From rforno at infowarrior.org Tue Apr 1 12:21:41 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 01 Apr 2008 08:21:41 -0400
Subject: [Infowarrior] - 'Protecting The Children' Can 'Hurt The Children'
Message-ID:

Finally, some sanity on this from politicos.........rf

UK Gov't Report Recognizes That 'Protecting The Children' Can 'Hurt The Children'
http://techdirt.com/articles/20080331/002412702.shtml

Politicians absolutely love to come out with laws saying that they're "protecting the children" as it plays well during election time. The problem, though, is that many of these laws do exactly the opposite. What they end up doing is actually preventing children from actually being able to learn necessary skills and how to deal with situations they will almost certainly face later in life. Yes, children can be much more vulnerable, but the answer isn't to hide them away from everything, but to teach them how to better deal with situations they may face. However, that tends not to be politically popular -- which is why it's that much more surprising to hear of a new report, requested by the UK Prime Minister pointing out just how problematic the rush to "protect the children" can be.

As Slashdot points out, the key line from the exec summary is worth repeating: "Children and young people need to be empowered to keep themselves safe -- this isn't just about a top-down approach. Children will be children -- pushing boundaries and taking risks. At a public swimming pool we have gates, put up signs, have lifeguards and shallow ends, but we also teach children how to swim."

This reminds me, too, of a line used last year by famed judge (and IP expert, to boot) Richard Posner in striking down an anti-video game law: "Violence has always been and remains a central interest of humankind and a recurrent, even obsessive theme of culture both high and low ... 
It engages the interest of children from an early age, as anyone familiar with the classic fairy tales collected by Grimm, Andersen, and Perrault are aware. To shield children right up to the age of 18 from exposure to violent descriptions and images would not only be quixotic, but deforming; it would leave them unequipped to cope with the world as we know it." If only more people would recognize such things.

From rforno at infowarrior.org Tue Apr 1 13:37:33 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 01 Apr 2008 09:37:33 -0400
Subject: [Infowarrior] - Cybercrime Law Enforcement Debated
Message-ID:

Cybercrime Law Enforcement Debated
Tuesday April 1, 7:38 am ET
By Jan Sliva, Associated Press Writer
http://biz.yahoo.com/ap/080401/eu_cybercrime.html?.v=1

Europe Debates Cybercrime Law Enforcement in NATO, Council of Europe Meetings

BRUSSELS, Belgium (AP) -- Two groups working separately to boost Europe's defenses against online crime will present proposals this week, almost a year after most of the nation of Estonia's links to the Internet were disrupted for days or weeks.

At a two-day conference starting Tuesday in Strasbourg, France, the Council of Europe will review implementation of the international Convention on Cybercrime and discuss ways to improve international cooperation. Cyber defense also will be on the agenda when heads of state from NATO's 26 member nations gather in Bucharest Wednesday for three days. The leaders are expected to debate new guidelines for coordinating cyber defense.

The Convention on Cybercrime, a binding treaty ratified by most members of the 47-nation Council of Europe, provides guidelines to protect computer users against hackers and Internet fraud. The controversial agreement also covers electronic evidence used in prosecution of such offenses as child sexual exploitation, organized crime and terrorism. 
At this week's conference, the council will discuss guidelines to bolster the convention to improve cooperation between investigators and Internet providers, according to the council's Web site. Participants and speakers at the conference -- including police officials and representatives of technology companies such as Microsoft Corp., eBay Inc., McAfee Inc. and Symantec Inc. -- also will address training.

NATO's three-day summit, which is to focus on enlarging the treaty organization and on its operations in Kosovo and Afghanistan, will include a special briefing on cyber defense, according to the treaty organization's Web site.

Some cybercrime experts are casting current Internet security challenges in terms of terrorism, while others remain focused on data loss, identity theft and fraud. Marco Gercke, lecturer in computer law at University of Cologne in Germany, said cybercrime poses new law enforcement challenges because data can now be exchanged very fast over vast international reaches.

"Compared to regular terror attacks, it is much easier for the offenders to hide their identity. There are at least 10 unique challenges that make it very difficult to fight computer-related crime," said Gercke, one of the conference participants. "The success rate of cybercrime is very high."

Privacy advocates, the American Civil Liberties Union and others are concerned that the Cybercrime Convention presses businesses and individuals to aid law enforcement in new ways and subjects them to surveillance that violates the U.S. Constitution. President Bush signed the treaty in 2003 and the U.S. Senate ratified it in 2006. The convention has been ratified by 21 other nations. 
The type of assault Estonian Internet service providers suffered -- which included denial-of-service attacks, where criminals flood a server with so many requests for connections that it is overwhelmed -- is particularly difficult to block because servers can't easily distinguish between legitimate and bogus requests for access, experts have said.

Estonian officials initially blamed the attacks on the Russian government but later acknowledged they had no proof of government involvement, though they said most of the computers launching the attacks were in Russia. Estonia has set up a center to tackle computer-related crime and wants a global treaty on combatting cyber attacks because laws in many countries are inadequate or conflict, which can make prosecution of cyber criminals difficult.

The tiny Baltic state, which has one of the world's highest rates of Internet use, has said the attacks damaged its economy because it depends heavily on the Internet. Russian officials deny any involvement in the cyber onslaught which erupted during violent protests by ethnic Russians against moving a Soviet-era monument out of the Estonian capital of Tallinn.

Web sites run by media outlets, government institutions and banks denied access to users outside Estonia. Among other impacts, Estonians traveling abroad couldn't get at their bank accounts. The attack also included e-mail spam.

http://www.coe.int/cybercrime
http://www.nato.int/docu/update/2008/04-april/e0402b.html

(This version CORRECTS short headline to delete reference to EU)

From rforno at infowarrior.org Tue Apr 1 14:43:04 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 01 Apr 2008 10:43:04 -0400
Subject: [Infowarrior] - Internet Hoax Gooses Stock Market
Message-ID:

Internet Hoax Gooses Stock Market
Tuesday, April 01, 2008 | 10:00 AM
http://bigpicture.typepad.com/comments/2008/04/internet-hoax-g.html

Traders woke up to a pleasant surprise on Tuesday morning, with equity Futures strongly higher. 
CNBC anchors were exuberant as previous earnings and credit fears melted away. The cause? An internet April Fool's hoax that backfired.

Dedicated short fund manager Doug Kass, of Seabreeze Partners Short LP, put out an early morning, tongue-in-cheek commentary, titled Time to Buy the Bull? The long time Bearish market pundit and writer for The Street.com and Real Money announced that he was raising his year end price targets for the S&P500 to 1,666, which would reflect a yearly gain of 26%.

The Financial press read the commentary literally. The WSJ announced "Bear Flips Bullish!," causing equity futures to rally. CNN Money covered the joke as if it were a real news item, and Marketwatch declared "Short Seller Starts Stock Rampage." Barron's headline read "Longtime Bear Tosses in the Towel; Says New Bull Market is Upon Us."

Bloomberg data service ran a full news alert, specifying the details of the longtime Bear's hoax, without recognizing it wasn't real:

- The writedown of toxic paper throughout the world's financial system has dramatically overstated the severity of the credit issue.
- The major money center banks and brokers will be a contributing factor to a surprising 25%+ rise in corporate profits.
- Shares of financials, which have been unfairly targeted by the short community over the last year (monoline insurers, banks, brokerages, etc.), could double in price by year-end.
- Oil prices, stimulated almost entirely by managed commodity trading funds and hedge funds are destined to drop below $50/barrel by year end.
- The U.S. economy will avoid recession, as housing has definitely bottomed;

Bloomberg failed to note these comments were all in jest, adding to the upwards market pressure.

The veteran fund manager had assumed that readers would get the April Fool's joke -- but never imagined it would go over the heads of veteran financial writers. Shortly after the open, US equities were in a strong rally mode. 
The Dow was up over 230 points, and Nasdaq had gained almost 2%, up 50 points.

The short seller issued a sheepish mea culpa that morning. "I apologize to my partners, and to my friends, and especially to the SEC, for whom I have the greatest possible respect. I never intended markets to be manipulated in this manner. I was only trying to make some traders, who have been having a tough year, break a smile . . .

One part of the joke turned out to have a surprising result. As part of the April fool's joke, Kass announced he would host a new CNBC show, called "The Mad Bull," at 4:30 p.m. EDT daily and after "The Closing Bell." CNBC program director Bill McChesney said that the station had already test marketed the idea, and the show had a very enthusiastic response. The program "The Mad Bull" will begin airing in June.

From rforno at infowarrior.org Tue Apr 1 20:32:49 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 01 Apr 2008 16:32:49 -0400
Subject: [Infowarrior] - DHS Issues Maine Ultimatum on Real ID
Message-ID:

Does anyone else feel a chill when reading the last paragraph in the below extract? And I don't just mean folks from Maine, either. -rf

http://blog.wired.com/27bstroke6/2008/04/dhs-issues-main.html

> Maine has until Wednesday to agree to driver's licenses changes demanded by
> the federal government or face the consequences of having Maine driver's
> licenses rejected as valid identification at the nation's airports come May
> 11.
>
> DHS all but told the state Monday that it was the country's "weakest link" and
> that the state needed to change its licensing ways or face the fed's wrath.

< - >

> DHS told Maine Monday that it has until 5 p.m. Wednesday to explain what
> executive orders and legislative steps it will be taking, otherwise DHS will
> start preparing airport security screeners to pat down all Maine residents who
> attempt to fly domestically without showing a passport. 
From rforno at infowarrior.org Tue Apr 1 20:51:36 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 01 Apr 2008 16:51:36 -0400
Subject: [Infowarrior] - MS OOXML Standard Said to Get Global Approval
Message-ID:

(would prefer this be a story that got broken tomorrow, given that it is April Fools today.......rf)

April 1, 2008
Microsoft Open Format Standard Said to Get Global Approval
By KEVIN J. O'BRIEN
http://www.nytimes.com/2008/04/01/technology/01cnd-soft.html

Microsoft won an international standards designation for its open document format, according to a copy of voting results obtained Tuesday, apparently ending a divisive year-long battle with some of its software rivals before a global standards-setting organization.

Microsoft's Office Open XML, a format for interchangeable Web documents, was approved by 24 of 32 countries in a core group of nations in a ballot by the International Organization for Standardization, according to the document. Approval by the Geneva standards-setting body, which is known by its French acronym, I.S.O., is almost certain to influence software spending by governments and large companies.

The tally reverses Microsoft's loss in first-round voting before the full 87-nation panel in September in a process that has been marked on both sides by heavy-handed lobbying of members of national standards committees, typically made up of technicians, engineers and bureaucrats.

"This has been a remarkable process, involving literally thousands of technical experts, technology consumers, and governments in 87 countries, whose input has helped to improve" the document format, Microsoft said Monday in a statement that did not mention the results.

