the regions where Iraq and Afghanistan are located. "These two regions also were the locations for 90 percent of all the 290 high-casualty attacks that killed 10 or more people," it said.

The report said 6,600, or 45 percent, of the attacks took place in Iraq, killing about 13,000 people, or 65 percent of the worldwide total of terrorist-related deaths in 2006. Kidnappings by terrorists soared 300 percent in Iraq over 2005.

Afghanistan had 749 strikes in 2006, a 50 percent rise from 2005 when 491 attacks were tallied, according to the report.

However, it also detailed a surge in Africa, where 65 percent more attacks, 420 compared to 253 in 2005, were counted last year, largely due to turmoil in or near Sudan, including Darfur, and Nigeria where oil facilities and workers have been targeted.
As in previous years, the 2006 report identified Iran as the "most active state sponsor" of terror, accusing the Islamic republic of helping plan and foment attacks to destabilize Iraq and derail Israeli-Palestinian peace efforts.

Iran's Revolutionary Guard has been "linked to armor-piercing explosives that resulted in the deaths of coalition forces" and has helped, along with Lebanon's radical Hezbollah movement, train Iraqi extremists to build bombs, the report said.

Although the designation of Iran is not new, it appears in the report that is being released as Secretary of State Condoleezza Rice prepares to attend a conference of Iraq's neighbors, at which she has not ruled out a meeting with Iran's foreign minister.

The report said that terrorists continue to rely mainly on conventional weapons in their attacks, but noted no let up in an alarming trend toward more sophisticated and better planned and coordinated strikes. For instance, while the number of bombings increased by 30 percent between 2005 and 2006, the death tolls from these incidents rose by 39 percent and the number of injuries rose by 45 percent, it said.

The report attributed the higher casualty figures to a 25 percent jump in the number of non-vehicular suicide bombings targeting large crowds that more than made up for a slight 12 percent dip in suicide attacks involving vehicles.

Of the 58,000 people killed or wounded in terrorist attacks around the world in 2006, more than 50 percent were Muslims, with government officials, police and security guards accounting for a large proportion, the report said.

The number of child casualties from terrorist attacks soared by more than 80 percent between 2005 and 2006 to more than 1,800, while incidents involving educators were up more than 45 percent and those involving journalists up 20 percent, the report said.

Twenty-eight U.S. citizens were killed and 27 wounded in terrorist incidents in 2006, most of them in Iraq, where eight of the 12 Americans kidnapped by terrorists last year were taken captive, it said.

From rforno at infowarrior.org Tue May 1 03:04:59 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 30 Apr 2007 23:04:59 -0400
Subject: [Infowarrior] - Owners of E-Gold indicted for money laundering
Message-ID:

Owners of E-Gold indicted for money laundering
Service allegedly popular among child pornographers and other low-lifes
By Dan Goodin in San Francisco
Published Tuesday 1st May 2007 01:44 GMT
http://www.theregister.co.uk/2007/05/01/e-gold_indictment/

Three owners of online payment processor E-Gold and an affiliated company have been indicted for money laundering and related crimes for allegedly allowing sellers of child pornography, operators of investment scams and other types of criminals to send and receive payments related to their misdeeds.

In addition to E-Gold, the four-count indictment names Gold & Silver Reserve and company owners Douglas L. Jackson of Satellite Beach, Florida; Reid A. Jackson of Melbourne, Florida; and Barry K. Downey of Woodbine, Maryland. They are charged with one count each of conspiracy to launder monetary instruments, conspiracy to operate an unlicensed money transmitting business, operating an unlicensed money transmitting business under federal law and money transmission without a license under the District of Columbia.

Prior to the indictment, the defendants had already received a restraining order preventing them from dispersing assets. The US Department of Justice had also obtained 24 seizure warrants on more than 58 accounts believed to be property involved in money laundering and operation of unlicensed money operation.

According to prosecutors, E-Gold's status as the preferred payment method from some of Earth's lowest life forms was for good reason.
The online service was purportedly backed by stored physical gold, and all that was needed to open an account was a valid email address. No other contact information or background information was necessary.

"Douglas Jackson and his associates operated a sophisticated and widespread international money remitting business, unsupervised and unregulated by any entity in the world, which allowed for anonymous transfers of value at a click of a mouse," said Jeffrey A. Taylor, US Attorney for the District of Columbia.

Three of the four counts each carry a maximum sentence of five years in prison. The count for conspiracy to launder money carries a sentence of up to 20 years.

The indictment is the result of a two-and-a-half year investigation by the US Secret Service, the Internal Revenue Service and the FBI.

From rforno at infowarrior.org Tue May 1 03:42:57 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 30 Apr 2007 23:42:57 -0400
Subject: [Infowarrior] - If you didn't think newspapers were in trouble.....
Message-ID:

http://biz.yahoo.com/ap/070430/newspapers_circulation_list.html?.v=1
Monday April 30, 10:59 am ET
By The Associated Press

Average Weekday Circulation at the Top 20 U.S. Newspapers

Average paid weekday circulation of the nation's 20 largest newspapers for the six-month period ending in March, as reported Monday by the Audit Bureau of Circulations. The percentage changes are from the comparable year-ago period.

1. USA Today, 2,278,022, up 0.2 percent
2. The Wall Street Journal, 2,062,312, up 0.6 percent
3. The New York Times, 1,120,420, down 1.9 percent
4. Los Angeles Times, 815,723, down 4.2 percent
5. New York Post, 724,748, up 7.6 percent
6. New York Daily News, 718,174, up 1.4 percent
7. The Washington Post, 699,130, down 3.5 percent
8. Chicago Tribune, 566,827, down 2.1 percent
9. Houston Chronicle, 503,114, down 2 percent
10. The Arizona Republic, 433,731, down 1.1 percent
11. Dallas Morning News, 411,919, down 14.3 percent
12. Newsday, Long Island, 398,231, down 6.9 percent
13. San Francisco Chronicle, 386,564, down 2.9 percent
14. The Boston Globe, 382,503, down 3.7 percent
15. The Star-Ledger of Newark, N.J., 372,629, down 6.1 percent
16. The Atlanta Journal-Constitution, 357,399, down 2.1 percent
17. The Philadelphia Inquirer, 352,593, up 0.6 percent
18. Star Tribune of Minneapolis-St. Paul, 345,252, down 4.9 percent
19. The Plain Dealer, Cleveland, 344,704, up 0.5 percent
20. Detroit Free Press, 329,989, down 4.7 percent

The Dallas Morning News is reporting for the first time since being censured in 2004 for misstating circulation figures. The Chicago Sun-Times has not yet resumed reporting.

Source: Audit Bureau of Circulations.

From rforno at infowarrior.org Tue May 1 12:29:39 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 01 May 2007 08:29:39 -0400
Subject: [Infowarrior] - RIAA collecting money from non-RIAA members, w/Congressional support
Message-ID:

Webcasting Non-RIAA Music In Protest May Only Make The RIAA Wealthier
http://techdirt.com/articles/20070430/013922.shtml

Following the latest webcasting rates that will likely put many webcasters out of business, one suggestion was that webcasters should simply play non-RIAA music. In theory this would help in multiple ways -- giving those independent musicians more publicity while avoiding the draconian webcasting rates. In practice... however, that won't work. Slashdot points us to an article dissecting the fine print, where you'll discover that SoundExchange, which is the RIAA's collection body, actually gets to collect money for non-RIAA members as well. In other words, even for independent artists who don't want webcasters to have to pay, webcasters will still need to pay up. The story actually gets even worse. As we noted a few years ago, part of the deal is that SoundExchange and the RIAA get to keep any unclaimed money for themselves.
Even better, SoundExchange can simply pretend not to be able to find the musicians (as they've done with a ton of big name musicians in the past). So, chances are, many independent artists have no idea that SoundExchange is hanging onto a bunch of money they didn't even want collected and there's almost no chance they'll claim it -- meaning that if you try to avoid the webcasting rates by playing non-RIAA music, there's a good chance you're actually enriching the RIAA even more.

Just for fun, why don't we compare two situations? The RIAA tells people that simply listening to music without paying for it is a terrible crime that people should be punished for. Yet... the RIAA getting money for non-RIAA music and not paying the deserving artists that money is perfectly legal? Damn, the RIAA lobbyists are good.

From rforno at infowarrior.org Tue May 1 12:31:38 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 01 May 2007 08:31:38 -0400
Subject: [Infowarrior] - DDR hits the high school gym class
Message-ID:

Dance Dance Revolution hits the high school gym class
By John Timmer | Published: April 30, 2007 - 11:15PM CT
http://arstechnica.com/news.ars/post/20070430-dance-dance-revolution-coming-to-a-gym-class-near-you.html

Childhood obesity is an increasing problem in the developed world, fed by a one-two punch of poor dietary options and a sedentary lifestyle. Video games are sometimes blamed for the appeal of sedentary living, but an article in the New York Times takes a look at one game that may provide a solution: Dance Dance Revolution, which has appeared as part of regular gym classes in at least 10 states.

Gym class would seem like an obvious place to intervene when attempting to combat childhood lethargy, but the challenge has been to get students, especially the obese, involved in gym in the first place.
Many fitness activities simply aren't appealing to a wired generation, and others (such as basketball) require students have an existing athletic skill set before they can fully participate. DDR appears to bridge these gaps, as it uses a format, video gaming, that appeals to students, and doesn't require skills beyond basic coordination.

The use of DDR is also backed up by a growing body of scientific literature. One study suggested that, even at beginner's settings, a little over an hour of DDR would be sufficient to help children lose weight, and the activity fell within recommended guidelines for cardiac fitness. A second revealed that DDR raised the energy use of children more than forcing them to walk on a treadmill while watching TV.

Putting DDR in high school PE class is being pioneered in West Virginia, which has some of the highest rates of obesity and related disorders in the nation. The state plans to install DDR equipment in every school in the state by sometime next year. The effort is being coordinated with West Virginia University's School of Physical Education, which has produced a study (as yet unpublished) examining the benefits of DDR at home. Although not all of the overweight children in that study lost weight, the majority did not gain weight and managed to increase aerobic capacity and general fitness. Surveys of the children suggested that time spent playing DDR also improved self-image and produced better attitudes towards exercise.

Improved fitness does not seem to be DDR-specific: one of the studies mentioned above also tracked smaller but significant gains from a game which used a USB camera to insert players into the action. It's also worth noting that all of these studies have been performed prior to the appearance of active gaming's new 800-pound gorilla: the Nintendo Wii, which has many games that require its players to get physically involved.

Last fall, a fitness center opened in Southern California that caters exclusively to teenagers.
Called Overtime Fitness, the gym uses a number of video games to get kids exercising. But you don't need a gym membership to get in shape by playing video games. Last year, Ben managed to drop almost 20 pounds by following a fitness regimen that included heavy doses of gaming.

Although games will probably never substitute for a full slate of physical activities, immersive games like DDR can act as an important bridge, catching students' interest and getting them up to a basic level of fitness that may enable them to take part in more challenging exercise.

Given the results of these studies, the next logical step seems to be to get one of the college-level physical education programs involved in game design. One of these studies suggested DDR had room for improvement when it came to exercising the lung capacity of participants, a weakness that some careful work might address.

From rforno at infowarrior.org Tue May 1 12:33:12 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 01 May 2007 08:33:12 -0400
Subject: [Infowarrior] - VeriSign to offer passwords on bank card
Message-ID:

http://news.yahoo.com/s/ap/20070501/ap_on_hi_te/verisign_disposable_passwords

VeriSign to offer passwords on bank card
By ANICK JESDANUN, AP Internet Writer
Tue May 1, 12:34 AM ET

NEW YORK - A leading provider of digital-security services wants to make disposable passwords easier for consumers to accept by squeezing the technology into the corner of a regular credit or ATM card.

Fran Rosch, vice president for authentication services at VeriSign Inc., said the one-time passwords haven't taken off in the United States partly because consumers need to carry a small device that generates passwords on the fly. That barrier is removed, he said, by having the technology built into cards consumers already carry.

VeriSign was expected to announce a deal Tuesday with Innovative Card Technologies Inc.
to outfit banks and e-commerce sites with cards that work with VeriSign's password system.

With the card, consumers logging on to an online bank account, for instance, would type in their regular username and password, along with a six-digit code that appears on the card's display window. That code constantly changes, meaning the customer needs to have possession of the card to access the account.

Security companies like VeriSign and EMC Corp.'s RSA Security Inc. have been promoting one-time passwords and other "two-factor" authentication systems to combat "phishing" and other scams aimed at tricking users into revealing sensitive data like passwords. By requiring a second code that is tied to a device or a card in the user's possession, an online account remains protected even if the regular password is compromised.

If a customer loses the device or card, someone would still need to know the username and password to log on.

Banks and merchants participating in VeriSign's password network can share codes, so consumers wouldn't have to carry multiple cards and devices or even one of each.

VeriSign said it expects to announce a major bank using its cards in May, and those would be compatible with services currently using devices. The company already has agreements with eBay Inc, eBay's PayPal service, Yahoo Inc. and Charles Schwab Corp. to issue password-generating devices that use Verisign's technology.

From rforno at infowarrior.org Tue May 1 12:45:18 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 01 May 2007 08:45:18 -0400
Subject: [Infowarrior] - SCOTUS Puts Limits on Patents
Message-ID:

High Court Puts Limits on Patents
http://www.nytimes.com/2007/05/01/business/01bizcourt.html
By LINDA GREENHOUSE
Published: May 1, 2007

WASHINGTON, April 30 -- The Supreme Court, in its most important patent ruling in years, on Monday raised the bar for obtaining patents on new products that combine elements of pre-existing inventions.
If the combination results from nothing more than "ordinary innovation" and "does no more than yield predictable results," the court said in a unanimous opinion, it is not entitled to the exclusive rights that patent protection conveys. "Were it otherwise," Justice Anthony M. Kennedy wrote in the opinion, "patents might stifle, rather than promote, the progress of useful arts."

Because most inventions combine previously known elements, the court's approach to deciding what sort of combination is so "obvious" as to be ineligible for patent protection will have widespread application. The result will be to make patents harder to obtain and defend.

"Granting patent protection to advances that would occur in the ordinary course without real innovation retards progress," Justice Kennedy said. He added that such patents were also undesirable because they might deprive earlier innovations of "their value or utility."

Patent law experts said the ruling created a common sense standard that could have a broad impact. "Nearly every patent that contains a combination of prior ideas is at risk because the court has dramatically broadened the standard of obviousness," said Cynthia Kernick, an intellectual property lawyer at Reed Smith in Pittsburgh.

Judges will have more leeway to dismiss patent infringement lawsuits without requiring a jury trial, and patent examiners, who generally grant patent applications unless they find prior references to the same invention, will now feel freer to deny claims, said Matthew Kreeger, an intellectual property lawyer at Morrison and Foerster in San Francisco. "And we could see thousands of cases asking the Patent Office to re-examine patents it has already granted," said Mr. Kreeger, who was one of the lawyers who had prepared a brief filed by the Biotechnology Industry Organization in support of the patent. "It doesn't take a lot of resources to ask for a re-examination."
To be eligible for a patent, an invention must be novel, useful and not "obvious" to a person of "ordinary skill" in the field. The Supreme Court case concerned a fairly typical dispute over whether a combination of old elements in a new way was new or simply "obvious" to any expert.

At issue was an adjustable gas pedal for use on cars and trucks equipped with electronic engine controls. How could the vehicle's computer tell the pedal's position? A Canadian company, KSR International, under contract to General Motors, solved the problem by mounting an electronic sensor at the pedal's fixed pivot point in order to communicate the necessary information.

A rival, Teleflex Inc., demanded royalties, claiming the device infringed its patent on an adjustable gas pedal equipped with an electronic sensor. KSR refused to pay on the ground that Teleflex had combined existing elements in an obvious manner and that its patent was therefore invalid.

KSR won in Federal District Court in Detroit, but that decision was overturned in 2005 by the United States Court of Appeals for the Federal Circuit. That court, in Washington, has exclusive jurisdiction over patent appeals. After years of permitting its judgments to stand unreviewed, the Supreme Court has begun to take an active interest in the Federal Circuit's cases and has overturned several, including a second case the justices decided on Monday in favor of Microsoft in a dispute with AT&T.

In granting judgment for KSR on Monday, in KSR International Co. v. Teleflex Inc., No. 04-1350, the Supreme Court listed several specific errors and "fundamental misunderstandings" in how the Federal Circuit had analyzed the case. In looking at the Teleflex patent, Justice Kennedy said, the appeals court made the mistake of considering what "a pedal designer writing on a blank slate" would have done to solve the problem of the pedal and the sensor.
But the slate was not blank, he continued, and the Teleflex patent was essentially an upgrade of existing technology.

Justice Kennedy said the problem was not necessarily the Federal Circuit's overall approach, but rather its rigid way of applying a commonly used legal test. The test requires a person challenging a patent as obvious to identify a reason that would have prompted someone to combine two or more previous inventions, such as published articles suggesting such a combination. This has made it difficult to attack a patent as obvious, and has often precluded summary judgment, instead requiring an expensive jury trial.

Justice Kennedy said that this test, in the Federal Circuit's hands, had led to a "constricted analysis" that paid too much attention to an inventor's motivation and too little to a simpler inquiry: whether "there existed at the time of invention a known problem for which there was an obvious solution." The Teleflex patent fit that description, he said.

The federal government, which had sided with KSR, argued that the Federal Circuit's approach had led to the granting of too many patents to obvious inventions. Pharmaceutical and biotechnology industry groups, entering the case for Teleflex, argued that innovation would suffer if patents became too hard to defend.

In a sense, the case presented a moving target. While the KSR appeal was pending, the Federal Circuit issued several decisions reflecting openness to challenges to patents as unworthy because of obviousness. "Those decisions, of course, are not before us now," Justice Kennedy said.

Court Sides With Microsoft

WASHINGTON, April 30 (AP) -- The Supreme Court sided with the Microsoft Corporation on Monday, finding that patent law does not apply to software sent to foreign countries. In a 7-1 decision, the court rejected AT&T's position that it was entitled to damages for every Windows-based computer made outside the United States using technology that compresses speech into computer code.
AT&T had said computers running the Windows operating system infringed on its technology for a digital speech coder system. The decision could affect other lawsuits against Microsoft and save it billions because of the global scope of its operations. The Supreme Court said software should be treated like exported blueprints and schematics.

Barnaby Feder contributed reporting.

From rforno at infowarrior.org Tue May 1 14:51:29 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 01 May 2007 10:51:29 -0400
Subject: [Infowarrior] - Spread this number
Message-ID:

Spread this number

09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0. Wanna know what's so important about it? The movie industry is threatening Spooky Action at a Distance for publishing that number, specifically with copyright infringement. I had no idea a number could be copyrighted. Anyhow, what is it?

< - >

http://rudd-o.com/archives/2007/04/30/spread-this-number/

From rforno at infowarrior.org Tue May 1 16:23:30 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 01 May 2007 12:23:30 -0400
Subject: [Infowarrior] - 43 Groups Announce National REAL ID Public Campaign
In-Reply-To: <0070D9AE590A4146B75677FD735A049A5298BD@moonraker.campus.ncl.ac.uk>
Message-ID:

FOR IMMEDIATE RELEASE
May 1, 2007

Contact: Melissa Ngo
Director, EPIC Identification and Surveillance Project
(202) 483-1140 ext. 123
ngo AT epic.org

FORTY-THREE GROUPS ANNOUNCE NATIONAL REAL ID PUBLIC CAMPAIGN

WASHINGTON, DC - Today, 43 organizations representing transpartisan, nonpartisan, privacy, consumer, civil liberty, civil rights, and immigrant organizations have joined to launch a national campaign to solicit public comments to stop the nation's first national ID system: REAL ID.
The groups joining in the anti-REAL ID campaign are concerned about the increased threat of counterfeiting and identity theft, lack of security to protect against unauthorized access to the document's machine readable content, increased cost to taxpayers, diverting of state funds intended for homeland security, increased costs for obtaining a license or state issued ID card, and because the REAL ID would create a false belief that it is secure and unforgeable.

This effort builds on the momentum that is signaling broad opposition to the REAL ID in the states. Montana has become the fifth state, following Maine, Idaho, Arkansas, and Washington, to prohibit cooperation with the Department of Homeland Security in implementing the REAL ID national identification system.

Under the Act, states and federal government would share access to a vast national database that could include images of birth certificates, marriage licenses, divorce papers, court ordered separations, medical records, and detailed information on the name, date of birth, race, religion, ethnicity, gender, address, telephone, e-mail address, Social Security Number for more than 240 million with no requirements or controls on how this database might be used. Many may not have the documents required to obtain a REAL ID, or they may face added requirements based on arbitrary and capricious decisions made by DMV employees.

EPIC joins this group of 43 organizations in a fight against the national identification system created by the Department of Homeland Security. "Make no mistake, this is a national identification system that will affect your everyday life," said Melissa Ngo, Director of EPIC's Identification and Surveillance Project. "Critics of the REAL ID scheme are called anti-security, but it is not anti-security to reject a national identification system that will harm our national security and make it easier for criminals to pretend to be law-abiding Americans."
The draft regulations to implement the REAL ID Act are open for comment until 5 p.m. EST on May 8, 2007. To take action and submit comments against the fundamentally flawed national identification scheme, under Docket No. 2006-0030-0001:

Online: Through the public submission portal at: http://www.regulations.gov

Or use one of the more user-friendly sites found at the following web addresses:
EFF: https://secure.eff.org/site/Advocacy?JServSessionIdr007=jursz5zko3.app13b&cmd=display&page=UserAction&id=287
Privacy Activism: http://stoprealid.privacyactivism.org/wiki/index.php?title=Instructions_for_filing_comments

To Fax Comments to the Department of Homeland Security:
Electronic Frontier Foundation: http://action.eff.org/site/Advocacy?id=287
Privacy Coalition: http://www.privacycoalition.org/stoprealid/sampletext.html

Or send a letter to the agency.
Fax: 1-866-466-5370.
Postal mail: Department of Homeland Security, Attn: NAC 1-12037, Washington, DC 20528

All comments must be received by 5:00 PM EST on May 8, 2007.

Visit the Stop REAL ID Campaign site: http://www.privacycoalition.org/stoprealid
Visit EPIC's National ID Cards and REAL ID Act page: http://www.epic.org/privacy/id_cards/

List of all of the Groups Supporting this Campaign:
American Federation of Labor-Congress of Industrial Organizations
American Library Association
American Policy Center
American-Arab Anti-Discrimination Committee
Association of American Physicians & Surgeons
Bill of Rights Defense Committee
Center for Digital Democracy
Center for Financial Privacy and Human Rights
Citizen Outreach Project
Citizens Against Government Waste
Common Cause
Computing Professionals for Social Responsibility
Consumer Action
DownsizeDC.org
Electronic Frontier Foundation
Electronic Privacy Information Center
Fairfax County Privacy Council
Give Me Back My Rights Coalition
Government Accountability Project
Gun Owners of America
Immigrant Workers Union
Leadership Conference on Civil Rights
Liberty Coalition
National Center for Transgender Equality
National Council of Jewish Women
National Council of La Raza
National Gay and Lesbian Task Force
National Immigration Law Center
OpenCarry.org
Parents, Families and Friends of Lesbians and Gays
Patient Privacy Rights Foundation
People for the American Way
Privacy Activism
Privacy Rights Clearinghouse
Privacy Times
Republican Liberty Caucus
Rutherford Institute, The
The Arc of the United States
United Cerebral Palsy
The Multiracial Activist
US Bill of Rights Foundation
Virginia Citizens Defense League
Virginia Gun Owners Coalition
World Privacy Forum

From rforno at infowarrior.org Wed May 2 03:24:55 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 01 May 2007 23:24:55 -0400
Subject: [Infowarrior] - Administration Pulls Back on Surveillance Agreement
Message-ID:

Administration Pulls Back on Surveillance Agreement
By JAMES RISEN
Published: May 2, 2007
http://www.nytimes.com/2007/05/02/washington/02intel.html

WASHINGTON, May 1 -- Senior Bush administration officials told Congress on Tuesday that they could not pledge that the administration would continue to seek warrants from a secret court for a domestic wiretapping program, as it agreed to do in January. Rather, they argued that the president had the constitutional authority to decide for himself whether to conduct surveillance without warrants.
As a result of the January agreement, the administration said that the National Security Agency's domestic spying program has been brought under the legal structure laid out in the Foreign Intelligence Surveillance Act, which requires court-approved warrants for the wiretapping of American citizens and others inside the United States. But on Tuesday, the senior officials, including Michael McConnell, the new director of national intelligence, said they believed that the president still had the authority under Article II of the Constitution to once again order the N.S.A. to conduct surveillance inside the country without warrants. During a hearing Tuesday of the Senate Intelligence Committee, Mr. McConnell was asked by Senator Russ Feingold, Democrat of Wisconsin, whether he could promise that the administration would no longer sidestep the court when seeking warrants. "Sir, the president's authority under Article II is in the Constitution," Mr. McConnell said. "So if the president chose to exercise Article II authority, that would be the president's call." The administration had earlier argued that both the president's inherent executive powers under Article II of the Constitution, as well as the September 2001 Congressional authorization to use military force against Al Qaeda, provided him with the power to conduct surveillance without warrants. Mr. McConnell emphasized that all domestic electronic surveillance was now being conducted with court-approved warrants, and said that there were no plans "that we are formulating or thinking about currently" to resume domestic wiretapping without warrants. "But I'd just highlight," he said, "Article II is Article II, so in a different circumstance, I can't speak for the president what he might decide." 
The exchange came as the administration is seeking new legislation to update the surveillance act to expand the government's surveillance powers, in part to deal with vast changes in communications technology since 1978, when the measure was enacted. The White House says that the outmoded rules embedded in the law mean that the government cannot eavesdrop on some telephone calls, e-mail and other communications that do not involve Americans or impinge on the privacy rights of people inside the United States. While administration officials, citing national security concerns, have declined to discuss publicly what communications gaps they wish to plug, their proposed legislation seems designed to single out so-called "transit traffic," purely international telephone calls and e-mail that go from one foreign country to another, but happen to be digitally routed through the United States telecommunications system. The administration's proposal would also provide legal immunity for telecommunications companies that cooperated with the National Security Agency's surveillance program without warrants before it was brought under the surveillance act in January. It would also provide legal protections for government workers who took part in the N.S.A. program. Several Democratic lawmakers expressed frustration on Tuesday that the administration had not provided documents related to the National Security Agency program, which the White House called the Terrorist Surveillance Program. They suggested that they would be reluctant to agree to a change in the surveillance law without more information from the White House. "To this day, we have never been provided the presidential authorization that cleared that program to go or the attorney general-Department of Justice opinions that declared it to be lawful," said Senator Sheldon Whitehouse, Democrat of Rhode Island. "Where's the transparency as to the presidential authorizations for this closed program? 
That's a pretty big 'we're not going to tell you' in this new atmosphere of trust we're trying to build."

From rforno at infowarrior.org Wed May 2 03:26:02 2007 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 01 May 2007 23:26:02 -0400 Subject: [Infowarrior] - 2,176 Secret FISA Warrants Issued in 2006 Message-ID: 2,176 Secret Warrants Issued in 2006 http://www.guardian.co.uk/worldlatest/story/0,,-6601669,00.html Wednesday May 2, 2007 3:46 AM By LARA JAKES JORDAN Associated Press Writer WASHINGTON (AP) - A secret court approved all but one of the government's requests last year to search or eavesdrop on suspected terrorists and spies, according to Justice Department data released Tuesday. In all, the Foreign Intelligence Surveillance Court signed off on 2,176 warrants targeting people in the United States believed to be linked to international terror organizations or spies. The record number is more than twice as many as were issued in 2000, the last full year before the terrorist attacks of Sept. 11, 2001. One application was denied in part, and 73 required changes before being approved. The disclosure was mandated as part of the renewal of the Patriot Act, the administration's sweeping anti-terror law. It was released as a Senate intelligence panel examined changes to the 1978 Foreign Intelligence Surveillance Act that could let the government more easily monitor homegrown terrorists. But in its three-page public report, sent to Senate and House leaders, the Justice Department said it could not yet provide data on how many times the FBI secretly sought telephone, Internet and banking records about U.S. citizens and residents without court approval. The department is still compiling those numbers amid an internal investigation of the FBI's improper - and in some cases illegal - use of so-called national security letters. The letters are administrative subpoenas that do not require a judge's approval. 
A March audit by Justice Department Inspector General Glenn A. Fine concluded that some FBI agents had demanded personal data without official authorization, and improperly obtained telephone records in non-emergency circumstances. It also found that the FBI for three years underreported to Congress how often it used national security letters to ask businesses to turn over customer data. Assistant Attorney General Richard Hertling said the FBI would give Congress updated numbers for 2007, and corrected data for last year, when it finishes "taking steps to correct the identified deficiencies in its tracking of NSLs." In 2005, the FBI reported issuing national security letters on 3,501 citizens and legal residents. The FISA court also approved 43 warrants to let investigators examine business records of suspected terrorists and spies. It changed four of the applications before approving them, but did not deny any, according to the Justice report.

From rforno at infowarrior.org Wed May 2 11:41:18 2007 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 02 May 2007 07:41:18 -0400 Subject: [Infowarrior] - Digg Riot Over Pulled HD-DVD Key Story Message-ID: (interesting this link was found on, of all places, the Drudge Report!! ---rf) Breaking: Digg Riot in Full Effect Over Pulled HD-DVD Key Story http://gizmodo.com/gadgets/geeks-will-not-be-silenced/breaking-digg-riot-in-full-effect-over-pulled-hd+dvd-key-story-256982.php The power of Web 2.0 is in full effect over at Digg, where users are revolting over Digg's decision to pull a story (that netted over 15,000 diggs) and reportedly boot a user for posting the HD-DVD AACS Processing Key number, which would allow someone to crack the copy protection on an HD-DVD. The front page (along with two and three) of Digg consists entirely of stories flaunting the number or criticizing Digg for its actions. Update: Fresh screencap, gallery of first four pages and thoughts after the jump. 
While it might not have proven to be the best course of action in hindsight, we seriously doubt that Kevin Rose's decision to pull the story revealing the HD-DVD key was selling out or intentionally betraying the community. A number of people have pointed out that HD-DVD is a Digg sponsor, and have used that fact to level such charges at Kevin. We have sponsors too, but that doesn't ever mean we'd sell out our readers or alter our content because of those sponsors. Kevin has equally shown nothing but commitment to Digg's users, community, and the site's integrity. People should hear out his explanation for this move before wholesale trashing Digg's founder. That said, tonight's been a watermark in social media, even just looking at the ingenious (and often hilarious) variations users have come up with to cram the key into headlines, comments and user invites. Personal favorite so far: "Digg deleted my hard drive for posting the HD-DVD KEY! Now my hard drive refuses to write in binary. I get Error Code: 09-F9-11-02-9D-74-E3-5B-D8-41-56-C5-63-56-88-C0 . Oh noz."

From rforno at infowarrior.org Wed May 2 11:42:46 2007 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 02 May 2007 07:42:46 -0400 Subject: [Infowarrior] - Felten: AACS Plays Whack-a-Mole with Extracted Key Message-ID: AACS Plays Whack-a-Mole with Extracted Key Tuesday May 1, 2007 by Ed Felten http://www.freedom-to-tinker.com/?p=1152 The people who control AACS, the copy protection technology used on HD-DVD and Blu-ray discs, are apparently trying to shut down websites that publish a certain 128-bit integer. The number is apparently a "processing key" used in AACS. Together with a suitable computer program, the key allows the decryption of video content on most existing HD-DVD and Blu-ray discs. I won't publish the key here but you can spot it all over the Web. It's a long string starting with "09 F9". 
The key has been published on a few websites for months, but in recent days the AACS "Licensing Authority" (AACS LA) has taken to sending out demand letters to websites that publish the key, claiming that the key is a circumvention technology under the DMCA. News of these demand letters, and the subsequent disappearance of content and whole sites from the Net, has triggered an entirely predictable backlash, with thousands of people reposting the key to their own sites. The key will inevitably remain available, and AACS LA are just making themselves look silly by trying to suppress it. We've seen this script before. The key will show up on T-shirts and in song lyrics. It will be chalked on the sidewalk outside the AACS LA office. And so on. It's hard to see the logic in AACS LA's strategy here. Their end goal is (or should be) to stop unauthorized online distribution of high-def video files ripped from HD-DVD or Blu-ray discs. The files in question are enormous and cumbersome to store and distribute, containing more than a gigabyte of content. If you can't stop distribution of these huge files, surely there's no hope of stopping distribution of a little sixteen-byte key, or even of decryption software containing the key. Whatever tactics can stop distribution of the key should be even more effective against distribution of movies. My guess is that AACS LA miscalculated, thinking that a few demand letters would succeed in suppressing the key. As the key spread, it seemed natural to continue sending letters -- to do otherwise would be an admission of defeat. Now the key is spread so widely that there's no point in sending any more letters. The next question is whether AACS LA will try to sue somebody who defied a demand letter. There's no real strategic point to such a suit, but even big organizations act out of spite sometimes. 
From rforno at infowarrior.org Wed May 2 11:44:02 2007 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 02 May 2007 07:44:02 -0400 Subject: [Infowarrior] - Geist: 'Ignore the US copyright bullies' Message-ID: 'Ignore the US copyright bullies' Internet law professor Michael Geist says countries should resist US bullying tactics over copyright and intellectual property. http://news.bbc.co.uk/2/hi/technology/6592133.stm This week the Office of the United States Trade Representative (USTR), the U.S. government department responsible for international trade, will release its annual report card on intellectual property protection around the world. The Special 301 report typically identifies about 50 countries that the US has targeted for legal reform. The report may at times be reminiscent of the classic movie Casablanca - the USTR rounds up the usual suspects and is shocked to find that their legal rules do not match those adopted in the US - yet it has historically had a significant impact in many countries who fear potential trade sanctions. Indeed, the recent U.S. piracy complaint against China at the World Trade Organization sent a strong message that intellectual property issues are now a major trade issue. US dissatisfaction with intellectual property protection typically bears little relation to whether the country actually meets international standards. 'Virtual certainty' For example, this year it is a virtual certainty that Canada will receive special attention, with the U.S. claiming that the country has neglected to address critical issues and suggesting that it is rapidly emerging as a piracy haven. 
While the report will generate media headlines and cries for immediate action, the reality is that Canada meets all of its international copyright obligations. Moreover, differences between the US and Canadian economies - the US is a major exporter of cultural products and has therefore unsurprisingly made stronger copyright protection a core element of its trade strategy while Canada is a net importer of cultural products with a billion dollar annual culture deficit - means that US-backed reforms may do more harm than good. Consider three issues likely to generate criticism in the Special 301 report - ratification of the World Intellectual Property Organization's Internet treaties, extension of the term of copyright from life of the author plus 50 years to life plus 70 years, and the introduction of anti-camcording legislation designed to stem movie piracy. Notwithstanding the pressure on many countries to act on these issues, even one-time U.S. supporters are beginning to admit that these policies are open to doubt. Marybeth Peters, the U.S. Registrar of Copyrights has noted that the US extension of copyright was a "big mistake," and the President of the US National Theater Owners Association has advised his members that notwithstanding the introduction of anti-camcording laws, unauthorised camcording in the US is on the rise. Not only are the policies suspect, but the USTR report should be seen for what it is - a biased analysis of foreign law supported by a well-orchestrated lobby effort. Trade agreements Since the mid-1990s, the USTR has placed intellectual property protection at the very top of its priority list. 
As a result, dozens of countries have entered into trade agreements with the US in which they undertake to implement US-style intellectual property protections. Over the past decade, it has concluded trade agreements with countries in every corner of the globe, including Australia, Singapore, Morocco, Chile, Jordan, and a handful of Central American countries. The latest example is this month's free trade agreement between the US and South Korea. As part of that deal, the US demanded that South Korea extend the term of copyright, ratify the WIPO Internet treaties, decrease Korean content requirements, and open Korean broadcast and telecommunications companies to total US ownership. 'Intense lobbying' Even those countries with trade agreements in place - the North American Free Trade Agreement pre-dates the shift in USTR priorities - have not been spared intense US lobbying. For example, in recent months US Ambassador to Canada, David Wilkins, has publicly called on Canada to introduce copyright reform, characterising the country's laws as the weakest in the G7 (he conveniently overlooks the fact that the G7 no longer exists and that references to the G8, which includes Russia, would not be accurate), while US Senators Dianne Feinstein and John Cornyn have written a public letter to Prime Minister Stephen Harper demanding anti-camcording legislation. Canadian government documents obtained under the Access to Information Act reveal that lobbying pressure is even more intense behind closed doors. While the USTR report and its supporters seek to paint many countries as laggards on copyright, this rhetoric ignores the fact that many of those same countries are compliant with their international obligations. 
In fact, of the three highlighted issues (WIPO ratification, copyright extension, and camcording), only three of 192 United Nations members - the US, Singapore, and the Czech Republic - have completed all three so-called reforms. No country should be in a rush to become the fourth country on that list. The USTR may dole out many failing grades, however, the real failure lies with countries that cave into such bullying by enacting laws that are not in their national interest. Michael Geist holds the Canada Research Chair in Internet and E-commerce Law at the University of Ottawa, Faculty of Law. He can be reached at mgeist at uottawa.ca or online at www.michaelgeist.ca. From rforno at infowarrior.org Wed May 2 12:30:02 2007 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 02 May 2007 08:30:02 -0400 Subject: [Infowarrior] - New Army regulations on blogs and emails Message-ID: Army Squeezes Soldier Blogs, Maybe to Death Noah Shachtman Email 05.02.07 | 2:00 AM http://www.wired.com/print/politics/onlinerights/news/2007/05/army_bloggers The U.S. Army has ordered soldiers to stop posting to blogs or sending personal e-mail messages, without first clearing the content with a superior officer, Wired News has learned. The directive, issued April 19, is the sharpest restriction on troops' online activities since the start of the Iraq war. And it could mean the end of military blogs, observers say. Military officials have been wrestling for years with how to handle troops who publish blogs. Officers have weighed the need for wartime discretion against the opportunities for the public to personally connect with some of the most effective advocates for the operations in Afghanistan and Iraq -- the troops themselves. The secret-keepers have generally won the argument, and the once-permissive atmosphere has slowly grown more tightly regulated. Soldier-bloggers have dropped offline as a result. 
The new rules (.pdf) obtained by Wired News require a commander be consulted before every blog update. "This is the final nail in the coffin for combat blogging," said retired paratrooper Matthew Burden, editor of The Blog of War anthology. "No more military bloggers writing about their experiences in the combat zone. This is the best PR the military has -- it's most honest voice out of the war zone. And it's being silenced." Army Regulation 530--1: Operations Security (OPSEC) (.pdf) restricts more than just blogs, however. Previous editions of the rules asked Army personnel to "consult with their immediate supervisor" before posting a document "that might contain sensitive and/or critical information in a public forum." The new version, in contrast, requires "an OPSEC review prior to publishing" anything -- from "web log (blog) postings" to comments on internet message boards, from resumes to letters home. Failure to do so, the document adds, could result in a court-martial, or "administrative, disciplinary, contractual, or criminal action." Despite the absolutist language, the guidelines' author, Major Ray Ceralde, said there is some leeway in enforcement of the rules. "It is not practical to check all communication, especially private communication," he noted in an e-mail. "Some units may require that soldiers register their blog with the unit for identification purposes with occasional spot checks after an initial review. Other units may require a review before every posting." But with the regulations drawn so tightly, "many commanders will feel like they have no choice but to forbid their soldiers from blogging -- or even using e-mail," said Jeff Nuding, who won the bronze star for his service in Iraq. "If I'm a commander, and think that any slip-up gets me screwed, I'm making it easy: No blogs," added Nuding, writer of the "pro-victory" Dadmanly site. "I think this means the end of my blogging." 
Active-duty troops aren't the only ones affected by the new guidelines. Civilians working for the military, Army contractors -- even soldiers' families -- are all subject to the directive as well. But, while the regulations may apply to a broad swath of people, not everybody affected can actually read them. In a Kafka-esque turn, the guidelines are kept on the military's restricted Army Knowledge Online intranet. Many Army contractors -- and many family members -- don't have access to the site. Even those able to get in are finding their access is blocked to that particular file. "Even though it is supposedly rewritten to include rules for contractors (i.e., me) I am not allowed to download it," e-mails Perry Jeffries, an Iraq war veteran now working as a contractor to the Armed Services Blood Program. The U.S. military -- all militaries -- have long been concerned about their personnel inadvertently letting sensitive information out. Troops' mail was read and censored throughout World War II; back home, government posters warned citizens "careless talk kills." Military blogs, or milblogs, as they're known in service-member circles, only make the potential for mischief worse. On a website, anyone, including foreign intelligence agents, can stop by and look for information. "All that stuff we used to get around a bar and say to each other -- well, now because we're publishing it in open forums, now it's intel," said milblogger and retired Army officer John Donovan. Passing on classified data -- real secrets -- is already a serious military crime. The new regulations (and their author) take an unusually expansive view of what kind of unclassified information a foe might find useful. In an article published by the official Army News Service, Maj. Ceralde "described how the Pentagon parking lot had more parked cars than usual on the evening of Jan. 16, 1991, and how pizza parlors noticed a significant increase of pizza to the Pentagon.... 
These observations are indicators, unclassified information available to all -- that Operation Desert Storm (was about to) beg(i)n." Steven Aftergood, head of the Federation of American Scientists' Project on Government Secrecy, called Ceralde's example "outrageous." "It's true that from an OPSEC (operational security) perspective, almost anything -- pizza orders, office lights lit at odd hours, full or empty parking lots -- can potentially tip off an observer that something unusual is afoot," he added. "But real OPSEC is highly discriminating. It does not mean cutting off the flow of information across the board. If on one day in 1991 an unusual number of pizza orders coincided with the start of Desert Storm, it doesn't mean that information about pizza orders should now be restricted. That's not OPSEC, that's just stupidity." During the early days of the Iraq war, milblogs flew under the radar of the Defense Department's information security establishment. But after soldiers like Specialist Colby Buzzell began offering detailed descriptions of firefights that were scantily covered in the press, blogs began to be viewed by some in the military as a threat -- an almost endless chorus of unregulated voices that could say just about anything. Buzzell, for one, was banned from patrols and confined to base after such an incident. Military officials asked other bloggers to make changes to their sites. One soldier took down pictures of how well armor stood up to improvised bombs; a military spouse erased personal information from her site -- including "dates of deployment, photos of the family, the date their next child is expected, the date of the baby shower and where the family lives," said Army spokesman Gordon Van Fleet. But such cases have been rare, Major Elizabeth Robbins noted in a paper (.pdf) for the Army's Combined Arms Center. "The potential for an OPSEC violation has thus far outstripped the reality experienced by commanders in the field," she wrote. 
And in some military circles, bloggers have gained forceful advocates. The Office of the Secretary of Defense, for example, now regularly arranges exclusive phone conferences between bloggers and senior commanders in Afghanistan and Iraq. Major Robbins, for one, has argued strongly for easing the restrictions on the soldier-journalists. "The reputation of the Army is maintained on many fronts, and no one fights harder on its behalf than our young soldiers. We must allow them access to the fight," Robbins wrote. "To silence the most credible voices -- those at the spear's edge -- and to disallow them this function is to handicap ourselves on a vital, very real battlefield." Nevertheless, commanders have become increasingly worried about the potential for leaks. In April 2005, military leaders in Iraq told milbloggers to "register" (.pdf) their sites with superior officers. In September, the Army made the first revision of its OPSEC regulations since the mid-'90s, ordering GIs to talk to their commanders before posting potentially-problematic information. Soldiers began to drop their websites, in response. More bloggers followed suit, when an alert came down from highest levels of the Pentagon that "effective immediately, no information may be placed on websites ... unless it has been reviewed for security concerns," and the Army announced it was activating a team, the Army Web Risk Assessment Cell, to scan blogs for information breaches. An official Army dispatch told milbloggers, "Big Brother is not watching you, but 10 members of a Virginia National Guard unit might be." That unit continues to look for security violations, new regulations in hand. See the Wired blog Danger Room for additional information on the Army's blogger ban. 
From rforno at infowarrior.org Wed May 2 12:30:32 2007 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 02 May 2007 08:30:32 -0400 Subject: [Infowarrior] - Army blogging: Army's Info-Cop Speaks Message-ID: Army's Info-Cop Speaks http://blog.wired.com/defense/ The Army has issued stringent new regulations about how information is supposed to be handled. Everything from blog posts to e-mail to resumes must now get prior approval from a supervisor. And everyone from soldiers to civilians to contractors to family members is covered. I asked Major Ray Ceralde, author of Army Regulation 530-1: Operations Security (OPSEC), a few questions about the new policies by e-mail. Here's what he told me. Q: Why did you decide that the new regs were needed? What's in them that isn't in the 2005 edition? The 2005 regulation, created from minor revisions made to the 1995 regulation, made brief additions to the regulation, specifically to address new technology such as e-mail, Web sites, and blogs, but carried over most of the regulations from 1995. The 2007 regulation is a major revision and provides significant updates in the areas of responsibilities, policy and procedures, and training requirements. It updates and clarifies individual as well as unit/organizational responsibilities. It emphasizes that in addition to Soldiers, Department of the Army Civilians, contractors, and U.S. Army Families must be included in practicing operational security. The 2007 regulation also provides updated guidance on how to establish OPSEC programs for units and organizations as well as updated training requirements. Q: The Army News Service story about the regulations indicates that "Families and friends," as well as Army civilians and contractors, are now covered under the new regs. But, if I'm not mistaken, the new regs themselves are marked FOUO [For Official Use Only], and kept behind the AKO [Army Knowledge Online] firewall. 
So how can these people learn about the guidelines which apply to them? Contractors and U.S. Army Family Members can obtain AKO accounts with sponsorship from authorized Army personnel. With their AKO accounts, they can access the U.S. Army OPSEC regulation. However, commanders and leaders are more likely to inform contractors, and especially U.S. Army Families about OPSEC. While commanders cannot issue orders and directives to Family Members, they can inform them, especially during Family Readiness Group meetings, how poor OPSEC can put their Soldiers as well as themselves in danger and how practicing OPSEC protects all of them.

From rforno at infowarrior.org Wed May 2 12:31:21 2007 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 02 May 2007 08:31:21 -0400 Subject: [Infowarrior] - Link to April 2007 Army OPSEC regulation Message-ID: Army Regulation 530-1: Operations Security (OPSEC) http://blog.wired.com/defense/files/army_reg_530_1_updated.pdf

From rforno at infowarrior.org Thu May 3 00:54:03 2007 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 02 May 2007 20:54:03 -0400 Subject: [Infowarrior] - EFF's analysis of AACS issue and DMCA claims Message-ID: May 02, 2007 http://www.eff.org/deeplinks/archives/005229.php As was reported back in February, an enterprising hacker unearthed and posted one of the decryption keys used by AACS to decode HD-DVD movies (other keys and exploits have been made available in the weeks since). Now the AACS-LA (the entity that licenses AACS to makers of HD-DVD players) has set its lawyers on the futile mission of trying to get every instance of at least one key (hint: it begins with 09 f9) removed from the Internet. Predictably, this legal effort has backfired, resulting in eternal Internet fame for the key in question. 
In addition to having been posted on hundreds of thousands of web sites (and resulting in the temporary shutdown of Digg.com), the key has already spawned a song, a quiz, a domain name, and numerous T-shirts. So now might be a good time to review a few of the basic legal issues raised by the posting of the keys. (This is an overview of the legal landscape, not legal advice, and I am not expressing any view about how a case might come out if AACS-LA sued anyone.) What is the AACS-LA's argument? In its takedown letters, the AACS-LA claims that hosting the key violates the DMCA's ban on trafficking in circumvention devices. The DMCA provides that: No person shall ... offer to the public, provide, or otherwise traffic in any technology, product, service, device, component, or part thereof that - (A) is primarily designed or produced for the purpose of circumventing a technological measure that effectively controls access to a work protected under this title; (B) has only limited commercially significant purpose or use other than to circumvent a technological measure that effectively controls access to a work protected under this title; or (C) is marketed by that person or another acting in concert with that person with that person's knowledge for use in circumventing a technological measure that effectively controls access to a work protected under this title. The AACS-LA presumably would argue that the key is a "component" or "part" of a "technology" that circumvents AACS. Moreover, AACS-LA would likely argue that the key was "primarily ... produced" to circumvent AACS, that it has no other commercially significant purpose, and that it is being "marketed" for use in a circumvention technology. The takedown letters seem to take the position that both the poster and the hosting provider are engaged in "trafficking." 
The AACS-LA will also doubtless point to the DMCA cases brought against 2600 magazine for posting the DeCSS code back in 2000 (EFF was counsel to the defendant). In that case, both the district court and court of appeals concluded that posting DeCSS to a website violated the DMCA. Who can sue over the posting of the key? The DMCA entitles "anyone injured by a violation" to bring a civil lawsuit seeking damages (including statutory damages ranging between $200 and $2500 for each "offer"). In addition, if a person violates the DMCA "willfully and for purposes of commercial gain," a federal prosecutor could bring criminal charges (with the famous exception of the Sklyarov case, however, criminal prosecutions have generally been limited to situations where the DMCA violation was also accompanied by evidence of commercial piracy). What about just linking to a place where the key is posted? The courts in the DeCSS case wrestled with the proper test to apply when someone links to a location where a circumvention tool can be found. Ultimately, the district court held that an injunction against linking could be issued after a final judgment if the plaintiff could show, by clear and convincing evidence, "that those responsible for the link (a) know at the relevant time that the offending material is on the linked-to site, (b) know that it is circumvention technology that may not lawfully be offered, and (c) create or maintain the link for the purpose of disseminating that technology." The court of appeals upheld that ruling, while admitting that the issue presented a difficult First Amendment question. What about the DMCA safe harbors? 
While no court has ruled on the issue, AACS-LA will almost certainly argue that the DMCA safe harbors do not protect online service providers who host or link to the key (the AACS-LA takedown letters do not invoke the DMCA "notice-and-takedown" provisions, nor do they include the required elements for such a takedown, thereby signaling the AACS-LA position on this). The DMCA safe harbors apply to liabilities arising from "infringement of copyright." Several courts have suggested that trafficking in circumvention tools is not "copyright infringement," but a separate violation of a "para-copyright" provision. It's difficult to say how a court would rule on this question, but it does create a specter of monetary liability for hosting providers, even if they otherwise comply with the "notice-and-takedown" procedures required by the DMCA safe harbors.

Is the key copyrightable?

It doesn't matter. The AACS-LA takedown letter is not claiming that the key is copyrightable, but rather that it is (or is a component of) a circumvention technology. The DMCA does not require that a circumvention technology be, itself, copyrightable to enjoy protection.

For more information about the continuing melt-down of AACS generally, as well as details regarding the various keys and how they interact, be sure to read the coverage on Doom9's forums, Freedom to Tinker, and Engadget, which have been doing the best job reporting on developments.

From rforno at infowarrior.org Thu May 3 02:04:09 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 02 May 2007 22:04:09 -0400
Subject: [Infowarrior] - Homeless man disrupts Internet2 service
Message-ID:

http://www.networkworld.com/news/2007/050207-internet2-fire.html

Homeless man disrupts Internet2 service
By Adam Gaffin, Network World, 05/02/07

A fire started by a homeless man knocked out service between Boston and New York on the experimental Internet2 network Tuesday night.
Chris Robb, an engineer at Indiana University's Global Network Operations Center who works on Internet2, says Level 3 Communications cables used by the network went up in flames. The cables were on the Longfellow Bridge, which connects Boston and Cambridge across the Charles River.

Robb, who co-authors the Internet2 Network Upgrade blog, writes that Level 3 engineers estimate it could take one to two days to restore the circuit. Engineers are looking at rerouting a Chicago-to-New York OC-192 circuit that normally goes through Boston to Washington until service is restored.

Robb writes: "Question: When can a cigarette take down your network? Answer: When you throw it at a bridge and light it on fire."

Authorities say the fire, which also disrupted service on the Red Line subway, started around 8:20 p.m. when a homeless man tossed a lit cigarette. The cigarette landed on a mattress, which ignited and led to a two-alarm fire.

© Copyright 2007 Network World Inc.

From rforno at infowarrior.org Thu May 3 02:07:26 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 02 May 2007 22:07:26 -0400
Subject: [Infowarrior] - How a Number Became the Latest Web Celebrity
Message-ID:

May 3, 2007
How a Number Became the Latest Web Celebrity
By BRAD STONE
http://www.nytimes.com/2007/05/03/technology/03code.html?_r=1&hp=&oref=slogin&pagewanted=print

SAN FRANCISCO, May 2 -- There is open revolt on the Web.

Sophisticated Internet users have banded together over the last two days to publish and widely distribute a secret code used by the technology and movie industries to prevent piracy of high-definition movies.

The broader distribution of the code may not pose a serious threat to the studios, because it requires some technical expertise and specialized software to use it to defeat the copy protection on Blu-ray and HD DVD discs. But its relentless spread has already become a lesson in mob power on the Internet and the futility of censorship in the digital world.
An online uproar came in response to a series of cease-and-desist letters from lawyers for a group of companies that use the copy protection system, demanding that the code be removed from several Web sites.

Rather than wiping out the code -- a string of 32 digits and letters in the specialized counting system -- the legal notices sparked its proliferation on Web sites, in chat rooms, inside cleverly doctored digital photographs and on user-submitted news sites like Digg.com.

"It's a perfect example of how a lawyer's involvement can turn a little story into a huge story," said Fred von Lohmann, a staff lawyer at the Electronic Frontier Foundation, a digital rights group. "Now that they started sending threatening letters, the Internet has turned the number into the latest celebrity. It is now guaranteed eternal fame."

The number is being enshrined in some creative ways. Keith Burgon, a 24-year-old musician in Goldens Bridge, N.Y., grabbed his acoustic guitar on Tuesday and improvised a melody while soulfully singing the code. He posted the song to YouTube, where it was played more than 45,000 times.

"I thought it was a source of comedy that they were trying so futilely to quell the spread of this number," Mr. Burgon said. "The ironic thing is, because they tried to quiet it down it's the most famous number on the Internet."

During his work break on Tuesday, James Bertelson, an engineer in Vancouver, Wash., joined the movement and created a Web page featuring nothing but the number, obscured in an encrypted format that only insiders could appreciate. He then submitted his page to Digg, a news site where users vote on what is important. Despite its sparse offerings, his submission received nearly 5,000 votes and was propelled onto Digg's main page.

"For most people this is about freedom of speech, and an industry that thinks that just because it has high-priced lawyers it has the final say," Mr. Bertelson said.
Messages left for those lawyers and the trade organization they represent, the Advanced Access Content System Licensing Administrator, which controls the encryption system known as A.A.C.S., were not answered. In an e-mail message, a representative for the group said only that it "is looking into the matter and has no further comment at this time."

The organization is backed by technology companies like I.B.M., Intel, Microsoft and Sony and movie studios like Disney and Warner Brothers, which is owned by Time Warner.

The secret code actually stopped being a secret in February, when a hacker ferreted it out of his movie-playing software and posted it on a Web bulletin board. From there it spread through the network of technology news sites and blogs.

Last month, lawyers for the trade group began sending out cease-and-desist letters, claiming that Web pages carrying the code violated its intellectual property rights under the 1998 Digital Millennium Copyright Act. Letters were sent to Google, which runs a blog network at blogspot.com, and the online encyclopedia Wikipedia.

The campaign to remove the number from circulation went largely unnoticed until news of the letters hit Digg. The 25-employee company in San Francisco, acting on the advice of its lawyers, removed posting submissions about the secret number from its database earlier this week, then explained the move to its readers on Tuesday afternoon.

The removals were seen by many Digg users as a capitulation to corporate interests and an assault on their right of free speech. Some also said that the trade group that promotes the HD-DVD format, which uses A.A.C.S. protection, had advertised on a weekly Digg-related video podcast.

On Tuesday afternoon and into the evening, stories about or including the code swamped Digg's main page, which the company says gets 16 million readers each month. At 9 p.m. West Coast time, the company surrendered to mob sentiment.
"You'd rather see Digg go down fighting than bow down to a bigger company," wrote Kevin Rose, Digg's founder, in a blog post. "We hear you, and effective immediately we won't delete stories or comments containing the code and will deal with whatever the consequences might be." If Digg loses, he wrote, "at least we died trying."

Jay Adelson, Digg's chief executive, said in an interview that the site was disregarding the advice of its lawyers. "We just decided that it is more important to stand by our users," he said. Regarding the company's exposure to lawsuits he said, "we are just going to prepare and do our best."

The conflict spilled over to Wikipedia, where administrators had to restrict editing on some entries to keep contributors from repeatedly posting the code.

The episode recalls earlier acts of online rebellion against the encryption that protects media files from piracy. Some people believe that such systems unfairly limit their freedom to listen to music and watch movies on whatever devices they choose.

In 1999, hackers created a program called DeCSS that broke the software protecting standard DVDs and posted it on the hacker site 2600.com. The Motion Picture Association of America sued, and New York District Court Judge Lewis A. Kaplan, citing the digital copyright act, sided with the movie industry. The DVD code disappeared from the 2600 site, but nevertheless resurfaced in playful haiku, on T-shirts and even in a movie in which the code scrolled across the screen like the introductory crawl in "Star Wars."

In both cases, the users who joined the revolt and published the codes may be exposing themselves to legal risk. Chris Sprigman, an associate professor at the University of Virginia School of Law, said that under the digital copyright act, propagating even parts of techniques intended to circumvent copyright was illegal.

However, with thousands of Internet users now impudently breaking the law, Mr. Sprigman said that the entertainment and technology industries would have no realistic way to pursue a legal remedy. "It's a gigantic can of worms they've opened, and now it will be awfully hard to do anything with lawsuits," he said.

From rforno at infowarrior.org Thu May 3 12:06:14 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 03 May 2007 08:06:14 -0400
Subject: [Infowarrior] - PC World editor resigns over apparent ad pressure
Message-ID:

PC World editor resigns over apparent ad pressure
By Tom Krazit
http://news.com.com/PC+World+editor+resigns+over+apparent+ad+pressure/2100-1030_3-6181075.html
Story last modified Wed May 02 22:32:58 PDT 2007

Award-winning Editor-in-Chief Harry McCracken of PC World resigned Tuesday over disagreements with the magazine's publisher regarding stories critical of advertisers, according to sources.

McCracken, reached Wednesday evening, confirmed that he resigned after 12 years at the magazine and 16 years at publisher International Data Group, over disagreements with management. He declined to comment on the nature of those disagreements.

But three sources, who spoke on the condition of anonymity, told CNET News.com that McCracken informed staffers in an afternoon meeting Wednesday that he decided to resign because Colin Crawford, senior vice president, online, at IDG Communications, was pressuring him to avoid stories that were critical of major advertisers. Wired News reported Wednesday evening that McCracken quit after Crawford killed a draft story titled "Ten Things We Hate About Apple."

An IDG representative confirmed McCracken resigned, but said he was unable to comment on personnel matters. In an e-mail to News.com, Crawford denied that advertiser pressure played any part in McCracken's resignation.
< - >

http://news.com.com/2102-1030_3-6181075.html?tag=st.util.print

From rforno at infowarrior.org Thu May 3 12:20:53 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 03 May 2007 08:20:53 -0400
Subject: [Infowarrior] - Forno/Schneier Op-Ed on REAL ID
Message-ID:

National ID card a disaster in the making
By Richard Forno and Bruce Schneier
http://news.com.com/National+ID+card+a+disaster+in+the+making/2010-7348_3-6180835.html
Story last modified Thu May 03 04:00:04 PDT 2007

Six years into the "new normal" of terror alerts, identification checks, electronic surveillance, and increasing levels of secrecy-based security, the prospect of a national identification card needs serious public debate.

In March, the Department of Homeland Security released its long-awaited guidance document regarding national implementation of the Real ID program, as part of its post-9/11 national security initiatives. It is perhaps quite telling that despite bipartisan opposition, Real ID was buried in a 2005 "must-pass" military spending bill and enacted into law without public debate or congressional hearings.

DHS has maintained that the Real ID concept is not a national identification database. While it's true that the system is not a single database per se, this is a semantic dodge; according to the DHS document, Real ID will be a collaborative data-interchange environment built from a series of interlinking systems operated and administered by the states. In other words, to the Department of Homeland Security, it's not a single database because it's not a single system. But the functionality of a single database remains intact under the guise of a federated data-interchange environment.
< - >

http://news.com.com/National+ID+card+a+disaster+in+the+making/2010-7348_3-6180835.html

From rforno at infowarrior.org Thu May 3 13:08:17 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 03 May 2007 09:08:17 -0400
Subject: [Infowarrior] - Schneier: Do We Really Need a Security Industry?
Message-ID:

(my take on this from 2006: http://infowarrior.org/articles/2006-01.html)

Do We Really Need a Security Industry?
05.03.07 | 2:00 AM
Bruce Schneier
http://www.wired.com/politics/security/commentary/securitymatters/2007/05/securitymatters_0503

Last week I attended the Infosecurity Europe conference in London. Like at the RSA Conference in February, the show floor was chockablock full of network, computer and information security companies. As I often do, I mused about what it means for the IT industry that there are thousands of dedicated security products on the market: some good, more lousy, many difficult even to describe. Why aren't IT products and services naturally secure, and what would it mean for the industry if they were?

I mentioned this in an interview with Silicon.com, and the published article seems to have caused a bit of a stir. Rather than letting people wonder what I really meant, I thought I should explain.

The primary reason the IT security industry exists is because IT products and services aren't naturally secure. If computers were already secure against viruses, there wouldn't be any need for antivirus products. If bad network traffic couldn't be used to attack computers, no one would bother buying a firewall. If there were no more buffer overflows, no one would have to buy products to protect against their effects. If the IT products we purchased were secure out of the box, we wouldn't have to spend billions every year making them secure.

Aftermarket security is actually a very inefficient way to spend our security dollars; it may compensate for insecure IT products, but doesn't help improve their security.
Additionally, as long as IT security is a separate industry, there will be companies making money based on insecurity -- companies who will lose money if the internet becomes more secure.

Fold security into the underlying products, and the companies marketing those products will have an incentive to invest in security upfront, to avoid having to spend more cash obviating the problems later. Their profits would rise in step with the overall level of security on the internet. Initially we'd still be spending a comparable amount of money per year on security -- on secure development practices, on embedded security and so on -- but some of that money would be going into improving the quality of the IT products we're buying, and would reduce the amount we spend on security in future years.

I know this is a utopian vision that I probably won't see in my lifetime, but the IT services market is pushing us in this direction. As IT becomes more of a utility, users are going to buy a whole lot more services than products. And by nature, services are more about results than technologies. Service customers -- whether home users or multinational corporations -- care less and less about the specifics of security technologies, and increasingly expect their IT to be integrally secure.

Eight years ago, I formed Counterpane Internet Security on the premise that end users (big corporate users, in this case) really don't want to have to deal with network security. They want to fly airplanes, produce pharmaceuticals or do whatever their core business is. They don't want to hire the expertise to monitor their network security, and will gladly farm it out to a company that can do it for them. We provided an array of services that took day-to-day security out of the hands of our customers: security monitoring, security-device management, incident response. Security was something our customers purchased, but they purchased results, not details.
Last year BT bought Counterpane, further embedding network security services into the IT infrastructure. BT has customers that don't want to deal with network management at all; they just want it to work. They want the internet to be like the phone network, or the power grid, or the water system; they want it to be a utility. For these customers, security isn't even something they purchase: It's one small part of a larger IT services deal. It's the same reason IBM bought ISS: to be able to have a more integrated solution to sell to customers.

This is where the IT industry is headed, and when it gets there, there'll be no point in user conferences like Infosec and RSA. They won't go away; they'll simply become industry conferences. If you want to measure progress, look at the demographics of these conferences. A shift toward infrastructure-geared attendees is a measure of success.

Of course, security products won't disappear -- at least, not in my lifetime. There'll still be firewalls, antivirus software and everything else. There'll still be startup companies developing clever and innovative security technologies. But the end user won't care about them. They'll be embedded within the services sold by large IT outsourcing companies like BT, EDS and IBM, or ISPs like EarthLink and Comcast. Or they'll be a check-box item somewhere in the core switch.

IT security is getting harder -- increasing complexity is largely to blame -- and the need for aftermarket security products isn't disappearing anytime soon. But there's no earthly reason why users need to know what an intrusion-detection system with stateful protocol analysis is, or why it's helpful in spotting SQL injection attacks. The whole IT security industry is an accident -- an artifact of how the computer industry developed. As IT fades into the background and becomes just another utility, users will simply expect it to work -- and the details of how it works won't matter.
- - -
Bruce Schneier is the CTO of BT Counterpane and the author of Beyond Fear: Thinking Sensibly About Security in an Uncertain World.

From rforno at infowarrior.org Thu May 3 14:34:38 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 03 May 2007 10:34:38 -0400
Subject: [Infowarrior] - The E-Mail Addict
Message-ID:

The E-Mail Addict
Stop using, start living.
By Michael Agger
Posted Wednesday, May 2, 2007, at 6:30 PM ET
http://www.slate.com/id/2165452/nav/tap1/

The Virginia Tech shooting drowned out what was, for many, the week's more personally disruptive event: On Tuesday, April 17, BlackBerrys in the Western Hemisphere ceased to function for several hours. Over on the tech site Slashdot, someone cracked wise with a line from Star Wars, saying the failure was "as though a million voices cried out and were suddenly silenced."

A funny comment, but also strangely apt. Consider what Obi-Wan told Luke about the Force in 1977: "The Force is what gives a Jedi his power. It's an energy field created by all living things. It surrounds us and penetrates us. It binds the galaxy together." Now consider our feelings about e-mail circa 2007. It gives the manager control of his "direct reports," it keeps the worker tuned to his desk, it's full of life-altering possibility: a job offer, a response from a cute co-worker, a winning eBay bid.

On a micro level, the outage made people briefly confront their BlackBerry dependence. On a macro level, it spurred those questions consultants like to ask: Are we addicted to e-mail? Is it counterproductive? Near the center of this conversation lies Marsha Egan, a life coach and self-described "corporate escapee." In February, she sent out a press release asking, "Are you E-ddicted to your E-mail?" The release went on to describe Egan's 12-step program for curing your "e-mail e-ddiction." I e-mailed Egan to ask if we could discuss her program. She called me on the phone a few hours later.
Because I prefer e-mail, I let the call go to voice mail. When I called her back, she explained that this was to be the 148th interview she had given on the subject. She had appeared on everything from Australian radio to the "German equivalent of Newsweek." So, lesson No. 1: The media are addicted to e-mail and to discussing e-mail addiction.

I check my e-mail every seven minutes or so. Marsha Egan sets her e-mail program to check for new mail every 90 minutes. She calls e-mail "the silent corporate cancer," and that's just the start of her metaphoric arsenal: "It eats away at people's time, a minute at a time. I call it bleeding to death from a thousand pinpricks." Her calculation is as follows: "It's commonly believed and understood that it takes about 4 minutes to recover from any interruption. If the computer dings at you and you look 30 times, that's 120 minutes of recovery time. That's the crisis."

The first step to health is admitting that you have a problem, and then turning off Microsoft Outlook's automatic send and receive. The second step is very steep: "You must commit to emptying your Inbox every time you go in there."

Have you ever emptied your inbox? It's like hacking off a limb. With no e-mail to reply to, I feel a disorientating lightness. I am at loose ends and have no way to fill those little holes in the day. That's also part of the problem, according to Egan and her fellow productivity coaches. E-mail, which is innately reactive, has become the default method of "working." The idea behind emptying your inbox is to convert all those e-mails into actions. You're allowed to deal with any mail that will take less than two minutes to answer. Otherwise, you should file your outstanding messages into folders such as "Pending," "Reply To," "Archive," and "YouTube Links" and deal with them as a unit later, when you've mapped out your day and polished off those urgent TPS reports.
Egan notes that people have a tendency to simply open their inboxes and scroll up and down for several minutes, knocking off two or three messages so they feel better. She calls this inefficient process "e-noodling." You get the e-idea yet? If you want the rest of the 12 steps, you will have to send Marsha Egan $36.

When she gives her tele-seminars, people immediately pipe up that their companies would never let them ignore e-mail, even for an hour. She responds that some companies have a "toxic e-mail culture" and that change needs to come from the top. As you might expect, she's working on a new book, The E-Mail Pandemic, which addresses this very issue and its international consequences.

The next question the attendees ask is more difficult: "How do I stop the e-mail from coming?" It never stops, unless you stop sending it. I've noticed that people who give up e-mail for good tend to have a wonderful device that aids them with all of their communication: a secretary. Timothy Ferriss, a young productivity guru who wrote a book called The 4-Hour Workweek, suggests that you send an auto-reply to every message telling correspondents when you check your e-mail. (He likes to check once a day, in the evenings.) There has also been a mini-thread of bloggers and heavy e-mail users who have declared e-mail bankruptcy. They send out a note to everyone in their address book asking them to send fresh e-mails, as they do not intend to reply to any old, unanswered messages.

There's a ring of familiarity to all of this consternation about the "e-mail problem." As you've heard many times, new technology is greeted with anxiety. First, we negotiate how to use it. When the telegraph debuted, books were written about proper telegraphing etiquette. (Initially it was considered impolite to accept an invitation by telegram, but that later changed.)
David Shipley and Will Schwalbe's new book Send: The Essential Guide to E-Mail for Office and Home is the successor of books such as John Hill's The Young Secretary's Guide (1687), which taught English clerks how to write acceptable letters at a time when postal service became widespread and affordable. Once we've mastered the form, what was once a convenient marvel proliferates and can become a painful burden. As professor Thomas Augst succinctly put it in his study of 19th-century American clerks: "To receive a letter is to incur an emotional debt." Today, scholars talk of the "communication enslavement" that occurs when someone sends e-mail to someone else.

All of the guides for writing effective e-mail, the strategies for firewalling your attention, the scare stories about parents turning their children into BlackBerry orphans stop short of grasping the essential e-mail achievement. It has erased the boundary between work and life. That's why we don't want to give up our inboxes. Sure, we're miffed when we check e-mail on vacation and get dragged back into work mode, but we just wanted to see if our friend sent us the photos, or if our broker has any new listings to show us when we get back. Not checking e-mail doesn't simply mean checking out of work; it means checking out of your entire social network.

Many people who are addicted to e-mail are more correctly described as addicted to work. Lots of e-mail makes you feel important. E-mail addicts (like me) fear the empty inbox and, strangely, the potential freedom that e-mail provides. A BlackBerry can make you feel accountable at night, but it also lets you say, play golf, while still monitoring any situation that might come up. When business is conducted through e-mail, it shifts the responsibility of actually working off of the physical setting of the office and back onto you. That lack of structure, or the need to provide your own structure, can be uncomfortable.
Still, you often find confident people who are immune to e-mail addiction. They just don't understand what the fuss is about. They check e-mail when they need to; they turn it off when they've got stuff to do. It's a tool that serves them. They use the Force.

Michael Agger is a Slate associate editor. You can reach him at michael.agger at gmail.com

From rforno at infowarrior.org Thu May 3 23:58:38 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 03 May 2007 19:58:38 -0400
Subject: [Infowarrior] - Speak Out Against REAL ID
In-Reply-To: <463A5ECC.7080504@well.com>
Message-ID:

http://www.privacycoalition.org/stoprealid/

Stop REAL ID! Submit comments to the Dept. of Homeland Security by May 8th!

* A broad coalition of organizations across the United States is urging the public to submit comments rejecting the illegal national identification system created under the Department of Homeland Security's REAL ID program.
* Five states and several members of Congress have rejected the scheme, which creates a massive national ID system without adequate security or privacy safeguards, which makes it more difficult and costly for people to get licenses, and which makes it easier for identity thieves to access the personal data of 245 million license and cardholders nationwide.
* To take action and submit comments against this fundamentally flawed national ID system, click here! Comments are due by 5pm EST on May 8, 2007.

http://www.privacycoalition.org/stoprealid/

From rforno at infowarrior.org Fri May 4 00:00:30 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 03 May 2007 20:00:30 -0400
Subject: [Infowarrior] - Interview with Rain Forest Puppy
Message-ID:

Antonio `s4tan` Parata, software security researcher and member of the ush team interviews Rain Forest Puppy, famous bug hunter, specialized in web application assessment. It's a pleasure for us to publish the full interview, in this case talk is not cheap....
http://www.ush.it/2007/05/01/interview-with-rain-forest-puppy/

From rforno at infowarrior.org Fri May 4 12:06:43 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 04 May 2007 08:06:43 -0400
Subject: [Infowarrior] - AACS vows to fight people who publish the key
Message-ID:

09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0

AACS vows to fight people who publish the key

09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0

Michael Ayers, the chairman of the AACS-LA (the organization that sent hundreds of legal threats to websites that published the random 16-byte number that represented one of the keys for cracking the copy-prevention on HD-DVDs) has given an interview to the BBC in which he vows to use technical and legal means to shut down the 802,000+ websites that have reproduced the key.

09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0

Michael says that this doesn't impact free speech -- that it's possible to discuss the crack and DRM in general without reproducing the key. I think he's wrong. I just taught a class at USC where we talked about this crack as part of our coursework, and part of my lesson was talking about the ease with which this information can be retrieved and spread -- and how that makes anti-copying systems futile. For my students, seeing just how little information was needed to undo the AACS scheme was critical to understanding its fragility. Indeed, one of my students posted this key to the class blog to show his fellow students how trivial this was, prompting AACS to threaten me with legal action as well.
< - >

http://www.boingboing.net/2007/05/04/aacs_vows_to_fight_p.html

09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0

From rforno at infowarrior.org Fri May 4 19:49:42 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 04 May 2007 15:49:42 -0400
Subject: [Infowarrior] - Bush Wants Phone Firms Immune to Privacy Suits
Message-ID:

Bush Wants Phone Firms Immune to Privacy Suits
By Ellen Nakashima
Washington Post Staff Writer
Friday, May 4, 2007; A14
http://www.washingtonpost.com/wp-dyn/content/article/2007/05/03/AR2007050302323_pf.html

The Bush administration is urging Congress to pass a law that would halt dozens of lawsuits charging phone companies with invading ordinary citizens' privacy through a post-Sept. 11 warrantless surveillance program.

The measure is part of a legislative package drafted by the Justice Department to relax provisions in the 1978 Foreign Intelligence Surveillance Act (FISA) that restrict the administration's ability to intercept electronic communications in the United States. If passed, the proposed changes would forestall efforts to compel disclosure of the program's details through Congress or the court system.

The proposal states that "no action shall lie . . . in any court, and no penalty . . . shall be imposed . . . against any person" for giving the government information, including customer records, in connection with alleged intelligence activity the attorney general certifies "is, was, would be or would have been" intended to protect the United States from terrorist attack.

The measure, which has not yet been filed, is contained in a proposed amendment to the fiscal 2008 intelligence authorization bill.

The immunity measure has stoked controversy following public uproar over news reports of warrantless access to both telephone conversations and records as part of the administration's post-Sept. 11 counterterrorism policies.
It is part of a larger debate about the proper balance between guarding national security and civil liberties and the extent to which private companies have acted as an arm of the federal government. In March, the Justice Department inspector general found that the FBI had secret contracts with three telephone companies to obtain Americans' phone records, claiming "exigent circumstances," when, in many instances, none existed.

Civil liberties advocates opposed the immunity measure. They said the government had yet to disclose to Congress the attorney general's legal opinion supporting the surveillance program and what role the phone companies played in it.

The government asserts that the blanket immunity is necessary to protect sensitive national security information.

"If companies are alleged to have cooperated with the government to protect our nation against another attack, they should not be held liable for any assistance they are alleged to have provided," Justice Department spokesman Dean Boyd said.

The immunity would be limited to assistance from Sept. 11, 2001, to the date the measure becomes law.

Though laws exist that could immunize companies against civil and criminal liability in surveillance cases, invoking them would acknowledge that the firm cooperated with the government. Such knowledge could allow a terrorist to adjust tactics, the government argues.

Government lawyers crafted the immunity bill using terms deliberately vague in referring to activity that "would be or would have been" aimed at protecting the country from attack to avoid indicating whether a company cooperated.

But civil libertarians charged that blanket immunity would amount to a legislative pardon to telecommunications companies and others that have aided the government's warrantless surveillance, without explaining the pardon's basis.
"To let them off the hook now sets a dangerous precedent by encouraging them to continue to engage in illegal collaborations with the government in the future," said Kevin Bankston, staff attorney for the Electronic Frontier Foundation, which last year filed a class-action lawsuit against AT&T, charging that the company allowed the government to unlawfully monitor U.S. residents.

The measure would gut Congress's efforts to conduct inquiries into the administration's surveillance program because a subpoenaed company or government official could invoke immunity, said Tim Sparapani, legislative counsel for the American Civil Liberties Union, which has sued the government to force a halt to its wiretapping program.

"The end result is not only will the Bush administration continue to stonewall Congress in its request for information on warrantless wiretapping, but no one who participated will have any threat above their head," Sparapani said. "You could just face a congressional subpoena and say, 'I'm sorry, I'm immunized.' "

Ron Wyden (D-Ore.), a member of the Senate Select Committee on Intelligence, said to gain his support, the measure needs to state explicitly that a person who intentionally violates the law should not be granted immunity.

"If somebody intentionally breaks the law . . . that's not something you should just ignore," he said.

From rforno at infowarrior.org Sat May 5 02:20:27 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 04 May 2007 22:20:27 -0400
Subject: [Infowarrior] - NASA scientists: REAL ID plan threatens privacy
Message-ID:

NASA scientists: ID plan threatens privacy

http://www.upi.com/Security_Terrorism/Briefing/2007/05/04/nasa_scientists_id_plan_threatens_privacy/

Published: May 4, 2007 at 1:55 PM

WASHINGTON, May 4 (UPI) -- NASA scientists joined a growing list of groups opposed to a Bush administration plan to standardize federally issued IDs.
Four National Aeronautics and Space Administration scientists from the Jet Propulsion Laboratory sent a letter to Congress asking for a bipartisan effort to oppose the plans currently pursued by the Department of Homeland Security.

Following the Sept. 11, 2001, attacks on New York and Washington, the Bush administration passed a number of directives to standardize federally issued identification. The scientists are just one group that has voiced concerns about the standardization procedures.

The NASA Jet Propulsion Lab scientists highlighted Homeland Security Presidential Directive No. 12, which calls for a mandatory, government-wide standard for identification used to gain access to secure government facilities. The directive is intended to eliminate variations that could make a facility vulnerable to terrorism.

The NASA employees found that although the ID standardization appears to have a "fairly innocuous tone," the procedure for collecting information about government employees infringes on civil liberties.

Based on their experiences with implementing the new directive, the scientists wrote that they were asked to submit personal information that included fingerprints, racial, ethnic, financial and medical information. They were also concerned that the information was submitted to FBI databases that contain personal information relevant to criminal investigations.

However, their primary concern was that these strict procedures may have repercussions on NASA recruiting efforts.

"Many highly talented individuals ... attach great value to their personal liberties. ... In the face of such intrusions talented researchers are inclined to take positions elsewhere, where the employers have a modicum of respect for the Constitution," they wrote.

The American Civil Liberties Union has also expressed strong opposition to the concept of federal ID standardization.
Among its numerous criticisms, the ACLU finds that a national database comprising personal information about all Americans would violate the right to privacy.

From rforno at infowarrior.org Sat May 5 02:27:51 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 04 May 2007 22:27:51 -0400
Subject: [Infowarrior] - Judge says NY surveillance data can be made public
Message-ID:

Judge says NY surveillance data can be made public

Fri May 4, 2007 5:23 PM ET
By Daniel Trotta

http://today.reuters.com/news/articlenews.aspx?type=domesticNews&storyid=2007-05-04T212336Z_01_N04458232_RTRUKOC_0_US-NEWYORK-CONVENTION.xml&src=rss&rpc=22

NEW YORK (Reuters) - Six hundred pages of documents relating to intelligence that New York City gathered before the 2004 Republican National Convention should be made public, a federal judge ruled on Friday.

Judge James Francis of U.S. District Court in Manhattan struck down the city's attempt to keep the documents confidential, but agreed to keep them sealed pending a possible city appeal.

The New York Civil Liberties Union and The New York Times had petitioned the judge to make the documents public.

The city had argued their publication could influence potential jurors in a larger case, yet to go to trial, in which about 90 protesters who were arrested at the convention are suing the city alleging their rights were violated through mass arrests, prolonged detentions and blanket fingerprinting.

More than 1,800 demonstrators were arrested over eight days in August and September of 2004 as the Republican Party met in New York to nominate President George W. Bush as its candidate in the presidential election.

"Notably, the city does not contend that these documents must be kept confidential because of security concerns or because public disclosures would jeopardize legitimate law enforcement interests," the judge wrote in a 14-page ruling.
Lawyers for the city and the plaintiffs -- the New York Civil Liberties Union -- agreed not to release the documents at least until the city decides whether to appeal.

The New York Times reported the records showed that undercover New York police officers posed as sympathizers at meetings of political groups and identified those who had expressed interest in violent action.

The Times also said undercover police spied on people planning protests at the convention, both in the United States and in Europe.

Police say all of their surveillance was legal and approved in advance by a special three-member panel made up of two senior police officers and a representative of the mayor.

The surveillance was carried out by an intelligence branch created after the September 11 attacks to gather information on threats to public safety and reduce the city's reliance on the federal government.

From rforno at infowarrior.org Sat May 5 12:46:28 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 05 May 2007 08:46:28 -0400
Subject: [Infowarrior] - TSA Loses Hard Drive With 100K Personal Info
Message-ID:

TSA Loses Hard Drive With Personal Info

http://apnews.myway.com/article/20070505/D8OTUCJ80.html

May 4, 10:03 PM (ET)
By MATT APUZZO

WASHINGTON (AP) - The Transportation Security Administration has lost a computer hard drive containing Social Security numbers, bank data and payroll information for about 100,000 employees.

Authorities realized Thursday the hard drive was missing from a controlled area at TSA headquarters. TSA Administrator Kip Hawley sent a letter to employees Friday apologizing for the lost data and promising to pay for one year of credit monitoring services.

"TSA has no evidence that an unauthorized individual is using your personal information, but we bring this incident to your attention so that you can be alert to signs of any possible misuse of your identity," Hawley wrote in the letter, which was obtained by The Associated Press.
"We profoundly apologize for any inconvenience and concern that this incident has caused you."

The agency said it did not know whether the device is still within headquarters or was stolen. TSA said it has asked the FBI and Secret Service to investigate and said it would fire anyone discovered to have violated the agency's data-protection policies.

In a statement released Friday night, the agency said the external - or portable - hard drive contained information on employees who worked for the Homeland Security agency from January 2002 until August 2005.

TSA, a division of the Homeland Security Department, employs about 50,000 people and is responsible for security of the nation's transportation systems, including airports and train stations.

"It seems like there's a problem with security inside Homeland Security and that makes no sense," said James Slade, a TSA screener and the executive vice president of the National Treasury Employees Union chapter at John F. Kennedy International Airport. "That's scary. That's my identity. And now who has a hold of it? So many things go on in your mind."

The agency added a section to its Web site Friday night addressing the data security breach and directing people to information about identity theft.

Rep. Sheila Jackson Lee, D-Texas, whose Homeland Security subcommittee oversees the TSA, promised to hold hearings on the security breach. She said Homeland Security buildings are part of the critical infrastructure the agency is charged with protecting.

"We should expect it to be secure," she said.

House Homeland Security Committee Chairman Bennie G. Thompson, D-Miss., called the security breach "a terrible and unfortunate blow" for an agency he said already suffered from low morale.

It's the latest mishap for the government involving computer data. Last year, a laptop with information for more than 26.5 million military personnel was stolen from a Veterans Affairs Department employee's home.
Law enforcement officials recovered the laptop, and the FBI said Social Security numbers and other personal data had not been copied.

---

Associated Press writer Ted Bridis contributed to this report.

From rforno at infowarrior.org Sun May 6 19:01:47 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 06 May 2007 15:01:47 -0400
Subject: [Infowarrior] - The Rise of Low-Tech Terrorism
In-Reply-To: <020901c78f99$5405c120$6501a8c0@yourpcd41p5ssv>
Message-ID:

The Rise of Low-Tech Terrorism

By Daniel L. Byman
Sunday, May 6, 2007; Page B03

http://www.washingtonpost.com/wp-dyn/content/article/2007/05/04/AR2007050402550.html

The movies were an affront to God, encouraging vice and Western-style decadence. So in August 1978, four Shiite revolutionaries locked the doors of the Cinema Rex in the Iranian city of Abadan and set the theater on fire. The firefighters were late, and nearby hydrants did not work. The victims' shrieks could be heard while firefighters and police stood outside, watching helplessly. At least 377 people -- perhaps many more -- were burned alive.

Never heard of the Cinema Rex fire? You're not alone. But the tragedy is more than an obscure, grisly memory from the run-up to the 1979 Iranian Revolution. It's also the second-deadliest terrorist attack in modern history -- deadlier even than airline bombings such as Pan Am Flight 103 -- and one that offers many lessons about the changing threat of terrorism today.

Since Sept. 11, 2001, most Americans have worried about what terrorism experts call "spectaculars": massive, ingenious and above all theatrical extravaganzas such as al-Qaeda's attack on the twin towers, its simultaneous 1998 bombings of the U.S. embassies in Kenya and Tanzania, and its brazen 2000 suicide-boat assault on the USS Cole in Yemen. But perhaps we should be more worried about the Cinema Rex attack.
Although Osama bin Laden and his lieutenants still dream of spectaculars, a quick glance at the terrorist acts committed since 9/11 suggests that perpetrators are going low-tech, too. As the survivors of attacks in London, Madrid and the Russian town of Beslan will confirm, such tried-and-true terrorism methods as low-tech bombs, hostage-taking and arson have tremendous appeal to jihadists. Indeed, the State Department's annual survey on terrorism, released last week, notes that "in 2006 most attacks were perpetrated by terrorists applying conventional fighting methods that included using bombs and weapons, such as small arms."

While the United States and other countries have devoted lots of attention to bracing themselves for the big one, we've spent far too little time considering what we can learn from more mundane -- and more repeatable -- terrorist attacks that can inflict mass casualties.

A look at the various suspects arrested in recent years for crimes linked to radical Islamic terrorism in the United States suggests that the immediate threat we face is angry amateurs, not poised, professional killers such as Mohamed Atta, the leader of al-Qaeda's 9/11 team. Most of those arrested do appear to have meant Americans harm, whether by conducting attacks on their own or by raising money for other would-be killers. But these plots were rarely well-developed, and the operators were at best enthusiastic novices.

Consider the case of one of the few Americans actually convicted of terrorism since 9/11: Iyman Faris, an Ohio truck driver and naturalized U.S. citizen born in Kashmir who pleaded guilty in 2003, plotted to destroy the Brooklyn Bridge by severing its cables with blowtorches. Scary, sure -- but a completely absurd way to destroy the bridge, whose many cables are more than a foot in diameter.

These homegrown terrorists don't necessarily share the zeal and anonymity of a seasoned professional such as Atta.
Many of those arrested on terrorism charges have a prison record and thus are known to law enforcement officials. One of the most advanced post-9/11 plots, against the Israeli consulate in Los Angeles and U.S. military facilities in the area, involved four former inmates who began their plotting while behind bars. Former prisoners rarely make ideal comrades; many would sell their own mother for a small reward.

But it's a mistake to write off the angry amateurs. They're not terribly skilled, but it doesn't take that much skill to kill dozens of people -- as the shootings at Virginia Tech so tragically demonstrate. Attacks such as the Cinema Rex fire are easily repeated, and they don't take the years of onerous training and planning that spectaculars demand.

So how can we stop low-tech terrorism? Unfortunately, better defenses can solve only part of the problem. We should defend the White House, nuclear plants and other high-profile targets that would tempt terrorists to stage a spectacular. But we can't defend every movie theater, synagogue, local government building or shopping mall without spending hundreds of billions of dollars and turning the United States into an armed camp.

That leaves offense -- at home as well as abroad. The FBI has tried to penetrate cells of would-be terrorists, often opening itself to criticism for spending enormous resources on disrupting what seems to be a bunch of bungling blowhards. The bureau should keep at it. Of course, sometimes a ballyhooed terrorism arrest will look foolish when the media reveal the plotters' amateurish plans and backgrounds. But aggressive law enforcement can help prevent these amateurs from becoming something more deadly.

Perhaps the best way to fight low-tech terrorists is through community support.
For instance, the FBI began to focus on the "Lackawanna Six," who pleaded guilty in 2003 to providing material support to al-Qaeda, after receiving an anonymous letter from a member of the Yemeni community in Lackawanna, N.Y., near Buffalo. But to get these sorts of tips, Arab Americans and Muslim Americans need to see the police as protectors, not persecutors.

In this respect, Europe provides a cautionary tale. Governments there, particularly France's, have spent more time trying to shake down their Muslim communities for intelligence than they've spent reassuring and integrating them. The result? An angry, unassimilated Muslim minority whose fringes produce terrorists while its mainstream often resists police efforts to find them. The U.S. government has a fine line to walk here, too. But when in doubt, we should jettison intrusive measures in favor of those likely to win sustained support from Muslim Americans.

Finally, the government needs to talk coolly and calmly to the American people. Complete protection against arson, shootings and low-level bombings is impossible. Americans will have to accept a certain amount of risk in their daily lives, recognizing that effective government policies can reduce the threat but not eliminate it.

Public opinion is the fulcrum of counterterrorism. Terrorists -- high-tech and low-tech alike -- rely on overreaction from a rattled public and government to do their dirty work. We shouldn't indulge them.

From rforno at infowarrior.org Sun May 6 22:24:27 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 06 May 2007 18:24:27 -0400
Subject: [Infowarrior] - UPI/Zogby Poll: Negative Ratings on Keeping U.S. Safe from Terrorism
Message-ID:

UPI/Zogby Poll: Majority give Bush Negative Ratings on Keeping U.S.
Safe from Terrorism

http://www.zogby.com/news/ReadNews.dbm?ID=1290

But half of Americans believe Bush Administration has allowed security measures to trump personal freedoms

More than half of Americans (55%) give President Bush negative ratings on his performance in keeping the United States safe from terrorism and give the Department of Homeland Security a similar negative rating (56%) on its efforts. Nearly half of Americans (49%) believe the Bush administration has tipped the balance between personal security and personal freedom too far towards security, depriving the American people of too many freedoms, a new UPI/Zogby Interactive poll shows.

Slightly more than half (53%) said they are against the government having the ability to temporarily suspend federal privacy laws to enable agencies to better share counter-terrorism information, including the personal data of American citizens.

Americans are divided over the Terrorism Surveillance Program. Half said they have a favorable view of the TSP, under which the National Security Agency can monitor the international telephone and email communications of American citizens without a warrant if the communication includes an individual suspected of having ties to a terrorist organization like al-Qaeda. But nearly as many (45%) said they have an unfavorable view of the program. More than half (55%) said the TSP is a necessary and legal tool to protect Americans against terrorist activity, while 42% disagree.

The interactive survey of 5,932 adults nationwide was conducted from April 13-16, 2007 and carries a margin of error of +/- 1.3 percentage points.

The majority of Americans (70%) said they support the REAL ID program, which requires each state to change its driver's license systems to meet national standards and ensure that their databases are compatible with other states, although one in four (24%) said they oppose the program.
However, half (52%) said they are opposed to a federal law requiring all persons living in the United States to carry a National ID card that contains biometric information, such as fingerprint identification.

More than half (56%) said they have an unfavorable opinion of the Transportation Security Administration, which oversees airport screening and security. The majority (59%) said they believe airline security screeners use racial or ethnic profiling when screening airline passengers, and 65% believe screeners should use racial profiling. Nearly half (49%) believe the Terror Watch List or "No Fly List" is an effective means of screening airline passengers, while slightly fewer (42%) don't believe it is effective. But most (57%) believe the ban on bringing certain amounts of liquids on airplanes is too excessive a security measure.

Nearly half (49%) believe the creation of the Department of Homeland Security has added another level of government bureaucracy and made domestic security operations less -- not more -- efficient, while 34% believe the new agency has helped make domestic security operations more efficient by pooling talent and knowledge.

More Americans said they feel less safe (42%) than safer (35%) from terrorism now compared to before the start of the Iraq war four years ago. Half (51%) said they feel less safe with George W. Bush as president, while 43% said they feel safer with the current president leading the country. These latest interactive findings show a shift to more people feeling less safe with Bush as president compared with past Zogby International telephone polling -- a telephone poll in February 2006 showed 39% felt less safe and in September 2005 42% said they felt less safe with Bush as president. In both polls 51% said they felt safer with Bush as president.

In addition to feeling less safe, half of Americans (52%) believe it is likely there will be another terrorist attack within U.S.
borders in the next 12 months resulting in the loss of American lives and even more (79%) think such an attack is likely to take place within the next five years. This is a stark change from a Zogby International telephone survey conducted in June 2002 which found 90% believed a terrorist attack was likely in the U.S. in the near future.

Nearly one in four (23%) said public areas are the potential targets most vulnerable to terrorism, while 20% were most concerned about mass transit systems, and 16% view ports, harbors and shipyards as the greatest potential target.

Border security and immigration was cited as the number one issue facing the United States in terms of domestic security by 36%, while 23% say the rise in anti-Americanism is the top issue and 15% cite Islamic radicalization. Americans are divided on whether domestic or foreign terrorists pose the greater threat to domestic security, though slightly more (45%) are most concerned about foreign terrorists, while 42% believe terrorists originating and training in the United States pose the greatest threat.

The majority (59%) believe the more effective way to deal with the potential threat to national security posed by millions of illegal immigrants living within the United States is to crack down on illegal immigration by toughening the enforcement of existing laws, deporting illegal immigrants and prosecuting the employers who illegally employ workers. But nearly a third (32%) favor creating a path to citizenship for illegal immigrants so that they no longer have to live in the shadows of society and can live without fear of prosecution.

More than half (56%) said they don't believe the construction of a wall between the U.S. and Mexico will make the U.S. safer from terrorist threats, but 41% believe a wall could increase safety. While 40% believe immigration reform, including the creation of a guest worker program, will make the U.S. safer from terrorist threats, even more (50%) don't think it will help.
Nearly a third (32%) believe the security of the Southern border with Mexico is the immigration issue that presents the greatest threat to U.S. security, while 18% are most concerned about the visa waiver program, which allows citizens from allied nations to visit the U.S. without applying for a visa in advance, and 13% say the Student Exchange program with Middle Eastern nations poses the biggest threat.

(4/22/2007)

From rforno at infowarrior.org Mon May 7 00:55:56 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 06 May 2007 20:55:56 -0400
Subject: [Infowarrior] - Survey Shatters Technology Assumptions
Message-ID:

Survey Shatters Technology Assumptions

Sunday May 6, 7:44 pm ET
By Anick Jesdanun, AP Internet Writer

http://biz.yahoo.com/ap/070506/internet_study.html?.v=5

NEW YORK (AP) -- A broad survey about the technology people have, how they use it, and what they think about it shatters assumptions and reveals where companies might be able to expand their audiences.

The Pew Internet and American Life Project found that adult Americans are broadly divided into three groups: 31 percent are elite technology users, 20 percent are moderate users and the remainder have little or no usage of the Internet or cell phones.

But Americans are divided within each group, according to a Pew analysis of 2006 data released Sunday. The high-tech elites, for instance, are almost evenly split into:

-- "Omnivores," who fully embrace technology and express themselves creatively through blogs and personal Web pages.

-- "Connectors," who see the Internet and cell phones as communications tools.

-- "Productivity enhancers," who consider technology as largely ways to better keep up with their jobs and daily lives.

-- "Lackluster veterans," those who use technology frequently but aren't thrilled by it.
John Horrigan, Pew's associate director, said he started the survey believing that the more gadgets people have, the more they are likely to embrace technology and use so-called Web 2.0 applications for generating and sharing content with the world.

"Once we got done, we were surprised to find the tensions within groups of users with information technology," Horrigan said.

Many longtime Internet users, the lackluster veterans, remain stuck in the decade-old technologies they started with, Horrigan said. That a quarter of high-tech elites fall into this category, he said, shows untapped potential for companies that can design next-generation applications to pique this group's interest.

The moderate users were also evenly divided into "mobile centrics," those who primarily use the cell phone for voice, text messaging and even games, and "connected but hassled," those who have used technology but find it burdensome.

Mobile companies, he said, can target the mobile centrics with premium services, especially once faster wireless networks become available.

The Pew study found 15 percent of all Americans have neither a cell phone nor an Internet connection. Another 15 percent use some technology and are satisfied with what it currently does for them, while 11 percent use it intermittently and find connectivity annoying.

Eight percent -- mostly women in the early 50s -- occasionally use technology and might use more given more experience. They tend to still be on dial-up access and represent potential high-speed customers "with the right constellation of services offered," Horrigan said.

The telephone study of 4,001 U.S. adults, including 2,822 Internet users, was conducted Feb. 15 to April 6, 2006, and has a margin of sampling error of plus or minus 2 percentage points.
Find out which category you fall under: http://www.pewinternet.org/quiz

From rforno at infowarrior.org Mon May 7 01:07:32 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 06 May 2007 21:07:32 -0400
Subject: [Infowarrior] - Management shortcomings seen at NSA
In-Reply-To: <463E7B7E.5090404@packetnexus.com>
Message-ID:

------ Forwarded Message
From: Jason L

WASHINGTON // In a sharp rebuke to the National Security Agency's leadership, an internal task force has concluded that the country's largest intelligence agency lacks vision and is unable to set objectives and meet them.

NSA employees also do not trust one another, which has left the agency fragmented and in search of a "unity of purpose," according to a task force report released to employees late last month.

"What we need is fundamental change in the way we manage NSA and what we expect of management and ourselves," concluded the study, which was led by George "Dennis" Bartko, the NSA's deputy chief of cryptanalysis. The Sun obtained unclassified portions of the report and eight related documents.

Management problems have been blamed for repeated setbacks as the agency tries to upgrade its ability to analyze the millions of snippets of conversations and other communications collected worldwide every day. In recent years, several major programs have been hampered by delays, technology breakdowns or cost overruns.

Yet the report's blunt conclusions are strikingly similar to those in a pair of 1999 NSA studies, raising questions about how much progress the Maryland-based agency has made since then.
< - >

http://www.baltimoresun.com/news/nationworld/bal-te.nsa06may06,0,885480.story?page=1&coll=bal-home-headlines

From rforno at infowarrior.org Mon May 7 13:41:37 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 07 May 2007 09:41:37 -0400
Subject: [Infowarrior] - GAO Study Contradicts Counterfeit Claims
Message-ID:

GAO Study Contradicts Counterfeit Claims

http://www.michaelgeist.ca/content/view/1922/125/

Thursday May 03, 2007

I appeared before the Standing Committee on Industry, Science and Technology on Wednesday to discuss counterfeiting (following on my appearance last week before the Standing Committee on Public Safety and National Security). My opening remarks are posted below - they focused primarily on the need to obtain more accurate data (I cited the inconsistent data associated with camcording) and to separate the counterfeiting issue from copyright reform (I argued that the inclusion of issues such as ratification of the WIPO Internet treaties is hampering progress on the serious counterfeiting problems).

Interestingly, just after the hearing I was alerted to a new U.S. study [PDF] from the Government Accountability Office on U.S. border enforcement activities against counterfeiting. The report is a must-read for people focused on this issue as it highlights two very important things. First, notwithstanding the claims that Canada must dramatically reform the powers afforded to our border services to address counterfeiting, the GAO study demonstrates that even countries like the U.S. are struggling with this issue as it points to a lack of data and coordination within the U.S.

Second, the data contained in the GAO report suggests that the claims associated with counterfeiting are massively overstated. The Industry Committee previously heard from witnesses who noted that there have been claims that 5 to 7 percent of world trade involves counterfeit products (some even argue that is growing). The GAO study points to the U.S.
Compliance Measure Program, a statistical sampling program that randomly selects shipments to check for their compliance with the law, including IP laws. Of 287,000 inspected shipments from 2000 - 2005, IP violations were only found in 0.06 percent of shipments - less than one tenth of one percent. This large random sample suggests that counterfeit products are actually only found in a tiny percentage of shipments. Moreover, the GAO notes that despite increases in IP seizures, the value of those seizures in 2005 represented only 0.02 percent of the total value of imports of goods in product categories that are likely to involve IP protection. In other words, the evidence from an independent, U.S. government sponsored agency points to a far different reality from that presented to the two parliamentary committees investigating counterfeiting.

< - >

http://www.michaelgeist.ca/content/view/1922/125/

From rforno at infowarrior.org Mon May 7 19:41:33 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 07 May 2007 15:41:33 -0400
Subject: [Infowarrior] - Army peeved at FAS for posting OPSEC document
Message-ID:

Anyone else amused at the irony here? It's been how many years and the government still doesn't understand how the Internet works? Talk about slow learners!

-rf

> SECRECY NEWS
> from the FAS Project on Government Secrecy
> Volume 2007, Issue No. 48
> May 7, 2007
>
> Secrecy News Blog: http://www.fas.org/blog/secrecy/
>
> Support Secrecy News:
> http://www.fas.org/static/contrib_sec.jsp
>
> ARMY DOCUMENTS POSTED "ILLEGALLY," ARMY SAYS
>
> A U.S. Army official told the Federation of American Scientists that
> Army documents on the FAS web site had been published by FAS "illegally"
> and must be removed.
>
> "There are only 5 Official Army Publications Sites," wrote Cheryl Clark
> of the U.S. Army Publications Directorate in a May 4 email message.
> "You are not one of them."
>
> "You can link to our publications, but you cannot host them," she wrote.
>
> Furthermore, she indicated, a recent Army Regulation on "Operations Security" (first published by Wired News and mirrored on the FAS site) was "not intended for Public release."
>
> "Please remove this publication immediately or further action will be taken," Ms. Clark warned.
>
> http://www.fas.org/sgp/news/2007/05/sa050707.html#req
>
> "I have considered your request that we remove Army publications from the Federation of American Scientists web site," I responded today. "I have decided not to comply."
>
> By law the Army cannot copyright its publications, the response explained. Nor is FAS, a non-governmental organization, subject to internal Army regulations on information policy.
>
> "Accordingly, our publications are not illegal nor in violation of any applicable regulation."
>
> http://www.fas.org/sgp/news/2007/05/sa050707.html
>
> To eliminate potential confusion, we added a disclaimer to our Army doctrine web page indicating that the FAS collection of Army records is not an official Army source, and directing readers to several such official sites.
>
>
> THE EVOLUTION OF ARMY OPSEC
>
> The recent evolution of Army operations security (OPSEC) policy can be traced from the 1995 regulation on the subject--
>
> http://www.fas.org/irp/doddir/army/ar530-1-1995.pdf
>
> to the 2005 revision--
>
> http://www.fas.org/irp/doddir/army/ar530-1-2005.pdf
>
> to the latest iteration of April 2007--
>
> http://www.fas.org/irp/doddir/army/ar530-1.pdf
>
> In response to reporting by Noah Shachtman of Wired News and the Danger Room blog, the Army issued a Fact Sheet on May 2 asserting that Army OPSEC policy on military blogging was unchanged:
>
> http://www.fas.org/irp/agency/army/blog050207.pdf
>

From rforno at infowarrior.org Mon May 7 19:56:11 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 07 May 2007 15:56:11 -0400
Subject: [Infowarrior] - Tues 1000: Senate Hearing on REAL ID
Message-ID:

http://judiciary.senate.gov/hearing.cfm?id=2746

"Will REAL ID Actually Make Us Safer? An Examination of Privacy and Civil Liberties Concerns"

Senate Judiciary Committee
Full Committee
DATE: May 8, 2007
TIME: 10:00 AM
ROOM: Dirksen-226

Hearing before the Senate Judiciary Committee on "Will REAL ID Actually Make Us Safer? An Examination of Privacy and Civil Liberties Concerns"

Witness List:

Allen Gilbert
Executive Director, The American Civil Liberties Union of Vermont
Montpelier, VT

Jim Harper
Director, Information Policy Studies, CATO Institute
Washington, DC

Dr. James Carafano
Assistant Director, Kathryn and Shelby Cullom Davis Institute for International Studies; Senior Research Fellow, Douglas and Sarah Allison Center for Foreign Policy Studies, Heritage Foundation
Washington, DC

Bruce Schneier
Founder and Chief Technology Officer, BT Counterpane
Minneapolis, MN

Janice Kephart
President, 9/11 Security Solutions, LLC
Alexandria, VA

From rforno at infowarrior.org Tue May 8 11:45:39 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 08 May 2007 07:45:39 -0400
Subject: [Infowarrior] - AACS redux: You Can Own an Integer Too - Get Yours Here
Message-ID:

You Can Own an Integer Too - Get Yours Here
Monday May 7, 2007 by Ed Felten

Remember last week's kerfuffle over whether the movie industry could own random 128-bit numbers? (If not, here's some background: 1, 2, 3)

Now, thanks to our newly developed VirtualLandGrab technology, you can own a 128-bit integer of your very own.

Here's how we do it. First, we generate a fresh pseudorandom integer, just for you. Then we use your integer to encrypt a copyrighted haiku, thereby transforming your integer into a circumvention device capable of decrypting the haiku without your permission. We then give you all of our rights to decrypt the haiku using your integer. The DMCA does the rest.

< - >

http://www.freedom-to-tinker.com/?p=1155

From rforno at infowarrior.org Tue May 8 11:46:50 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 08 May 2007 07:46:50 -0400
Subject: [Infowarrior] - BBC Trustees agree to let BBC infect Britain with DRM
Message-ID:

BBC Trustees agree to let BBC infect Britain with DRM
http://www.boingboing.net/2007/05/07/bbc_trustees_agree_t.html

The BBC Trust -- the organisation that oversees the BBC's operations -- has driven another nail into the BBC's relevancy for the 21st century today by giving the broadcaster permission to use DRM on its online offerings.
The BBC has turned its back on its promise to deliver a remixable, DRM-free archive of its video materials to the British public, citing lame excuses like, "It will cost a lot to negotiate rights," and "It might make us less effective at selling DVDs to Americans." Instead, it has opted for the "iPlayer," a crippling technology that infects PCs and makes them incapable of saving and using some of the files on their hard-drives.

At the core of this is a Microsoft technology, the WMV file-format. It's illegal for British entrepreneurs to build devices that play WMV without permission and a license from Microsoft, and Microsoft specifies what features WMV players must and must not have.

The upshot is that British TV -- when recorded over the air -- can be stored forever, shared, re-used, and recorded using anyone's tools. British entrepreneurs can make recorders for it. British people can save it and use it as they see fit within the law.

But British TV -- when delivered over the Internet -- infects your computer. It deletes itself after a set period. It can't be used for any purpose other than watching it. And no one is allowed to make a player for it without Microsoft's permission.

The Trustees heard that 90 percent of the respondents didn't want DRM and especially didn't want Microsoft DRM. But rather than giving the BBC orders to deliver its free-to-air video in free-to-net formats, they gave it permission to sell out the license-fee payers who are required by law to support the BBC.

Look: the BBC radiates its TV offerings in all directions at the speed of light from its broadcast towers. DRM doesn't stop copying (and it never has, and it never will). But even if it did -- if I can record my BBC TV over the air and make it available, the presence of DRM on the iPlayer just discriminates against the least technically literate Brits, who don't know about UKNova, which is filled with every BBC show aired, without DRM.
It also turns license payers who watch TV on their computers without restrictions into criminals. It criminalises the act of watching the TV that, by law, you are required to pay for.

They also instructed the BBC to stop making MP3s of public-domain classical music available, because the classical music industry is "precarious." That's smart -- we'll improve the health of the classical music industry by making sure that no one under 35 with an iPod can listen to it. Nice one, Trustees.

Indeed, if the goal of this report was to ensure that the BBC has no relevance to the 21st century, then mission accomplished. Who needs a "public service broadcaster" that criminalises its viewers, privileges monopolistic foreign software giants, and takes every measure to stop its audience watching telly in the way they see fit?

From rforno at infowarrior.org Tue May 8 11:48:59 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 08 May 2007 07:48:59 -0400
Subject: [Infowarrior] - Two US States Restrict Used CD Sales
Message-ID:

Record shops: Used CDs? Ihre papieren, bitte!
http://arstechnica.com/news.ars/post/20070507-record-shops-used-cds-ihre-papieren-bitte.html
By Ken Fisher | Published: May 07, 2007 - 01:23PM CT

There are a few things lawmakers have decided really ought to be handled with the "care and oversight" that only the government can provide: e.g., tax collection, radioactive materials, biohazards, guns, and CDs. CDs? No, I'm not talking about financial Certificates of Deposit, though that might make more sense. I'm talking about Compact Discs.

New "pawn shop" laws are springing up across the United States that will make selling your used CDs at the local record shop something akin to getting arrested. No, you won't spend any time in jail, but you'll certainly feel like a criminal once the local record shop makes copies of all of your identifying information and even collects your fingerprints.
Such is the state of affairs in Florida, which now has the dubious distinction of being so anal about the sale of used music CDs that record shops there are starting to get out of the business of dealing with used content because they don't want to pay a $10,000 bond for the "right" to treat their customers like criminals.

The legislation is supposed to stop the sale of counterfeit and/or stolen music CDs, despite the fact that there has been no proof that this is a particularly pressing problem for record shops in general. Yet John Mitchell, outside counsel for the National Association of Recording Merchandisers, told Billboard that this is part of "some sort of a new trend among states to support second-hand-goods legislation." And he expects it to grow.

In Florida, Utah, and soon in Rhode Island and Wisconsin, selling your used CDs to the local record joint will be more scrutinized than getting a driver's license in those states. For retailers in Florida, for instance, there's a "waiting period" statute that prohibits them from selling used CDs that they've acquired until 30 days have passed. Furthermore, the Florida law disallows stores from providing anything but store credit for used CDs. It looks like college students will need to stick to blood plasma donations for beer money.

Why this trend, and why now? It's difficult to say, but to be sure, there is no love lost between retailers who sell used CDs and the music industry. The Federal Trade Commission has scrutinized the music industry for putting unfair pressures on retailers who sell used CDs, following a long battle between the music industry and retailers in the mid 90s. The music industry dislikes used CD sales because they don't get a cut of subsequent sales after the first. Now, via the specter of piracy, new legislation is cropping up that will make it even less desirable to sell second-hand goods. Can laws targeting used DVDs be far behind?
The music industry has never been a big fan of the Doctrine of First Sale, and the rise of digital music sales will only exacerbate the tension between consumers who believe that they "own" what they pay for, and the music industry. As more and more content-oriented goods transition to digital formats that are distributed free of physical formats, this issue is going to get tricky because it will be harder to spot the counterfeits from the authentic products, and consumers will still expect to exercise robust rights with the content that they've paid for with their hard-earned cash.

From rforno at infowarrior.org Tue May 8 11:51:16 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 08 May 2007 07:51:16 -0400
Subject: [Infowarrior] - Disney-Cox Deal: Ondemand TV, no ad skipping
Message-ID:

Way to go, guys.....keep torking off your customers.........that's like me saying you can't have access to this message unless you're dressed in a blue shirt and barefoot......and only on a semi-cloudy day.....idiots.....rf

ABC, ESPN in Cox deal for on-demand shows: WSJ
http://news.yahoo.com/s/nm/20070508/media_nm/abc_cox_dc
Tue May 8, 1:51 AM ET

NEW YORK (Reuters) - Walt Disney Co.'s ABC and ESPN have struck a deal with Cox Communications Inc. to offer shows on demand, with the condition that Cox disables a feature that allows viewers to skip ads, the Wall Street Journal reported on its Web site on Tuesday.

The agreement, which is expected to be announced on Tuesday at the National Cable Television Association's annual convention in Las Vegas, only applies to programs available on Cox's video-on-demand menu, the Journal said.

Walt Disney and Cox could not immediately be reached for comment.
From rforno at infowarrior.org Tue May 8 13:11:04 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 08 May 2007 09:11:04 -0400
Subject: [Infowarrior] - DHS' Own Privacy Panel Declines to Endorse License Rules
Message-ID:

Homeland Security's Own Privacy Panel Declines to Endorse License Rules
http://blog.wired.com/27bstroke6/2007/05/homeland_securi.html

The Department of Homeland Security's outside privacy advisors explicitly refused to bless proposed federal rules to standardize states' driver's licenses Monday, saying the Department's proposed rules for standardized driver's licenses -- known as Real IDs -- do not adequately address concerns about privacy, price, information security, redress, "mission creep", and national security protections.

"Given that these issues have not received adequate consideration, the Committee feels it is important that the following comments do not constitute an endorsement of REAL ID or the regulations as workable or appropriate," the committee wrote in the introduction to their comments (.pdf) for the rulemaking record. "The issues pose serious risks to an individual's privacy and, without amelioration, could undermine the stated goals of the REAL ID Act."

The 18-member Data Privacy and Integrity Advisory Committee began looking at the proposed rules at the request of Hugo Teufel III, DHS's chief privacy officer. According to Teufel's instructions, the group was asked to provide very specific comment on how to implement the rules, which civil liberties groups and libertarian-leaning states want repealed, not reformed.

While the committee's 12 final recommendations are mostly predictable (such as restricting what the ID can be used for and making sure that the machine-readable portion of any Real ID should not be easily readable by unauthorized persons), the importance of Homeland Security's own advisory board explicitly saying it won't endorse Real ID as workable or appropriate shouldn't be underestimated.
Comments are due on the proposed rules by 5 p.m. EST Tuesday.

From rforno at infowarrior.org Tue May 8 13:15:50 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 08 May 2007 09:15:50 -0400
Subject: [Infowarrior] - Final Reminder: REAL ID Comments Due by COB today!
Message-ID:

http://www.privacycoalition.org/stoprealid/

To take action and make your voice heard, submit comments against the fundamentally flawed national identification scheme. The draft regulations to implement the REAL ID Act are open for comment until 5:00 PM EST on May 8, 2007. The comments can be submitted in one of three ways:

1. E-mail: Sent to oscomments at dhs.gov.
2. Online through the Federal Rulemaking Portal: http://www.regulations.gov (search for "DHS-2006-0030-0001" and follow the instructions for submitting comments);
3. Fax to 1-866-466-5370. Your fax must state that you are submitting comments in response to Notice of Proposed Rulemaking DHS-2006-0030.
4. Postal Mail sent to Department of Homeland Security; Attn: NAC 1-12037; Washington, D.C. 20538. Your letter must state that you are submitting comments in response to Notice of Proposed Rulemaking DHS-2006-0030.

From rforno at infowarrior.org Tue May 8 17:22:36 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 08 May 2007 13:22:36 -0400
Subject: [Infowarrior] - Terror Hoaxes: Congress Backs Official Idiocy
Message-ID:

Congress Backs Official Idiocy

Here's Congress siding with Boston's idiotic public officials. The Terrorist Hoax Improvements Act of 2007 would allow government officials to sue people who fail to promptly clear things up when those officials mistakenly think that they have stumbled over a terrorist plot. There's nothing in the bill allowing individuals or corporations to sue government officials when hare-brained overreactions interfere with their lives and business or destroy their property.
< - >

http://www.cato-at-liberty.org/2007/05/05/congress-backs-official-idiocy/

And from Washington Watch:

Terrorist Hoax Improvements Act of 2007 - Amends the federal criminal code to: (1) extend the prohibition against conveying false information and hoaxes to any federal crime of terrorism; (2) increase maximum prison terms for hoaxes involving a member of the Armed Forces during war; (3) allow a civil remedy for damages resulting from hoaxes perpetrated by an individual who later fails to provide accurate information to investigating authorities about the actual nature of the incident; and (4) extend the prohibition against mailing threatening communications to include corporations or governmental entities (as well as individuals).

http://www.washingtonwatch.com/bills/show/110_SN_735.html

From rforno at infowarrior.org Tue May 8 18:51:26 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 08 May 2007 14:51:26 -0400
Subject: [Infowarrior] - Sen Leahy Statement: REAL ID hearing
Message-ID:

http://judiciary.senate.gov/member_statement.cfm?id=2746&wit_id=2629

Statement of Senator Patrick Leahy, Chairman, Senate Judiciary Committee
"Will REAL ID Actually Make Us Safer? An Examination of Privacy and Civil Liberties Concerns"
Tuesday, May 8, 2007

Today the Committee turns its attention to an issue of great concern to many States, and to Americans who value their privacy in the face of the Federal government's expanding role in their daily lives. I thank our witnesses for being here today. I am especially pleased to welcome Allen Gilbert from Vermont. I look forward to gaining a better understanding of the impact of the so-called REAL ID Act - an assessment that Congress should have done before this bill was passed. As we approach the second anniversary of its enactment, it is time for the Congress to come to grips with this significant policy.
The REAL ID Act was legislation forced through by the Republican Congress as an add-on to the emergency supplemental bill passed in May 2005. I do not recall hearing objection to this sweeping substantive legislation being jammed into an emergency supplemental from those who this year were so critical of the important aspects of the U.S. Troop Readiness, Veterans' Care, Katrina Recovery, and Iraq Accountability Appropriations Act. This bill would have provided for veterans care and Katrina relief and other needs in the emergency supplemental legislation that Congress passed but the President vetoed last week.

The REAL ID Act was attached to a must-pass appropriations bill without Senate hearings or debate. Yet the implications of the Act are enormous. The Federal government will be dictating how the States go about the business of licensing residents to operate motor vehicles. State motor vehicle officials will be required to verify the legal status of applicants, adding to the responsibilities of already heavily burdened State offices. While the Federal government dictates responsibilities for what has traditionally been a State function - and adding layers of bureaucracy and regulation to effectively create a national identification card - there is no help in footing these hefty bills. Thus, in addition to privacy and civil liberties concerns, this Act is an unfunded mandate that could cost the States in excess of $23 billion.

The REAL ID Act imposes costs and Federal responsibilities on State officers. Many States, including Vermont, have expressed their concern about the mandates of the REAL ID Act by enacting resolutions in opposition. Maine and Montana have gone so far as to indicate that they intend to refuse compliance with it. The National Conference of State Legislatures and the National Governors Association have expressed concerns about the costs imposed on the States. Opposition spans the political spectrum, from the right to the left.
The Wall Street Journal noted in an editorial that "Real Id was always more about harassing Mexican illegals than stopping Islamic terrorists" and continued to explain how "in an effort to placate noisy anti-immigration conservatives amid the GOP's poll-driven election panic," the Republican House in the last Congress attached this REAL ID bill onto a "must-pass military spending bill without hearings or much debate, and Mr. Bush made the mistake of signing it." That is from the Wall Street Journal.

Given my own concerns, I have joined with Senators Akaka, Sununu, and Tester to introduce a bill that would repeal the driver's license provisions of the REAL ID Act, and replace those provisions with the negotiated rulemaking provisions of the Intelligence Reform Act of 2004. Senator Collins introduced a similar bill to direct the Secretary of Homeland Security to reconstitute the rulemaking committee established by the 9/11 Commission Implementation Act, a bill that she managed through Senate consideration when she chaired the Homeland Security Committee.

In 2004, Congress passed the Intelligence Reform and Terrorism Prevention Act and set up a process of negotiated rulemaking between the States and the Federal government to create minimum standards to improve the security of State-issued driver's licenses. This process provided for the States to play an active and equal role in developing greater security measures, and to ensure that privacy concerns were addressed. This process was underway at the time the REAL ID Act passed and halted progress. Those negotiations would likely have been completed and we would already have stronger requirements for identification documents by now had the REAL ID Act not been forced through.

All Americans recognize the critical importance of national security. But for national security measures to be effective, they have to be smart as well as tough.
Forcing our States to bend to the Federal will in this area may not be as effective a strategy as engaging in a cooperative process intended to serve a common goal. The reaction to the unfunded mandates of the REAL ID Act is a pretty good example of what happens when the Federal government imposes itself rather than working to create cooperation and partnership.

There are also civil liberties concerns involving this hasty Act. Americans deeply value their privacy. Americans have traditionally recognized the danger of an overreaching government. When Americans put their trust in the Federal government to exercise the immense powers conferred by the PATRIOT Act, only to see that trust terribly abused, it shakes the confidence of all Americans in a government sworn to uphold the Constitution and the rule of law.

I note, too, that today is the day that comments on the proposed REAL ID regulations are due to the Department of Homeland Security. In addition to the numerous stakeholders that I understand have made substantial comments, I hope that the DHS will pay close attention to the sentiments expressed by members of this Committee and by the Homeland Security and Government Affairs Committee, which held an oversight hearing on REAL ID in March.

The days of Congress rubberstamping any and every idea cooked up by this Administration are over. We need to see real solutions with demonstrable results before we just throw away billions of dollars - or more accurately push those costs onto the States - in the name of some vague claims of enhanced security. I look forward to hearing from our witnesses so the Committee can better understand the implications for individual privacy rights and national security of this law.
From rforno at infowarrior.org Wed May 9 12:36:51 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 09 May 2007 08:36:51 -0400
Subject: [Infowarrior] - Public Satellite Images May Need Censorship, Satellite Spy Chief Says
Message-ID:

Public Satellite Images May Need Censorship, Satellite Spy Chief Says

National security may require pixelation censorship of commercial satellite imagery in the future, according to an interview with the head of the country's spy satellite agency.

Vice Adm. Robert Murrett, director of the Pentagon's National Geospatial-Intelligence Agency, told the AP that he could "certainly foresee circumstances in which we would not want imagery to be openly disseminated of a sensitive site of any type, whether it is here or overseas."

The little known group, which sports one of the largest budgets of the nation's spy agencies, has helped fund commercial imagery companies that services like Google Earth rely on, but imposes limits on their resolution. The agency also used its budgetary power to keep information off the net. During the 2001 invasion to overthrow Afghanistan's Taliban regime, the geospatial intelligence agency bought up all the imagery over that country for several months, creating a blackout for private groups at the height of the fighting. The agency was criticized for embarking on "checkbook shutter control" and hampering relief work and public understanding of the fight.

Without sounding too much like a technology triumphalist, I'm doubtful the government can win this information war. Perhaps the Pentagon can buy itself a few years or a decade of continued overhead monopoly of omniscience but information wants to be free and the resolution wants to be high.
http://blog.wired.com/27bstroke6/2007/05/public_satellit.html

From rforno at infowarrior.org Wed May 9 12:38:58 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 09 May 2007 08:38:58 -0400
Subject: [Infowarrior] - DHS: You'll take a national ID and you'll like it
Message-ID:

DHS: You'll take a national ID and you'll like it
By Michael Hampton
Posted: May 9, 2007 2:33 am
http://www.homelandstupidity.us/2007/05/09/dhs-youll-take-a-national-id-and-youll-like-it/

The Department of Homeland Security will move forward with plans to implement the REAL ID Act despite widespread opposition from citizens and state legislatures. But DHS spokesman Russ Knocke said Tuesday that even the states which have already passed laws or resolutions against the act would eventually come around and implement the national identification standards, because the citizens who now oppose it would start demanding it.

A recent poll found that most Americans support a national ID, but only if it doesn't contain biometric data such as fingerprints or retinal scans.

A broad coalition of groups from all across the political spectrum had come together to urge citizens to tell DHS to shove REAL ID, which they did in spades. The department said it had received over 12,000 comments during the 60-day comment period on its draft regulations which ended yesterday, and that the comments were mixed.

Comments at a Senate Judiciary Committee hearing Tuesday were more negative. The chairman, Senator Patrick J. Leahy, Democrat of Vermont, complained that security rules were supposed to be "smart as well as tough" and predicted that state motor vehicle departments would not be able to cope with the requirements, which include verifying all documents presented by applicants. Even renewals will require birth certificates or other proof of legal residence. And the change will impose billions of dollars in costs on states and localities, Mr. Leahy and others said.

Mr. Leahy, who is a sponsor of a bipartisan bill to repeal the rules before they take effect, asserts that the department cannot even safeguard the personal information of its own employees. (Recently the department acknowledged that it had released the names and Social Security numbers of thousands of employees, including undercover sky marshals.)

According to the National Conference of State Legislatures, which has a clock on its Web page counting down the time until the law's requirements take effect (368 days as of Tuesday), Washington and Montana have enacted laws pledging not to comply. In Idaho, the Legislature passed, and the governor signed, a budget specifying that expenditures for carrying out the law next year would be zero. Resolutions opposing the new licenses have been passed by one or both houses of the legislature, and in some cases signed by the governor, in Arkansas, Arizona, Colorado, Hawaii, Michigan, North Dakota and Utah. - New York Times

States have until next May to begin to comply with the regulations, which of course haven't been finalized yet, but they can file for an extension through December 31, 2009. Regardless, all driver licenses and ID cards must be compliant by May 10, 2013, according to the draft regulations.

The unmitigated gall of this bureaucrat. Not only does he say that states will come around and implement REAL ID, well, just listen to this guy.

"Understandably it's going to create some burden in terms of cost for states," he said. "But it's righteous. And shame on us if we don't take the steps now to address known vulnerabilities because the alternative is sitting back and hoping you get lucky." - Washington Post

Righteous? The Third Reich was righteous, too. Or so said its leader.
DHS has previously said that the new system would not amount to a national ID (it will) and would not be an invasion of people's privacy (it will also), assertions that are absurd on their face and insulting to all Americans.

Of course, this isn't really about terrorism at all, says the Wall Street Journal's editors:

"Real ID was always more about harassing Mexican illegals than stopping Islamic terrorists. . . . For unexplained reasons, immigration restrictionists are convinced that preventing illegal aliens from obtaining drivers licenses will result in fewer illegal aliens, rather than merely more unlicensed and uninsured motorists."

That figures. "Illegal immigrants" come here to work, and DHS is determined to put them on the welfare rolls instead. We need a national ID for this?

From rforno at infowarrior.org Wed May 9 13:07:56 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 09 May 2007 09:07:56 -0400
Subject: [Infowarrior] - US Gov cyber insecurity incidents
In-Reply-To: <6.2.1.2.1.20070507222415.02a14d60@mail.sigecom.net>
Message-ID:

(via dataloss and almac)

Here's the report card (PDF) that The House Committee on Oversight and Government Reform issues each year on cyber security at various government agencies.

http://republicans.oversight.house.gov/Media/PDFs/FY06FISMA.pdf

In the wake of the VA incident, The House Committee on Oversight and Government Reform asked all federal agencies for details on any other incidents involving loss of personal sensitive information. They learned about 788 incidents Jan 2003-July 2006. By my math, that's more than one every other day on average.

I saw an article about this & went hunting for original source (url below). Well looks like this data was gathered about a year ago, but then in some cases more info came out that showed the data was incomplete.

Every federal agency has computer security breaches. They do not always know what data has been lost.
The vast majority of the breaches are the loss of hardware, such as theft of laptops. Many of the breaches are by private contractors.

Dept of Agriculture: 8 incidents
Dept of Commerce: 297 incidents
Dept of Defence: 43 incidents
Dept of Education: 41 incidents
Dept of Energy: 7 incidents
Dept of Health & Human Services: 24 incidents
Dept of Homeland Security: 6 incidents, but the committee continues to ask hard questions
http://www.sans.org/newsletters/newsbites/newsbites.php?vol=9&issue=36&rss=Y#sID202
Dept of Housing and Urban Development: 1 incident
Dept of Interior: 8 incidents
Dept of Justice: 2 incidents
Dept of Labor: 3 incidents
Dept of State: 1 incident, but got grade F for cyber security from House Committee on Oversight etc.
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1251763,00.html
Dept of Transportation: 1 incident ... a subsequent FOIA inquiry found out a ton of other incidents
Dept of Treasury: 340 incidents
Dept of Veteran Affairs: ... hundreds of incidents
Office of Personnel Management: 3 incidents
Social Security Administration: 3 incidents

Example incidents are given on each agency:
http://209.85.165.104/search?q=cache:etHfNZnxgEUJ:oversight.house.gov/Documents/20061013145352-82231.pdf+Oversight+Reform+compromise+sensitive&hl=en&ct=clnk&cd=2&gl=us

Systemic failure at the White House protecting classified information..
http://oversight.house.gov/story.asp?ID=1264 From rforno at infowarrior.org Thu May 10 15:12:22 2007 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 10 May 2007 11:12:22 -0400 Subject: [Infowarrior] - Pentagon restricting testimony in Congress Message-ID: Pentagon restricting testimony in Congress Blocks staff of lower rank By Bryan Bender, Globe Staff | May 10, 2007 http://www.boston.com/news/nation/washington/articles/2007/05/10/pentagon_restricting_testimony_in_congress?mode=PF WASHINGTON -- The Pentagon has placed unprecedented restrictions on who can testify before Congress, reserving the right to bar lower-ranking officers, enlisted soldiers, and career bureaucrats from appearing before oversight committees or having their remarks transcribed, according to Defense Department documents. Robert L. Wilkie, a former Bush administration national security official who left the White House to become assistant secretary of defense for legislative affairs last year, has outlined a half-dozen guidelines that prohibit most officers below the rank of colonel from appearing in hearings, restricting testimony to high-ranking officers and civilians appointed by President Bush. The guidelines, described in an April 19 memo to the staff director of the House Armed Services Committee, add that all field-level officers and enlisted personnel must be "deemed appropriate" by the Department of Defense before they can participate in personal briefings for members of Congress or their staffs; in addition, according to the memo, the proceedings must not be recorded. Wilkie's memo also stipulated that any officers who are allowed to testify must be accompanied by an official from the administration, such as Secretary of Defense Robert Gates and his top-level aides. Both Democrats and Republicans in Congress see the move as a blatant attempt to bog down investigations of the war.
But veterans of the legislative process -- who say they have never heard of such guidelines before -- maintain that the Pentagon has no authority to set such ground rules. The guidelines would not affect congressional subpoenas, which can compel anyone to appear before lawmakers. As a result, several lawmakers have pledged privately to use that power if the Pentagon's guidelines stymie their efforts to get information from specific sectors of the military. Wilkie declined to be interviewed for this story, but a Pentagon spokesman confirmed that the guidelines are new. "The memo was a way to establish guidelines on how junior officers and the enlisted be contacted on their participation in the aforementioned briefings," Army Lieutenant Colonel Brian Maka said in a statement yesterday. Even so, the guidelines, a copy of which was provided to the Globe by a Democratic aide, have already set off one highly unusual confrontation between Pentagon lawyers and the newly created House oversight and investigations subcommittee, according to several congressional officials who witnessed the exchange. At a closed-door hearing a few days after Wilkie's memo was distributed, Defense Department lawyers sought to apply the guidelines to the testimony of three Army officers -- a captain, a major, and a lieutenant colonel -- set to testify about their first-hand experience training Iraqi security forces. A few minutes into the proceedings, a representative from the Pentagon's Office of General Counsel tried to apply the new provisions. Speaking from the audience, he declared that the officers could not participate if the meeting was being recorded for a transcript -- a regular practice in congressional hearings. The panel's Democratic chairman, Representative Martin Meehan of Lowell, and ranking Republican W. Todd Akin of Missouri both insisted a transcript would be kept and the Pentagon entourage, including the officers, "theatrically stormed out of the room," said one attendant.
Veterans of Capitol Hill scoffed at the Pentagon's restrictions on who can talk to lawmakers. "If I was the staff director I would say why the hell should I care who you want to appear before my committee," said Winslow Wheeler, who worked for three Republican senators and one Democrat in a 30-year career as a top congressional aide. He called Wilkie's memo "embarrassing." The memo has fueled complaints that the Bush administration is trying to restrict access to information about the war in Iraq. The special House oversight panel, according to aides, has written at least 10 letters to the Pentagon since February seeking information and has received only one official reply. Nor has the Pentagon fully complied with repeated requests for all the monthly assessments of Iraqi security forces, reports compiled by US military advisers embedded with Iraqi units. Some on Capitol Hill are focusing their frustrations on Wilkie. Before the Senate confirmed him last fall, Wilkie -- an aide to former GOP senator Jesse Helms of North Carolina -- was a senior director of the National Security Council in the White House from 2003 to 2005. Wilkie was also the "principal staffer and editor of the national security section of the 2000 Republican Party Presidential Platform," according to his official biography. Wilkie is currently responsible for providing "guidance for centralized direction, integration, and control of DoD legislative affairs and liaison activities with the US Congress," according to a September 2006 Pentagon job description. Several congressional officials accused him of attempting to muzzle the military's lower ranks, which are more likely to give Congress an unvarnished opinion compared with the top-level Pentagon brass, who typically seek to further the Bush administration's policies.
Wilkie's guidelines stipulate, for example, that "junior officers" -- any officer at or below the rank of colonel, as well as noncommissioned officers -- "may provide support to briefers and witnesses, but shall not be asked or required to have their names entered into the record or speak on the record," according to the memo, which was sent to Erin Conaton, the armed services panel staff director. The guidelines claim the right to provide Congress only with witnesses who are Bush administration appointees -- as opposed to longtime senior government officials who do not owe their jobs to the current administration -- to provide sworn testimony. Sandra Stuart, who served as assistant secretary of defense for legislative affairs from 1994 to 1999, said that such specific guidelines are unprecedented. While there has always been "a back and forth and to and fro-ing" between the Pentagon and Congress over what witnesses and information to provide, she said, "I do not recall that there were policies of this sort with that sort of specificity," such as stipulating only colonels and generals could participate in legislative briefings or fact-finding hearings. David Golove, a New York University law professor who specializes in executive power issues, said there appears to be no legal basis for the Pentagon's limits on lower-level officers speaking directly to Congress -- and lawmakers' power on this issue supersedes the military's. "Congress has the power to subpoena anyone in the United States who has information relevant to their proceedings," Golove said. Charlie Savage of the Globe staff contributed to this report. Bryan Bender can be reached at bender at globe.com.
From rforno at infowarrior.org Thu May 10 20:10:07 2007 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 10 May 2007 16:10:07 -0400 Subject: [Infowarrior] - Airlines to be forced to fingerprint departing visitors Message-ID: Airlines to be forced to fingerprint departing visitors By Michael Hampton Posted: May 10, 2007 3:08 am http://www.homelandstupidity.us/2007/05/10/airlines-to-be-forced-to-fingerprint-departing-visitors/ If you're planning a visit to the U.S., you already have to give up your fingerprints and retinal scans to the Department of Homeland Security in order to enter the country. Now the department wants to require every visitor to go through the same procedure in order to leave the country. And they want to force the airlines to collect your biometric information, rather than do it themselves. "They are apoplectic" about the proposal, Rep. John Mica (R-Fla.) said. DHS has been testing self-service exit kiosks where international travelers could fingerprint themselves and officially check out as they left the country, but found that almost no departing travelers actually used the kiosks when departing. Most foreign visitors already have to give up their fingerprints to obtain a visa or upon entry to the U.S. under the US-VISIT program. DHS officials said that an effective exit tracking system would allow them to determine who might be overstaying their visas. "We are hopeful that they will provide us with enough information so that we can start considering a response," [said Bob Davidson, the manager of facilitation services for the International Air Transport Association]. "At present, the industry does not have a clear enough picture to enable us to begin thinking through the ramifications." Angelo Amador, the director of Immigration policy for the U.S. Chamber of Commerce, told UPI that industry concerns centered on the issues of infrastructure -- the cost and practicalities of installing fingerprint readers connected to U.S.-VISIT databases at thousands of check-in desks -- and contingency plans in case of equipment failure. "What will happen if there are technological problems?" he asked. "Will they prevent people from boarding? Make them miss their flights?" -- United Press International Don't forget cost. If you force the airlines to do government work and don't pay them, then ticket prices will rise. Tourism and international business travel to the U.S. are already significantly down, primarily because of potential visitors' concerns about clearing Customs. Higher ticket prices and more complicated exit procedures will cut international travel even more. For most of human history, international travel was not much of a big deal. In the past few decades, the rise of computers and networks has enabled governments to track people more closely, and being governments, they have done exactly that. Whether that is a good thing or a bad thing depends largely on whether you have access to the government databases. But the U.S. has already used this capability to deny entry to people for political reasons entirely unconnected to any potential threat of terrorism. Maybe it makes us safer, but at what cost? The society which would result from this endless drive to make us safe from all potential threats, no matter how remote, resembles nothing more than a police state where every behavior is strictly regulated. Sure, we'd all be perfectly safe and wouldn't have to deal with the government if we never left our rubber rooms. But that's not a society worth living in. It's certainly not a society worth working toward.
From rforno at infowarrior.org Thu May 10 20:14:25 2007 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 10 May 2007 16:14:25 -0400 Subject: [Infowarrior] - Spying in the Death Star: The AT&T Whistle-Blower Tells His Story Message-ID: Spying in the Death Star: The AT&T Whistle-Blower Tells His Story Ryan Singel 05.10.07 | 2:00 AM http://www.wired.com/politics/onlinerights/news/2007/05/kleininterview Mark Klein, a retired AT&T technician, sits quietly at the center of a high-profile legal storm hitting the nation's largest telecommunications companies for allegedly helping the government spy on American citizens' phone and internet communications without court approval. In 2006, Klein stepped forward and handed sensitive AT&T documents to the Electronic Frontier Foundation, a civil liberties group that was preparing a class-action lawsuit against the telecommunications giant. That case and more than 50 similar suits have been consolidated into five master complaints that are now proceeding in a federal court in San Francisco. This summer, the 9th U.S. Circuit Court of Appeals will hear AT&T's appeal of a key ruling that rejected the government's national security concerns and allowed the suit to continue. Those documents are under seal, but Wired News independently acquired and published a significant portion of them last year. They show that AT&T built a network-monitoring facility in a nondescript room at an internet switching hub in San Francisco, at 611 Folsom St. Diagrams in the document show that AT&T technicians split fiber-optic cables handling AT&T's WorldNet internet service -- as well as traffic to and from other major ISPs -- diverting copies of the traffic into the room, which was packed with internet-monitoring equipment. In this rare interview, Klein supplies details of how he first learned about the secret room even before being transferred to the Folsom Street office.
He also lashes out at Congress for failing to hold hearings, and says he won't be satisfied until he can visit the AT&T building and see that the room has been dismantled. Wired News: How did you first find out about the special room at the Folsom Street building? Mark Klein: In 2002, we -- the union technicians -- were notified by support that the (National Security Agency) was coming to interview someone for a special project. That's when I got wind of something. I thought it was odd that the NSA was coming to a phone company because I thought they weren't supposed to be spying domestically after the law was changed in the 1970s. They told us (it was) because the place was small and we had to know to let the person in. I happened to answer the door and I directed him to the guy he was interviewing for this special job. (Editor's note: This took place at the Geary Street central office in San Francisco, where Klein worked before he was transferred to the Folsom Street office.) In January 2003, as we gradually moved under a Folsom Street supervisor.... The Geary Street technicians had a tour of the Folsom building, and one of the technicians on the tour pointed at a door and said, "That's the new secret room and only one guy is allowed in there." In a small office word gets around. People called it So-and-So's secret room and So-and-So worked at my office. (Klein declined to identify the person who worked in the room.) WN: What did you think about the room at the time? Klein: I thought, this is not right. But we were in a tough situation at Geary Street and the company kept making cutbacks, and if I made things worse I might not have had a job. Four jobs were in jeopardy at Geary and I saved my job by getting into Folsom.... Who the hell am I? Who was going to listen to me? So I decided to stay quiet and just take notes. WN: How did you get the three documents? Klein: Two had been given to the techs when they did their cuts.
(Editor's note: "Cuts" here refers to splitting optical fiber.) One guy whose job I was taking on was cleaning out his desk and was about to throw them out, and he said, "Hey, do you want these?" The third document was one a management technician left lying around on top of a router. WN: How many people worked in or on that room? Klein: Two people worked in the secret room, and they were management technicians. The first was downsized out of his job at the end of 2003, and was replaced by a second. A third management tech did not work in the secret room but knew what was going on. I knew all three of them. These guys would occasionally stop by the water cooler to chat with the union technicians in their office area on Folsom Street and they said things they probably shouldn't have. WN: How did you learn more about the room? Klein: Another guy -- he was bragging one day and he pulled out a batch of keys hanging on a chain from under his shirt. And he started saying "this one is for San Diego" and "this one is for Seattle." Later on, I was trying to troubleshoot the network. And I found that when I bypassed the splitter (into the secret room) the network would work. They were screwing up their own network. They were degrading their own network. I called the support line for help and told her what was happening with the cabinet and she said, "That's odd. They are having the same thing at the other offices." I said, "What other offices?" and she said, "San Diego, Seattle, San Jose." I got her information first, so that information matched with the key guy. And I realized this was bigger than I thought. WN: Wired News published some of the documents you provided to other sources. How much did we miss? (Editor's note: Parties in the AT&T case are forbidden from discussing or sharing the documents, but neither Wired News nor Klein is under a gag order.) Klein: I think you got the essence. WN: What information have people missed about the documents? Klein: J. 
Scott Marcus (who served as the FCC's senior adviser for internet technology from July 2001 until July 2005) actually knows more about AT&T at the high-level internet engineering level than I do. (Editor's note: Marcus filed an independent analysis on behalf of the Electronic Frontier Foundation.) In the redacted declaration (.pdf), at pages 10-11, Marcus says that the documents confirm this is not just for network security, and that it is for government spying. He argues that the unit installed has its own backbone. You wouldn't need a separate backbone for network security -- but for government surveillance they do. WN: What made you decide to go public? Klein: What got me back interested was The New York Times' story in December 2005. (Editor's note: The Times reported that the government had been secretly monitoring Americans' phone calls and e-mails that crossed the nation's border since shortly after 9/11 without getting approval from the Foreign Intelligence Surveillance Court, or FISA.) The president admitted the program existed, but only admitted that part which had been exposed -- and he avoided talking about the part that wasn't, which was the internet. The administration sent officials out to defend the program, including (Vice President) Dick Cheney, and they said they didn't think they had to obey FISA.... This was the defense of the indefensible. So I decided if they are going to perpetuate this fraud then I'm going to blow their cover. (Editor's note: Klein gave the documents to several civil rights groups, the New York Times and the Los Angeles Times. Former Los Angeles Times editor Dean Baquet killed reporter Joseph Menn's story on the documents and allegations after meeting with then-director of national intelligence John Negroponte and then-NSA chief Michael Hayden.) Baquet's argument for killing it was weak -- that they didn't understand the documents because they were too technical. That's what outside experts are for. 
That's what the New York Times did when they got the documents. They were basically afraid to touch it after the government suggested they shouldn't. WN: Has AT&T been in contact with you? Klein: They haven't done anything to me, which is confirmation to me that they are doing this. Qwest did the right thing. They asked for a legal document and when the government wouldn't give them one, they said no. The other companies volunteered -- that's my speculation. Maybe they did get some document, but I am skeptical. WN: What do you want to happen now? Klein: I want this program ended. I will be satisfied when I can get a tour of the Folsom Street building and I can see the equipment has been ripped out. I want to see the physical stuff ripped out. I will not be satisfied with assurances from the government that this program is stopped or being overseen by a court. They have embedded spying into the infrastructure of the internet. I'm not sure people are fully conscious of what is going on, and I want it exposed and stopped. WN: Have you tried to talk with members of Congress? Klein: I've called and sent letters to senators and Congress members. They haven't called back. I don't think they want to pursue it. They want to talk about this behind closed doors. These days I am angry at Congress for helping them keep it secret. They could hold hearings and subpoena people and give them immunity. Right now there are people who could come forward and say what they know, but they need immunity. That's the bottleneck. I don't see a resolution coming from this Congress. It's a conspiracy against the American people. WN: Were you scared when you decided to come forward? Klein: I was concerned about taking on the government by myself. When I heard the director of national intelligence was getting involved, that's when I decided to get a lawyer. (Editor's note: Klein is now represented by a team of four lawyers. All four formerly worked as federal prosecutors.) 
WN: Have you heard from former co-workers after you came forward? Klein: Some of the people I used to work with, I would exchange e-mails or see them when someone retired. But I've cut myself off. I haven't wanted to put them in jeopardy, especially the ones that still work there. I still consider them friends. But I'm not lonely. I have other friends. From rforno at infowarrior.org Thu May 10 20:16:03 2007 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 10 May 2007 16:16:03 -0400 Subject: [Infowarrior] - PBS Frontline 5/15: Domestic Surveillance Message-ID: Spying on the Home Front coming May 15, 2007 at 9pm (check local listings) (60 minutes) FRONTLINE addresses an issue of major consequence for all Americans: Is the Bush administration's domestic war on terrorism jeopardizing our civil liberties? Reporter Hedrick Smith presents new material on how the National Security Agency's domestic surveillance program works and examines clashing viewpoints on whether the president has violated the Foreign Intelligence Surveillance Act (FISA) and infringed on constitutional protections. In another dramatic story, the program shows how the FBI vacuumed up records on 250,000 ordinary Americans who chose Las Vegas as the destination for their Christmas-New Year's holiday, and the subsequent revelation that the FBI has misused National Security Letters to gather information. Probing such projects as Total Information Awareness, and its little known successors, Smith discloses that even former government intelligence officials now worry that the combination of new security threats, advances in communications technologies, and radical interpretations of presidential authority may be threatening the privacy of Americans.
http://www.pbs.org/wgbh/pages/frontline/homefront/ From rforno at infowarrior.org Fri May 11 11:46:39 2007 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 11 May 2007 07:46:39 -0400 Subject: [Infowarrior] - Bogus DMCA Threats As A Marketing Strategy Message-ID: Bogus DMCA Threats As A Marketing Strategy http://techdirt.com/articles/20070510/195141.shtml We've seen all sorts of misuses of the DMCA over the years, but this one probably wins the contest, hands down. It's a company (who I will not name for reasons I explain later) that makes DRM technology. Today, the company put out a press release saying that it had sent out cease-and-desist letters to Apple, Microsoft, Adobe and Real for violating the DMCA. And, just how do they claim that these four companies violate the DMCA? Well, in the twisted logic of the press release, "mere avoidance of an effective copyright protection solution is a violation of the act." This isn't actually true, but in a press release you can claim whatever you want. Therefore, the fact that the DRM used by these four companies isn't "effective" (by which the company means not using its own DRM solution) supposedly means that they're violating the DMCA. This is really sneaky for a few reasons, but we're not going to name the company involved because this is clearly a marketing stunt, rather than anything serious. They're abusing the DMCA to get press coverage. First of all, notice that they didn't actually file a DMCA takedown notice or file any actual lawsuit. They simply sent a cease-and-desist (and, of course, their own press release) -- which is effectively meaningless. Cease-and-desist letters can be (and often are) completely ignored. The recipient is under no requirement to follow. In normal circumstances, where a cease-and-desist actually has some weight behind it, it's because the sender of the cease-and-desist will file a lawsuit if the recipient doesn't comply. 
Of course, in this case, the company in question cannot file a DMCA lawsuit, because it has no standing. Even if it were true (and it's not) that having bad copy protection was a DMCA violation, you have to be the copyright holder to file the DMCA notice (otherwise you can get into trouble). This company is not the copyright holder... they're just some no name maker of DRM software that thinks a cheap publicity stunt abusing the DMCA will get them attention. From rforno at infowarrior.org Fri May 11 12:02:49 2007 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 11 May 2007 08:02:49 -0400 Subject: [Infowarrior] - BB: Dumbest DMCA threat EVAR Message-ID: http://www.boingboing.net/2007/05/10/dumbest_dmca_threat_.html > Dumbest DMCA threat EVAR > > Media Rights Technology, a DRM crippleware vendor, has launched what may be > the dumbest DMCA legal threat ever. They are threatening Adobe and Real with > lawsuits for failing to buy their crummy technology. Forbes says that Media > Rights Technology advanced the theory that since the DMCA makes it illegal to > break DRM, companies with broken DRM have to buy someone else's DRM. > > Well, it's a theory. > > Media Rights Technologies (MRT) and BlueBeat.com have issued cease and > desist letters to both companies and to Adobe Systems Inc (nasdaq: ADBE - news > - people ) and Real Networks -- which produce the Adobe Flash Player and Real > Player respectively -- for actively avoiding their X1 SeCure Recording > Control, which they said is an effective copyright protection system. > > MRT and Bluebeat said the failure to use an available copyright protection > solution contravenes the Digital Millennium Copyright Act, which prohibits the > manufacture of any product or technology designed to circumvent a > technological measure that effectively controls access to a copyrighted work > or protects the rights of copyright owners. 
> > They said a failure to comply with the cease and desist order could result > in a federal court injunction and/or the imposition of statutory damages of > 200-2,500 usd per product distributed or sold. From rforno at infowarrior.org Sat May 12 02:53:53 2007 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 11 May 2007 22:53:53 -0400 Subject: [Infowarrior] - House passes bill banning illegal govt eavesdropping Message-ID: (though one wonders if it's illegal already why the need to ban it? -rf) Bill bans illegal govt eavesdropping http://pressesc.com/01178899253_bill_bans_eavedropping_NSA The US house of representatives today passed a bill outlawing illegal domestic wiretapping by the government. An amendment to the House Intelligence Reauthorization Bill by Representatives Adam Schiff (D-CA) and Jeff Flake (R-AZ) states that the Foreign Intelligence Surveillance Act of 1978 (FISA) shall be the exclusive means by which domestic electronic surveillance for the purpose of gathering foreign intelligence information may be conducted, and makes clear that this applies until specific statutory authorization for electronic surveillance, other than as an amendment to FISA, is enacted. "Congress has signaled that it will not allow the president to continue the National Security Agency's illegal eavesdropping," said Caroline Fredrickson, Director of the ACLU's Washington Legislative Office. "Passage of the Schiff/Flake amendment is Congress drawing a line in the sand. This amendment reaffirms that FISA is the law and it needs to be followed." Congress originally passed FISA to provide the exclusive authority for the wiretapping of people in the United States in foreign intelligence investigations to protect national security. As the Senate Report noted, FISA "was designed . . . to curb the practice by which the Executive Branch may conduct warrantless electronic surveillance on its own unilateral determination that national security justifies it."
The Bill ends plans by the Bush Administration that would give the NSA the freedom to pry into the lives of ordinary Americans. The ACLU noted that, despite many recent hearings about "modernization" and "technology neutrality," the administration has not publicly provided Congress with a single example of how current FISA standards have either prevented the intelligence community from using new technologies, or proven unworkable for the agents tasked with following them. "We applaud Congressmen Schiff and Flake for their work to uphold the rule of law," said Michelle Richardson, ACLU Legislative Consultant. "Today is the first move towards Congress growing a backbone. We hope that the Senate will follow their lead and not be swayed by the administration and Department of Justice's unconstitutional attempts to eviscerate FISA." From rforno at infowarrior.org Sat May 12 02:55:14 2007 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 11 May 2007 22:55:14 -0400 Subject: [Infowarrior] - Censorship: The Streisand Effect (Forbes.Com) Message-ID: The Streisand Effect http://www.forbes.com/2007/05/10/streisand-digg-web-tech-cx_ag_0511streisand_print.html A Web user and his information are like a grizzly and her cub. Come between them, and you're likely to get mauled. That's what a group of heavyweight tech and entertainment companies learned last week when they tried to keep the lid on the code that could help break the electronic locks on HD-DVDs. On May 1, someone posted the code, which allows software developers to copy content from high-definition discs, to the social news portal Digg.com. A consortium of companies such as Disney, Microsoft and IBM, who have invested in the disc format, responded with a cease-and-desist letter, trying to strong-arm the site's owners into removing the code. Digg's administrators cooperated; its users didn't.
Crying censorship, they staged a digital riot, covering Digg's pages with links to the banned digits, printing them on T-shirts and immortalizing them in a song that's been played on YouTube more than 200,000 times. Thanks to Digg's rebels, the HD-DVD encryption code has become another victim of the "Streisand effect," an increasingly common backlash that occurs when someone tries to muzzle information on the Web. When the Streisand effect takes hold, contraband doesn't disappear quietly. Instead, it infects the online community in a pandemic of free-speech-fueled defiance, gaining far more attention than it would have had the information's original owners simply kept quiet. The phenomenon takes its name from Barbra Streisand, who made her own ill-fated attempt at reining in the Web in 2003. That's when environmental activist Kenneth Adelman posted aerial photos of Streisand's Malibu beach house on his Web site as part of an environmental survey, and she responded by suing him for $50 million. Until the lawsuit, few people had spotted Streisand's house, Adelman says--but the lawsuit brought more than a million visitors to Adelman's Web site, he estimates. Streisand's case was dismissed, and Adelman's photo was picked up by the Associated Press and reprinted in newspapers around the world. The Internet has been mainstream for more than a decade. But what Streisand and others fail to realize, says Michael Masnick, the tech consultant and writer who named the Streisand effect in his blog, Techdirt, is that the rules of privacy and information control have changed. "Before, you took the hardest legal stance you could," says Masnick. "You sent out cease-and-desist letters with a lot of nasty language. But the Internet has turned that around and allowed people to fight back and get a lot more people outraged."
Michael Fertik owns ReputationDefender, a start-up company that helps individuals and companies manage their online reputation--essentially a Web-centric crisis PR firm. He says he would have taken a subtler approach to Streisand's situation. "You have to reason with people and approach them politely," he says. "People don't like that a large entity can beat up on a little entity, and the power of the Internet has been arrayed to support victims."

Despite these new rules of publicity control, the Streisand effect has its limits. When the celebrity gossip blog Gawker published leaked photos of Brad Pitt and Angelina Jolie's newborn baby in June of last year, Time Inc. threatened them with a lawsuit for infringing its exclusive right to publish the star-child's pictures in the U.S. After a heated exchange between the two media outlets and threats of a lawsuit, Gawker gave in and removed the photos--at least until Time's People magazine had a chance to publish its own spread.

But as the Digg revolt shows, damage control can be difficult even when Web sites respond to legal threats. Last September, Brazilian model and TV personality Daniela Cicarelli demanded that Google's YouTube remove a video clip of her indiscreet sexual behavior on a Spanish beach, which had been filmed by a paparazzo. YouTube obediently pulled the clip, but users continued to upload the file with different names, evading YouTube's filters. Eventually, a Brazilian judge ordered that the site be banned in Brazil until YouTube could effectively remove the video. But the ban only brought more attention to the clip outside of Brazil, as well as inspiring a boycott of her shows by angry Brazilian YouTube fans. Today, YouTube has been unblocked in Brazil, and though Cicarelli's sex clip seems to have disappeared from YouTube, a host of other video sites still feature the footage.

The government of Thailand has run up against similar limits to its power to control the international Web.
Last April, an anonymous YouTube user posted a 44-second video portraying Thailand's king, Bhumibol Adulyadej, as a monkey. The Thai government charged the site with "lèse majesté," insulting the monarch, and rather than ask for the offending video to be removed, banned the site altogether. YouTube users around the world responded by posting a series of Bhumibol-bashing clips, portraying the king as a clown, as various types of animals and as a pedophile. Each clip has been viewed tens of thousands of times, and this week Thailand responded by suing the video site.

But Thailand's lawsuit is more likely to fuel the videos' distribution than to stop them. Attorney Kevin Bankston argues that unlike the laws of Thailand, U.S. law ensures that sites like YouTube are free to act as a platform for defamatory materials posted by users. Bankston, a free-speech advocate for the Electronic Frontier Foundation, cites a provision in the Communications Decency Act stating that communication services aren't responsible for the speech that they enable. That law may have some bearing on the Digg case as well, as the consortium that owns the HD-DVD encryption code considers how to prevent more users from seeing the digits posted on the site.

As for Bankston, he was happy to see Digg's users rebel last week in what he calls "a great flowering of civil disobedience," and he says it should serve as a warning to future censors about the power of the Streisand effect. "The Web," Bankston says, "is like the mythical Hydra. Cut off one of its many heads, and two will grow back in its place."

From rforno at infowarrior.org Sat May 12 02:58:41 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 11 May 2007 22:58:41 -0400
Subject: [Infowarrior] - FBI wary of relying on amateurs
Message-ID:

FBI wary of relying on amateurs
The bureau acknowledges that fighting domestic terror threats requires the assistance of two unreliable allies: the public and informants.
By Josh Meyer, Times Staff Writer
6:50 PM PDT, May 11, 2007

WASHINGTON -- Even as the FBI hails as a major success story its breakup of an alleged plot by "radical Islamists" to kill soldiers at Fort Dix, N.J., federal authorities acknowledge that the case has underscored a troubling vulnerability in the domestic war on terror.

They say the FBI, despite an unprecedented expansion over the past 5 1/2 years, cannot possibly counter the growing threat posed by homegrown extremists without the help of two often unreliable allies.

One is an American public that they lament is prone to averting its attention from suspicious behavior and often reluctant to get involved. The other is a small but growing army of informants, some of whom might be dodgy and in it for the wrong reasons -- such as money, political ax grinding or legal problems of their own.

< - >

http://www.latimes.com/news/nationworld/nation/la-na-terror12may12,0,3732513,full.story?coll=la-home-center

From rforno at infowarrior.org Sat May 12 22:55:35 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 12 May 2007 18:55:35 -0400
Subject: [Infowarrior] - Reminder: Monday is Wiretap the Internet Day
Message-ID:

Reminder: Monday is Wiretap the Internet Day
http://blog.wired.com/27bstroke6/2007/05/reminder_monday.html

May 14th is the official deadline for cable modem companies, DSL providers, broadband over powerline, satellite internet companies and some universities to finish wiring up their networks with FBI-friendly surveillance gear, to comply with the FCC's expanded interpretation of the Communications Assistance for Law Enforcement Act.

Congress passed CALEA in 1994 to help FBI eavesdroppers deal with digital telecom technology. The law required phone companies to make their networks easier to wiretap.
The results: on mobile phone networks, where CALEA tech has 100% penetration, it's credited with boosting the number of court-approved wiretaps a carrier can handle simultaneously, and greatly shortening the time it takes to get a wiretap going. Cops can now start listening in less than a day.

Now that speed and efficiency is coming to internet surveillance. While CALEA is all about phones, the Justice Department began lobbying the FCC in 2002 to reinterpret the law as applying to the internet as well. The commission obliged, and last June a divided federal appeals court upheld the expansion 2-1. (The dissenting judge called the FCC's position "gobbledygook." But he was outnumbered.)

So, if you're a broadband provider (separately, some VOIP companies are covered too) -- Hurry! The deadline has already passed to file an FCC form 445 (.pdf), certifying that you're on schedule, or explaining why you're not.

You can also find the 68-page official industry spec for internet surveillance here. It'll cost you $164.00 to download, but then you'll know exactly what format to use when delivering customer packets to federal or local law enforcement, including "e-mail, instant messaging records, web-browsing information and other information sent or received through a user's broadband connection, including on-line banking activity." There are also third party brokers who will handle all this for you for a fee.

It's worth noting that the new requirements don't alter the legal standards for law enforcement to win court orders for internet wiretaps. Fans of CALEA expansion argue that it therefore won't increase the number of Americans under surveillance.

That's wrong, of course. Making surveillance easier and faster gives law enforcement agencies of all stripes more reason to eschew old-fashioned police work in favor of spying.
The telephone CALEA compliance deadline was in 2002, and since then the amount of court-ordered surveillance has nearly doubled from 2,586 applications granted that year, to 4,015 orders in 2006.

From rforno at infowarrior.org Sun May 13 17:20:11 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 13 May 2007 13:20:11 -0400
Subject: [Infowarrior] - DOD blocking YouTube, Myspace
Message-ID:

(I suspect bandwidth-savings is only part of the reason here.......rf)

DOD blocking YouTube, others
To save bandwidth, officials say several sites to be off-limits at work
By Leo Shane III, and T.D. Flack, Stars and Stripes
Mideast edition, Sunday, May 13, 2007
http://www.estripes.com/article.asp?section=104&article=45834

Starting Monday, the Defense Department will block access to MySpace, YouTube and a host of other sites on official department computers worldwide, in an effort to boost its network efficiency.

Troops and families living on U.S. bases will still be able to view the sites through private Internet networks, but the move leaves servicemembers in Iraq and Afghanistan who use the popular picture- and video-sharing sites with little or no access to them.

Defense officials said the move is solely a reaction to the heavy drain the streaming video and audio can put on the defense computer network.

"We're not passing any judgment on these sites, we're just saying you shouldn't be accessing them at work," said Julie Ziegenhorn, spokeswoman for U.S. Strategic Command. "This is a bandwidth and network management issue. We've got to have the networks open to do our mission. They have to be reliable, timely and secure."

In a message to troops from U.S. Forces Korea commander Gen. B.B. Bell on Friday, he acknowledged many of the sites being blocked are used by troops to keep in touch with family and friends.

"This recreational traffic impacts our official DOD network and bandwidth availability, while posting a significant operational security challenge," he wrote.
Ironically, the Defense Department this year had just begun expanding its own use of YouTube to reach a younger, broader audience and show clips of U.S. troops in action. Multi-National Force - Iraq, U.S. Army Civil Affairs Command in Afghanistan, and the U.S. Army Corps of Engineers in the Gulf Region have all launched new channels on the Web site to highlight recent successes overseas.

Ziegenhorn said that wasn't taken into consideration when the Joint Task Force Global Network Operations began reviewing and flagging sites that posed problems to the network.

"This is all about what is a drain on the system," she said.

A review of the banned sites has been under way since February, she said. And the task force is still considering other problematic addresses to add to the list.

"This will be an ever-evolving discussion, because we need to constantly make sure those networks are available and secure," she said.

The official policy blocking the sites will be released Monday, the same day they go into effect. But Ziegenhorn said most network administrators are already aware of the change.

The individual services have already blocked some sites for the same bandwidth issues. In addition, Defense Department policy prohibits troops or civilian workers from using government computers to access sites with inappropriate content, such as pornography.

From rforno at infowarrior.org Sun May 13 17:21:47 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 13 May 2007 13:21:47 -0400
Subject: [Infowarrior] - Google plans to profile players
Message-ID:

Google plans to profile players
http://www.theage.com.au/news/world/google-plans-to-profile-players/2007/05/12/1178899164199.html
David Adam and Bobbie Johnson
May 13, 2007

INTERNET giant Google has drawn up plans to compile psychological profiles of millions of web users by covertly monitoring the way they play online games.
The company thinks it can glean information about an individual's preferences and personality type by tracking their online behaviour, which could then be sold to advertisers. Details such as whether a person is more likely to be aggressive, hostile or dishonest could be obtained and stored for future use, it says.

The move is intended to customise ads shown to players of online video games by tailoring them to specific tastes and interests. But it has worried privacy campaigners, who said the implications of compiling and storing such detailed information were "alarming".

Sue Charman of British online campaign Open Rights Group said: "I can understand why they are interested in this, but I would be deeply disturbed by a company holding a psychological profile. Whenever you have large amounts of information it becomes attractive to people -- we've already seen the American federal Government going to court over data from companies including Google."

The plans are detailed in a patent filed by Google in Europe and the US last month. It says people playing online role-playing games would be particularly good to target, because they interact with other players and make decisions that probably reflect their behaviour in real life.

The patent says user dialogue may be used to characterise the user as, for example, profane, blunt, polite, cautious, aggressive, non-confrontational, stealthy, honest, cooperative or uncooperative. The information could be used to make ads that appear inside the game more "relevant to the user", Google says.

Players who spend a lot of time exploring "may be interested in vacations, so the system may show ads for vacations". And those who spend more time talking to other characters will see ads for mobile phones.

The patent says Google could also monitor people playing on any game console that hooks up to the internet, including the Sony PlayStation, Nintendo Wii and Microsoft's Xbox.
From rforno at infowarrior.org Mon May 14 20:48:12 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 14 May 2007 16:48:12 -0400
Subject: [Infowarrior] - We the people demand a Gadget Bill of Lights
Message-ID:

We the people demand a Gadget Bill of Lights
Mike Elgan
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9019163&source=rss_news10

May 11, 2007 (Computerworld) Sometimes I think the companies that make cell phones, gadgets and PCs never actually use their own products. In particular, one of my biggest complaints is how these vendors put annoying little lights on everything but fail to illuminate their products in ways that are actually useful.

For example, I had a love-hate relationship with my Palm Treo (now replaced by a BlackBerry Pearl). Despite general design ingenuity, it seems that nobody at Palm ever considered the effect of that hideous green light on the Treo. When I would go to bed, the entire room would flash: GREEN! GREEN! GREEN! Turning the phone upside down reduced, but didn't stop, the annoying assault. I typically would have to bury the device under something or hide it in a drawer. Annoyingly, nobody knows what that green light is for, and even worse, you can't turn it off.

My BlackBerry Pearl is better. The flashing red light is at least explicable -- it means I have unopened e-mail or a pending calendar item. However, I get e-mail every night. Even though I silence my phone, it's just a matter of time before the room starts blinking: RED! RED! RED!

My PC and other computing equipment make my office look like a jet cockpit. I have two LCD monitors, each of which has two indicator lights that flash even when the PC is turned off. The attached sound control has a light on it. My keyboard has multiple lights. The power cord has lights, the printer has lights, and the power button is illuminated. My cable modem and Linksys router flash like crazy all the time.
Together, these useless lights create a visual cacophony of blinking, multicolored lights that make me feel like I'm taking part in a NASA stress test for astronaut candidates.

Worse, my PC, a Dell XPS system, features a decorative blue light in the front bright enough to actually read by. Dell's XPS gaming laptops cast the most hideous red lights through vents, which you can dim but not turn off. Clearly, the vendor thinks bright, decorative lights are cool. You know what would be cool? Hire a case designer with good taste. That would be cool. It's only a matter of time before Apple produces a TV ad showing the guy who says, "Hi, I'm a PC" covered in Christmas lights.

My laptop is no better. It has lights telling me if it's plugged in, both on the power cord and the laptop itself. Other lights display equally vital information about the laptop's current state.

All these lights on all these gadgets aren't just passive indicator lights. They aggressively cast an actual beam of light that, in the dark, lights up nearby walls or even whole rooms.

While most devices have "nag" lights that actively annoy and fail to inform, many gadgets often fail to provide lights where I really need them. For example, most laptops don't have a light that illuminates the keyboard. So when I'm on an airplane with my laptop, I have to partly close the screen and use the display light to see the keys. Sometimes I use my desktop PC in a dimly lit room, and when I do, I'd love to have a light on the keyboard so it's easier to use.

People use all kinds of devices in the dark. For example, digital cameras have automated, intelligent features for taking better pictures in darkness. Yet there's often no way to activate those features without a separate flashlight.

The list of light-related annoyances goes on and on. Enough!
It's time we consumers demand that gadget designers and manufacturers do something about where, how and why they put lights all over the devices that we bring into our homes and that affect the aesthetic quality of our lives.

If you agree -- if you're annoyed by the placement, intensity or lack of user-controllability of lights on your electronics -- send the following Gadget Bill of Lights directly to every manufacturer that tramples our right to own gadgets that don't annoy us:

The Gadget Bill of Lights

Gadget and PC makers: If you want happy users and more repeat business, heed our call and stop torturing us with bad decisions about the lights on your products. Here is our Gadget Bill of Lights:

I. The right of the people to get a good night's sleep shall not be infringed. Gadget makers shall make no device that lights up any dark room with flashing nag lights.

II. Excessive LED brightness, deemed cruel and unusual punishment, shall not be inflicted when dimmer lights will do.

III. Gadget makers shall make no device that nags the people for unknown reasons. If a phone flashes at us, we have the right to know why.

IV. No indicator light shall illuminate our houses or places of business without the consent of the owner. We seek the option to turn lights off.

V. An aesthetically pleasing industrial design, being necessary for the placement of electronics in various locations in our homes, shall not include inextinguishable decorative lighting. (We're talking to YOU, Dell.)

VI. In all scenarios in which products may be used in partial or total darkness, the people shall enjoy the right to optional lighting that enables users to locate various controls, keys and buttons.

Mike Elgan is a technology writer and former editor of Windows Magazine. He can be reached at mike.elgan at elgan.com or his blog: http://therawfeed.com.
From rforno at infowarrior.org Tue May 15 11:33:23 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 15 May 2007 07:33:23 -0400
Subject: [Infowarrior] - White House Edits to Privacy Board's Report Spur Resignation
Message-ID:

White House Edits to Privacy Board's Report Spur Resignation
By John Solomon and Ellen Nakashima
Washington Post Staff Writers
Tuesday, May 15, 2007; A05
http://www.washingtonpost.com/wp-dyn/content/article/2007/05/14/AR2007051402198.html

The Bush administration made more than 200 revisions to the first report of a civilian board that oversees government protection of personal privacy, including the deletion of a passage on anti-terrorism programs that intelligence officials deemed "potentially problematic" intrusions on civil liberties, according to a draft of the report obtained by The Washington Post.

One of the panel's five members, Democrat Lanny J. Davis, resigned in protest Monday over deletions ordered by White House lawyers and aides. The changes came after the congressionally created Privacy and Civil Liberties Oversight Board had unanimously approved the final draft of its first report to lawmakers, renewing an internal debate over the board's independence and investigative power.

Some of the changes sought by the administration ultimately were reversed, and some members of the panel said they were not opposed to the others. But one section deleted by the administration would have divulged that the Office of the Director of National Intelligence's civil liberties protection officer had "conducted reviews of the potentially problematic programs and has established procedures" for intelligence officials to file complaints about possible civil liberties and privacy abuses. The passage would have been the first public disclosure of an internal review identifying such potentially intrusive intelligence programs.
In its place, White House officials suggested more modest language, which ended up as a substitution in the final report.

"I think that kind of involvement does a disservice to any notion of independence by the board and therefore subtracts greatly from the necessary independence that would give the board credibility," said Richard Ben-Veniste, a member of the Sept. 11 commission, which recommended the creation of the privacy board.

The panel was created by Congress to address concerns about the government's growing anti-terrorism surveillance powers but placed under the supervision of the White House without investigative tools such as subpoenas. Some in Congress are pushing to make the board completely independent.

White House spokeswoman Dana Perino called the editing "standard operating procedure," saying it was appropriate because the board remains legally under the supervision of the Executive Office of the President.

"When you have a formal document going to Congress from any part of the Executive Office of the President, it stands to reason that it must be formally reviewed before it is released," Perino said Monday evening.

The board's vice chairman, Republican Alan Raul, said Monday that he was not concerned about the revisions or the White House's dealings with the board. "I never considered it as though the board was yielding control over the document, but rather obtaining useful review and input," Raul said.

But Davis's resignation letter cited "the extensive redlining of the board's report to Congress by administration officials and the majority of the board's willingness to accept most" of the changes.

The 200-plus changes, most of them deletions, ranged from minor factual and grammatical corrections to revisions of whole passages. The board's report was made public in mid-April.
One change that stirred significant controversy among panel members was the deletion by White House aides of a passage on concerns about federal prosecutors' ability to detain "material witnesses" indefinitely in terrorism cases. It was reversed after protests by panel members.

Chairman Carol E. Dinkins told board members March 29 that the White House counsel's office had asked to delete the passage, fearing the revelation might inflame the ongoing political controversy over the administration's dismissal of nine U.S. attorneys, according to documents and interviews with board members.

Administration aides, speaking on the condition of anonymity because White House deliberations with the board are considered private, confirmed that the deletion was requested because of concerns the passage might be construed as White House examination of U.S. attorneys' conduct while Congress was investigating presidential aides' role in the firings. The board was able to persuade White House counsel Fred F. Fielding to restore the material.

Another significant revision was the deletion of a reference to the panel's plan to investigate how the Department of Homeland Security assigns "risk" ratings to people entering the United States under the Automated Targeting System. The controversial program's scope has expanded over the past decade from screening cargo to targeting allegedly dangerous travelers, foreign and American. Customs officials have said they store the risk assessments for up to 40 years.

"The privacy board is right to want to investigate the program," said Marc Rotenberg, executive director of the Electronic Privacy Information Center. "It sounds like the White House is trying to bury the issue."

Fielding is trying to arrange a meeting between remaining board members and President Bush in the hope of addressing lingering concerns about the revisions, officials said.
Davis served as a special counsel to President Bill Clinton in the 1990s and has been friends with Bush since their college days at Yale. He was appointed to the board by the White House.

Davis's resignation letter cited disagreements about whether the board should expand its scope to investigate civil liberties abuses of non-Americans. Davis wrote that he was "concerned that there may be current and developing anti-terrorist programs affecting civil liberties and privacy rights of which the board has neither complete knowledge nor ready access."

In a May 8 letter to Dinkins, Thomas H. Kean and Lee H. Hamilton, co-chairmen of the Sept. 11 commission, also questioned the board's effectiveness. "There are wide-ranging concerns expressed by the American public with respect to privacy and civil liberties beyond those you raise in your report," including the treatment of detainees at Guantanamo Bay, Cuba.

Dinkins, the chairwoman, said she did not share most of Davis's concerns but was disappointed he resigned. The White House and other board members believed they had resolved them when Davis signed on to the report's final version, she said. "We paid close attention to Lanny," she said.

The document obtained by The Post shows the lengths that White House officials went to in order to make some changes. One deleted passage divulged that the board had sent a letter in late January asking Bush to issue an executive order to all federal agencies to fully cooperate with the privacy board. It was prompted by board members' concerns, including a lengthy delay in receiving a briefing on the National Security Agency's warrantless eavesdropping program and White House efforts to keep the media from attending a planned public board meeting scheduled just weeks before last November's election.
From rforno at infowarrior.org Tue May 15 14:29:27 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 15 May 2007 10:29:27 -0400
Subject: [Infowarrior] - Gonzales proposes new crime: "Attempted" copyright infringement
Message-ID:

Gonzales proposes new crime: "Attempted" copyright infringement
Posted by Declan McCullagh
http://news.com.com/8301-10784_3-9719339-7.html

Attorney General Alberto Gonzales is pressing the U.S. Congress to enact a sweeping intellectual property bill that would increase criminal penalties for copyright infringement, including "attempts" to commit piracy.

"To meet the global challenges of IP crime, our criminal laws must be kept updated," Gonzales said during a speech before the U.S. Chamber of Commerce in Washington on Monday.

The Bush administration is throwing its support behind a proposal called the Intellectual Property Protection Act of 2007, which is likely to receive the enthusiastic support of the movie and music industries and would represent the most dramatic rewrite of copyright law since a 2005 measure dealing with pre-release piracy.

The IPPA would, for instance:

* Criminalize "attempting" to infringe copyright. Federal law currently punishes not-for-profit copyright infringement with between 1 and 10 years in prison, but there has to be actual infringement that takes place. The IPPA would eliminate that requirement. (The Justice Department's summary of the legislation says: "It is a general tenet of the criminal law that those who attempt to commit a crime but do not complete it are as morally culpable as those who succeed in doing so.")

* Create a new crime of life imprisonment for using pirated software. Anyone using counterfeit products who "recklessly causes or attempts to cause death" can be imprisoned for life. During a conference call, Justice Department officials gave the example of a hospital using pirated software instead of paying for it.

* Permit more wiretaps for piracy investigations.
Wiretaps would be authorized for investigations of Americans who are "attempting" to infringe copyrights.

* Allow computers to be seized more readily. Specifically, property such as a PC "intended to be used in any manner" to commit a copyright crime would be subject to forfeiture, including civil asset forfeiture. Civil asset forfeiture has become popular among police agencies in drug cases as a way to gain additional revenue, and is problematic and controversial.

* Increase penalties for violating the Digital Millennium Copyright Act's anti-circumvention regulations. Criminal violations are currently punished by jail times of up to 10 years and fines of up to $1 million. The IPPA would add forfeiture penalties too.

* Add penalties for "intended" copyright crimes. Currently certain copyright crimes require someone to commit the "distribution, including by electronic means, during any 180-day period, of at least 10 copies" valued at over $2,500. The IPPA would insert a new prohibition: actions that were "intended to consist of" distribution.

* Require Homeland Security to alert the Recording Industry Association of America. That would happen when compact discs with "unauthorized fixations of the sounds or sounds and images of a live musical performance" are attempted to be imported. Neither the Motion Picture Association of America nor the Business Software Alliance (nor any other copyright holder such as photographers, playwrights, or news organizations, for that matter) would qualify for this kind of special treatment.

A representative of the Motion Picture Association of America told us: "We appreciate the department's commitment to intellectual property protection and look forward to working with both the department and Congress as the process moves ahead."

What's still unclear is the kind of reception this legislation might encounter on Capitol Hill.
Gonzales may not be terribly popular, but Democrats do tend to be more closely aligned with Hollywood and the recording industry than the GOP. (A few years ago, Republicans even savaged fellow conservatives for allying themselves too closely with copyright holders.)

A spokeswoman for Rep. Howard Berman, the California Democrat who heads the House Judiciary subcommittee that focuses on intellectual property, said the congressman is reviewing proposals from the attorney general and from others. The aide said the Hollywood politician plans to introduce his own intellectual property enforcement bill later this year but said his office is not prepared to discuss any details yet.

One key Republican was less guarded. "We are reviewing (the attorney general's) proposal. Any plan to stop IP theft will benefit the economy and the American worker," said Rep. Lamar Smith of Texas, who's the top Republican on the House Judiciary committee. "I applaud the attorney general for recognizing the need to protect intellectual property."

Still, it's too early to tell what might happen. A similar copyright bill that Smith, the RIAA, and the Software and Information Industry Association announced with fanfare last April never went anywhere.

News.com's Anne Broache contributed to this report

From rforno at infowarrior.org Thu May 17 12:51:33 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 17 May 2007 08:51:33 -0400
Subject: [Infowarrior] - Dramatic 2004 pushback against WH on wiretapping
Message-ID:

Gonzales Hospital Episode Detailed
Ailing Ashcroft Pressured on Spy Program, Former Deputy Says
http://www.washingtonpost.com/wp-dyn/content/article/2007/05/15/AR2007051500864.html
By Dan Eggen and Paul Kane
Washington Post Staff Writers
Wednesday, May 16, 2007; A01

On the night of March 10, 2004, as Attorney General John D. Ashcroft lay ill in an intensive-care unit, his deputy, James B. Comey, received an urgent call. White House Counsel Alberto R.
Gonzales and President Bush's chief of staff, Andrew H. Card Jr., were on their way to the hospital to persuade Ashcroft to reauthorize Bush's domestic surveillance program, which the Justice Department had just determined was illegal. In vivid testimony to the Senate Judiciary Committee yesterday, Comey said he alerted FBI Director Robert S. Mueller III and raced, sirens blaring, to join Ashcroft in his hospital room, arriving minutes before Gonzales and Card. Ashcroft, summoning the strength to lift his head and speak, refused to sign the papers they had brought. Gonzales and Card, who had never acknowledged Comey's presence in the room, turned and left. The sickbed visit was the start of a dramatic showdown between the White House and the Justice Department in early 2004 that, according to Comey, was resolved only when Bush overruled Gonzales and Card. But that was not before Ashcroft, Comey, Mueller and their aides prepared a mass resignation, Comey said. The domestic spying by the National Security Agency continued for several weeks without Justice approval, he said. "I was angry," Comey testified. "I thought I just witnessed an effort to take advantage of a very sick man, who did not have the powers of the attorney general because they had been transferred to me." The broad outlines of the hospital-room conflict have been reported previously, but without Comey's gripping detail of efforts by Card, who has left the White House, and Gonzales, now the attorney general. His account appears to present yet another challenge to the embattled Gonzales, who has strongly defended the surveillance program's legality and is embroiled in a battle with Congress over the dismissals of nine U.S. attorneys last year. It also marks the first public acknowledgment that the Justice Department found the original surveillance program illegal, more than two years after it began. 
Gonzales, who has rejected lawmakers' call for his resignation, continued yesterday to play down his own role in the dismissals. He identified his deputy, Paul J. McNulty, who announced his resignation Monday, as the aide most responsible for the firings. "You have to remember, at the end of the day, the recommendations reflected the views of the deputy attorney general," Gonzales said at the National Press Club. "The deputy attorney general would know best about the qualifications and the experiences of the United States attorneys community, and he signed off on the names," he added. Those comments appear to differ, at least in emphasis, from earlier remarks by Gonzales, who has previously laid much of the responsibility for the dismissals on his ex-chief of staff, D. Kyle Sampson. They stand in contrast to testimony and statements from McNulty, who has acknowledged signing off on the firings but has told Congress he was surprised when he heard about the effort. The Justice Department and White House declined to comment in detail on Comey's testimony, citing internal discussions of classified activities. The warrantless eavesdropping program was approved by Bush after the Sept. 11, 2001, attacks. It allowed the NSA to monitor e-mails and telephone calls between the United States and overseas if one party was believed linked to terrorist groups. The program was revealed in late 2005; Gonzales announced in January that it had been replaced with an effort that would be supervised by a secret intelligence court. The crisis in March 2004 stemmed from a review of the program by the Justice Department's Office of Legal Counsel, which raised "concerns as to our ability to certify its legality," according to Comey's testimony. Ashcroft was briefed on the findings on March 4 and agreed that changes needed to be made, Comey said. 
That afternoon, Ashcroft was rushed to George Washington University Hospital with a severe case of gallstone pancreatitis; on March 9, his gallbladder was removed. The standoff between Justice and White House officials came the next night, after Comey had refused to certify the surveillance program on the eve of its 45-day reauthorization deadline, he testified. About 8 p.m. on March 10, Comey said that his security detail was driving him home when he received an urgent call from Ashcroft's chief of staff, David Ayres, who had just received an anxious call from Ashcroft's wife, Janet. The White House -- possibly the president -- had called, and Card and Gonzales were on their way. Furious, Comey said he ordered his security detail to turn the car toward the hospital, careening down Constitution Avenue. Comey said he raced up the stairs of the hospital with his staff, beating Card and Gonzales to Ashcroft's room. "I was concerned that, given how ill I knew the attorney general was, that there might be an effort to ask him to overrule me when he was in no condition to do that," Comey said, saying that Ashcroft "seemed pretty bad off." Mueller, who also was rushing to the hospital, spoke by phone to the security detail protecting Ashcroft, ordering them not to allow Card or Gonzales to eject Comey from the hospital room. Card and Gonzales arrived a few minutes later, with Gonzales holding an envelope that contained the executive order for the program. Comey said that, after listening to their entreaties, Ashcroft rebuffed the White House aides. "He lifted his head off the pillow and in very strong terms expressed his view of the matter, rich in both substance and fact, which stunned me," Comey said. Then, he said, Ashcroft added: "But that doesn't matter, because I'm not the attorney general. There is the attorney general," and pointed at Comey, who was appointed acting attorney general when Ashcroft fell ill. Later, Card ordered an 11 p.m. meeting at the White House. 
But Comey said he told Card that he would not go on his own, pulling then-Solicitor General Theodore Olson from a dinner party to serve as witness to anything Card or Gonzales told him. "After the conduct I had just witnessed, I would not meet with him without a witness present," Comey testified. "He replied, 'What conduct? We were just there to wish him well.' " The next day, as terrorist bombs killed more than 200 commuters on rail lines in Madrid, the White House approved the executive order without any signature from the Justice Department certifying its legality. Comey responded by drafting his letter of resignation, effective the next day, March 12. "I couldn't stay if the administration was going to engage in conduct that the Department of Justice had said had no legal basis," he said. "I just simply couldn't stay." Comey testified he was going to be joined in a mass resignation by some of the nation's top law enforcement officers: Ashcroft, Mueller, Ayres and Comey's own chief of staff. Ayres persuaded Comey to delay his resignation, Comey testified. "Mr. Ashcroft's chief of staff asked me something that meant a great deal to him, and that is that I not resign until Mr. Ashcroft was well enough to resign with me," he said. The threat became moot after an Oval Office meeting March 12 with Bush, Comey said. After meeting separately with Comey and Mueller, Bush gave his support to making changes in the program, Comey testified. The administration has never disclosed what those changes were. Staff researcher Julie Tate contributed to this report. 
From rforno at infowarrior.org Fri May 18 11:57:00 2007 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 18 May 2007 07:57:00 -0400 Subject: [Infowarrior] - CALEA: It doesn't apply to universities and libraries after all Message-ID: CALEA: It doesn't apply to universities and libraries after all http://arstechnica.com/news.ars/post/20070517-calea-it-doesnt-apply-to-universities-and-libraries-after-all.html By Nate Anderson | Published: May 17, 2007 - 11:32PM CT Back in 2005-2006, when CALEA was being expanded to cover broadband providers and VoIP companies, libraries and universities raised a massive ruckus over the plan. Their worry was that CALEA would require any network that connected to the public Internet to comply with FBI wiretapping guidelines; universities across the country would be faced with a multibillion dollar bill for upgrading their networks. Now that the new CALEA rules are in effect (the deadline for compliance was Monday), how are universities and libraries handling the issue? In large part, they aren't. That's because the FCC and the Department of Justice clarified some of the CALEA provisions last year after several educational library groups took them to court. Even after the various rulings were handed down, "much information related to the CALEA order remains confusing and incomplete," according to EDUCAUSE, one of the groups involved in the cases. Despite the vagueness of several key provisions and terms, this much became clear after the court decisions: "with rare possible exceptions, universities, colleges, and libraries are exempt from CALEA." Networks are exempt from the electronic surveillance rules if they meet two tests: they must be private, and the institution that runs them must not "support" the Internet connection. 
A "private" network is not actually defined, but legal analysis by educational groups has concluded that universities are private networks so long as they do not offer Internet access to other groups in turn, like municipal organizations or local communities. But this raises a question: how "private" does a private network have to be? Most of the network traffic on college and university networks is generated by faculty, staff, and students of those institutions, but most schools also provide some public access in libraries and other common spaces. Does this mean that the schools lose their CALEA exemption? Most legal opinions we have seen suggest that it does not, but because there is no hard and fast guidance, some suggest erring on the side of caution. American University stopped offering public Internet access in its library earlier this week for exactly this reason. Assuming that a school's network is private, the next question concerns the Internet connection. If the line and routing hardware is maintained by a telecommunications company, then the school remains exempt from CALEA. If the school runs its own fiber links to another network or even manages its own gateway router, it may incur obligations under CALEA. If that happens, schools won't need to replace every router on campus, as was once feared. The gateway router may need to be replaced in order to make it easy to siphon off traffic from one IP address or user and funnel it to the feds, but this work can also be handled by a Trusted Third Party (for a fee, of course). In neither case will the entire network architecture need to be reworked. In 2005, when the new rules were being proposed, the FCC noted that CALEA would not be extended to libraries "that acquire broadband Internet access service from a facilities-based provider to enable their patrons for customers to access the Internet." 
The American Library Association worries that this isn't good enough, though, writing in January 2007 that "it is possible the private network connections that serve libraries still could be subject to CALEA obligations" through their connections to regional library networks or universities. Currently, though, it does not appear that most libraries believe they must comply. Regardless of how CALEA is applied, libraries and universities both have an obligation to comply with government wiretap requests; CALEA simply will make those requests much easier for the feds to make (and it does not currently expand reporting requirements to include e-mail or web browsing information). From rforno at infowarrior.org Mon May 21 01:42:17 2007 From: rforno at infowarrior.org (Richard Forno) Date: Sun, 20 May 2007 21:42:17 -0400 Subject: [Infowarrior] - Estonia computers blitzed, possibly by the Russians Message-ID: Estonia computers blitzed, possibly by the Russians By Steven Lee Myers http://news.com.com/Estonia+computers+blitzed%2C+possibly+by+the+Russians/2100-7349_3-6185120.html Story last modified Sun May 20 06:00:04 PDT 2007 MOSCOW--The computer attacks, apparently originating in Russia, first hit the Web site of Estonia's prime minister on April 27, the day the country was mired in protest and violence. The president's site went down, too, and soon so did those of several departments in a wired country that touts its paperless government and likes to call itself E-stonia. Then the attacks, coming in waves, began to strike newspapers and television stations, then schools and finally banks, raising fears that what was initially a nuisance could have economic consequences. The attacks have peaked and tapered off since then, but they have not ended, prompting officials there to declare Estonia the first country to fall victim to a virtual war. 
"If you have a missile attack against, let's say, an airport, it is an act of war," a spokesman for the Estonian Defense Ministry, Madis Mikko, said Friday in a telephone interview. "If the same result is caused by computers, then how else do you describe that kind of attack?" Officials in Estonia have accused Russia of orchestrating the attacks, officially or unofficially. They raised the issue at a meeting of NATO on Monday, with Defense Minister Jaak Aaviksoo saying that the alliance, which Estonia joined in 2004, needed to urgently debate the question--once seemingly a distant threat--of whether mass computer attacks posed a threat to national security. "Events of this nature make a lot of people sit up," a NATO spokesman, Robert Pszczel, said in a telephone interview. "Today Estonia, tomorrow it could be somebody else." The Kremlin has repeatedly denied government involvement in the attacks, dismissing Estonia's complaints as fabrications. Estonian officials, including Prime Minister Andrus Ansip, have said security officials traced the initial attacks to Russian computer servers, including domains registered to the government and the administration of President Vladimir V. Putin. Since those computers could be used by another party, it is unlikely that involvement of the Russian authorities can be proved, though an Estonian government spokesman, Martin Jasko, said the timing and targets raised suspicion enough. The attacks began on the day that the Estonian authorities removed a Soviet-era war monument that had been the source of protests and diplomatic tensions with Russia for months. Russia reacted vehemently, accusing Estonia, a former republic of the Soviet Union, of besmirching the memory of Soviet soldiers who fought against Nazi Germany. In the days that followed, Russia suspended rail service, ostensibly for track repairs, while protesters in Moscow staged raucous demonstrations, harassing Estonia's ambassador in one instance. 
Senior officials have called for a boycott of Estonian goods, which at least one supermarket chain has observed. The tensions with Estonia, along with Russian disputes with Poland and Lithuania, overshadowed a meeting in southern Russia near the city of Samara on Friday between Putin and the European Union's leaders, including Chancellor Angela Merkel of Germany, the Union's rotating president, and José Manuel Barroso, the president of the European Commission, the Union's governing body. Tensions between Russia and Estonia were discussed at the meeting, but the computer attacks were not, Taneli Lahti, a member of the European delegation, said in a telephone interview. Estonian officials assert that the cyberattack is the largest ever against a country. NATO, which itself came under a similar though smaller attack during its war against Serbia in 1999, sent a computer expert to Estonia this week to observe the attacks firsthand. The computer attacks have inundated Estonia's Web sites, overwhelming servers and forcing them to shut down, sometimes for a few hours, sometimes longer. Mikko, the Defense Ministry spokesman, said sites that typically received 1,000 visits a day had been buried under as many as 2,000 a second. The attacks spiked on May 3, the day of the most boisterous protests in Moscow, and again on May 8 and 9, the days that Europe commemorates the victory over Nazi Germany in World War II. For many Estonians the end of the war ushered in nearly five decades of Soviet occupation, and the monument was a symbol of it. Another spike in attacks occurred on Tuesday, forcing one of Estonia's biggest banks to suspend access from abroad. Another bank faced an attack last week. As the attacks have continued, they are now being traced to computers around the world, from Vietnam to the United States, according to Hillar Aarelaid, the head of the country's newly created Computer Emergency Response Team. 
Aarelaid said attacks involved "botnets," networks of computers that have been compromised by an unauthorized user, who can then command and control them, surreptitiously and usually nefariously. Instructions in Russian on how to attack Estonian sites have circulated on the Internet, he added, suggesting that the world's first cyberwar would continue. "We can't say we have seen the biggest attack yet," he said, "because each wave is bigger than the one before." Copyright © 1995-2007 CNET Networks, Inc. All rights reserved. From rforno at infowarrior.org Mon May 21 11:41:33 2007 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 21 May 2007 07:41:33 -0400 Subject: [Infowarrior] - Google targets ISPs: is there a dark side? Message-ID: Google targets ISPs: is there a dark side? http://apcmag.com/6138/the_dark_side_of_google_apps_for_isps * 20th May 2007 * Angus Kidman * Internet All your ISP email belong to Google: but will it be good for all humankind? Pretty much every Internet service provider on the planet offers email as part of their package, but that doesn't mean they do a particularly good job of it. OK, the majority don't suffer embarrassing outages like Australian ISP BigPond's infamous email meltdown in October 2003, but limited download speeds, variable quality web mail interfaces, tiny online storage quotas and the tie-in effect of choosing an email address linked to a specific provider mean that using an ISP-provided email service often winds up looking like a pretty poor choice. That's especially the case with providers that only offer a limited number of email accounts for each customer (such as the single inboxes offered by BigPond or Unwired, for example, on their cheapest plans). Search giant Google is hoping to change that attitude with the latest expansion to its Google Apps software platform, designed specifically to attract ISPs and other Internet businesses. 
In a characteristically Google-esque move, Google announced the new program in a posting on its blog. "This new version, which we're calling the Partner Edition, makes it easy for large and small service providers to offer your subscribers the latest versions of powerful tools, like Gmail, Google Calendar, and Google Docs & Spreadsheets, without having to worry about hosting, updating, or maintaining any of the services yourself," product manager Hunter Middleton wrote. The slick Gmail interface and multi-gigabyte inbox limit might seem like good selling points for an ISP-branded Gmail service, but Google's fundamental selling point is a single one: laziness. "You can quit spending your resources and time on applications like webmail -- and leave the work to our busy bees at the Googleplex," Middleton wrote. Google may well be on the money here -- APC's past discussions with ISPs have indicated that running the email system for customers and dealing with spam while offering an acceptable amount of reliability is a major cost and headache for companies that, frankly, would prefer to focus on the 'tubes'. However, despite that, there are a few elements of Google's new offering that might give ISPs (and their customers) pause for thought. Unlike the individually accessible Google Apps services, which are primarily supported through advertising, ISPs will have to pay for the service. Google is being rather coy about the pricing, merely inviting ISPs and other interested parties to apply and learn more, but does suggest in its product information page that the service will be offered "affordably". Secondly, while Google talks up the potential for ISPs to customise the service, that might not always be good for end users. For instance, a key selling point of Partner Edition is the ability to "offer subscribers the latest Google applications on your domain". 
If a Gmail account is tied to ispname.com.au, it suddenly becomes a lot less appealing, because, like any other ISP email address, changing ISP means having to tell everyone you know about your new email address. Google hasn't indicated yet whether customers of this ISP-sponsored Gmail will be able to easily port their mail over to a new Gmail address, either. Similarly, the promised storage volume is "up to 10GB". If Google offers ISPs the choice of how much storage space to offer customers (and if less space costs an ISP less dollars) then the chances are that ISPs will offer a minimal amount. For Australian ISPs, there's also the question of whether Google will consider them worth their time, or offer sufficient differentiations. Google's application form categorises ISPs into five size groups, with the smallest covering up to 200,000 customers -- a number that would cover all but Australia's very largest ISPs. Size, in this case, might not be everything. From rforno at infowarrior.org Tue May 22 11:41:56 2007 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 22 May 2007 07:41:56 -0400 Subject: [Infowarrior] - RIAA Takes Cue From The Onion on Music Promotion Message-ID: RIAA Takes Cue From The Onion: Wants Radio Stations To Pay Up For Promoting Music http://techdirt.com/articles/20070521/235819.shtml You know your business is in trouble when you feel the need to start taking cues from the Onion for ways to squeeze more money out of customers. Last year, it was Verizon, who was found to have copied The Onion's satirical "charge-you-at-a-whim" plan. The latest, as submitted by a few folks, is that the RIAA is following the basic recommendation famously laid out by the Onion five years ago to go after radio stations for "giving away free music." It's not quite that bad, but pretty close. The LA Times notes that the RIAA and some musicians are asking Congress to change the law to force radio stations to pay up for promoting their music. 
Of course, radio stations already do have to pay some royalties, but they're for composers and publishers. The actual musicians are exempt from royalties because Congress (correctly) recognized that they get the benefit of their music being promoted. However, the new charge is being led by an original member of the Supremes, Mary Wilson, with the support of the RIAA, complaining that she can't just sit at home and collect royalties and actually has to (gasp!) work to get paid these days. Oh, the horror. If only everyone else could sit at home and get paid for work they did forty years ago. In the meantime, she ignores the fact that radio play is a big part of what helped make the Supremes famous allowing her to make any money from her music at all. It's what drove people to buy the records. It's what drove people to go to the concerts. This is just like the musicians in the UK whining about not extending copyright. They're acting as if this is a welfare system, and the government needs to make sure they keep getting paid for work they did decades ago. From rforno at infowarrior.org Tue May 22 13:28:19 2007 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 22 May 2007 09:28:19 -0400 Subject: [Infowarrior] - Service Outages for XM Customers Continue Into Second Day Message-ID: Ahead of the Bell: XM Satellite Silent Tuesday May 22, 8:43 am ET Service Outages for XM Customers Continue Into Second Day http://biz.yahoo.com/ap/070522/xm_satellite_ahead_of_the_bell.html?.v=1 NEW YORK (AP) -- With XM Satellite Radio service outages entering a second day Tuesday, subscribers from around the country posted increasingly frustrated messages on user Web sites and analysts started raising the prospect of potential cancellations. XM on Monday said some customers had their service disrupted due to software problems, beginning around noon Eastern Time. 
The company did not say how many of its 8 million subscribers were affected, but said it expected the problem to be fixed by Monday evening. Overnight, some subscribers received an e-mail message that anticipated "full signal strength will be restored by early Tuesday morning." But, a string of postings early Tuesday on XMFan.com, an independent Web site, indicated the outages were still widespread. While many comments suggested users were surprised by the reception problems, a few showed increasing frustration that they could not get a signal. Representatives for the company could not be immediately reached early Tuesday, and there was nothing posted on the company's Web site addressing the issue. RBC Capital Markets analyst David Bank said the problem will become an issue for investors if subscribers begin to turn away from the service. "We'll have to find out exactly what happened, whether it's a systemic problem or just a fluke," Bank said. Outside of the "headline risk," or bad publicity associated with the problem, Bank said the service problem is not likely to be a long-term concern. "If the issue is cleared up soon, it's probably not that big a deal, unless it's a systemic issue within the network." The real concern would be if the problems result in lost subscribers, called "churn" in the industry, Bank said, but it is too early to tell if that will result. XM and competitor Sirius Satellite Radio Holdings Inc. are in the midst of trying to combine. In premarket electronic trading, XM shares were flat with Monday's close at $11.14. Sirius shares were up 2 cents at $2.81, from their Monday close at $2.79. 
From rforno at infowarrior.org Wed May 23 11:28:05 2007 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 23 May 2007 07:28:05 -0400 Subject: [Infowarrior] - Google's goal: to organise your daily life Message-ID: Google's goal: to organise your daily life By Caroline Daniel and Maija Palmer Published: May 22 2007 21:08 | Last updated: May 22 2007 21:08 http://www.ft.com/cms/s/c3e49548-088e-11dc-b11e-000b5df10621.html Google's ambition to maximise the personal information it holds on users is so great that the search engine envisages a day when it can tell people what jobs to take and how they might spend their days off. Eric Schmidt, Google's chief executive, said gathering more personal data was a key way for Google to expand and the company believes that is the logical extension of its stated mission to organise the world's information. Asked how Google might look in five years' time, Mr Schmidt said: "We are very early in the total information we have within Google. The algorithms will get better and we will get better at personalisation. "The goal is to enable Google users to be able to ask the question such as 'What shall I do tomorrow?' and 'What job shall I take?'" The race to accumulate the most comprehensive database of individual information has become the new battleground for search engines as it will allow the industry to offer far more personalised advertisements. These are the holy grail for the search industry, as such advertising would command higher rates. Mr Schmidt told journalists in London: "We cannot even answer the most basic questions because we don't know enough about you. That is the most important aspect of Google's expansion." He said Google's newly relaunched iGoogle service, which allows users to personalise their own Google search page and publish their own content, would be a key feature. 
Another service, Google personalised search, launched two years ago, allows users to give Google permission to store their web-surfing history, what they have searched and clicked on, and use this to create more personalised search results for them. Another service under development is Google Recommendations, where the search suggests products and services the user might like, based on their already established preferences. Google does not sell advertising against these services yet, but could in time use them to display more targeted ads to people. Yahoo unveiled a new search technology this year dubbed Project Panama, which monitors what internet users do on its portal, and uses that information to build a profile of their interests. The profiles are then used to display ads to the people most likely to be interested in them. Autonomy, the UK-based search company, is also developing technology for "transaction hijacking", which monitors when internet surfers are about to make a purchase online, and can suggest cheaper alternatives. Although such monitoring could raise privacy issues, Google stresses that the iGoogle and personalisation services are optional. The Information Commissioner's Office in the UK said it was not concerned about the personalisation developments. Earlier this year, however, Google bowed to concerns from privacy activists in the US and Europe, by agreeing to limit the amount of time it keeps information about the internet searches made by its users to two years. Google has also faced concerns that its proposed $3.1bn acquisition of DoubleClick will lead to an erosion of online privacy. Fears have been stoked by the potential for Google to build up a detailed picture of someone's behaviour by combining its records of web searches with the information from DoubleClick's "cookies", the software it places on users' machines to track which sites they visit. Mr Schmidt said this year that the company was working on technology to reduce concerns. 
Copyright The Financial Times Limited 2007 From rforno at infowarrior.org Wed May 23 11:48:47 2007 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 23 May 2007 07:48:47 -0400 Subject: [Infowarrior] - Microsoft man seeks to re-engineer the Web Message-ID: Microsoft man seeks to re-engineer the Web http://www.theinquirer.net/default.aspx?article=39662 By Wendy M. Grossman: Wednesday 16 May 2007, 15:06 KIM CAMERON'S AMBITION is quite modest, really: he just wants to re-engineer the Internet so it has what he calls an "identity layer". Because: "There is no mechanism for knowing who you're talking to." Cameron says he's been working toward this his whole career, but his first big splash was late last year, when he published his paper The Laws of Identity and proposals for A Privacy-Compliant Identity Metasystem (PDF). The latter is the basis of CardSpace, identification technology that is built into Windows Vista and is available for download for XP. Many sites, he says, have it in beta and it is "beginning to ramp up". Cameron calls an "identity" a set of claims. CardSpace's basic unit of authentication, instead of a user ID and password, is the Information Card, which is generated securely on the user's machine. When a site asks for authentication, the user selects (or generates) a card from a graphical display. The information held in the card isn't sent to the site; instead the card generates a security token which completes authentication. A graphical display verifies to the user who owns the site, where the underlying business is located, and so on to help the user verify that the site is genuine. There are various controversies surrounding this idea. First and foremost is the question of why Microsoft didn't join the existing Liberty Alliance, a many-vendor attempt at the same kind of thing. When asked about this at the recent ACM conference on Computers, Freedom, and Privacy, he said he didn't think Liberty was the same thing at all. 
"It doesn't give the user their own agent under their control."

In addition, critics ask what the threat model is (he says this information is, for now, confidential although they are considering publishing it), and what the use case is ("We feel it has to solve all use cases").

It's been a long road to this point. Cameron, a Canadian, fell into computing while studying physics and mathematics at Dalhousie University in Halifax, Nova Scotia. He added an MA in sociology at the University of Montreal, and then quit before writing his doctoral dissertation to join a rock band called Limbo Springs. A bout of teaching led him into a private company where, in the early 1980s, he built an email system called Zoomit, based on the old X.400 standard. The addresses, he says, were "frightening", and made the need for directories "self-evident". Building those was his next project.

And that's where he first came up against the idea of the central authority that everyone would use for everything. Imagine that: it would be incredibly slow, it would be incredibly expensive, but it would be spam-free. "By this time, I thought it's not human nature. It's a multi-centered world. People will be using a bunch of different directories forever. We need to accept it."

He developed a technology called metadirectory, trying to solve the problem of keeping information accurate across different directories while allowing everyone autonomy. That was, he says, the technology that Microsoft bought in 1999. He arrived in Redmond in time to watch the centralised idea play itself out again in Passport, Microsoft's Internet-wide single sign-on service. "It seemed a lot simpler," he says. "You have a single place where you give everybody an identity." Indeed, provided that everyone is willing to let Microsoft own their identity. Unsurprisingly, many people weren't, but it wasn't the total failure people think. Says Cameron, "Passport does a billion authentications a day for Hotmail and so on.
It has 300 million active users. So if you go to the Passport guys and say it wasn't a good idea, they say, 'I do a billion authentications a day. How many do you do?'" Even so, it isn't the direction Cameron thinks is the right one. "It didn't have the quality of being part of a wider identity system."

From rforno at infowarrior.org Wed May 23 12:56:22 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 23 May 2007 08:56:22 -0400
Subject: [Infowarrior] - NVD scope expands
Message-ID:

The National Vulnerability Database (NVD, http://nvd.nist.gov) has expanded its scope to enable organizations to automate and standardize vulnerability management, security measurement, and compliance reporting (e.g., FISMA). Thus, NVD now enables organizations to ensure that information technology assets are configured securely, automate technical control policy compliance checking, customize secure configuration requirements, standardize measurement of low-level vulnerabilities, and integrate vulnerability and product databases using a standards-based approach.

A full announcement is attached that describes the new services and how organizations can benefit from these services. We hope that the information technology security industry and security professionals take advantage of the expanded services. Please do not hesitate to provide any feedback to nvd at nist.gov.
Peter Mell
National Vulnerability Database Program Manager
NIST Computer Security Division
301-975-5572
nvd at nist.gov
http://nvd.nist.gov

From rforno at infowarrior.org Thu May 24 01:32:16 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 23 May 2007 21:32:16 -0400
Subject: [Infowarrior] - OpenNet Initiative looks at net censorship/surveillance
Message-ID:

The OpenNet Initiative is a collaborative partnership of four leading academic institutions: the Citizen Lab at the Munk Centre for International Studies, University of Toronto, Berkman Center for Internet & Society at Harvard Law School, the Advanced Network Research Group at the Cambridge Security Programme, University of Cambridge, and the Oxford Internet Institute, Oxford University.

Our aim is to investigate, expose and analyze Internet filtering and surveillance practices in a credible and non-partisan fashion. We intend to uncover the potential pitfalls and unintended consequences of these practices, and thus help to inform better public policy and advocacy work in this area.

To achieve these aims, the ONI employs a unique multi-disciplinary approach that includes:

1. Development and deployment of a suite of technical enumeration tools and core methodologies for the study of Internet filtering and surveillance;
2. Capacity-building among networks of local advocates and researchers;
3. Advanced studies exploring the consequences of current and future trends and trajectories in filtering and surveillance practices, and their implications for domestic and international law and governance regimes.
http://opennet.net/about

From rforno at infowarrior.org Thu May 24 11:25:08 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 24 May 2007 07:25:08 -0400
Subject: [Infowarrior] - Exceptions to the First Amendment
Message-ID:

Exceptions to the First Amendment
By Michael Hampton
Posted: May 24, 2007 6:45 am
http://www.homelandstupidity.us/2007/05/24/exceptions-to-the-first-amendment/

"Congress shall make no law . . . abridging the freedom of speech, or of the press . . ." Unless, of course, it wants to.

This is the topic of a recent report from the Congressional Research Service titled, "Freedom of Speech and Press: Exceptions to the First Amendment." The First Amendment had exceptions? Where's my copy of the Constitution? I've got to see this.

Now, if you actually go and read the First Amendment, you won't find any exceptions listed. But if you intend to do any public speaking, or perhaps operate a Web site, you might want to become familiar with the exceptions, and perhaps where they came from.

This report provides an overview of the major exceptions to the First Amendment - of the ways that the Supreme Court has interpreted the guarantee of freedom of speech and press to provide no protection or only limited protection for some types of speech. For example, the Court has decided that the First Amendment provides no protection to obscenity, child pornography, or speech that constitutes "advocacy of the use of force or of law violation . . . where such advocacy is directed to inciting or producing imminent lawless action and is likely to incite or produce such action." The Court has also decided that the First Amendment provides less than full protection to commercial speech, defamation (libel and slander), speech that may be harmful to children, speech broadcast on radio and television, and public employees' speech.
Even speech that enjoys the most extensive First Amendment protection may be subject to "regulations of the time, place, and manner of expression which are content-neutral, are narrowly tailored to serve a significant government interest, and leave open ample alternative channels of communication." And, even speech that enjoys the most extensive First Amendment protection may be restricted on the basis of its content if the restriction passes "strict scrutiny," i.e., if the government shows that the restriction serves "to promote a compelling interest" and is "the least restrictive means to further the articulated interest."

- Freedom of Speech and Press: Exceptions to the First Amendment

That's right, if the government says it has a compelling interest in restricting your speech, then it will do so, and the courts will look the other way. As the computer people say, this isn't a bug; it's a feature.

The common law legal system used in the U.S. provides that the law is whatever judges decide it is. These decisions then pile up and become case law, which you're expected to know in addition to the millions of pages of actual written laws on the books. This is why the First Amendment is said to not be absolute: because judges in the past have ruled that the government may restrict speech, regardless of what's written on the piece of paper.

CRS reports are not routinely released to the public. They're prepared for members of Congress and CRS has said it intends to keep it that way. This report was obtained by the Federation of American Scientists.
Link: http://www.fas.org/sgp/crs/misc/95-815.pdf

From rforno at infowarrior.org Thu May 24 23:38:00 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 24 May 2007 19:38:00 -0400
Subject: [Infowarrior] - EU probes Google grip on data
Message-ID:

EU probes Google grip on data
By Maija Palmer in London
Published: May 24 2007 19:49 | Last updated: May 24 2007 19:49
http://www.ft.com/cms/s/dc89ec96-0a24-11dc-93ae-000b5df10621.html

European data protection officials have raised concerns that Google could be contravening European privacy laws by keeping data on internet searches for too long.

The Article 29 working party, a group of national officials that advises the European Union on privacy policy, sent a letter to Google last week asking the company to justify its policy of keeping information on individuals' internet searches for up to two years. The letter questioned whether Google had "fulfilled all the necessary requirements" on data protection.

The data kept by Google includes the search term typed in, the address of the internet server and occasionally more personal information contained on "cookies", or identifier programs, on an individual's computer. This is separate to the personal information Google has begun collecting over the past two years from people who give the group explicit permission to do so.

Standard search information is kept about everyone who uses the search engine, and privacy groups are concerned that even this ostensibly non-personal data can be used to identify individuals and create profiles of their political opinions, religious beliefs and sexual preferences.

Google previously kept such data indefinitely, but in March announced it would limit the storage time to two years, in an attempt to assuage concerns. But many members of the working party feel that even two years is too long to keep data, and the group has asked Google to justify its policy.
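The dispute above is about how long the three identifying fields of a search record (query, requesting address, cookie identifier) stay linked to one person. The following is an added example, not Google's code or policy: it shows how a retention rule is enforced mechanically over a constructed query log, with the two thresholds (coarsen identifiers after one year, delete after two) chosen as assumptions for illustration.

```python
import csv
import ipaddress
from datetime import datetime, timedelta, timezone
from io import StringIO
from typing import Dict, List

# Constructed sample of a search query log (invented rows); the field set
# follows the article: query, requesting address, cookie identifier.
SAMPLE_LOG = """\
ts,client_ip,cookie_id,query
2005-04-01T10:00:00Z,203.0.113.17,c0ffee01,weather helsinki
2006-01-15T08:30:00Z,198.51.100.5,deadbeef,article 29 working party
2006-11-02T22:05:00Z,2001:db8::1234,feedface,cardspace laws of identity
2007-05-20T12:00:00Z,203.0.113.17,c0ffee01,eu data protection
"""


def parse_ts(value: str) -> datetime:
    """Parse the log's UTC timestamp format."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def anonymise_ip(ip: str) -> str:
    """Coarsen an address so it no longer points at one machine: keep the /24
    of an IPv4 address or the /48 of an IPv6 address, zero the rest."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def apply_retention(log_text: str, now: datetime,
                    anonymise_after_days: int = 365,
                    delete_after_days: int = 730) -> List[Dict[str, str]]:
    """Two-stage policy (thresholds are this example's assumptions): rows
    older than delete_after_days are dropped; rows older than
    anonymise_after_days lose their cookie id and get a coarsened address, so
    the query survives for statistics but no longer identifies a person."""
    kept = []
    for row in csv.DictReader(StringIO(log_text)):
        age = now - parse_ts(row["ts"])
        if age > timedelta(days=delete_after_days):
            continue
        if age > timedelta(days=anonymise_after_days):
            row["client_ip"] = anonymise_ip(row["client_ip"])
            row["cookie_id"] = ""
        kept.append(row)
    return kept


def retention_report(now_iso: str) -> Dict[str, int]:
    """Summarise what the policy did to the sample log at the given instant."""
    rows = apply_retention(SAMPLE_LOG, parse_ts(now_iso))
    return {
        "kept": len(rows),
        "anonymised": sum(1 for r in rows if r["cookie_id"] == ""),
        "identifiable": sum(1 for r in rows if r["cookie_id"] != ""),
    }
```

Run against the sample at 2007-05-24, the 2005 row is deleted, the January 2006 row keeps its query but loses the cookie and the last octet of its address, and the two newer rows are untouched. The cookie is the more dangerous field: two rows in the sample share `c0ffee01`, and that is what lets two years of queries be tied together into the kind of profile the working party is worried about.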
Separately, the Norwegian Data Inspectorate began an investigation into Google and other search engine companies last October and has stated that the 18- to 24-month period proposed by Google was too long. "After the service is finished we cannot see reasons why the company should keep the addresses for a longer period. Of course there can be reasons like security, but 18 to 24 months is to our point of view far too long," the inspectorate said.

Peter Fleischer, European privacy counsel for Google, said the company needed to keep search information for some time for security purposes - to help guard against hacking and people trying to misuse Google's advertising system. Mr Fleischer is set to respond to the working party before their next meeting in June. He said other companies such as Yahoo and Microsoft had not yet declared a limit to the information they keep.

Copyright The Financial Times Limited 2007

From rforno at infowarrior.org Fri May 25 01:48:10 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 24 May 2007 21:48:10 -0400
Subject: [Infowarrior] - 'Star Wars' is 30 years old today
Message-ID:

Geeks of the world, unite in celebration and Jedi tomfoolery this weekend! :)

-rf

'Star Wars' is 30 years old today; but is the Force as strong as it once was?
By JOHN LUDWIG
Published: Thursday, May 24, 2007 7:57 PM CDT
http://www.maryvilledailyforum.com/articles/2007/05/24/news/news1.txt
jludwig at maryvilledailyforum.com

It defines the idea of "a cinematic experience" for millions of people worldwide, and today marks the 30th anniversary of the theatrical release of "Star Wars." When it was first released May 25, 1977, the little space-opera-that-could opened in only 40 theaters across the country.
Since that day, the film has made countless people believe in the power of the force and unnumbered young boys daydream of being a Jedi Knight (and, if you were truly honest with yourself, you could admit that as an adult you would still rather be a Jedi Knight than whatever profession you're employed in).

According to Nate Rice, assistant manager of Movie Magic in Maryville, Star Wars still has incredible staying power, both in Hollywood and in the minds of fans around the globe.

"Star Wars, even though it's 30 years old, is still having a great impact in our entertainment," Rice said.

That impact has been so far reaching that the History Channel will air a documentary special this Sunday, "Star Wars: The Legacy Revealed," highlighting the film franchise and its 30-year history while focusing on various real world historical and cultural elements that inspired portions of the film, such as the influence of Japanese samurai on the role of the ever-popular lightsaber.

For many, seeing director George Lucas' Star Wars in the theater was akin to a life-changing moment, and the History Channel's special will include interviews with people who were influenced by the film in some way. Political pundit Stephen Colbert and former NBC anchor Tom Brokaw are just two of the people interviewed for the program, and both talk of the impact the film had on them when they first saw it in theaters.

The Star Wars films have become known for their groundbreaking special effects, which helped to add realism to a very fictional world.

"The graphics from Star Wars just set a precedence that allowed future space movies to start from, because Lucas created a lot of graphics just for the movie," Rice said. "We might look back and think that some of them are lame, but at the time they were mind boggling."
With impressive space scenes, interstellar dogfights, a deep history and its mythological themes, Star Wars has managed to recapture the hearts and minds of each new generation that experiences the films.

"It's the ultimate story, good versus evil, the underdog triumphing over the big giant," Rice said. "You've got friendship, you've got love, responsibility, you've got errors, religious beliefs, and it just keeps going because of those factors. It's just an epic story."

And in celebrating its 30th anniversary, there seems to be no slowing down for the popularity of the saga. Movies, video games, books and virtually everything you can think of has borne the Star Wars logo over the years; but despite all the hype and all the marketing, the movies, and the stories behind them, are still touching movie-goers and still sparking the imaginations of people around the world.

Some movies make a big splash and then disappear from the radar, but Star Wars has tapped the country's consciousness in such a way that it has become as much a part of Americana as baseball and apple pie. It's a movie that has proven again and again that it has staying power, even after six films and 30 years.

Indeed, the Force is strong with this one.

From rforno at infowarrior.org Fri May 25 03:10:06 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 24 May 2007 23:10:06 -0400
Subject: [Infowarrior] - Cyberfearism story
In-Reply-To:
Message-ID:

Estonia notwithstanding, it's been a while since we had a scary gloom-n-doom cyberfearism story......rf

-rf

Attack of the cyber terrorists
by MICHAEL HANLON

At first it would be no more than a nuisance. No burning skyscrapers, no underground explosions, just a million electronic irritations up and down the land. Thousands of government web pages suddenly vanish to be replaced with the Internet's version of the Testcard - that dreaded screen '404 - Not Found' or, more amusingly, some pastiche or parody.
Then the Labour website starts to promise a wholesale renationalisation of the railways. The popular response this generates turns to amusement then bemusement as everything from Jaguar to BT is, the sites claim, to be taken back into state hands.

< - >

From rforno at infowarrior.org Fri May 25 13:05:25 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 25 May 2007 09:05:25 -0400
Subject: [Infowarrior] - iGasm ad rubs Apple up the wrong way
Message-ID:

iGasm ad rubs Apple up the wrong way
http://www.computing.co.uk/vnunet/news/2190671/apple-outraged-igasm-ad
Iain Thomson, vnunet.com, 24 May 2007

Apple is taking legal action against adult retail chain Anne Summers over adverts for a new iGasm sex toy. The device consists of a pair of headphones and a "vibrating unit" which, once plugged into any media player, vibrates in time to the tune.

The adverts use the same silhouette figures as Apple, but with a white cord leading inside the figure's underwear. Apple's solicitors have already fired off a letter to Anne Summers requesting that the advert is taken down. "We hope this request to remove it immediately will prevent us having to consider further action," it reads.

However Anne Summers is taking the request less than seriously. "Perhaps I can send them an iGasm to put a smile back on their faces," company head Jacqueline Gold told the News of the World.

From rforno at infowarrior.org Fri May 25 13:08:07 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 25 May 2007 09:08:07 -0400
Subject: [Infowarrior] - Another trademark-censorship lawsuit
Message-ID:

May 24, 2007
http://www.citizen.org/pressroom/release.cfm?ID=2444

Infomercial Investment Software Company Cannot Silence Criticism of Its Products on the Internet Under First Amendment, Public Citizen Says
Company Cannot Use Trademark Law to Squelch Web Reviews of Infomercial Products

WASHINGTON, D.C. -
A company that markets controversial investment software products through television infomercials cannot suppress criticism of those products on the Internet, the consumer group Public Citizen told a Florida court.

Public Citizen, along with local counsel Robert W. Murphy in Florida, filed a brief late Wednesday in the U.S. District Court for the Middle District of Florida, Orlando Division. They are defending Arizona resident Justin Leonard against a lawsuit filed by affiliated companies Dynetech Corporation and GlobalTec Solutions, LLP. The Dallas-based GlobalTec and its Orlando-based parent company Dynetech claim that Leonard infringed their trademarks by featuring online reviews of their products on his consumer-oriented Web sites.

Public Citizen has asked the court to dismiss the complaint because Leonard's mention of the companies' products on his Web sites is protected by the First Amendment, because Leonard has not violated trademark or other laws and because the court has no jurisdiction over Leonard in Florida.

Leonard is the creator and operator of the sites InfomercialRatings.com and InfomercialScams.com, where users can read and post reviews of infomercial products. His sites are widely read and have been featured in papers such as The New York Times and on influential consumer-information Web sites.

Dynetech and GlobalTec sell financial products and services through television infomercials. The companies sued Leonard on Jan. 24 seeking damages and attorneys' fees, as well as a court order prohibiting Leonard from using the names of GlobalTec's Wizetrade and 4X Made Easy software on his Web sites. GlobalTec's software is marketed for purposes of day trading on the stock market and on foreign currency exchanges. It purports to indicate, with the use of red or green lights, whether an investment is likely to increase or decrease in value over the next several minutes, days or over longer periods of time.
GlobalTec's trademarked product names are used on Leonard's Web sites only to identify the subject matter of relevant consumer reviews, many of which are highly critical of the companies' products.

"Through this lawsuit, GlobalTec is attempting to use trademark and unfair competition laws to silence unwanted criticism about its controversial products," said Deepak Gupta, an attorney with Public Citizen. "Using this logic, any company dissatisfied with a bad review of its products or services - whether in a Web site, printed newspaper or magazine - could bring an infringement action to keep it from being published."

"Because removing GlobalTec's trademarks from the Web sites would make it impossible for consumers to find the product reviews posted there, doing so would subvert Florida's law, which is intended to protect consumers," said Murphy. "Instead, the law would be turned into a tool for companies to conceal consumer complaints."

From rforno at infowarrior.org Fri May 25 13:46:51 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 25 May 2007 09:46:51 -0400
Subject: [Infowarrior] - New US Copyright Alliance hopes to strengthen copyright law
Message-ID:

New Copyright Alliance hopes to strengthen copyright law
http://arstechnica.com/news.ars/post/20070518-new-copyright-alliance-hopes-to-strengthen-copyright-law.html
By Nate Anderson | Published: May 18, 2007 - 11:12AM CT

A new industry-backed Copyright Alliance was launched yesterday in Washington, DC, with the goal of "promoting the value of copyright as an agent for creativity, jobs, and growth." But the group wants to do more than simply get the word out about the value of copyright: it wants to actively strengthen current copyright law. Backed by organizations like the MPAA, NBC, News Corp., Disney, Time Warner, the Business Software Alliance, Microsoft, ASCAP, the NBA, and others, the Copyright Alliance has already secured initial support from several members of Congress. Rep.
John Conyers (D-MI) and "Hollywood" Howard Berman (D-CA) both sent statements of support, and Rep. Howard Coble (R-NC) made sure that the launch was a bipartisan affair.

The group is headed by Patrick Ross, a former senior fellow at the Progress & Freedom Foundation, a strongly free-market think tank. Ross has written about IP issues for years, and in a 2005 opinion piece claimed that he was "looking for anyone who wants to join me in seeking that elusive middle ground." His new gig may be a strange place to fight for that "middle ground" in any meaningful sense, as the Alliance is dedicated to "strengthening copyright law" using "bilateral, regional, and multilateral agreements to protect creators" and advancing educational programs "that teach the value of strong copyright." The group does want to "balance those rights with the public good" and hopes to "enrich our culture through incentives to create and disseminate new and innovative creative works."

To get a sense of what this might mean, consider the only three documents linked up in their online reading room. The first claims that "a number of pundits have elevated Newton's observation [about standing on the shoulders of giants] into a policy argument against copyright or patents" and supports this assertion by referencing Lawrence Lessig's book Free Culture, a book that is copyrighted under a Creative Commons license and which repeatedly calls for the continued (but reformed) existence of copyright. The second linked paper argues that "rampant piracy is costing the software, movie and music industries (and thus the U.S. economy) billions of dollars" and that the EFF and Cato are meanwhile focusing only on "minor issues" with the DMCA. The third paper (from the same author as the second) argues that most "fair use" claims made today are misleading.
All three papers are authored by free-market think tank scholars; this says nothing about their rightness or wrongness, but the papers do give us a glimpse of what the Copyright Alliance is likely to think. The group appears ready to address copyright concerns from a rights-holder, free-market perspective that (rather ironically) will appeal to the government for stronger regulations and an increase in protections for a government-granted monopoly. The argument that stronger copyright protection will benefit consumers by encouraging more creativity is already present in the group's initial materials and is reminiscent of the argument that DRM enables consumer choice by making available material that could not otherwise be accessed, exactly the argument that Ross was in fact making back in 2005.

From rforno at infowarrior.org Fri May 25 13:48:08 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 25 May 2007 09:48:08 -0400
Subject: [Infowarrior] - GAO: FBI network security = bad
Message-ID:

http://www.gao.gov/new.items/d07368.pdf

"FBI Needs to Address Weaknesses in Critical Network"

"... FBI did not consistently (1) configure network devices and services to prevent unauthorized insider access and ensure system integrity; (2) identify and authenticate users to prevent unauthorized access; (3) enforce the principle of least privilege to ensure that authorized access was necessary and appropriate; (4) apply strong encryption techniques to protect sensitive data on its networks; (5) log, audit, or monitor security-related events; (6) protect the physical security of its network; and (7) patch key servers and workstations in a timely manner. Taken collectively, these weaknesses place sensitive information transmitted on the network at risk of unauthorized disclosure or modification, and could result in a disruption of service, increasing the bureau's vulnerability to insider threats."
From rforno at infowarrior.org Fri May 25 22:55:35 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 25 May 2007 18:55:35 -0400
Subject: [Infowarrior] - Finnish court rules CSS protection used in DVDs "ineffective"
Message-ID:

Finnish court rules CSS protection used in DVDs "ineffective"
May 25th, 2007 by Mikko
http://www.turre.com/blog/?p=102

Below is the press release we sent and here's more detailed analysis of the case and its potential implications.

* * *

Helsinki May 25, 2007
Turre Legal
Free for publication immediately

Finnish court rules CSS protection used in DVDs "ineffective"

In a unanimous decision released today, Helsinki District Court ruled that the Content Scrambling System (CSS) used in DVD movies is "ineffective". The decision is the first in Europe to interpret new copyright law amendments that ban the circumvention of "effective technological measures". The legislation is based on the EU Copyright Directive from 2001. According to both Finnish copyright law and the underlying directive, only such a protection measure is effective "which achieves the protection objective."

The background of the case was that after the copyright law amendment was accepted in late 2005, a group of Finnish computer hobbyists and activists opened a website where they posted information on how to circumvent CSS. They appeared in a police station and claimed to have potentially infringed copyright law. Most of the activists thought that either the police would not investigate the case in the first place or the prosecutor would drop it if it went any further. To the surprise of many, the case ended in the Helsinki District Court. Defendants were Mikko Rauhala, who opened the website, and a poster who published his own implementation of source code circumventing CSS.

According to the court, CSS no longer achieves its protection objective.
The court relied on two expert witnesses and said that "...since a Norwegian hacker succeeded in circumventing CSS protection used in DVDs in 1999, end-users have been able to get with ease tens of similar circumventing software from the Internet even free of charge. Some operating systems come with this kind of software pre-installed." Thus, the court concluded that "CSS protection can no longer be held 'effective' as defined in law." All charges were dismissed.

Defendant Mikko Rauhala is happy about the judgment: "It seems that one can apply bad law with common sense, which was unfortunately absent during the preparation of the law," he comments.

Defendant's counsel Mikko Välimäki thinks the judgment can have major implications: "The conclusions of the court can be applied all over Europe since the word 'effective' comes directly from the directive". He continues: "A protection measure is no longer effective when there is widely available end-user software implementing a circumvention method. My understanding is that this is not technology-dependent. The decision can therefore be applied to Blu-Ray and HD-DVD as well in the future."

Further information:

Mikko Välimäki
Defendants' counsel
tel. +358-50-5980498

Mikko Rauhala
Defendant who opened the forum

From rforno at infowarrior.org Sat May 26 19:53:52 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 26 May 2007 15:53:52 -0400
Subject: [Infowarrior] - Ohio University Caves to RIAA: Bans P2P
Message-ID:

Ohio University Bans P2P
http://newteevee.com/2007/04/28/ohio-university-bans-p2p/

Ohio University announced this week that they are completely banning all file sharing on campus. Violators will get their Internet access cut off and possibly face disciplinary action. Ohio University previously made headlines for being the school with the highest number of music piracy complaints in the country. The problem of file sharing on campus is hardly new.
Ever since Napster, administrators have tried to stop the swapping with various technical roadblocks. P2P enthusiasts usually react with protest, referring to that Ubuntu ISO they really, really need to get via BitTorrent. Wink wink, nudge nudge.

But nowadays P2P isn't just about The Pirate Bay anymore. There are major motion pictures for sale on BitTorrent.com, there are Showtime downloads on the Azureus-powered Vuze.com, and then there is Joost. Ohio University's anti-P2P policy could spell trouble for all of them - and in turn put the school in an awkward position.

Ohio University's list of programs that will get you in trouble reads like a Who's Who of the file sharing world: "Ares, Azureus, BitComet, BitLord, BitTornado, BitTorrent, FlashGet, Gnutella, KaZaA, LimeWire, Morpheus, Shareaza, uTorrent." Wide-ranging blocks like these are usually done on a protocol level. Specialized applications analyze the nature of each packet flowing through the local network - and ring the alarm bell as soon as something looks like BitTorrent or Gnutella. This means that OU students shouldn't use the Democracy Player / Miro, Pando or Allpeers either, since all of them are based on the BitTorrent protocol.

Ohio University didn't respond in time to clarify whether they will block Joost as well, but the wording of their file sharing advisory makes it clear that you probably don't even want to try: "Although P2P file-sharing can sometimes be used for legitimate reasons, any use of P2P software on the campus network may result in Internet access being disabled under this new policy."

Students who do want to use P2P for legal purposes have to call their IT department and "provide detailed information about the software you wish to use and your purposes for using it." My guess is something like "downloading a licensed Girls Gone Wild episode off of BitTorrent.com" won't cut it.
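The "protocol level" blocking the article describes works by matching the first bytes of a connection against known handshake formats rather than by looking at what is being transferred. The following is an added example written for this digest, not any campus product's rule set: it classifies a few constructed flows with the publicly documented BitTorrent peer handshake, BitTorrent HTTP tracker announce and Gnutella connect strings, and the sample payloads are invented.

```python
import re
from typing import Dict, List, Optional, Tuple

# Plaintext protocol fingerprints of the kind a protocol-level blocker keys on.
# The handshake formats are public; the regexes are this example's own.
SIGNATURES = [
    # BitTorrent peer handshake: length byte 19 followed by the protocol name
    ("bittorrent-handshake", re.compile(rb"^\x13BitTorrent protocol")),
    # HTTP tracker announce carries an info_hash query parameter
    ("bittorrent-tracker", re.compile(rb"^GET /announce\?[^ \r\n]*info_hash=")),
    # Gnutella connection request
    ("gnutella-connect", re.compile(rb"^GNUTELLA CONNECT/0\.[46]")),
]

Flow = Tuple[str, str, int, bytes]  # (src, dst, dst port, first payload bytes)

# Constructed flows, not captures from any real network.
SAMPLE_FLOWS: List[Flow] = [
    ("10.0.0.5", "203.0.113.9", 6881,
     b"\x13BitTorrent protocol" + bytes(8) + b"\xaa" * 20 + b"-XX0001-" + b"\x01" * 12),
    ("10.0.0.7", "198.51.100.2", 6346,
     b"GNUTELLA CONNECT/0.6\r\nUser-Agent: constructed\r\n\r\n"),
    # The same ISO fetched over plain HTTP: same content, different protocol.
    ("10.0.0.9", "198.51.100.40", 80,
     b"GET /ubuntu-7.04-desktop-i386.iso HTTP/1.1\r\nHost: releases.example.test\r\n\r\n"),
    # Tracker traffic on port 80: the port alone would not separate it from browsing.
    ("10.0.0.5", "203.0.113.10", 80,
     b"GET /announce?info_hash=%aa%aa%aa&peer_id=-XX0001- HTTP/1.1\r\n"
     b"Host: tracker.example.test\r\n\r\n"),
]


def classify_payload(payload: bytes) -> Optional[str]:
    """Return the label of the first matching signature, or None."""
    for name, pattern in SIGNATURES:
        if pattern.search(payload):
            return name
    return None


def flag_flows(flows: List[Flow]) -> List[Dict]:
    """Run every flow through the signatures and return one alert per hit."""
    alerts = []
    for src, dst, dport, payload in flows:
        proto = classify_payload(payload)
        if proto is not None:
            alerts.append({"src": src, "dst": dst, "dport": dport, "proto": proto})
    return alerts
```

Two things the output shows that the policy text glosses over: the Ubuntu ISO over HTTP raises nothing while the same file over BitTorrent would, so the detector sees protocol and not legitimacy, which is exactly the conflict the article goes on to describe; and the tracker request on port 80 is caught only because the payload is inspected, which is why port-based filtering alone is not how these blocks are built. Signatures like these see only plaintext handshakes, so operators treat them as one signal alongside bandwidth accounting rather than a complete inventory of P2P use.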
Of course one could argue that universities shouldn't subsidize the downloading of movies with flashing teenagers to begin with. It's their network, and it's supposed to be used for education, not entertainment, right? If it only was that easy.

The truth of the matter is that universities don't seem to mind entertainment within their networks if it's from the right source. Ohio University and roughly 60 other schools have made deals with a company called Cdigix to provide digital music downloads and subscriptions for their students. More than a hundred schools signed with Ruckus.com, a similar service that also offers movies and TV show downloads. Combine this with a growing trend to enact anti-P2P measures that block legal P2P platforms offering the very same shows and movies, and you've got yourself a nice little conflict of interest.

Granted, most folks in higher education could probably care less about where their students buy the next American Pie flick. Universities are driven to radical measures like these because of the flood of litigation against their file-sharing students. But it looks like once again it could be the legal marketplace that suffers the most.

From rforno at infowarrior.org Sun May 27 14:52:06 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 27 May 2007 10:52:06 -0400
Subject: [Infowarrior] - Noise keeps spooks out of the loop
Message-ID:

Noise keeps spooks out of the loop
* 23 May 2007
* NewScientist.com news service
* D. Jason Palmer
http://www.newscientisttech.com/channel/tech/mg19426055.300?DCMP=NLC-nletter&nsref=mg19426055.300

SPYING is big business, and avoiding being spied on an even bigger one. So imagine if someone came up with a simple, cheap way of encrypting messages that is almost impossible to hack into? American computer engineer Laszlo Kish at Texas A&M University in College Station claims to have done just that.
He says the thermal properties of a simple wire can be exploited to create a secure communications channel, one that outperforms quantum cryptography keys. His cipher device, which he first proposed in 2005, exploits a property called thermal noise. Thermal noise is generated by the natural agitation of electrons within a conductor, which happens regardless of any voltage passed through it. But it does change depending on the conductor's resistance. Kish and his collaborators at the University of Szeged in Hungary say this can be used to securely pass information, or an encryption key, down any wire, including a telephone line or network cable. In their device, both the sender Alice and the receiver Bob have an identical pair of resistors, one producing high resistance, the other low resistance. The higher the total resistance on the line, the greater the thermal noise. Both Alice and Bob randomly choose which resistor to use. A quarter of the time they will both choose the high resistor, producing a lot of noise on the line, while a quarter of the time they will both choose the low resistor, producing little noise. If either detects a high or a low amount of noise in the line, they ignore any communication. Half the time, however, they will choose differently, producing an intermediate level of thermal noise, and it is now that a message can be sent. If Bob turns on his high resistor, and records an intermediate level of noise, he instantly knows that Alice has chosen her low resistor, in essence sending a bit of information such as 1 or 0. Kish's cipher does this many times, sending a random series of 1s and 0s that can form the basis of an encryption key, the researchers say (http://www.arxiv.org/abs/physics/0612153). That message is also secure. For a start, as Kish notes, it takes an "educated eavesdropper" to even realise information is being sent when there seems to be just low-level noise on the line.
If they do try to eavesdrop, they can only tell a message is being sent, not what it is, because it's impossible to tell whether Alice has a high or low resistor turned on, and whether the bit of information is a 1 or a 0. What's more, eavesdropping on the line will naturally alter the level of thermal noise, so Alice and Bob will know that someone is listening in. Kish and his team have now successfully built a device that can send a secure message down a wire 2000 kilometres long, much further than the best quantum key distribution (QKD) devices tried so far. Tests show a signal sent via Kish's device is received with 99.98 per cent accuracy, and that a maximum of just 0.19 per cent of the bits sent are vulnerable to eavesdropping. The error rate is down to the inherent resistance of the wire, and choosing a larger wire in future models should help reduce it further. "A secure message can be sent down a wire 2000 kilometres long" However, this level of security already beats QKD. What's more, the system works with fixed lines, rather than the optical fibres used to carry photons of light at the heart of quantum encryption devices. It is also more robust, as QKD devices are vulnerable to corruption by dust, heat and vibration. It is also much cheaper. "I guess it's around a hundred dollars, at most," Kish says. "This is a system that should be taken seriously," says security specialist Bruce Schneier, who founded network security firm BT Counterpane. He says he was seduced by the simplicity of the idea when it was first proposed by Kish, and now wants to see independent tests of the working model. "I desperately want someone to analyse it," he says. "Assuming it works, it's way better than quantum." 
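A toy simulation of the exchange the article describes, added here as an example (it is not code from Kish's group or from New Scientist): in each bit period Alice and Bob each pick one of their two resistors, both read the line, only the intermediate level yields a bit, and a passive listener on the wire sees that same intermediate level whether the pair was (low, high) or (high, low). The resistor values, the parallel-combination noise model, the bit convention (1 when Alice used the high resistor) and the eavesdropper modelled as an extra load on the line are all assumptions made for the illustration.

```python
"""Toy simulation of the Kish resistor-noise key exchange described above.
Added example for this page, not code from Kish's group or from New Scientist.
Resistor values, the noise-level model and the bit convention are assumptions."""
import random

R_LOW = 1_000.0     # ohms, assumed
R_HIGH = 10_000.0   # ohms, assumed
TOL = 1e-9


def noise_level(*resistors):
    """Noise level on the line, modelled as the parallel combination of every
    resistor attached to it (Johnson-noise density is proportional to it; the
    4kT factor is dropped). Assumed simplification: only the ordering of the
    three levels (LL < mixed < HH) matters for the protocol."""
    return 1.0 / sum(1.0 / r for r in resistors)


LEVEL_LL = noise_level(R_LOW, R_LOW)       # both low: little noise
LEVEL_HH = noise_level(R_HIGH, R_HIGH)     # both high: a lot of noise
LEVEL_MIXED = noise_level(R_LOW, R_HIGH)   # one of each: same for (L,H) and (H,L)


def classify(level):
    """Map a measured level to 'LL', 'HH', 'MIXED', or None if it matches none
    of the three expected values (an extra load on the line, e.g. an eavesdropper
    drawing current, shifts all of them)."""
    for name, expected in (("LL", LEVEL_LL), ("HH", LEVEL_HH), ("MIXED", LEVEL_MIXED)):
        if abs(level - expected) < TOL:
            return name
    return None


def run_exchange(n_periods, seed=0, r_eve=None):
    """Run n_periods bit periods. Each period Alice and Bob independently pick a
    resistor; both read the line level. LL and HH periods are discarded, a MIXED
    period yields one key bit, and any unexpected level aborts the run.

    Bit convention (assumed): the bit is 1 when Alice used R_HIGH, so Bob, who
    knows his own resistor, reads 1 exactly when he used R_LOW.
    Returns (alice_bits, bob_bits, eve_view, tampered)."""
    rng = random.Random(seed)
    alice_bits, bob_bits, eve_view = [], [], []
    for _ in range(n_periods):
        r_a = rng.choice((R_LOW, R_HIGH))
        r_b = rng.choice((R_LOW, R_HIGH))
        attached = [r_a, r_b] + ([r_eve] if r_eve is not None else [])
        kind = classify(noise_level(*attached))
        if kind is None:
            return alice_bits, bob_bits, eve_view, True   # line disturbed: abort
        if kind != "MIXED":
            continue                                      # both sides discard
        eve_view.append(kind)      # all a passive listener ever learns per bit
        alice_bits.append(1 if r_a == R_HIGH else 0)
        bob_bits.append(1 if r_b == R_LOW else 0)
    return alice_bits, bob_bits, eve_view, False


def eve_guess_accuracy(alice_bits, eve_view, seed=1):
    """A passive eavesdropper sees only 'MIXED' for every key bit and cannot tell
    (L,H) from (H,L), so her best effort is a coin flip per bit."""
    rng = random.Random(seed)
    guesses = [rng.randint(0, 1) for _ in eve_view]
    hits = sum(g == a for g, a in zip(guesses, alice_bits))
    return hits / len(alice_bits) if alice_bits else 0.0


if __name__ == "__main__":
    a, b, e, tampered = run_exchange(2000, seed=42)
    print(f"kept {len(a)} of 2000 periods, keys match: {a == b}, tampered: {tampered}")
    print(f"eavesdropper guessing accuracy: {eve_guess_accuracy(a, e):.2f}")
    _, _, _, tampered = run_exchange(100, seed=42, r_eve=R_HIGH)
    print(f"with an extra load on the line, tampering detected: {tampered}")
```

Running it shows the three points the article makes: about half the periods are kept and the two endpoints end up with identical bit strings, a listener who only sees the line level guesses at chance, and an extra resistor hung on the wire moves all three levels off their expected values so both ends notice. It models none of the real hardware's error sources, so it says nothing about the 99.98 per cent figure quoted above.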
From issue 2605 of New Scientist magazine, 23 May 2007, page 32 From rforno at infowarrior.org Mon May 28 12:42:45 2007 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 28 May 2007 08:42:45 -0400 Subject: [Infowarrior] - NSF picks ARPANET creator to build new experimental network Message-ID: NSF picks ARPANET creator to build new experimental network By John Timmer | Published: May 28, 2007 - 07:09AM CT http://arstechnica.com/news.ars/post/20070528-nsf-picks-arpanet-creator-to-b uild-new-experimental-network.html The National Science Foundation has tapped BBN Technologies to build and manage the GENI project, intended as a proving ground for next-generation network technologies. For BBN, this is a bit of a return to its roots: the company was instrumental in the construction of the US ARPANET project, which gradually morphed into the Internet that we all know and love. GENI will be a Major Research and Equipment Facility Construction Project, which is the NSF's mechanism for funding big-ticket items. It's notable as being the first such project that the NSF has targeted to the computer science community. Planning for GENI has been going on for a number of years, as the NSF has solicited input from the research community regarding their needs and commissioned a number of study groups to do preliminary planning. BBN will now have a few years to create a formal design proposal and cost estimate, after which the NSF will decide whether it's worth constructing. The project isn't expected to follow ARPANET's trajectory to widespread adoption; this is not a "next generation internet." Instead, it is intended to allow computer scientists and networking engineers to test how well their ideas work under real network conditions. Dedicated fiber connections will be used to link a number of major academic institutions, which will host hardware such as remote sensors, compute clusters, and experimental wireless hardware.
To facilitate such experimental uses, all of the hardware used in GENI is expected to be programmable, allowing the system to be reconfigured and updated according to users' needs and its successes and failures. Preliminary documents show plans for dedicated fiber connections among research institutions that look suspiciously like the existing high-speed academic network managed by Internet2/Lambda Rail. Those projects have already dedicated part of their bandwidth to tests of networking technology. Given the apparent overlap in function, it's surprising that none of the GENI documents mention them at all. It's possible that the next few years' worth of architectural work will make it clear whether these academic networks will share resources with GENI or perform parallel functions. Although the GENI network itself won't be merged with the general-use Internet, any successful technology it produces is likely to make its way onto the public network eventually. To speed this process along the NSF is encouraging commercial entities to take part in the project. From rforno at infowarrior.org Tue May 29 02:01:28 2007 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 28 May 2007 22:01:28 -0400 Subject: [Infowarrior] - In Estonia, what may be the first war in cyberspace Message-ID: International Herald Tribune In Estonia, what may be the first war in cyberspace By Mark Landler and John Markoff Monday, May 28, 2007 http://www.iht.com/bin/print.php?id=5901141 TALLINN, Estonia: When the Estonian authorities began removing a bronze statue of a World War II-era Soviet soldier from a park in this Baltic seaport last month, they expected violent street protests by Estonians of Russian descent. They also knew from experience that "if there are fights on the street, there are going to be fights on the Internet," said Hillar Aarelaid, the director of Estonia's Computer Emergency Response Team.
After all, for people here the Internet is almost as vital as running water, used routinely to vote, file their taxes, and, with their cellphones, to shop or pay for parking. What followed was what some here describe as the first war in cyberspace, a three-week battle that forced the Estonian authorities to defend their small country from a data flood they say was set off by orders from Russia or ethnic Russian sources in retaliation for the removal of the statue. There are still minor disruptions. "This may well turn out to be a watershed in terms of widespread awareness of the vulnerability of modern society," said Linton Wells 2nd, the principal U.S. deputy assistant secretary of defense for networks and information integration at the Pentagon. "It has gotten the attention of a lot of people." The Estonians note that an Internet address involved in the attacks belonged to an official who works in the administration of Russia's president, Vladimir Putin. The Russian government has denied any involvement in the attacks, which came close to shutting down the country's digital infrastructure, clogging the Web sites of the president, the prime minister, Parliament and other government agencies, staggering the biggest Estonian bank and overwhelming the sites of several daily newspapers. "It turned out to be a national security situation," Estonia's defense minister, Jaak Aaviksoo, said during an interview. "It can effectively be compared to when your ports are shut to the sea." Computer security experts from NATO, the European Union, the United States and Israel have since converged on Tallinn to offer help and to learn what they can about cyberwar in the digital age. When the first digital intruders slipped into Estonian cyberspace at 10 p.m. on April 26, Aarelaid figured he was ready. He had erected firewalls around government Web sites, set up extra computer servers and put his staff on call for a busy week. 
By April 29, Tallinn's streets were calm again after two nights of riots, but Estonia's electronic Maginot Line was crumbling. In one of the first strikes, a flood of junk messages was thrown at the e-mail server of the Parliament, shutting it down. In another, hackers broke into the Web site of the Reform Party, posting a fake letter of apology from the prime minister, Andrus Ansip, for ordering the removal of the highly symbolic statue. At that point, Aarelaid, a former police officer, gathered security experts from Estonia's Internet service providers, banks, government agencies and the police. He also drew on contacts in Finland, Germany, Slovenia and other countries to help him track down and block suspicious Internet addresses and halt traffic from computers as far away as Peru and China. The bulk of the cyberassaults used a technique known as a distributed denial of service attack. By bombarding the country's Web sites with data, attackers can clog not only the country's servers, but also its routers and switches, the specialized devices that direct traffic on the network. To magnify the assault, the hackers infiltrated computers around the world with software known as bots, banding them together in networks to perform these incursions. The computers become unwitting foot soldiers in a cyberattack, or "zombies." In one case, the attackers sent a single huge burst of data to measure the capacity of the network. Then, hours later, data from multiple sources flowed into the system, rapidly reaching the upper limit of the routers and switches. By the end of the first week, the Estonians, with the help of the authorities in other countries, had become reasonably adept at filtering out malicious data. Still, Aarelaid knew the worst was yet to come. May 9 was Victory Day, the Russian holiday that marks the Soviet Union's defeat of Nazi Germany and honors fallen Red Army soldiers. 
The Internet was rife with plans to mark the occasion by taking down Estonia's network. The attackers used a giant network of bots - perhaps as many as one million computers in places as far-flung as the United States and Vietnam - to amplify the impact of their assault. In a sign of their financial resources, there is evidence they rented time on other so-called botnets. "When you combine very, very large packets of information with thousands of machines, you've got the recipe for very damaging denial of service attacks," said Jose Nazario, an expert on bots at Arbor Networks, an Internet security firm in Ann Arbor, Michigan. In the early hours of May 9, traffic spiked to thousands of times the normal flow. May 10 was heavier still, forcing the biggest bank in Estonia to shut down its online service for more than an hour. Even now, the bank, Hansabank, is under assault and continues to block access to 300 suspect Internet addresses. It has held losses to about $1 million. Finally, on the afternoon of May 10, the attackers' time on the rented servers expired, and the botnet attacks fell off abruptly. All told, Arbor Networks measured dozens of attacks. The 10 largest assaults blasted streams of 90 megabits of data a second at Estonia's networks, lasting up to 10 hours each. That is a data load equivalent to downloading the entire Windows XP operating system every six seconds for 10 hours. While the last major wave of attacks was May 18, banks continued to experience a diminished level of interruptions. "Hillar and his guys are good," said Bill Woodcock, a U.S. Internet security expert who was also on hand to observe the response. "There aren't a lot of other countries that could combat that on his level of calm professionalism." Linnar Viik, a computer science professor and leader in the high-technology industry in Estonia, said that the episode would serve as a learning experience. 
The use of botnets, for example, illustrates how a cyberattack on a single country can ensnare many other countries. In recent years, cyberattacks have been associated with Middle East and Serbian-Croatian conflicts. But U.S. computer systems at the Pentagon, the U.S. space agency, universities and research labs have been compromised in the past. Scientists and researchers convened by the U.S. National Academy of Sciences this year heard testimony from military strategy experts indicating that both China and Russia have offensive information-warfare programs. The United States is also said to have begun a cyberwarfare effort. Though Estonia cannot be sure of the attackers' identities, their plans were posted on the Internet even before the attack began. On Russian-language forums and chat groups, the investigators found detailed instructions on how to send disruptive messages, and which Estonian Web sites to use as targets. For NATO, the attack may lead to a discussion of whether it needs to modify its commitment to collective defense. Aarelaid said NATO's Internet security experts said little but took copious notes during their visit. Because of the murkiness of the Internet - where attackers can mask their identities by using the Internet addresses of others, or remotely program distant computers to send data without their owners even knowing it - several experts said that the attackers would probably never be caught. U.S. government officials said the nature of the attacks suggested they were initiated by "hacktivists," technical experts who act independently from governments. "At the present time, we are not able to prove direct state links," Aaviksoo, Estonia's defense minister, said. "All we can say is that a server in our president's office got a query from an IP address in the Russian administration. It is a fact that we have on our logs," he added, using the abbreviation for Internet protocol. 
Moscow has offered no help in tracking down people who the Estonian government believes may be involved. A spokesman for the Kremlin, Dmitri Peskov, denied Russian state involvement in the attacks and added, "The Estonia side has to be extremely careful when making accusations." Police here arrested and then released a 19-year-old Estonian man of Russian descent whom they suspect of helping to organize the attacks. Meanwhile, Estonia's Foreign Ministry has circulated a document that lists several Internet addresses inside the Russian government that it says took part in the attacks. "I don't think it was Russia, but who can tell?" said Gadi Evron, a computer security expert from Israel who spent four days last week in Tallinn writing a postmortem on the response for the Estonians. "The Internet is perfect for plausible deniability." Now that the attacks on Estonia's systems have ebbed, Aarelaid is mopping up. "I'm a simple IT guy," he said, gazing at a flickering computer screen. "I know a lot about bits and packets of data; I don't know about the bigger questions. But somebody orchestrated this thing." John Markoff reported from San Francisco. Steven Lee Myers contributed reporting from Moscow. From rforno at infowarrior.org Tue May 29 11:12:46 2007 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 29 May 2007 07:12:46 -0400 Subject: [Infowarrior] - AP, Reuters reprint RIAA/MPAA propaganda Message-ID: If The AP Will Reprint RIAA Propaganda, No Surprise That Reuters Will Reprint MPAA Propaganda http://techdirt.com/articles/20070525/171424.shtml A few weeks ago, we were surprised to see the Associated Press basically reprint RIAA propaganda about their plan to sue college students -- without a single question about how effective (or ineffective) such a policy would be. They didn't even quote anyone who questioned the strategy, but simply acted as if it totally made sense. Apparently Reuters felt left out in sucking up to the entertainment industry.
A bunch of folks have pointed us to this Reuters article about the "powerful new weapon" the movie industry is using: night vision goggles. This is nothing new. Theaters have been outfitting people with night vision goggles to capture camcording customers for years. But, suddenly, for Reuters it's a fantastic new tool that's incredibly effective. Never mind the fact that camcorded films are not a big problem compared to studio leaks of the actual movie. Never mind that customers don't like being treated like criminals. But, don't expect to hear any of that from the reporter who wrote the article. Instead, just expect to read about how "successful" this new strategy is. From rforno at infowarrior.org Tue May 29 11:17:27 2007 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 29 May 2007 07:17:27 -0400 Subject: [Infowarrior] - Canada: High-tech travel ID 'inevitable' Message-ID: (c/o PWR) High-tech travel ID 'inevitable' The next step in border security is DNA in passports, report warns Carly Weeks, CanWest News Service Published: Monday, May 28, 2007 http://www.canada.com/edmontonjournal/news/story.html?id=6d8beaea-454e-4ace- a9e2-444823b13d11&k=75853 Canadians will inevitably have to carry travel documents with their DNA, biometrics or other biological identifiers embedded into them in order to travel to the United States, according to a new white paper to be revealed to government officials in Ottawa today. While many travellers and governments are frantically trying to comply with current border regulations that require passports for air travel, the report warns that's just one step in the movement toward more secure borders. In order to adequately confirm an individual's identity and speed up the process of screening passengers, governments will surely move to enhanced identity documents that use biological information to identify travellers, the paper says.
Already, some jurisdictions, including B.C., are considering imprinting driver's licences with fingerprints or other biometric features. "As the world becomes more complex, and as our expectations with respect to safety and security become greater, governments are going to have to invest in appropriate [measures] ... in order to make sure that people can move freely," said Michael Hawes, who will present the paper as executive director of the Foundation for Educational Exchange between Canada and the United States of America. The Ottawa-based group administers the Canada-U.S. Fulbright Program -- a binational organization funded by both countries that promotes cross-border research and understanding -- as well as the Network on North American Studies in Canada, which released the paper to CanWest News Service. Although some technology, such as DNA-enabled passports, might seem a long way off, terror threats and other looming risks mean governments must begin to seriously consider how they will introduce those measures in the future, Hawes said. He said the paper clearly directs governments to think about developing partnerships with the private sector to help implement new technologies, such as embedding radio frequency identification chips, electronic fingerprints or DNA into documents. Already, a biometric screening program, in place at some U.S. airports, relies on iris and fingerprint scans to identify passengers and quickly move them through airport security. The system is seen as a way to significantly reduce lineups and other delays that have become a major hassle for frequent travellers, and is something that a coalition of Canadian airlines and airports is asking the federal government to bring here. However, the report acknowledges that linking an individual's biological information contained on travel documents to a government database will likely stir a major controversy about privacy rights and protecting personal information. 
Earlier this year, new rules came into force that require Canadian air travellers to show a passport before they're allowed to fly into the U.S. Soon, Canadians will also have to show passports at land-crossings -- a rule that is expected to come into force sooner rather than later. The original deadline was set for January 2009, but officials in both countries have been pushing for an extension. Government officials and policy experts from the U.S. Embassy, Department of Foreign Affairs and International Trade and the Canada Border Services Agency will discuss the paper today in a panel discussion held in Ottawa. The paper, co-authored by Donald Abelson, chair of political science at the University of Western Ontario, and Duncan Wood, director of Canadian studies at the Instituto Tecnologico Autonomo de Mexico in Mexico City, was sponsored by Accenture, a global management consulting firm whose executive director will moderate the panel discussion. (c) Times Colonist (Victoria) 2007 From rforno at infowarrior.org Tue May 29 19:50:56 2007 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 29 May 2007 15:50:56 -0400 Subject: [Infowarrior] - US travellers possibly exposed to drug-proof TB Message-ID: Travelers possibly exposed to drug-proof TB Infected man flew from Prague to U.S.; authorities seeking those on flight http://www.msnbc.msn.com/id/18923867/ A man with a rare and exceptionally dangerous form of tuberculosis has been placed in quarantine by the U.S. government after possibly exposing passengers and crew on two trans-Atlantic flights earlier this month, health officials said Tuesday. This marks the first time since 1963 that the government issued a quarantine order. The last such order was to quarantine a patient with smallpox, according to the Centers for Disease Control and Prevention. The CDC urged people on the same flights to get checked for tuberculosis.
The infected man flew from Atlanta to Paris on May 12 aboard Air France Flight 385. He returned to North America on May 24 aboard Czech Air Flight 104 from Prague to Montreal. The man then drove into the United States. He cooperated with authorities after learning he had an unusually dangerous form of TB. He voluntarily went to a hospital and is not facing prosecution, officials said. The man is hospitalized in Atlanta in respiratory isolation, according to the World Health Organization. He was potentially infectious at the time of the flights, so CDC officials recommended medical exams for cabin crew members on those flights, as well as passengers sitting in the same rows or within two rows. The man was infected with "extensively drug-resistant" TB, also called XDR-TB. It resists many drugs used to treat the infection. Last year, there were two U.S. cases of that strain. Because of antibiotics and other measures, the TB rate in the United States has been falling for years. Last year, it hit an all-time low of 13,767 cases, or about 4.6 cases per 100,000 Americans. Tuberculosis kills nearly 2 million people each year worldwide. From rforno at infowarrior.org Wed May 30 00:51:51 2007 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 29 May 2007 20:51:51 -0400 Subject: [Infowarrior] - Real ID, real debate Message-ID: Washington Technology home > 05/28/07 issue 05/28/07; Vol. 22 No. 09 Real ID, real debate Sides argue about whether license standardization can or should be done By Alice Lipowicz http://www.washingtontechnology.com/print/22_09/30734-1.html Security experts, vendors and trade associations are sharpening the debate on the controversial 2005 Real ID Act that calls for the standardization of driver's licenses. Critics say the law could create privacy issues and increase the risk of identity theft. The act requires states to collect and electronically store the personal information of millions of people.
The states' databases will link together in a network of systems with shared access. Although the idea was recommended by the 9/11 Commission to close loopholes in the existing system, critics say the new requirements create, in effect, a national ID management structure that will make people more vulnerable to identity theft, privacy loss, racial tracking and other civil-liberty threats. But supporters say there are similar shared databases that prove Real ID can work. Bruce Schneier, chief technology officer at BT Counterpane Internet Security Inc., is one of the skeptics. "Computer scientists don't know how to keep a database of this magnitude secure," he said in testimony May 8 to the Senate Judiciary Committee. Another security expert, Eugene Spafford, U.S. policy committee chairman at the Association for Computing Machinery, told the committee that Real ID creates the potential for identity theft on an unprecedented scale. Spafford is also a computer science professor at Purdue University. May 8 was the final day to submit public comments to the Homeland Security Department on the notice of proposed rulemaking for implementation of Real ID. On the pro side, the Information Technology Association of America, an IT industry group, published a statement asserting Real ID's advantages compared to current driver's licenses. "Today's system is the system that helped to bring us the terrorist attacks of Sept. 11, 2001," said Phil Bond, ITAA president, in the statement. "We know the problem, and we have the technology to fix it." Another trade association, the Smart Card Alliance, focused on the shortcomings of the bar codes that the new driver's licenses will likely use under Real ID. It recommended encrypted data on smart cards instead. The debate also has brought heightened attention to the paths technology advocacy takes in Washington. There are complaints that industry trade groups support initiatives such as Real ID because their members stand to benefit.
"A lot of the technology input to Congress is driven by industry," said Lillie Coney, associate director at the Electronic Privacy Information Center. "There is no formal mechanism for a pure and independent perspective on the technology." ITAA dismisses that argument. The group's support of Real ID is "based upon the experience and expertise of our member companies," said Charles Greenwald, a spokesman at ITAA. Academics, consultants and vendors are putting forth views on whether available technology can achieve the program's goals. Other related arguments question: * If the cost is too high for the benefits achieved. * If there are significant unintended consequences. * If it is possible to protect against myriad possible failures, including lost and stolen cards, determined hackers and data thieves, bribed motor vehicle department officials, and simple errors. Some liken the debate to the skepticism related to electronic voting machines, which 37 states have purchased since 2000. Lawmakers are re-examining these machines because they may record votes inaccurately and lack a way to independently audit their results. Spafford is worried that as states rush to meet Real ID deadlines, they will skimp on privacy protections, such as audit trails, background checks on workers and strong access controls on data. He recommends a paper trail for the Real ID system. The potential is huge for human error, fraud and security holes, he said. Although the core databases for Real ID are composed primarily of data already on driver's licenses, there also are requirements for databases with digital images of documents such as birth certificates, marriage certificates, Social Security numbers and others that include far more personal information to be shared and transferred among states. That means weak links anywhere in the country will be likely targets. Forgery target "The costs of Real ID are so great, and the benefits are so small," Schneier told Washington Technology.
"By making the Real ID card more valuable, it is more likely to be forged." A likely influential commentary was distributed by the DHS Data Privacy and Integrity Advisory Committee, an 18-member panel sponsored by the department's chief privacy officer containing both IT experts and privacy experts, many of them attorneys who have served as privacy officers and policy directors. The panel called the Real ID Act one of the largest identity management programs in history and concluded that the program raises serious concerns about privacy, data security, cost, fairness and mission creep. Because those concerns have not been fully resolved, the panel declined to endorse the program. However, the panel did point to a database system used by the American Association of Motor Vehicle Administrators as a possible model for Real ID. Since 1992, the association has been operating the Commercial Driver's License Information System, which shares information among states on 30 million commercial drivers. "We have had no security breaches," said Philippe Guiot, senior vice president and chief information officer at AAMVA. "It is a private network with multiple security layers. If we had to support the same concept for 280 million people, it is doable." Creating a national ID The computer machinery association, in its published remarks on Real ID, also praised AAMVA's system as effective, and it said that if the same system design is simply scaled up to handle more people, it would create a national database and a national ID card. Aside from the technology issues, Real ID has been controversial for other reasons. Governors worry about its cost, which is estimated at $11 billion to $23 billion. At the same time, law enforcement officials point to the potential benefit of thwarting terrorists by making it more difficult for them to obtain false identification cards. Several of the 2001 terrorist attackers had fraudulent driver's licenses from multiple states.
To give states adequate time to address the concerns, the National Governors Association, National Council of State Legislatures and AAMVA have said the proposed 2013 completion date is too rushed and they have asked for a workable extension. Spafford and Coney suggest five additional years are needed. "We need to treat this as a man-on-the-moon project that will take a decade to complete," Coney said. Staff writer Alice Lipowicz can be reached at alipowicz at 1105 From rforno at infowarrior.org Wed May 30 11:18:05 2007 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 30 May 2007 07:18:05 -0400 Subject: [Infowarrior] - Etiolated.org Updates In-Reply-To: Message-ID: ------ Forwarded Message From: security curmudgeon For attrition fans that may have missed it, our Errata Dataloss project has been going strong for a while now. Under the direction and hard work of Lyger, we have a comprehensive set of 'data loss' incidents. You know, when you get those fun letters from a retailer or bank saying "omg we suck, someone got your credit info, just letting you know kthnx." A few weeks back, Dave Shettler created Etiolated.org as a site that used the Dataloss data set to give a user a way to really understand the history of these incidents. If you have any interest in this or consider yourself a consumer, it's worth a few minutes to check out. ---------- Forwarded message ---------- From: lyger To: dataloss at attrition.org Date: Wed, 30 May 2007 02:55:36 +0000 (UTC) Subject: [Dataloss] Etiolated.org Updates (I strongly encourage all list subscribers to check out this site. This is what we *hoped* could be done with attrition's data loss dataset. The initial site went live in nine days and is now less than three weeks old.) Courtesy Dave Shettler of Etiolated.org: Etiolated.org Changes/Enhancements == Search == Search functionality has been drastically expanded, utilizing a lucene-like backend.
Searches can be as complicated as:

    org_type:Edu AND org_type:Med AND date:[20060401 TO 20070528] AND records:[1000 TO *]

Which would get you a list of all breaches at educational institutions associated with medicine that occurred between March 1st, 2006 and May 28th, 2007 with lost records totaling over 1000. For a detailed list of options see http://www.etiolated.org/research

== Custom RSS Feeds ==

Each search now produces a custom RSS feed. For example, for an RSS feed of all educational institution breaches, search for:

    org_type:Edu

And in the header of the results table that follows, you'll see the feed icon that links to the custom RSS feed.

== Custom Search-based Graphs ==

Any search you run can now have a dynamically generated graph produced based on the results. Run a search like those above, click on "Graph Results", choose a title for your graph, set a couple simple parameters, and you'll have your search results in a very visual way. Right click the graph, save as, and use the image as you please. Images won't persist, so if you intend to link to it you are better off saving it someplace where it won't vanish.

== Coming Soon ==

See breaches pinpointed on a pretty map!

Dave (dave at etiolated.org)

_______________________________________________
Dataloss Mailing List (dataloss at attrition.org)
http://attrition.org/dataloss
Tracking more than 208 million compromised records in 675 incidents over 7 years.

From rforno at infowarrior.org Wed May 30 11:33:57 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 30 May 2007 07:33:57 -0400
Subject: [Infowarrior] - Phrack: History of the Underground Scene
Message-ID:

...wow, suddenly I feel nostalgic. And props to many folks whose impact on the community has had lasting impressions, several of whom are mentioned in this article.
A brief history of the Underground scene
http://phrack.org/issues.html?issue=64&id=4#article

From rforno at infowarrior.org Wed May 30 12:12:21 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 30 May 2007 08:12:21 -0400
Subject: [Infowarrior] - Harvard Internet & Society Conference this week
Message-ID:

The Berkman Center for Internet & Society at Harvard University - Internet & Society Conference 2007

The Internet & Society Conference is positioned to generate questions, insight and solutions from diverse perspectives across the landscape of University, with a focus on the role of University as an institution. We seek to establish University as a collective force much like 'Government' or 'Private Enterprise' in its ability to negotiate and compromise for our needs in the digital environment. We will ask how University should relate to the world of intellectual property with respect to what we use and what we produce, and how interconnected the 'library' of University should be. We will consider how the corporate worlds of search and content might thrive by supporting networked Universities. We will collaboratively take on the quest for new forms of compatible efficiency to unleash the generative force of universities in the Net.

The Internet & Society Conference 2007 is a university-wide event held on the Harvard Campus, and is open to all who care for the future of University. It will gather a diverse group of scholars, students, entrepreneurs, technologists, administrators, funders, policymakers, and parties with invested interest in University. Through convergent working groups and discussions, the substance of our conversations -- and their outputs -- will be inputs to an ongoing conversation rather than the final word.

Harvard University's Internet & Society Conference 2007 will speak from University to authority and say: this is what we want. We will declare University and give it substance in the net.
http://www.is2k7.org/

From rforno at infowarrior.org Wed May 30 13:35:33 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 30 May 2007 09:35:33 -0400
Subject: [Infowarrior] - Police Blotter: Cops need warrant to search cell phone?
Message-ID:

Police Blotter: Cops need warrant to search cell phone?

Alleged medical-marijuana distributors arrested in San Francisco say police should have obtained warrant for search of cell phone.

By Declan McCullagh
Staff Writer, CNET News.com
Published: May 30, 2007, 3:59 AM PDT

Police Blotter is a weekly News.com report on the intersection of technology and the law.

What: San Francisco Police Department arrests alleged medical marijuana distributors and searches a T-Mobile Sidekick without a search warrant.

When: U.S. District Judge Susan Illston in the northern district of California rules on May 23.

Outcome: Warrantless search violates Fourth Amendment.

< - >

http://news.com.com/Police+Blotter+Cops+need+warrant+to+search+cell+phone/2100-1047_3-6187389.html?part=rss&tag=2547-1_3-0-20&subj=news

From rforno at infowarrior.org Wed May 30 14:30:49 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 30 May 2007 10:30:49 -0400
Subject: [Infowarrior] - Which ISPs Are Spying on You?
Message-ID:

Which ISPs Are Spying on You?
Ryan Singel
05.30.07 | 2:00 AM
http://www.wired.com/politics/onlinerights/news/2007/05/isp_privacy

The few souls that attempt to read and understand website privacy policies know they are almost universally unintelligible and shot through with clever loopholes. But one of the most important policies to know is your internet service provider's -- the company that ferries all your traffic to and from the internet, from search queries to BitTorrent uploads, flirty IMs to porn.
Wired News, with help from some readers, attempted to get real answers from the largest United States-based ISPs about what information they gather on their customers' use of the internet, and how long they retain records like IP addresses, e-mail and real-time browsing activity. Most importantly, we asked what they require from law-enforcement agencies before coughing up the data, and whether they sell your data to marketers.

Only four of the eight largest ISPs responded to the 10-question survey, despite being contacted repeatedly over the course of two months. Some ISPs wouldn't talk to us, but gave answers to customers responding to a call for reader help on Wired's Threat Level blog.

Marc Rotenberg, the executive director of the Electronic Privacy Information Center, says ISPs should be more circumspect about keeping user data. Maintaining detailed data for long periods of time makes any internet company a huge target for law enforcement fishing expeditions.

"From a user perspective, the best practice would be for ISPs to delete data as soon as possible," Rotenberg said. "(The government) will treat ISPs as one-stop shops for subpoenas unless there is a solid policy on data destruction," Rotenberg said.

The results: AOL, AT&T, Cox and Qwest all responded to the survey, with a mix of timeliness and transparency. But only Cox answered the question, "How long do you retain records of the IP addresses assigned to customers."

These records can be used to trace an internet posting, website visit or an e-mail back to an ISP's customers. The records are useful to police tracking down child-porn providers, and music-industry groups use them to sue file sharers. Companies have also used the records to track down anonymous posters who write unflattering comments in stock-trading boards.

Cox's answer: six months. AOL says "limited period of time," while AT&T says it varies across its internet-access offerings but that the time limits are all "within industry standards."
Comcast, EarthLink, Verizon and Time Warner didn't respond.

Some of the most sensitive information sent across an ISP's network are the URLs of the websites that people visit. This so-called clickstream data includes every URL a customer visits, including URLs from search engines, which generally include the search term.

AOL, AT&T and Cox all say they don't store these URLs at all, while Qwest dodged the question. Comcast, EarthLink, Verizon and Time Warner didn't respond.

When asked if they allow marketers to see anonymized or partially-anonymized clickstream data, AOL, AT&T and Cox said they did not, while Qwest gave a muddled answer and declined to answer a follow-up question. Comcast, EarthLink, Verizon and Time Warner didn't respond.

This question was prompted by hints at a web-data conference last March that ISPs were peddling their customer's anonymized clickstream data to web marketers.

Anonymization of data such as URLs and search histories is not, however, a perfect science. This became clear last summer when AOL employees attempted to provide the search-research community with a large body of queries that researchers could mine to improve search algorithms. AOL researchers replaced IP addresses with different unique numbers, but news organizations quickly were able to find individuals based on the content of their queries.

Wired News also asked the companies if they have been in contact or discussions with the government about how long they should be keeping data. The Justice Department, along with some members of Congress, are pushing for European Union-style data-retention rules that would require ISPs to store customer information for months or years -- a measure law enforcement says is necessary to prosecute computer crimes, such as trading in child pornography.

ISPs were nearly universally reluctant to talk about any conversations or meetings they have had with federal officials.
AOL had no comment, Qwest dodged the question, AT&T wouldn't say, but noted it would broach the issue with the government as part of an industry-wide discussion. For its part, Cox says it has not been contacted.

As for whether they oppose data retention: Qwest said that the market should decide how long data is kept, while Cox was "studying the issue"; AOL is working with the industry and Congress, and AT&T is "ready to work with all parties."

Internet surveillance recently got easier, as the deadline passed last week for ISPs to equip their networks to federal specifications for real-time surveillance of a target's e-mails, VOIP calls and internet usage -- as well as data like IP address assignment and web URLs.

While law enforcement currently prefers to ask for stored internet records rather than get real-time surveillance, that balance may shift once the nation's networks are wired to government surveillance standards.

From rforno at infowarrior.org Wed May 30 18:18:37 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 30 May 2007 14:18:37 -0400
Subject: [Infowarrior] - Livejournal deleting questionable content?
Message-ID:

Apparently a new round of internet censorship is in the works, this time on SixApart's LiveJournal service. While I have no problem with LJ shutting down accounts to help prevent crime and pedophilia, it seems that today's actions against online crime is ensnaring folks and communities that might have distasteful, but not illegal, connotations about various things ranging from fanfiction-writing to online RPGs and alternative consenting adult sexuality practices/interests.

Read more from a LJ user's perspective at "Permanent Suspensions", or Strikethrough2007 -- http://catrinella.livejournal.com/151812.html

I wonder why LiveJournal (SixApart) is doing a 'broad-stroke' deletion process instead of conducting a bit of due diligence first.
Shoot-first isn't the way to handle these things....such is a lazy approach to this problem.....and while I have no issue with getting rid of ILLEGAL content, I do have a problem with arbitrarily-eliminating distasteful content, since what's distasteful to one person might not be to another....and I am a firm believer in lawful freedom of expression. (I'll refrain from social commentary about the Culture Police for now.)

Of course, anyone involved with child pr0n deserves what they get, and I hope there's a special ring of hades reserved just for them.

-rick
Infowarrior.org

From rforno at infowarrior.org Wed May 30 18:37:58 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 30 May 2007 14:37:58 -0400
Subject: [Infowarrior] - Counterfeiting Is not Terrorism
Message-ID:

...another brilliant Bruce observation I agree with....

http://www.schneier.com/blog/archives/2007/05/counterfeiting_3.html

Counterfeiting Is not Terrorism

This is a surreal story of someone who was chained up for hours for trying to spend $2 bills. Clerks at Best Buy thought the bills were counterfeit, and had him arrested. The most surreal quote of the article is the last sentence:

Commenting on the incident, Baltimore County police spokesman Bill Toohey told the Sun: "It's a sign that we're all a little nervous in the post-9/11 world."

What in the world do the terrorist attacks of 9/11 have to do with counterfeiting? How does being "a little nervous in the post-9/11 world" have anything to do with this incident? Counterfeiting is not terrorism; it isn't even a little bit like terrorism.
From rforno at infowarrior.org Thu May 31 00:49:23 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 30 May 2007 20:49:23 -0400
Subject: [Infowarrior] - Apple hides account info in DRM-free music, too
Message-ID:

Apple hides account info in DRM-free music, too
By Ken Fisher | Published: May 30, 2007 - 01:39PM CT
http://arstechnica.com/news.ars/post/20070530-apple-hides-account-info-in-drm-free-music-too.html

With great power comes great responsibility, and apparently with DRM-free music comes files embedded with identifying information. Such is the situation with Apple's new DRM-free music: songs sold without DRM still have a user's full name and account e-mail embedded in them, which means that dropping that new DRM-free song on your favorite P2P network could come back to bite you. We started examining the files this morning and noticed our names and e-mail addresses in the files, and we've found corroboration of the find at TUAW, as well.

But there's more to the story: Apple embeds your account information in all songs sold on the store, not just DRM-free songs. Previously it wasn't much of a big deal, since no one could imagine users sharing encrypted, DRMed content. But now that DRM-free music from Apple is on the loose, the hidden data is more significant since it could theoretically be used to trace shared tunes back to the original owner. It must also be kept in mind that this kind of information could be spoofed.

Concerned users could convert selections to MP3, but there will be a generational loss in quality resulting from the transcoding. We also have to wonder: who is buying DRM-free music with the plans of slapping it up on a P2P share, anyway? It's not like there aren't dozens of other ways to get access to music without paying for it.

What would Apple do with the info?

The big question, of course, is what might Apple do with this information?
Because it can be spoofed, it's not exactly the best way to determine who is sharing music, and in any case, tracing a link back such as this would leave a copyright holder in a gray area. Embedded data or not, the mere presence of the data in a file found on a share is not an unassailable indicator of copyright infringement. That said, it would be trivial for iTunes to report back to Apple, indicating that "Joe User" has M4As on this hard drive belonging to "Jane Userette," or even "two other users."

This is not to say that Apple is going to get into the copyright enforcement business. What Apple and indeed the record labels want to watch closely is: will one user buy music for his five close friends? The entertainment industry is obsessed with the idea of "casual piracy," or the occasional sharing of content between friends. I wouldn't be surprised if some data was being analyzed in aggregate, although Apple's current privacy policy does not appear to allow for this.

As with the dust-up over the mini-store, Apple should clarify what this embedded data is used for. We've contacted Apple for a response but have not heard back from the company.

From rforno at infowarrior.org Thu May 31 01:32:28 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 30 May 2007 21:32:28 -0400
Subject: [Infowarrior] - US Internet 'Spam King' arrested
Message-ID:

US Internet 'Spam King' arrested
http://news.yahoo.com/s/afp/20070530/tc_afp/usarrestinternetspam_070530205449
Wed May 30, 4:54 PM ET

SAN FRANCISCO (AFP) - US prosecutors said they captured on Wednesday a nefarious Internet marketer responsible for so much junk e-mail they called him "Spam King."

Robert Soloway, 27, was arrested in Seattle, Washington, a week after being indicted by a federal grand jury on charges of identity theft, money laundering, and mail, wire, and e-mail fraud.

"Spam is a scourge of the Internet, and Robert Soloway is one of its most prolific practitioners," said US Attorney for the Western District of Washington Jeffrey Sullivan. "Our investigators dubbed him the 'Spam King' because he is responsible for millions of spam emails."

Between November of 2003 and May of 2007 Soloway "spammed" tens of millions of e-mail messages to promote websites at which his company, Newport Internet Marketing, sold products and services, according to prosecutors.

Soloway routinely moved his website to different Internet addresses to dodge detection and began registering them through Chinese Internet service providers in 2006 in an apparent ploy to mask his involvement.

Spam messages sent by Soloway used misleading "header" information to dupe people into opening them, according to Sullivan. Soloway is accused of using "botnets," networks of computers, to disguise where e-mail originated and of forging return addresses of real people or businesses that wound up blamed for unwanted mailings.

If convicted as charged, Soloway will face a maximum sentence of more than 65 years in prison and a fine of 250,000 dollars. Prosecutors want to seize approximately 773,000 dollars they say Soloway made from his spamming-related activities.

From rforno at infowarrior.org Thu May 31 01:44:46 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 30 May 2007 21:44:46 -0400
Subject: [Infowarrior] - Reality, Not Rhetoric, On FISA
Message-ID:

Reality, Not Rhetoric, On FISA
By Silvestre Reyes
Wednesday, May 30, 2007; Page A13
http://www.washingtonpost.com/wp-dyn/content/article/2007/05/29/AR2007052901637.html?nav=rss_opinion/columns

The congressional testimony this month by former deputy attorney general James Comey called into question the accuracy of everything I had heard before about the so-called Terrorist Surveillance Program.
According to Comey, in the spring of 2004 President Bush authorized a program of domestic surveillance even though his acting attorney general was so concerned about the surveillance that he could not in good faith "certify its legality." That the program didn't comply with the Foreign Intelligence Surveillance Act (FISA) was not a shock. We have known that fact since the program's existence was disclosed in December 2005. What was shocking was the amount of dissent, even within the president's own Justice Department, about the perils of ignoring FISA.

FISA has been on the books since 1978 but has been updated and modernized numerous times. The law's purpose is to facilitate secret surveillance and searches on U.S. soil against spies, terrorists and other foreign powers. A Congressional Research Service report last July found that Congress had made approximately 50 changes to FISA since its inception -- and nearly a dozen updates since Sept. 11, 2001. Whenever FISA has been shown to be inadequate to track the communications of terrorists, Congress has been ready to update the law.

In his May 21 op-ed, Mike McConnell, the director of national intelligence, tried to make the case for the administration's new proposal for rewriting FISA. But his complaints about the current system were inaccurate. He stated that our intelligence agencies must obtain a court order to monitor the communications of foreigners abroad. That is not correct. Foreign-to-foreign communications, as a rule, do not require a court order.

One of McConnell's principal concerns relates to the time required to obtain a court order under FISA, but what he failed to mention is that the attorney general (or the deputy attorney general or an assistant attorney general) can grant oral approval for surveillance if that Justice Department official believes "an emergency situation exists" and that the facts will support a FISA court order.
All that is required to start emergency surveillance under the current law is a phone call from the National Security Agency or the FBI to one of those Justice Department officials. Yet that is not the administration's practice. The administration's practice is to get multiple approvals and involve hordes of lawyers.

Before we sweep away the FISA framework, Congress must review the administration's cumbersome, uncoordinated process that leads to delays in getting emergency FISA applications approved. In fact, I believe it was the administration's cumbersome, uncoordinated process and not the statutory requirements that led the president to authorize an end-run around FISA.

Last week, I announced that the House Permanent Select Committee on Intelligence would hold hearings on this issue. These hearings will begin next month and will focus on the following important questions:

- What surveillance activities has President Bush authorized under the NSA surveillance program disclosed in December 2005? What was the legal basis for these activities, and how did those activities change since the inception of the program? What activities are occurring today?

- How does the current FISA system operate? Can this system be improved?

- Are current legal authorities adequate for tracking terrorist communications, or are changes to the law required?

- Do current and proposed legal authorities adequately protect the Fourth Amendment rights of Americans?

Certain hearings may have to occur in closed session, but a major hearing on legislative proposals -- featuring administration witnesses and outside experts -- will take place in open session. Whenever possible, changes to public laws should be debated in public.

Meanwhile, Congress should insist that the Bush administration streamline and modernize its bureaucratic system for handling emergency FISA applications. Thanks to advanced technology, my staff can reach me any time.
There is no reason the FBI and the Justice Department can't use every tool at their disposal to speed the process of starting surveillance and searches. If the terrorists move at the speed of the Internet, so should we.

The writer, a Democrat from Texas, is chairman of the House Permanent Select Committee on Intelligence.

From rforno at infowarrior.org Thu May 31 01:52:20 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 30 May 2007 21:52:20 -0400
Subject: [Infowarrior] - SANS analyst on e-mail .sigs courtesy
Message-ID:

Joel Esler from SANS posts a great e-mail .sig etiquette entry this evening, and it's about time folks began to start talking about this annoying cruft. I daresay this should be passed along to all Internet users, and especially (in the case of #10) corporate e-mail administrators and their generally-clueless counsels who mandate this stuff......bravo, Joel!

-rf

Source: http://isc.sans.org/diary.html?storyid=2880&rss

When it comes to email sigs, he reports the following consensus comments:

1. Sigs should be no more than 4 lines
   name
   Title
   company
   phone number or web address
2. Quotes are okay as long as:
   a) It's kept to a minimum
   b) it's kept to PERSONAL email only
   c) It does not have a racial or religious theme. (duh?)
   d) plain text
3. Plain text
4. Plaxo and LinkedIn are bad.
5. jpg's/gif's/png's are bad. (no HTML!)
6. Apparently in some parts of the .eu, you HAVE to put stuff in your Sig block like, company name, web site, email, for disclaimer purposes. http://www.out-law.com/page-431
7. CERTS are okay, but as one reader pointed out, Why tell people what you don't have?
8. Addresses are to be kept out, if I want your address, I'll ask you for it. Email addresses should also be kept out, since it's going to be in your Reply-To:
9. The only thing worse than big long Sig blocks is OOOR. (Out of Office Replies)
10. Last but DEFINITELY not least.
The Disclaimers that say stuff like: IF YOU ARE NOT THE INTENDED RECIPIENT OF THIS MESSAGE YOU MUST DELETE AND NOTIFY THE SENDER BLAH BLAH BLAH BLAH BLAH, OR YOU CAN BE FINED 500 BUCKS BLAH BLAH BLAH, INSERT 20 MORE LINES OF STUFF HERE BLAH BLAH BLAH BLAH.

< - >

Oh, and if you are replying to a reply.. trim your Sig.

From rforno at infowarrior.org Thu May 31 03:13:53 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 30 May 2007 23:13:53 -0400
Subject: [Infowarrior] - DRM: And today's number of the day is....
Message-ID:

45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2

...not to be confused with the previous...

09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0

The fun never ends, eh?

-rf

From rforno at infowarrior.org Thu May 31 11:29:46 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 31 May 2007 07:29:46 -0400
Subject: [Infowarrior] - Livejournal's apology to its users
Message-ID:

Well we really screwed this one up... For reasons we are still trying to figure out what was supposed to be a well planned attempt to clean up a few journals that were violating LiveJournal's policies that protect minors turned into a total mess. I can only say I'm sorry, explain what we did wrong and what we are doing to correct these problems and explain what we were trying to do but messed up so completely.

< - >

http://news.livejournal.com/99159.html

From rforno at infowarrior.org Thu May 31 11:59:49 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 31 May 2007 07:59:49 -0400
Subject: [Infowarrior] - Don't Look a Leopard in the Eye, and Other Security Advice
Message-ID:

Don't Look a Leopard in the Eye, and Other Security Advice
05.31.07 | 2:00 AM
http://www.wired.com/print/politics/security/commentary/securitymatters/2007/05/securitymatters_0531

If you encounter an aggressive lion, stare him down. But not a leopard; avoid his gaze at all costs. In both cases, back away slowly; don't run.
If you stumble on a pack of hyenas, run and climb a tree; hyenas can't climb trees. But don't do that if you're being chased by an elephant; he'll just knock the tree down. Stand still until he forgets about you.

I spent the last few days on safari in a South African game park, and this was just some of the security advice we were all given. What's interesting about this advice is how well-defined it is. The defenses might not be terribly effective -- you still might get eaten, gored or trampled -- but they're your best hope. Doing something else isn't advised, because animals do the same things over and over again. These are security countermeasures against specific tactics.

Lions and leopards learn tactics that work for them, and I was taught tactics to defend myself. Humans are intelligent, and that means we are more adaptable than animals. But we're also, generally speaking, lazy and stupid; and, like a lion or hyena, we will repeat tactics that work. Pickpockets use the same tricks over and over again. So do phishers, and school shooters (.pdf). If improvised explosive devices didn't work often enough, Iraqi insurgents would do something else.

So security against people generally focuses on tactics as well.

A friend of mine recently asked me where she should hide her jewelry in her apartment, so that burglars wouldn't find it. Burglars tend to look in the same places all the time -- dresser tops, night tables, dresser drawers, bathroom counters -- so hiding valuables somewhere else is more likely to be effective, especially against a burglar who is pressed for time. Leave decoy cash and jewelry in an obvious place so a burglar will think he's found your stash and then leave. Again, there's no guarantee of success, but it's your best hope.

The key to these countermeasures is to find the pattern: the common attack tactic that is worth defending against. That takes data.
A single instance of an attack that didn't work -- liquid bombs, shoe bombs -- or one instance that did -- 9/11 -- is not a pattern. Implementing defensive tactics against them is the same as my safari guide saying: "We've only ever heard of one tourist encountering a lion. He stared it down and survived. Another tourist tried the same thing with a leopard, and he got eaten. So when you see a lion...." The advice I was given was based on thousands of years of collective wisdom from people encountering African animals again and again.

Compare this with the Transportation Security Administration's approach. With every unique threat, TSA implements a countermeasure with no basis to say that it helps, or that the threat will ever recur.

Furthermore, human attackers can adapt more quickly than lions. A lion won't learn that he should ignore people who stare him down, and eat them anyway. But people will learn. Burglars now know the common "secret" places people hide their valuables -- the toilet, cereal boxes, the refrigerator and freezer, the medicine cabinet, under the bed -- and look there. I told my friend to find a different secret place, and to put decoy valuables in a more obvious place.

This is the arms race of security. Common attack tactics result in common countermeasures. Eventually, those countermeasures will be evaded and new attack tactics developed. These, in turn, require new countermeasures. You can easily see this in the constant arms race that is credit card fraud, ATM fraud or automobile theft.

The result of these tactic-specific security countermeasures is to make the attacker go elsewhere. For the most part, the attacker doesn't particularly care about the target. Lions don't care who or what they eat; to a lion, you're just a conveniently packaged bag of protein. Burglars don't care which house they rob, and terrorists don't care who they kill.
If your countermeasure makes the lion attack an impala instead of you, or if your burglar alarm makes the burglar rob the house next door instead of yours, that's a win for you.

Tactics matter less if the attacker is after you personally. If, for example, you have a priceless painting hanging in your living room and the burglar knows it, he's not going to rob the house next door instead -- even if you have a burglar alarm. He's going to figure out how to defeat your system. Or he'll stop you at gunpoint and force you to open the door. Or he'll pose as an air-conditioner repairman. What matters is the target, and a good attacker will consider a variety of tactics to reach his target.

This approach requires a different kind of countermeasure, but it's still well-understood in the security world. For people, it's what alarm companies, insurance companies and bodyguards specialize in. President Bush needs a different level of protection against targeted attacks than Bill Gates does, and I need a different level of protection than either of them. It would be foolish of me to hire bodyguards in case someone was targeting me for robbery or kidnapping. Yes, I would be more secure, but it's not a good security trade-off.

Al-Qaida terrorism is different yet again. The goal is to terrorize. It doesn't care about the target, but it doesn't have any pattern of tactic, either. Given that, the best way to spend our counterterrorism dollar is on intelligence, investigation and emergency response. And to refuse to be terrorized. These measures are effective because they don't assume any particular tactic, and they don't assume any particular target.

We should only apply specific countermeasures when the cost-benefit ratio makes sense (reinforcing airplane cockpit doors) or when a specific tactic is repeatedly observed (lions attacking people who don't stare them down). Otherwise, general countermeasures are far more effective a defense.
- - -

Bruce Schneier is the CTO of BT Counterpane and the author of Beyond Fear: Thinking Sensibly About Security in an Uncertain World.

From rforno at infowarrior.org Thu May 31 13:21:51 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 31 May 2007 09:21:51 -0400
Subject: [Infowarrior] - More on: email .sigs
In-Reply-To: <20070531131654.GA15059@gsp.org>
Message-ID:

------ Forwarded Message
From: Rich K

Others have written on these topics as well; relevant links include:

Stupid E-Mail Disclaimers and the Stupid Users that Use Them
http://attrition.org/security/rants/z/disclaimers.html

Mailing and Posting Etiquette
http://www.river.com/users/share/etiquette/

Stupid Email Disclaimers
http://goldmark.org/jeff/stupid-disclaimers/

Miss Mailers Answers Your Questions on Mailing Lists
ftp://rtfm.mit.edu/pub/faqs/mail/miss-mailers

As to Plaxo and LinkedIn, both are spammers, and were permanently blacklisted here years ago. I recommend the same course of action to others.

As to disclaimers: anyone using them should have a finger smashed with a hammer every time they do. Any corporate attorney recommending or mandating them should be fired on the spot for gross incompetence.

-