In the final round of voting, which ended Saturday, three-quarters of the core members, including Britain, Japan, Germany and Switzerland, supported Microsoft's standard, called Ooxml, according to the results document. 
Of the 87 nations total national votes, only 10 opposed the standard, including Brazil, Canada, China, Cuba, Ecuador, India, Iran, New Zealand, South Africa and Venezuela. Under organization rules, at least 66 percent of core group members must accept a standard for it to be approved, and no more than 25 percent of all voting nations can oppose it.

Roger Frost, an I.S.O. spokesman in Geneva, would not confirm on Tuesday whether Microsoft's format had been designated as meeting the organization's standard, saying the organization would disclose the vote on Wednesday after informing its membership. The International Herald Tribune obtained the results from one of the member delegations contacted by the I.S.O.

Microsoft's request for fast-track approval of its Ooxml standard in early 2007 unleashed an intense lobbying campaign by International Business Machines and Sun Microsystems, which helped develop a rival interchangeable document format called Open Document Format. O.D.F. was the first interchangeable document format to receive I.S.O. approval in 2006, and its backers used the exclusive I.S.O. endorsement to pitch the technology to governments and large companies. O.D.F. is now being considered for use by 70 nations.

Controversy over the approval process continued into this week. On Monday, the chairman of an advisory committee to the voting body, Steve Pepper, asked the I.S.O. to suspend Norway's vote to approve Ooxml until an internal investigation could take place, saying the ballot cast did not reflect the interests of his group. "The vast majority of people were against this," Mr. Pepper said.

Ivar Jachwitz, the deputy managing director of Standards Norway, the country's national standards organization and the person who ultimately submitted Norway's "yes" vote for Ooxml, disputed Mr. Pepper's assertion that most people involved in Norway's voting process had opposed Ooxml. 
"We had an initial vote back in 2007 of nearly 50 people and the vast majority were in favor," Mr. Jachwitz said. He did acknowledge that 21 members of the group last week submitted a letter asking for Norway to oppose Ooxml. "Our vote reflected the majority opinion," Mr. Jachwitz said. "I do not see that it was improper."

Mr. Frost said he had received Mr. Pepper's complaint, but upon investigation considered the Norwegian dispute to be an internal matter. "We have received background information from them and have no reason to question the validity of their vote," Mr. Frost said.

In Malaysia, which abstained on Ooxml, members of the country's voting delegation barred uninvited employees of Microsoft and I.B.M. from participating in their deliberations. Sweden nullified its support of the standard last year after one member of its delegation reportedly voted twice. And some members of Germany's delegation complained that I.S.O. rules had not been properly followed and a steering committee of the country's national standards group, called D.I.N., was called in to rule on whether rules had been followed properly. In the end, the D.I.N. decided to submit no formal second vote to I.S.O., which allowed Germany's initial approval to stand, according to Jan Dittberner, a spokesman for D.I.N.

Demands for speedy approval of Microsoft's 6,000-page document sparked objections from many I.S.O. members, who felt the organization was being pressured by Microsoft, whose Office application suite is the standard on more than 90 percent of computers and archives around the world, according to International Data Corporation, a research group in Framingham, Mass.

Contention over the outcome even influenced the remarks of representatives of countries that abstained from the vote, like the Netherlands. "This is like someone with six shopping carts of food trying to go through the express lane at a supermarket," said Michiel Leenaars, a member of the Dutch voting delegation. 
"The end result of this will be confusion. The standard is simply too big. There are still a lot of questions out there."

From rforno at infowarrior.org Tue Apr 1 23:40:14 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 01 Apr 2008 19:40:14 -0400
Subject: [Infowarrior] - Clarification: Rick's departure note
Message-ID:

Hi folks -- For the record, I can confirm now that the reports of my departure from the information security community have been greatly exaggerated. In fact, they weren't just exaggerated but also fabricated. Such "news" was provided in the spirit of good, geeky, deviant Intertubey mischief that only happens once a year, and I'm quietly pleased with how many folks I 'got' with this year's prank. :)

However, in all seriousness....please know that I am both honored and humbled by the many notes from readers offering congratulations, well-wishes, and support after reading or hearing about my "news" today. While I don't go looking for kudos, I'm always humbled when receiving them, which I embrace as support and motivation to carry forward here. So thank you again!

For those interested, a sampling of reader feedback can be found at the (revised) hoax page: http://www.infowarrior.org/update-2008/

Until later....

-rick
Infowarrior.org

From rforno at infowarrior.org Tue Apr 1 23:59:24 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 01 Apr 2008 19:59:24 -0400
Subject: [Infowarrior] - Google Privacy Policy Doesn't Offer Privacy
Message-ID:

Google Has A Privacy Policy That Doesn't Offer Privacy
Posted by Thomas Claburn, Mar 31, 2008 05:29 PM
http://tinyurl.com/2ljt6z

In an effort to demonstrate its commitment to privacy, Google on Friday announced a revamp of its online Privacy Center, a repository for information about Google's privacy policies and practices. On Sunday, the San Francisco Chronicle reported that Google's enterprise search hardware is finding its way into U.S. 
intelligence agencies, which also have turned to Google to power Intellipedia, a Wikipedia of sorts for spies.

It should hardly come as a surprise that spy agencies want a bit of that Google magic to help them mine their vast stores of data. What is remarkable is that Google insists that it is strongly committed to protecting user privacy.

Google, and more broadly search engines, have done more to diminish privacy than any technology since the camera. Google makes information available and thus by definition diminishes privacy, which is best defined as the absence of information.

Google insists there's another kind of privacy, the kind where some information is collected: personal information when you register with Google, your IP address when you use Google services, the date and time of Google visits, and so on. Google's privacy is a privacy of degrees. You have some privacy, but not complete privacy. And even that "some privacy" you have is subject to conditions: If Google gets a subpoena or national security letter, that privacy you had isn't yours anymore.

Real privacy is what you get when you walk into a store and pay cash (pretend for a moment you're not being recorded on a security camera): There's no record of the transaction. Privacy is binary. Either you have it or you don't. It is anonymity. It is secrecy. Don't accept a watered-down substitute manufactured to make marketing easier.

Privacy can be both good and bad. It allows whistle blowers and human rights activists to expose corruption and abuse without being targeted for reprisal. At the same time, it allows pedophiles to operate online. So Google's insistence on semi-privacy is understandable. It reflects the broad social difficulty of acknowledging the need for privacy while also acknowledging the social need to prevent the exploitation of privacy to commit misdeeds.

But really, what Google has isn't a privacy policy. 
A privacy policy would be no longer than six words: We record no information about you. What Google has, what every site has, is a disclosure policy. Perhaps if Google and other companies admitted as much, we might have a more fruitful discussion about what the absence of privacy really means for Internet users.

From rforno at infowarrior.org Wed Apr 2 02:28:32 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 01 Apr 2008 22:28:32 -0400
Subject: [Infowarrior] - Interrogators Immune From Prosecution, '03 Memo Says
Message-ID:

Terrorism Interrogators Immune From Prosecution, '03 Memo Says
Since Rescinded, the Document Granted Nearly Unfettered Presidential Power
By Dan Eggen and Josh White
Washington Post Staff Writers
Tuesday, April 1, 2008; 6:32 PM
http://www.washingtonpost.com/wp-dyn/content/article/2008/04/01/AR2008040102213_pf.html

Federal laws prohibiting assault and other crimes did not apply to military interrogators who questioned al-Qaeda captives because the president's ultimate authority as commander-in-chief overrode such statutes, according to a newly declassified 2003 Justice Department memo released today.

The memo--which was rescinded just nine months after it was issued--provides an expansive argument for nearly unfettered presidential power in a time of war, contending that numerous laws and treaties that forbid torture or cruel treatment should not apply to the interrogations of enemy combatants overseas.

The 81-page document was sent to the Pentagon's general counsel on March 14, 2003 by John C. Yoo, then a deputy in the Justice Department's Office of Legal Counsel, and became the legal foundation for the Defense Department's use of aggressive interrogation practices. The memo asserts that domestic and international laws and treaties, as well as the U.S. Constitution, would not apply to U.S. interrogations in foreign lands because of the president's inherent wartime powers. 
"If a government defendant were to harm an enemy combatant during an interrogation in a manner that might arguably violate a criminal prohibition, he would be doing so in order to prevent further attacks on the United States by the al Qaeda terrorist network," Yoo wrote in the memo. "In that case, we believe that he could argue that the executive branch's constitutional authority to protect the nation from attack justified his actions."

Interrogators who harmed a prisoner also would be protected by a "national and international version of the right to self-defense," Yoo wrote.

Congress passed the Detainee Treatment Act of 2005, which required the Defense Department to limit interrogation techniques to those described in the Army Field Manual. In 2006, the Army rewrote the manual, which now specifically prohibits many of the tactics the administration sought to use.

Although the existence of the March 14, 2003 memo has long been known, its contents previously have never been disclosed. The memo was rescinded along with another from August 2002 that narrowly defined the bounds of torture, which also was written by Yoo but signed by another Justice Department official who is now a federal judge.

The documents are part of a growing collection of disputed or controversial legal memoranda and internal reports that undergirded a series of coercive interrogation techniques employed by the Bush administration in the years after the Sept. 11, 2001 terrorist attacks. The newly released memo was sent by the Justice Department late today to lawmakers on Capitol Hill, who have long pushed for its declassification.

The working group report, along with the memos from Yoo and others, were withdrawn after a group of dissident lawyers at the Justice Department later concluded that the legal reasoning behind the documents was deeply flawed. 
In his 2007 book, "The Terror Presidency," Jack Goldsmith, who was head of the Office of Legal Counsel from 2003 to 2004, writes that the Yoo memorandum was one of two internal Justice Department opinions that "stood out" for "the unusual lack of care and sobriety in their legal analysis." Among many other problems, Goldsmith wrote, both memos "were wildly broader than was necessary to support what was actually being done."

Yoo's memo in March 2003 came amid contentious debate inside the Pentagon about which interrogation techniques should be allowed at Defense Department facilities and which could open U.S. service members to potential legal troubles, both in domestic and international courts. A Pentagon working group began meeting in January 2003 after then-Defense Secretary Donald H. Rumsfeld suspended a list of aggressive techniques he had allowed for a single detainee at Guantanamo Bay, Cuba. The prisoner, military investigators later would determine, faced an interrogation regime that included stress positions, nudity, hooding, exposure to dogs and other aggressive techniques.

The working group's 2003 report, prepared under the supervision of then-general counsel William J. Haynes II, said that "in order to respect the President's inherent constitutional authority to manage a military campaign . . . [the prohibition against torture] must be construed as inapplicable to interrogations undertaken pursuant to his Commander-in-Chief authority."

In the days before Yoo sent his memo to Haynes, the top lawyers for each service wrote strenuous objections to the use of Justice Department arguments on the matter, arguing that the use of such extreme techniques could send a dangerous message to other nations about what the United States considers acceptable, and that using such techniques could amount to "unlawful" conduct by U.S. troops. 
"Implementation of questionable techniques will very likely establish a new baseline for acceptable practice in this area, putting our service personnel at far greater risk and vitiating many of the POW/detainee safeguards the U.S. has worked hard to establish over the past five decades," wrote Maj. Gen. Thomas J. Romig, then the Army's Judge Advocate General, on March 3, 2003.

Rear Adm. Michael F. Lohr, the Navy's top lawyer, asked in a memo at the time whether the American people would find "we have missed the forest for the trees by condoning practices that, while technically legal, are inconsistent with our most fundamental values?"

A draft memo from the working group on March 6, 2003 dismissed most of the service lawyers' recommendations and relied heavily on the Justice Department's reasoning. Air Force General Counsel Mary Walker, who wrote the memo, used the administration's position on denying detainees Geneva Convention rights and on the definition of torture to justify the use of aggressive tactics.

Walker's group issued a final report on April 4, 2003, that defends the use of extremely aggressive tactics. In part of its discussion about techniques such as using dogs, removal of clothing, slaps, sleep deprivation and other techniques, the report said: "Generally, the legal analysis that was applied is that understood to comport with the views of the Department of Justice."

The service JAGs did not receive a copy of Yoo's March memo and did not know about the final working group report for more than a year.

"There was no consensus on the working group, and the report that Mary Walker put together was done with very little of our input, or she just didn't listen to the input from the group," Romig, now dean of the Washburn University School of Law in Kansas, said yesterday. "When this all came out, I think it just caused a level of confusion, where people were trying to push the envelope. 
It gave more credence to the argument that this was all a new model, a new dynamic we were in, and therefore the old rules didn't apply."

Romig said top civilians in the Pentagon and within the Bush administration consistently refused to listen to lawyers in uniform, despite their dire predictions that deviating from time-tested interrogation norms could result in disaster.

"It taints the military in a way that it doesn't by and large deserve," Romig said. "Nevertheless, these things have occurred. It's terribly damaging to the armed forces and to our country to have had this happen in the way that it's happened."

Staff researcher Julie Tate contributed to this report.

From rforno at infowarrior.org Wed Apr 2 02:51:00 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 01 Apr 2008 22:51:00 -0400
Subject: [Infowarrior] - DOJ 2003 Torture Opinion (PDF, complete)
Message-ID:

(AKA one of the "infamous Yoo Memos" from 2003)

March 14, 2003
Memorandum for William J. Haynes II, General Counsel of the Department of Defense
Re: Military Interrogation of Alien Unlawful Combatants Held Outside the United States

Single 18MB PDF of the just-declassified 81 page memo can be found at:
www.infowarrior.org/users/rforno/DOJ-OLC-TortureOpinion-2003.pdf

From a WaPo article tonight, for a bit of background:
http://www.washingtonpost.com/wp-dyn/content/article/2008/04/01/AR2008040102213.html

< - >

The memo--which was rescinded just nine months after it was issued--provides an expansive argument for nearly unfettered presidential power in a time of war, contending that numerous laws and treaties that forbid torture or cruel treatment should not apply to the interrogations of enemy combatants overseas.

The 81-page document was sent to the Pentagon's general counsel on March 14, 2003 by John C. Yoo, then a deputy in the Justice Department's Office of Legal Counsel, and became the legal foundation for the Defense Department's use of aggressive interrogation practices. 
From rforno at infowarrior.org Wed Apr 2 12:19:07 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 02 Apr 2008 08:19:07 -0400
Subject: [Infowarrior] - In Spy Debate, Top Spy Lobbies, Attorney General Misleads
Message-ID:

In Spy Debate, Top Spy Lobbies, Attorney General Misleads
By Ryan Singel
April 01, 2008 | 7:19:39 PM | Categories: NSA, Spooks Gone Wild
http://blog.wired.com/27bstroke6/2008/04/in-spy-debate-t.html

When it comes to spying, the nation's top officials just can't keep from misleading the American people. But has two years of end-of-the-world rhetoric and dodgy legalistic explanations from an Administration that secretly turned NSA's formidable spying apparatus on the American people finally run its course?

On Sunday, the New York Times' Eric Lichtblau put paid on accusations that Attorney General Alberto Gonzales lied to Congress when he said there was no internal disagreement over the warrantless wiretapping of Americans. If the Ashcroft ICU showdown wasn't enough to earn Gonzales the official title of liar, the story that FBI employees thought the law was being broken 12 hours after the secret wiretapping of Americans started certainly does.

Tuesday, the Los Angeles Times reports that Democrats no longer trust the "straight shooting" Director of National Intelligence Michael McConnell and consider him to be a "lobbyist."

In letters to lawmakers, McConnell warned that prolonged debate by the House was making the nation "more vulnerable to terrorist attack and other foreign threats." In a newspaper interview last year, he said that merely debating the issue meant that "some Americans are going to die," because terrorists and other adversaries would learn more about America's surveillance capabilities. More recently, at a House hearing in February, McConnell was accused of offering misleading testimony when he warned that allowing temporary eavesdropping authority to lapse would cause phone companies to quit cooperating. 
For the past year, McConnell has largely been allowed to get away with his fear-mongering and exaggerated claims about the effect of curtailing wiretapping powers because even the most basic facts about the president's rogue wiretapping program remain classified. But even with that cloak of darkness to hide the truth, McConnell still manages to mislead Congress and make statements so absurd that it's impossible for anyone actually paying attention to the debate to believe him. Like when he trotted out the Iraqi hostage story after it had been debunked, or told Congress how the powers under the Protect America Act snagged German terrorists and then had to retract the politically convenient exaggeration. And he's been yapping all over that a secret court destroyed 70 percent of the nation's spies' ability to eavesdrop around the world, and then it turns out the problem is all about not being able to harvest every email that enters or leaves switches based in the United States. You'd think at least that the nation's top law enforcement official, Attorney General Michael Mukasey, would tell the truth, but he seems to have caught the same exaggeration flu that McConnell suffers from. Last week, Mukasey came to San Francisco and said that the "government shouldn't need a warrant when someone picks up a phone in Iraq and calls the United States." He's right and it never has. He also said that before 9/11, the government knew about a call from a safe house in Afghanistan to somewhere in the United States. "We didn't know precisely where it went." He suggested that the U.S. might have prevented another terrorist attack if the government could have monitored that call without court approval. It could have. It should have. The CIA and the FBI, under the Bush administration, could have taken Al Qaeda seriously and stopped 9/11 with the tools they had. They did not. And now the nation's top law enforcement official is lying about wiretapping laws.
And he added that companies such as AT&T, Sprint and Verizon that massively violated federal privacy laws should be given amnesty, which he said "was just not fair." That's just absurd. As we learned over the last two years, even John Ashcroft knew that targeting wiretaps at Americans without warrants was illegal. The telecoms certainly knew it, too. And in another stunning revelation in Sunday's New York Times story, we learn that from the start, Deputy Attorney General Larry Thompson refused to sign off on any applications for full wiretaps that used information from the illegal wiretaps. To top it off, the next day he tops himself by saying that theft of intellectual property fosters terrorism. These people have no shame. Now Congress is returning to session and the White House is willing to make some sort of deal now that it's figured out its fear-mongering, terror-armageddon rhetoric isn't working any more. The House shouldn't bargain lightly, and the more time passes, the more this program comes into focus as an immense and illegal operation that violated every legal boundary put into place after the country learned about Nixon and Hoover's wiretapping excesses. Just today, John Yoo's infamous torture memo was declassified. There's no reason that Congress should be in any hurry to hand more wiretapping power to this administration of exaggerators and chicken littles until it releases the other John Yoo memo -- the one that gave legal cover to the government's spying on American citizens without court orders. The one that told this President that he had the power to order his minions to collect, store and sift through my phone records and internet usage without getting a judge's approval.
From rforno at infowarrior.org Wed Apr 2 12:22:48 2008 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 02 Apr 2008 08:22:48 -0400 Subject: [Infowarrior] - Public Communications: Whitehall 2.0 Message-ID: Original URL: http://www.theregister.co.uk/2008/04/02/government_info_sharing/ New(ish) Labour plans Whitehall 2.0 By Joe Fay Published Wednesday 2nd April 2008 11:36 GMT The UK government has dulled the glamorous sheen of Web 2.0 by pledging guidelines on how civil servants should use social media for developing policies and getting their messages out to the public. The Cabinet Office has published an Interim Progress Report (http://www.cabinetoffice.gov.uk/reports/power_of_information/interim_progress_report_html.aspx) on its information strategy, carried out by Tom Steinberg and Ed Mayo, which details Whitehall's efforts to "get" social media in its efforts to communicate with we the people. The interim report's appearance coincided with the setting up of a Power of Information Taskforce - which will include Steinberg - to flesh out the strategy and which was revealed in a speech by Tom Watson, MP, Labour's minister for transformational government. In his speech, Watson argued that freeing up data "will allow us to unlock the talent of British entrepreneurs" while "engaging people - using the simple tools that bring them together - will allow the talents of all our people to be applied to the provision of public services". Watson promised the COI and the Cabinet Office would "produce a set of guidelines that adheres to the letter of the law when it comes to the civil service code but lives within the spirit of the age". We think this means Civil Servants need an approved way to dip into sites like mumsnet to share their wisdom on, for example, how to claim maternity benefits.
We presume it doesn't mean putting in place a bureaucratic procedure to ensure that all civil servants' Wikipedia edits on Avril Lavigne have been signed off by the Cabinet Office and Number 10. Watson said draft proposals would be ready for the taskforce by the end of this week. Government also needed to adopt social media, Watson argued. "Whitehall is arguably Britain's most important knowledge factory," he said, "but we're using out of date tools." So, it would appear Sir Humphrey and pals will be forced to thrash out policy and career paths over blogs, wikis, forums and shared workspaces instead of over the port and cheese board. Watson also pledged to overhaul the way information produced by government bodies, for example regulatory information or Ordnance Survey mapping data, is disseminated and charged for. "There has been a lively debate about whether the overall benefits to the economy and society are better served by giving the data away at marginal cost." He said he had asked the Treasury and BERR to help build arguments in this area. More disturbingly, perhaps, Watson reminisced about how hard it used to be for "any community organiser or activist to 'get people together to do something'". He recalled how he spent his formative years in "endless hours of turning the handle of a manual duplicating machine whilst my dad fermented [sic] revolution in the pub." He went on to claim that "social media has removed the requirement for my son to turn the handle for his dad. It allows people to organise a demonstration or a lobby at a single click, with global effect." Which is funny, as we'd never thought organising spontaneous demonstrations was part of the government's remit.
From rforno at infowarrior.org Wed Apr 2 17:18:05 2008 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 02 Apr 2008 13:18:05 -0400 Subject: [Infowarrior] - US reveals plans to hit back at cyber threats Message-ID: US reveals plans to hit back at cyber threats 02 Apr 2008 15:12 http://news.zdnet.co.uk/security/0,1000000189,39378374,00.htm The US Air Force Cyber Command is just as interested in attack as defence, according to a senior general The US Air Force Cyber Command is developing capabilities to inflict denial of service, confidential data loss, data manipulation, and system integrity loss on its adversaries, and to combine these with physical attacks, according to a senior US general. Air Force Cyber Command (AFCYBER), a US military unit set up in September 2007 to fight in cyberspace, is due to become fully operational in the autumn under the aegis of the US Eighth Air Force. Lieutenant General Robert J Elder, Jr, who commands the Eighth Air Force's Barksdale base, told ZDNet.co.uk at the Cyber Warfare Conference 2008 that the Air Force is interested in developing its capabilities to attack enemy forces as well as defend critical national infrastructure. "Offensive cyberattacks in network warfare make kinetic attacks more effective, [for example] if we take out an adversary's integrated defence systems or weapons systems," said Elder. "This is exploiting cyber to achieve our objectives." However, this is a double-edged sword, as adversaries will also attempt to develop similar capabilities, especially considering the US military's heavy use of technology, said Elder. "Terrorists and criminals are doing the same thing. We depend so heavily as a military on the use of cyber, we have to be cautious about it," said Elder. "Cyber gives us a huge advantage but adversaries look at our capabilities and see areas they can undermine.
We need to protect our asymmetric advantage - on the one hand by having people further exploit cyber, and on the other by having mission assurance." This problem is made more pressing by the military's reliance on the public internet to perpetrate cyberattacks. The infrastructure the US military uses to both launch and defend against cyberattacks runs through the public internet system. Military networks such as the Global Information Grid are linked to US government and critical national infrastructure systems, which in turn are linked to the public internet. Adversary systems are subverted by the US military through public channels - however, this also leaves the US military open to attack through the same channels, said Elder. "The infrastructure on which the Air Force depends is controlled by both military and commercial entities and is vulnerable to attacks and manipulation," said Elder. Other causes for military concern include possible supply-chain vulnerabilities, where vulnerabilities are introduced into chipsets during manufacturing that an adversary can then exploit, and electronics vulnerabilities. "We need to make sure chips aren't manipulated - we're worried about information assurance just like everyone else," said Elder. Other problems being faced by the Cyber Command are centred around different Air Force and military units needing to improve their channels of communication before the autumn. "We have 10,000 people to do this, but the problem is they are stovepiped," said Elder. "Stovepiping" has two complementary meanings. In IT terms it describes information held in separate databases which is difficult to access due to its multiple locations - the UK equivalent term would be "siloed". In intelligence-gathering terms - the Eighth also serves as the US Air Force information operations headquarters - "stovepiping" refers to information which has been passed up the chain of command without undergoing due diligence.
Elder said that, while he was satisfied with AFCYBER's covert operations capabilities and its demonstrable ability to remotely destroy missile defence systems, he wished to further develop its attack capabilities. "IT people set up traditional IT networks with the idea of making them secure to operate and defend," said Elder. "The traditional security approach is to put up barriers, like firewalls - it's a defence thing - but everyone in an operations network is also part of the [attack] force. We're trying to move away from clandestine operations. We're looking for real physics - a bigger bang resulting in collateral damage." US Cyber Command also needs to develop the means to quickly pinpoint exactly where an attack is coming from, to be able to retaliate, and also to deter potential attackers. "We haven't done a good job in the cyber-domain just yet," said Elder. "We have to demonstrate the capability to do [rapid forensics] then message that to our adversaries. For deterrence we have to clearly identify the attacker. We're working on rapid forensics to determine who the adversary is." While cyber-espionage was inevitable, said Elder, knowledge of the US military being able to pinpoint the source of cyberattacks could deter assaults on critical national infrastructure that use Supervisory Control And Data Acquisition (Scada) systems. "We're not going to deter cyber-espionage, but we might be able to deter attacks on Scada networks," said Elder. As well as developing forensics tools, Cyber Command is also coding tools to check for incursions, including a "Cyber Sidearm", which will monitor activity on the Combat Information Transport System - the US Air Force cyber-network. "We've been working to get the functionality built - we're supposed to have it in the next couple of months," said Elder. US Eighth Air Force said it was seeking partnerships with both public- and private-sector organisations to "secure cyberspace".
The Department for Homeland Security's Strategy to Secure Cyberspace includes establishing a public-private architecture to gauge and respond to cyberthreats, and increase information-sharing between public- and private-sector organisations and the military. Story URL: http://news.zdnet.co.uk/security/0,1000000189,39378374,00.htm From rforno at infowarrior.org Wed Apr 2 19:00:52 2008 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 02 Apr 2008 15:00:52 -0400 Subject: [Infowarrior] - OT: 2008 Congressional Pig Book Message-ID: http://www.cagw.org/site/PageServer?pagename=reports_pigbook2008 PORKBUSTERS UPDATE: Citizens Against Government Waste has released the 2008 Congressional Pig Book, and it's full of juicy, greasy, goodness. http://www.cagw.org/site/PageServer?pagename=reports_pigbook2008 Here's a summary: Some of the biggest pork projects, according to the group, include a Lobster Institute; the Rocky Flats, Colorado, Cold War Museum; and the First Tee, a program to build young people's character through golf. Members of Congress requested funds for all these pet projects and thousands of others last year, according to the latest copy of the annual "Pig Book" released by Citizens Against Government Waste. "Congress stuffed 11,610 projects" worth $17.2 billion into a dozen spending bills, the group said in the report released Wednesday. The "Pig Book" names dozens of what the citizens group considers the most egregious porkers, the lawmakers who funnel money to projects on their home turf. Sen. Thad Cochran of Mississippi, the top Republican on the Senate Appropriations Committee, requested the most money, $892.2 million, according to the group. . . . "There were several candidates for the Narcissist Award," Tom Schatz, the president of the group said. "But this one went to House Ways and Means Chairman Charlie Rangel for the Charles Rangel Public Service Center at the City College of New York -- $1,950,000 (to a project) that he named after himself." 
Rangel, a Democrat from New York, said last summer he was "honored that City College chose to have my name attached to what is an important project, not just for the residents of my congressional district, but for New York City and this nation." A call to Rangel's office wasn't immediately returned. Both parties came in for criticism, with the Democrats who control both houses of Congress topping the Republicans in spending. http://www.cagw.org/site/PageServer?pagename=reports_pigbook2008 From rforno at infowarrior.org Thu Apr 3 13:09:01 2008 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 03 Apr 2008 09:09:01 -0400 Subject: [Infowarrior] - Memo Justified Warrantless Surveillance Message-ID: Memo Justified Warrantless Surveillance Apr 2, 7:47 PM (ET) By PAMELA HESS and LARA JAKES JORDAN http://apnews.myway.com/article/20080402/D8VQ1NG80.html WASHINGTON (AP) - For at least 16 months after the Sept. 11 terror attacks in 2001, the Bush administration believed that the Constitution's protection against unreasonable searches and seizures on U.S. soil didn't apply to its efforts to protect against terrorism. That view was expressed in a secret Justice Department legal memo dated Oct. 23, 2001. The administration on Wednesday stressed that it now disavows that view. The October 2001 memo was written at the request of the White House by John Yoo, then the deputy assistant attorney general, and addressed to Alberto Gonzales, the White House counsel at the time. The administration had asked the department for an opinion on the legality of potential responses to terrorist activity. The 37-page memo is classified and has not been released. Its existence was disclosed Tuesday in a footnote of a separate secret memo, dated March 14, 2003, released by the Pentagon in response to a Freedom of Information Act lawsuit by the American Civil Liberties Union.
"Our office recently concluded that the Fourth Amendment had no application to domestic military operations," the footnote states, referring to a document titled "Authority for Use of Military Force to Combat Terrorist Activities Within the United States." Exactly what domestic military action was covered by the October memo is unclear. But federal documents indicate that the memo relates to the National Security Agency's Terrorist Surveillance Program. That program intercepted phone calls and e-mails on U.S. soil, bypassing the normal legal requirement that such eavesdropping be authorized by a secret federal court. The program began after the Sept. 11 terrorist attacks and continued until Jan. 17, 2007, when the White House resumed seeking surveillance warrants from the Foreign Intelligence Surveillance Court. The October memo was written just days before Bush administration officials, including Vice President Dick Cheney, briefed four House and Senate leaders on the NSA's secret wiretapping program for the first time. The government itself related the October memo to the TSP program when it included it on a list of documents that were responsive to the ACLU's request for records from the program. It refused to hand them over. On Wednesday, Justice Department spokesman Brian Roehrkasse said the statement in the footnote does not reflect the current view of the department's Office of Legal Counsel. "We disagree with the proposition that the Fourth Amendment has no application to domestic military operations," he said. "Whether a particular search or seizure is reasonable under the Fourth Amendment requires consideration of the particular context and circumstances of the search." Roehrkasse would not say exactly when that legal opinion was overturned internally. But he pointed to a January 2006 white paper issued by the Justice Department a month after the TSP was revealed by The New York Times. 
"The white paper does not suggest in any way that the Fourth Amendment does not apply to domestic military activities, and that is not the position of the Office of Legal Counsel," he said. Suzanne Spaulding, a national security law expert and former assistant general counsel at the Central Intelligence Agency, said she found the Fourth Amendment reference in the footnote troubling, but added: "To know (the Justice Department) no longer thinks this is a legitimate statement is reassuring." "The recent disclosures underscore the Bush administration's extraordinarily sweeping conception of executive power," said Jameel Jaffer, director of the ACLU's National Security Project. "The administration's lawyers believe the president should be permitted to violate statutory law, to violate international treaties, and even to violate the Fourth Amendment inside the U.S. They believe that the president should be above the law." "Each time one of these memos comes out you have to come up with a more extreme way to characterize it," Jaffer said. The ACLU is challenging in court the government's withholding of the October 2001 memo. From rforno at infowarrior.org Thu Apr 3 13:10:26 2008 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 03 Apr 2008 09:10:26 -0400 Subject: [Infowarrior] - ACLU: Military skirting law to spy Message-ID: ACLU: Military skirting law to spy http://news.yahoo.com/s/ap/20080402/ap_on_re_us/national_security_letters&printer=1;_ylt=AisCpuTSCnT3gg3T7LVmhzRH2ocA By LARRY NEUMEISTER, Associated Press Writer, Wed Apr 2, 6:39 AM ET The military is using the FBI to skirt legal restrictions on domestic surveillance to obtain private records of Americans' Internet service providers, financial institutions and telephone companies, the ACLU said Tuesday.
The American Civil Liberties Union based its conclusion on a review of more than 1,000 documents turned over by the Defense Department after it sued the agency last year for documents related to national security letters, or NSLs, investigative tools used to compel businesses to turn over customer information without a judge's order or grand jury subpoena. "Newly unredacted documents released today reveal that the Department of Defense is using the FBI to circumvent legal limits on its own NSL power," said the ACLU, whose lawsuit was filed in Manhattan federal court. ACLU lawyer Melissa Goodman said the documents the civil rights group studied "make us incredibly concerned." She said it would be understandable if the military relied on help from the FBI on joint investigations, but not when the FBI was not involved in a probe. The FBI referred requests for comment Tuesday to the Defense Department. A department spokesman, Air Force Lt. Col. Patrick Ryder, said in an e-mail that the department had made "focused, limited and judicious" use of the letters since Congress extended the capability to investigatory entities other than the FBI in 2001. He said the department had acted legally in using a necessary investigatory tool and noted that "unusual financial activity of people affiliated with DoD can be an indication of potential espionage or terrorist-related activity." Ryder said the information in the ACLU claims came in part from an internal review of DoD's use of the letters. "We have since developed training and provided it to the services for their use," he said. He said that there was no law requiring it to track use of the letters but that the department had decided it was in its best interest to do so. 
Goodman, a staff attorney with the ACLU National Security Project, said the military is allowed to demand financial and credit records in certain instances but does not have the authority to get e-mail and phone records or lists of Web sites that people have visited. That is the kind of information that the FBI can get by using a national security letter, she said. "That's why we're particularly concerned. The DoD may be accessing the kinds of records they are not allowed to get," she said. Goodman also noted that legal limits are placed on the Defense Department "because the military doing domestic investigations tends to make us leery." In other allegations, the ACLU said:
- The Navy's use of the letters to demand domestic records has increased significantly since the Sept. 11 attacks.
- The military wrongly claimed its use of the letters was limited to investigating only Defense Department employees.
- The Defense Department has not kept track of how many national security letters the military issues or what information it obtained through the orders.
- The military provided misleading information to Congress and silenced letter recipients from speaking out about the records requests.
Goodman said Congress should provide stricter guidelines and meaningful oversight of how the military and FBI make national security letter requests. "Any government agency's ability to demand these kinds of personal, financial or Internet records in the United States is an intrusive surveillance power," she said. From rforno at infowarrior.org Thu Apr 3 13:28:38 2008 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 03 Apr 2008 09:28:38 -0400 Subject: [Infowarrior] - Pentagon Is Expected to Close Intelligence Unit Message-ID: April 2, 2008 Pentagon Is Expected to Close Intelligence Unit By MARK MAZZETTI http://www.nytimes.com/2008/04/02/washington/02intel.html?_r=2&oref=slogin&pagewanted=print WASHINGTON -
The Pentagon is expected to shut a controversial intelligence office that has drawn fire from lawmakers and civil liberties groups who charge that it was part of an effort by the Defense Department to expand into domestic spying. The move, government officials say, is part of a broad effort under Defense Secretary Robert M. Gates to review, overhaul and, in some cases, dismantle an intelligence architecture built by his predecessor, Donald H. Rumsfeld. The intelligence unit, called the Counterintelligence Field Activity office, was created by Mr. Rumsfeld after the Sept. 11, 2001, terrorist attacks as part of an effort to counter the operations of foreign intelligence services and terror groups inside the United States and abroad. Yet the office, whose size and budget is classified, came under fierce criticism in 2005 after it was disclosed that it was managing a database that included information about antiwar protests planned at churches, schools and Quaker meeting halls. The Pentagon's senior intelligence official, James R. Clapper, has recommended to Mr. Gates that the counterintelligence field office be dismantled and that some of its operations be placed under the authority of the Defense Intelligence Agency, the government officials said. Pentagon officials said Mr. Gates had yet to approve the recommendation. Mr. Gates, a former director of central intelligence, has promised to improve coordination of the Pentagon's intelligence collection with other spy agencies and help rebuild some of the relationships bruised under Mr. Rumsfeld's tenure. Mr. Rumsfeld and some of his aides had expressed deep suspicion toward the Central Intelligence Agency in particular, and some people accused Mr. Rumsfeld of trying to build an intelligence empire of his own. Shortly after taking over the Pentagon last year, Mr. Gates ordered a broad review of its intelligence operations and of the Defense Department's relationships with other spy agencies.
It is unclear whether Mr. Clapper is also recommending tighter restrictions on Pentagon counterterrorism and counterespionage operations in the United States. Some civil liberties groups said they worried that the change might be cosmetic and that the Pentagon might be closing the office to farm out its operations to other agencies that receive less scrutiny. Lt. Col. Patrick Ryder, a Pentagon spokesman, said the recommendation to close the office had nothing to do with its troubled history. The move is aimed, Colonel Ryder said, at "creating efficiencies and streamlining" Pentagon efforts to thwart operations by foreign intelligence services and terror networks. Representative Silvestre Reyes, Democrat of Texas and chairman of the House Intelligence Committee, called the decision long overdue. Mr. Reyes said the office "was a Rumsfeld-era relic that triggered major concern about domestic intelligence gathering by the Pentagon against Americans." The work of coordinating the Pentagon's various counterintelligence activities would remain important, Mr. Reyes said, but "vigorous oversight" would be needed under the new structure. Some current and former Pentagon officials expressed concern that putting the mission of countering foreign intelligence services under the Defense Intelligence Agency could signal a decline in its priority. But Colonel Ryder, the Pentagon spokesman, said the recommendation to close the counterintelligence office was intended to strengthen counterintelligence operations. Pentagon officials said that the database that housed information about the war protesters was built to track terrorist threats against domestic military bases and that reports about war protesters were put into it by mistake. Mr. Clapper ordered an end to the database, called Talon, last year.
The disclosure that the Pentagon was collecting information about citizens in the United States prompted memories of its activities decades ago, when the military used electronic surveillance to monitor civilians protesting the Vietnam War. The Pentagon is traditionally barred from conducting domestic intelligence operations. The counterintelligence office was also brought into the scandal surrounding Representative Randy Cunningham, a California Republican, who resigned from Congress in 2005 after pleading guilty to taking bribes from military contractors. Some of the contracts that Mr. Cunningham channeled to Mitchell J. Wade, a longtime friend, were for programs of the counterintelligence office. Newly declassified documents released on Tuesday shed more light on another activity coordinated by the Pentagon's counterintelligence office, issuing letters to banks and credit agencies to obtain financial records in terrorism and espionage investigations. The Pentagon has issued hundreds of so-called national security letters, which are noncompulsory, as a tool to examine the income of employees suspected of collaborating with a foreign spy service or international terrorist network. The documents, released as part of a Freedom of Information lawsuit brought by the American Civil Liberties Union, include an internal review begun in 2007 that examined the Pentagon's use of the letters. The review found poor coordination and a lack of standardized training inside the Defense Department about using the letters, but uncovered no instances where the department broke any laws. The Pentagon is authorized to issue the letters, sometimes in coordination with the Federal Bureau of Investigation, to obtain financial records of civilian and military Defense Department employees and their families. Colonel Ryder said that since the Sept. 11 attacks there had been six cases where the letters were used to obtain records about the family members of Defense Department employees.
From rforno at infowarrior.org Thu Apr 3 17:39:57 2008 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 03 Apr 2008 13:39:57 -0400 Subject: [Infowarrior] - EULA required to buy Fuji digital camera Message-ID: Fuji makes you sign bizarre EULA to buy a camera Posted by Cory Doctorow, April 2, 2008 12:43 PM http://www.boingboing.net/2008/04/02/fuji-makes-you-sign.html#comments Edie sez, "I'm in the market for a digital SLR, and found something rather disturbing. B&H Photo says that to purchase a Fujifilm IS-1 camera, you must fill out an end user license agreement. Even weirder is the EULA itself: It asks what 'legitimate business purpose' (their words, not mine) the camera will be put to. Additionally, if the camera is sold, lost or transferred, you have to notify Fujifilm. WTF BBQ?" Apparently, this is one of those infrared see-through-clothes cameras, but I'm with Edie, WTF?
INFORMATION ABOUT END USER BUSINESS
(1) Is End User purchasing a Fujifilm Infrared or Ultraviolet Sensitive Digital Camera for a legitimate business purpose? _______
(2) How long has End User been engaged in his/her profession or business? _________
(3) Please state End User's legitimate business purpose? ________________________________________________
(4) Has End User presented reseller with recognized forms of identification for End User and End User's business? ___________
(5) Has End User provided reseller with copies of forms of identification presented in connection with (3), above? ____________
(6) Was End User Questionnaire completed at a business location of a Pro Digital Camera Authorized Reseller? ______________
(7) Please provide the business address where End User will pick up the camera listed below _________________________
By signing this End User Questionnaire, End User certifies that (1) the subject camera is being purchased by End User for the above stated legitimate business purpose, (2) End User will make its best efforts to safeguard the camera from being used by others, and (3) in the event End User transfers the camera or the camera is lost, stolen or is otherwise no longer in End User's possession, End User will immediately notify Fujifilm of such event.
From rforno at infowarrior.org Thu Apr 3 17:43:47 2008 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 03 Apr 2008 13:43:47 -0400 Subject: [Infowarrior] - DHS Strategy On Real ID: We'll Just Pretend Everyone Implemented It Message-ID: New DHS Strategy On Real ID: We'll Just Pretend Everyone Implemented It from the hell-no-means-yes dept http://techdirt.com/articles/20080403/005107735.shtml The Department of Homeland Security had been threatening that drivers' licenses in certain states wouldn't be valid federal IDs if states didn't promise by the end of March to implement the troubled Real ID rules. However, somewhere along the line (with a handful of states vehemently protesting the rules), it appears that Secretary Chertoff and the DHS simply decided that it would pretend every state agreed to implement Real ID and deal with reality later. DHS put out a press release claiming that all states had met the "initial requirements" for Real ID, and even painted its silly map green to show "compliance." The problem is that this simply isn't true. It looks as though DHS simply decided that any communication, even if it was to tell the DHS that there was no chance the state would implement Real ID, would be read as if it were the state agreeing to enact Real ID's rules. The whole thing is rather comical until you realize these are the folks who are supposed to be protecting the country.
From rforno at infowarrior.org Thu Apr 3 17:49:37 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 03 Apr 2008 13:49:37 -0400
Subject: [Infowarrior] - USAF may outsource cyberwarfare ops
In-Reply-To:
Message-ID:

Inside the Pentagon
April 3, 2008

General seeks 'different kind of warrior'
AIR FORCE EYES OUTSOURCING CYBERWARFARE BILLETS TO CONDUCT OPS

As Air Force leaders finalize the initial organizational details for their new Cyber Command, the service may need to lean on contractors to carry out cyberwarfare missions, the command's chief said this week.

"There are efforts to look at civilians, to look at contractors . . . there is an enormous amount of civilian continuity required, especially in this kind of arena, at the same time you have to bring in this innovation," Air Force Cyber Command head Maj. Gen. William Lord said in a March 31 briefing with reporters organized by the Council on Foreign Relations.

By October, the command (AFCYBER) is slated to reach initial operating status, meaning 50 percent of the command's anticipated 8,000-man force will be stood up across the continental United States, according to Lord.

However, the Air Force is having difficulty recruiting personnel with the necessary skills to support the command's mission, Lord said. As a result, AFCYBER leaders will have to lean on contractor support in the near-term to conduct operations.

"Perhaps they are not the same kind of folks that you want to march to breakfast in the morning," he said, noting cyberwarriors do not fit the traditional military mold. "Perhaps that is not the right kind of construct for these kids in the future."

Aside from the regimented training apparatus, he noted that service officials are also having trouble selling the idea of extended military service to a group "that you might not want to hook up to a polygraph."

"I have said that perhaps we need a different kind of warrior for this domain," the three-star general added. "How do you attract the brains of this crowd . . . [and] use their wonderful, innovative ability?"

Other senior military leaders have also expressed frustration regarding the challenges in recruiting the U.S. military's next-generation of cyberwarriors.

Lt. Gen. Frank Kearney, deputy commander for U.S. Special Operations Command, said internal deliberations within SOCOM are under way in order to address recruitment challenges, including offering potential recruits numerous incentives, such as signing bonuses. (ITP, February 28, p1).

SOCOM officials are also looking to partner with their counterparts at the State Department and across the intelligence community, he added during a Feb 26 hearing on Capitol Hill.

Bolstering the number of U.S. military personnel trained to fight in the digital domain is part of the Defense Department's overall strategy for future cyberwarfare operations, according to a DOD budget justification document for fiscal year 2009.

The plan, dubbed the "National Military Strategy for Cyberwarfare Operations," is geared toward focusing DOD action "in the areas of military, intelligence, and business operations in and through cyberspace," the document states.

Along with growing the number of U.S. cyberwarriors, DOD strategists are looking to leverage cyberwarfare capabilities "across the full range of military operations" in order to disrupt state and non-state actors from carrying out attacks against the U.S. and its allies, it adds.

As the Pentagon and the services continue to grapple with how to find and train cyberwarriors, Lord said some kind of shift within the DOD's approach is needed.

"We have got to shed some of our own traditional recruiting mechanisms to go after a different crowd," Lord said.
-- Carlo Muñoz

From rforno at infowarrior.org Fri Apr 4 02:55:28 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 03 Apr 2008 22:55:28 -0400
Subject: [Infowarrior] - Bush Officials Oppose Media Shield Bill
Message-ID:

Bush Officials Oppose Media Shield Bill
By PETE YOST
The Associated Press
Thursday, April 3, 2008; 9:44 PM
http://www.washingtonpost.com/wp-dyn/content/article/2008/04/03/AR2008040303200_pf.html

WASHINGTON -- Attorney General Michael Mukasey and three other top Bush administration officials are weighing in against legislation that would allow reporters to protect the identities of confidential sources who provide sensitive, sometimes embarrassing information about the government.

The "Free Flow of Information Act" proposed by Sen. Arlen Specter, R-Pa., could harm national security and would encourage more leaks of classified information, the four officials wrote in letters to senators made public Thursday.

The legislation gives an overly broad definition of journalists that "can include those linked to terrorists and criminals," wrote Mukasey and National Intelligence Director Mike McConnell.

"All individuals and entities who 'gather' or 'publish' information about 'matters of public interest' but who are not technically designated terrorist organizations, foreign powers or agents of a foreign power will be entitled to the bill's protections," Mukasey and McConnell stated in their joint letter.

Specter, the top Republican on the Senate Judiciary Committee, responded: "My staff met today with DNI and DoJ officials regarding the concerns expressed in the letter, and we are considering them."

"I think the legislation has an important purpose," Specter added. "I think we can make reasonable accommodations to their concerns, and we're working on it."

In a separate letter, Defense Secretary Robert Gates said the nation would be more vulnerable to "adversaries' counterintelligence efforts to recruit" those shielded by the bill.

Homeland Security Secretary Michael Chertoff said the bill would erect roadblocks to gathering information "from anyone who can claim to be a journalist, including bloggers" and Internet service providers.

The opposition of the top Bush administration officials follows recent high-profile episodes in which reporters have fought efforts to reveal their government sources.

Former USA Today reporter Toni Locy is seeking to reverse a contempt of court citation for refusing to reveal her Justice Department and FBI sources for stories about the criminal investigation of the 2001 anthrax attacks.

Among the government leakers of CIA operative Valerie Plame's identity, it turns out, were President Bush's top political adviser, Karl Rove, and Vice President Dick Cheney's former chief of staff, I. Lewis "Scooter" Libby. Former New York Times reporter Judith Miller spent 85 days in jail for refusing to identify Libby to investigators.

The leaks of Plame's identity occurred after Plame's husband publicly accused the administration of twisting prewar intelligence to exaggerate the Iraqi threat. Special Counsel Patrick Fitzgerald eventually won convictions against Libby for perjury, obstruction and lying to the FBI. Bush commuted Libby's 30-month prison sentence.

Co-sponsors on the bill include Senate Judiciary Committee Chairman Patrick Leahy, D-Vt., Democratic Sens. Barbara Boxer of California, Christopher Dodd of Connecticut, Charles Schumer of New York and Tim Johnson of South Dakota, along with Republican Sens. Lindsey Graham of South Carolina and Richard Lugar of Indiana.

"We've already sought to address these security concerns in a careful way," Schumer said in a statement. "The administration ought to overcome its visceral dislike of the media and do the right thing."
From rforno at infowarrior.org Fri Apr 4 19:37:45 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 04 Apr 2008 15:37:45 -0400
Subject: [Infowarrior] - Editorial: Real ID act has been a real fiasco
Message-ID:

Friday, April 4, 2008
Editorial: Real ID act has been a real fiasco
Many states -- including California -- are rightly resisting this form of national ID card
An Orange County Register editorial
http://www.ocregister.com/articles/act-states-state-2011439-security-federal

One of the deadlines has passed for states to comply with the so-called Real-ID Act, which would force state driver's licenses to comply with certain federal standards and put personal data into a database accessible by thousands of government employees. The Department of Homeland Security has agreed to pretend that several states that are actively resisting the act's unfunded mandates are actually taking steps toward compliance, and has granted them waivers, mainly to save face. A better course would be for Congress to admit that the act was a mistake in the first place and repeal it.

Enacted in 2005, the Real ID Act was a knee-jerk response to the threat of terrorism, specifically to the fact that the 19 9/11 hijackers had state driver's licenses, some fraudulently obtained. If we tighten up the requirements, went the rationale, and require more secure identification -- like an original copy of a birth certificate -- maybe we can make things a little tougher for future would-be terrorists.

But there is no popular constituency for a national ID card beyond a few determined bureaucrats, and even as degraded as current understanding of the Constitution is, the federal government has no power to require state governments to issue driver's licenses in a uniform fashion. But federal officials have a lever.

Under the legislation, a Real-ID form of identification will be required to enter federal facilities, such as federal courthouses, or to use federally regulated forms of transportation, like airlines. That's a big hammer. If states don't fall into line, their residents might not be able to board a commercial airliner. The act also, of course, allows the secretary of Homeland Security to require such an ID for "any other purposes that the Secretary shall determine." There's already talk of requiring one to open a bank account, and one assistant secretary has proposed requiring the ID for cold medicine. Yep, cold medicine.

The big trouble is that there's no evidence that this Draconian act, even if fully implemented, would be more than a minor inconvenience for a determined terrorist. But having all that information -- including copies of birth certificates and Social Security cards -- available in one database would make an irresistible target for identity thieves. And it would be a major inconvenience for millions of innocent Americans and a major expense for state governments -- meaning taxpayers.

The Department of Homeland Security estimates it will cost states $3.9 billion to comply with the act, but the National Conference of State Legislatures pegs it at more than $11 billion; 17 states have passed laws or resolutions opposing Real ID. In California, Assembly Joint Resolution 51 is pending.

In the Senate Judiciary Committee on Wednesday Chairman Patrick Leahy of Vermont criticized the Department of Homeland Security for "bullying" the states over Real ID. He and others should bite the bullet and repeal this useless, intrusive, money-wasting law.
From rforno at infowarrior.org Fri Apr 4 19:38:02 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 04 Apr 2008 15:38:02 -0400
Subject: [Infowarrior] - Congress Freaks Out Over Second Life Terrorism
Message-ID:

Congress Freaks Out Over Second Life Terrorism
By Sharon Weinberger
http://blog.wired.com/defense/2008/04/second-life.html

Oh no, the virtual terrorists are coming to get us! Well, maybe. Congress, in its infinite wisdom, had an entire hearing about virtual worlds and terrorism, even calling in the chief executive of Linden Lab to testify about the possibility of Second Life being used for evil terrorist ends.

One of the concerns, brought up by some members of Congress, was that Second Life could be used to launder terrorist funds. The possibility was quickly dispelled:

The average withdrawal from Second Life -- from Linden dollars into U.S. dollars -- is one dollar, so it's "relatively easy to spot larger transactions," [Philip] Rosedale said. "We have managed to maintain a fraud rate that is a fraction of a percentage point. The industry average is closer to 1 percent."

Virtual community Entropia Universe last year earned $400,000 after it auctioned off banking licenses to several well-known virtual world players. The licenses allow their owners to lend cash to the community's participants for the virtual purchase of anything from game-fighting weapons to real estate. Second Life celeb Anshe Chung was among those who purchased a license.

Lawmakers on Tuesday denied that they were looking to regulate the virtual world. Virtual reality is "going to be a highly competitive world. We just want to make sure it's not highly regulated," said ranking member Cliff Stearns of Florida.

There seems to be a trend here: THREAT LEVEL had described the Intel Community's fascination with fighting terrorism in multi-player games. DANGER ROOM has written about spooks' desire to recruit in Second Life. And, as we all know, industry has sunk a lot of money into creating a presence in Second Life. So perhaps it's no surprise that Congress is worried about terrorists.

The problem is that Congress clearly doesn't know quite what it's worrying about; it sounds like some members are getting freaked out by something they don't understand. As this Wired Magazine article makes clear, a lot of the hoopla is just that:

Then there's the question of what people do when they get there. Once you put in several hours flailing around learning how to function in Second Life, there isn't much to do. That may explain why more than 85 percent of the avatars created have been abandoned. Linden's in-world traffic tally, which factors in both the number of visitors and time spent, shows that the big draws for those who do return are free money and kinky sex. On a random day in June, the most popular location was Money Island (where Linden dollars, the official currency, are given away gratis), with a score of 136,000. Sexy Beach, one of several regions that offer virtual sex shops, dancing, and no-strings hookups, came in at 133,000. The Sears store on IBM's Innovation Island had a traffic score of 281; Coke's Virtual Thirst pavilion, a mere 27. And even when corporate destinations actually draw people, the PR can be less than ideal. Last winter, CNET's in-world correspondent was conducting a live interview with Anshe Chung, an avatar said to have earned more than $1 million on virtual real estate deals, when Chung was assaulted by flying penises in a griefer attack.

Maybe Congress can legislate against flying penises.
From rforno at infowarrior.org Fri Apr 4 19:40:41 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 04 Apr 2008 15:40:41 -0400
Subject: [Infowarrior] - Classification System Failure: the OLC Torture Memo
Message-ID:

(agree 100% -- have seen this stuff all over the place in recent years.....-rf)

http://www.fas.org/sgp/news/secrecy/2008/04/040308.html

THE OLC TORTURE MEMO AS A FAILURE OF THE CLASSIFICATION SYSTEM

The Justice Department Office of Legal Counsel memo on interrogation of enemy combatants that was declassified this week "exemplifies the political abuse of classification authority," Secrecy News suggested yesterday. J. William Leonard, the nation's top classification oversight official from 2002-2007, concurred.

"The disappointment I feel with respect to the abuse of the classification system in this instance is profound," said Mr. Leonard, who recently retired as director of the Information Security Oversight Office, which reports to the President on classification and declassification policy.

"The document in question is purely a legal analysis," he said, and it contains "nothing which would justify classification."

Beyond that crucial fact, the binding technical requirements of classification were ignored. Thus, he explained:

There were no portion markings, identifying which paragraphs were classified at what level.
The original classifier was not identified on the cover page by name or position.
The duration of classification was not given.
A concise basis for classification was not specified.

Yet all of these are explicitly required by the President's executive order on classification.

"It is not even apparent that [John] Yoo [who authored the memo] had original classification authority," Mr. Leonard said. "All too often, government officials simply assert classification. To enjoy the legal safeguards of the classification system, you need to do more than that. Those basic, elemental steps were not followed in this instance."

"Also, for the Department of Defense to declassify a Department of Justice document," as in this case, "is highly irregular," Mr. Leonard said.

(The DoD declassifier mistakenly cited "Executive Order 1958" on the cover page of the declassified memorandum. The correct citation is "Executive Order 12958, as amended.")

Violations of classification policy pale in comparison to the policy deviations authorized by the Justice Department memo, which was ultimately rescinded. Nevertheless, such classification violations are significant because they enabled the Administration to pursue its interrogation policies without independent scrutiny or accountability.

"To learn that such a document is classified has the same effect for me as waking up one morning and learning that after all these years there is a 'secret' Article IV to the Constitution that the American people did not even know about," said Mr. Leonard.

"There is no information contained in this document which gives an advantage to the enemy," he said. "The only possible rationale for making it secret was to keep it from the American people."

From rforno at infowarrior.org Fri Apr 4 19:41:36 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 04 Apr 2008 15:41:36 -0400
Subject: [Infowarrior] - DNI issues new info-sharing strategy
Message-ID:

DNI ISSUES NEW INFORMATION SHARING STRATEGY
http://www.fas.org/sgp/news/secrecy/2008/04/040208.html

A new "Information Sharing Strategy" from the Office of the Director of National Intelligence warns that traditional security practices that restrict disclosure of information have become counterproductive.

"The Intelligence Community's 'need to know' culture, a necessity during the Cold War, is now a handicap that threatens our ability to uncover, respond, and protect against terrorism and other asymmetric threats," the document declares.

The new Strategy defines information sharing goals as well as near-term and long-term implementation objectives. Goals include uniform government-wide information policies, improved connectivity, and increased inter-agency collaboration.

Notably absent from the document is any role for the public in information sharing. The DNI Strategy has no place for the notion of an engaged citizenry that has intelligence information needs of its own.

A copy of the new Strategy, which has not yet been released, was obtained by Secrecy News.

See "U.S. Intelligence Community Information Sharing Strategy," February 22, 2008:
http://www.fas.org/irp/dni/iss.pdf

From rforno at infowarrior.org Fri Apr 4 19:43:51 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 04 Apr 2008 15:43:51 -0400
Subject: [Infowarrior] - DHS ponders microwave raygun missile defences at airports
Message-ID:

DHS ponders microwave raygun missile defences at airports
Electropulse blasters will keep skies safe
By Lewis Page
Published Friday 4th April 2008 14:06 GMT
http://www.theregister.co.uk/2008/04/04/microwave_dhs_airport_raygun_missile_defences/

The US Department of Homeland Security (DHS) will consider fitting high-power microwave electropulse rayguns at US airports, in order to defend against the threat of terrorists firing portable anti-aircraft missiles at airliners.

American defence heavyweight Raytheon would partner with Israel's Rafael and Kongsberg of Norway to provide the technology, according to a report in Flight International. The proposed kit is known as "Vigilant Eagle", and is competing for DHS securo-dollars with defensive systems that could be fitted to the airliners themselves - for instance BAE Systems' JetEye.

"I really don't think the airlines are going to want to add more stuff [to the airliner] that's going to add weight," Raytheon exec Michael Booen told Flight.

Vigilant Eagle, unlike its rivals, would be sited at the airport. Light, portable anti-aircraft missiles of the type used by terrorists/insurgents lack the ability to hit a jet at cruising altitude, so such attacks would need to be mounted close to takeoff or landing.

Vigilant Eagle would detect any missiles fired using a network of infrared cameras to pick out the hot rocket exhaust plume. The system would then focus an intense microwave beam on the flying weapon, generated by a so-called Active Electronically Scanned Array (AESA) of the type used in the latest fighter radars.

The microwave beam would not be intense enough to melt or explode the missile, but Raytheon are confident that it would reliably scramble the circuitry of the guidance systems, sending the weapon veering off course. The company says that successful tests have been carried out.

On the issue of possible effects on airliner systems - or even people - Raytheon insist that Vigilant Eagle is safe as houses. "Transmitted electromagnetic fields are well within Occupational Safety and Health Administration standards" says the company spec sheet (pdf). Booen told Flight that the wavelengths involved are the same used by commercial cell phones, which - apparently - means there is no risk to airliner avionics.

Some elements of Vigilant Eagle have already been tried out at "an undisclosed US airport", it appears, and Raytheon would now like $10m from the DHS for a live-fire trial.

From rforno at infowarrior.org Sat Apr 5 01:37:07 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 04 Apr 2008 21:37:07 -0400
Subject: [Infowarrior] - ISPs Hog Rights in Fine Print
Message-ID:

ISPs Hog Rights in Fine Print
By PETER SVENSSON
http://ap.google.com/article/ALeqM5gzgjqaZN-Enb-TKgxeyS171dkxbgD8VR5IIG0

NEW YORK (AP) -- What's scary, funny and boring at the same time? It could be a bad horror movie. Or it could be the fine print on your Internet service provider's contract.

Those documents you agree to -- usually without reading -- ostensibly allow your ISP to watch how you use the Internet, read your e-mail or keep you from visiting sites it deems inappropriate. Some reserve the right to block traffic and, for any reason, cut off a service that many users now find essential.

The Associated Press reviewed the "Acceptable Use Policies" and "Terms of Service" of the nation's 10 largest ISPs -- in all, 117 pages of contracts that leave few rights for subscribers.

"The network is asserting almost complete control of the users' ability to use their network as a gateway to the Internet," said Marvin Ammori, general counsel of Free Press, a Washington-based consumer advocacy group. "They become gatekeepers rather than gateways."

But the provisions are rarely enforced, except against obvious miscreants like spammers. Consumer outrage would have been the likely result if AT&T Inc.
took advantage of its stated right to block any activity that causes the company "to be viewed unfavorably by others."

Jonathan Zittrain, professor of Internet governance and regulation at Oxford University, said this clause was a "piece of boilerplate that is passed around the corporate lawyers like a Christmas fruitcake.

"The idea that they would ever invoke it and point to it is nuts, especially since their terms of service already say they can cut you off for any reason and give you a refund for the balance of the month," Zittrain said.

AT&T removed the "unfavorably by others" wording in February after The Associated Press asked about the reason behind it. Subscribers, however, wouldn't know that it was gone unless they checked the contract word for word: The document still said it was last updated Oct. 8, 2007.

Most companies reserve the right to change the contracts at any time, without any notice except an update on the Web site. Verizon used to say it would notify subscribers of changes by e-mail, but the current contract just leaves that as an option for the company.

This sort of contract, where the subscriber is considered to agree by signing up for service rather than by active negotiation, is given extra scrutiny by courts, Zittrain said. Any wiggle room or ambiguity is usually resolved in favor of the consumer rather than the company.

Yet the main purpose of ISP contracts isn't to circumscribe the service for all subscribers, but rather to provide legal cover for the company if it cuts off a user who's abusing the system.

"Without the safeguards offered in these policies, customers could suffer from degradation of service and be exposed to a broad variety of malware threats," said David Deliman, spokesman at Cox Communications.

The language does matter: In a case involving a student accused of hacking, a federal appeals court held last year that subscribers should have a lower expectation of privacy if their service provider has a stated policy of monitoring traffic.

But these broadly written contracts still don't provide all the legal cover ISPs want. Comcast Corp. is being investigated by the Federal Communications Commission for interfering with file sharing by its subscribers. The company has pointed to its Acceptable Use Policy, which said, in general terms, that the company had the right to manage traffic. Since the investigation began, it has updated the policy to describe its practices in greater detail, and recently said it would stop targeting file-sharing once it puts a new traffic-management system in place late this year.

The Comcast case is a rare example of the government getting into the nitty-gritty of one of these contracts.

"There really should be an onus on the regulators to see this kind of thing is done correctly," said Bob Williams, who deals with telecom and media issues at Consumers Union.

If there were more competition, market forces might straighten out the contracts, he said. But most Americans have only two choices for broadband: the cable company or the phone company.

Williams himself knows that it's tough to pay attention to the contracts. He recently had Verizon Communications Inc.'s FiOS broadband and TV service installed in his home. Only after the installation was completed did he get the contract in the mail. He could have read some of the terms earlier, when placing the order online, but he just clicked the "Accept" button.

"I'm a hard-nosed consumer advocate type ... I really should have examined it better than I did," he said. But, he added, he acted like most consumers, because of the lack of alternatives.

"You click the 'Accept' button because it's not like you're going somewhere else."
Other common clauses of ISP contracts:

ISPs can read your e-mail

Practically all ISPs reserve the right to read your e-mails and look at the sites you visit, without a wiretap order. This reflects the open nature of the Internet -- for privacy purposes, e-mails are more like postcards than letters. It's also prompted by the ISPs' need to identify and stop subscribers who use their connections to send spam e-mails.

Some ISPs, like AT&T Inc., make clear that they do not read their subscriber's traffic as a matter of course, but also that they need little or no excuse to begin doing so. Cablevision, a cable operator in the Northeast, says one of the reasons it might look at what a customer is doing online would be to help operate its service properly.

The federal Electronic Communications Privacy Act protects e-mail and other Internet communications from eavesdropping, but several of its provisions can be waived by agreements between the ISP and the subscriber. Also, the law is mainly aimed at making it difficult for the government, not companies, to snoop.

Wiretapping laws may also apply, but the situation is unclear. A federal appeals court panel in 2004 dismissed charges against a company that provided e-mail services for booksellers and snooped on their Amazon.com order confirmations. The charges of illegal wiretapping were reinstated by the full appeals court the next year, but the case hasn't been tried.

___

ISPs can block you from Web sites

Or at least they would like to think so. In a clause typical of ISPs, Comcast reserves the right to block or remove traffic it deems "inappropriate, regardless of whether this material or its dissemination is unlawful." The ISP sees itself as the sole judge of whether something is appropriate.

Broad enforcement of this kind of clause for business purposes other than protecting users is likely to draw attention from regulators like the FCC, as is happening in the Comcast file-sharing case.

___

ISPs can shut you down for using the connection too much

For cable ISPs, up to 500 households may be sharing the capacity on a single line, and a few traffic hogs can slow the whole neighborhood down. But rather than saying publicly how much traffic is too much, some cable companies keep their caps secret, and simply warn offenders individually. If that doesn't work, they're kicked off.

It's difficult to reach these secret bandwidth caps unless users are downloading large amounts of high-quality video from the Internet, but the advent of high-definition Internet video set-top boxes like the Apple TV and the Vudu could make it more common.

Oddly, some ISPs, like Cox, say it's the responsibility of subscribers to ensure that they don't hog the traffic of other subscribers, a determination that's impossible for a home broadband user. Cox, however, does make the monthly download and upload limits public on its Web site.

Time Warner Cable Inc. has said it will test putting public caps on how much new subscribers in Beaumont, Texas, can download per month, and charge them more if they go over.

Digital subscriber line providers like AT&T and Verizon aren't as concerned about bandwidth hogs, because phone lines aren't shared among households.

From rforno at infowarrior.org Sat Apr 5 14:18:41 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 05 Apr 2008 10:18:41 -0400
Subject: [Infowarrior] - The Already Big Thing on the Internet: Spying on Users
Message-ID:

Editorial Observer
The Already Big Thing on the Internet: Spying on Users
By ADAM COHEN
Published: April 5, 2008
http://www.nytimes.com/2008/04/05/opinion/05sat4.html?_r=1&oref=slogin

In 1993, the dawn of the Internet age, the liberating anonymity of the online world was captured in a well-known New Yorker cartoon. One dog, sitting at a computer, tells another: "On the Internet, nobody knows you're a dog." Fifteen years later, that anonymity is gone.
It?s not paranoia: they really are spying on you. Technology companies have long used ?cookies,? little bits of tracking software slipped onto your computer, and other means, to record the Web sites you visit, the ads you click on, even the words you enter in search engines ? information that some hold onto forever. They?re not telling you they?re doing it, and they?re not asking permission. Internet service providers are now getting into the act. Because they control your connection, they can keep track of everything you do online, and there have been reports that I.S.P.?s may have started to sell the information they collect. The driving force behind this prying is commerce. The big growth area in online advertising right now is ?behavioral targeting.? Web sites can charge a premium if they are able to tell the maker of an expensive sports car that its ads will appear on Web pages clicked on by upper-income, middle-aged men. The information, however, gets a lot more specific than age and gender ? and more sensitive. Tech companies can keep track of when a particular Internet user looks up Alcoholics Anonymous meetings, visits adult Web sites, buys cancer drugs online or participates in anti-government discussion groups. Serving up ads based on behavioral targeting can itself be an invasion of privacy, especially when the information used is personal. (?Hmm ... I wonder why I always get those drug-rehab ads when I surf the Internet on Jane?s laptop??) The bigger issue is the digital dossiers that tech companies can compile. Some companies have promised to keep data confidential, or to obscure it so it cannot be traced back to individuals. But it?s hard to know what a particular company?s policy is, and there are too many to keep track of. And privacy policies can be changed at any time. There is also no guarantee that the information will stay with the company that collected it. 
It can be sold to employers or insurance companies, which have financial motives for wanting to know if their workers and policyholders are alcoholics or have AIDS. It could also end up with the government, which needs only to serve a subpoena to get it (and these days that formality might be ignored). If George Orwell had lived in the Internet age, he could have painted a grim picture of how Web monitoring could be used to promote authoritarianism. There is no need for neighborhood informants and paper dossiers if the government can see citizens' every Web site visit, e-mail and text message. The public has been slow to express outrage -- not, as tech companies like to claim, because they don't care about privacy, but simply because few people know all that is going on. That is changing. "A lot of people are creeped-out by this," says Ari Schwartz, a vice president of the Center for Democracy and Technology. He says the government is under increasing pressure to act. The Federal Trade Commission has proposed self-regulatory guidelines for companies that do behavioral targeting. Anything that highlights the problem is good, but self-regulation is not enough. One idea starting to gain traction in Congress is a do-not-track list, similar to the federal do-not-call list, which would allow Internet users to opt out of being spied on. That would be a clear improvement over the status quo, but the operating principle should be "opt in" -- companies should not be allowed to track Internet activities unless they get the user's expressed consent. The founders wrote the Fourth Amendment -- guaranteeing protection against illegal search and seizure -- at a time when people were most concerned about protecting the privacy of their homes and bodies. The amendment, and more recent federal laws, have been extended to cover telephone communications. Now work has to be done to give Internet activities the same level of privacy protection.
From rforno at infowarrior.org Mon Apr 7 16:13:07 2008 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 07 Apr 2008 12:13:07 -0400 Subject: [Infowarrior] - Comcast using new disruptive traffic-shaping Message-ID:

New traffic shaping can disrupt a Comcast Internet connection

Recently, it has been observed that Comcast is disrupting TCP connections using forged TCP reset (RST) packets [1]. These reset packets were originally targeted at TCP connections associated with the BitTorrent file-sharing protocol. However, Comcast has stated that they are transitioning to a more "protocol neutral" traffic shaping approach [2]. We have recently observed this shift in policy, and have collected network traffic traces to demonstrate the behavior of their traffic shaping. In particular, we are able (during peak usage times) to synthetically generate a relatively large number of TCP reset packets aimed at any new TCP connection regardless of the application-level protocol. Surprisingly, this traffic shaping even disrupts normal web browsing and e-mail applications. Specifically, we observe two different types of packet forgery and packets being discarded. < - > http://systems.cs.colorado.edu/mediawiki/index.php/Broadband_Network_Management

From rforno at infowarrior.org Mon Apr 7 16:18:04 2008 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 07 Apr 2008 12:18:04 -0400 Subject: [Infowarrior] - DARPA Turns 50 Message-ID:

The Idea Factory That Spawned the Internet Turns 50 http://www.washingtonpost.com/wp-dyn/content/article/2008/04/06/AR2008040601821_pf.html By Stephen Barr Monday, April 7, 2008; D01

The best program managers are "freewheeling zealots" with big ideas. The staff has been called "100 geniuses connected by a travel agent." And the boss describes his agency as a home for "radical innovation."
It's DARPA -- the Defense Advanced Research Projects Agency, which is celebrating its 50th anniversary with a dinner for 1,700 alumni, friends and partners Thursday night in Washington. From its beginning, the Defense Department agency has looked worldwide for fundamental scientific and technology discoveries ready for conversion into a blockbuster asset for the military. "DARPA will take a chance on an idea with no data. We'll put up the money to go get the data and see if the idea holds," said Anthony J. Tether, the agency director. "That is the highest-risk type of research you can have." Small and secretive, DARPA has compiled a number of impressive achievements in the past 50 years. It pulled together researchers who created the blueprint for the Internet. It sponsored the inventor of the computer mouse (the first was carved from wood and had one button). It developed the Saturn rocket engine program that allowed the nation to go to the moon. It came up with the technologies that have made possible stealth fighters and bombers, precision munitions and the pilot-less Predator planes used in Iraq and Afghanistan. Like many government initiatives, DARPA was born out of a crisis. The Soviets launched the satellite Sputnik in 1957, beating the United States into space. At the direction of President Dwight D. Eisenhower, DARPA opened for business the next year, focused on helping guard the nation against technological surprises. The agency's mission has been evolving ever since, and today DARPA also works to create its own technological surprises that permit the U.S. military to overwhelm adversaries. Unlike most federal agencies, DARPA operates with little red tape. It has only two management layers, encouraging the rapid flow of ideas and decisions. About 240 people work at DARPA, and 120 of them are program managers and office directors on appointments of four to six years.
The agency does not own or operate labs, but sponsors research carried out by industry and universities. By rotating technical professionals every few years, DARPA has "a constant freshness of people and energy," Tether said. "Everything else we do stems from that." One of those short-term managers returning for Thursday's anniversary dinner is Lawrence G. Roberts, who led a DARPA team that designed a network that evolved into the Internet. He made some of the key decisions in 1967, when he was 30. As Roberts described it, "Putting A and B together and getting Z. Taking obscure things and seeing there is an intersection there." He hopes that DARPA will always be able to focus on innovation -- "working on something that should change the country and generate the economy shift that the Internet did." Some of DARPA's current projects may hold that potential. Researchers are working on a two-way speech translation system that would permit soldiers to go anywhere in the world and understand the people around them. The idea, Tether said, is to create a miniature headset that would immediately translate a foreign language into English and feed it to an earpiece. In turn, a reply by an English speaker would be converted into the appropriate language and broadcast from small speakers on the headset. When the technology is perfected, "the world will become a safer place. People will be able to talk to one another and understand one another," Tether said. Another project looks for ways to restore severely injured soldiers. Researchers are trying to develop a prosthetic arm and hand that can be directly controlled by the brain and used as a natural limb, with dexterity and sensations. Prototypes are in development, Tether said, and hold promise that disabled soldiers can stay in the military "and contribute as before" rather than be discharged. DARPA conducts research in almost every field -- biology, microelectronics, satellites, unmanned cars and aircraft. 
"We are extraordinarily broad. If you can think of it, we're doing it," Tether said. Of course, numerous projects are classified because they may have a useful military application or because DARPA does not want the world to know everything it is doing. The government always will need a place to test and finance big ideas, Tether said. "The 50 years of history proves it has been well worth it, and I have to believe that in the next 50 years DARPA will come out with technological advances that will stagger even my imagination." Stephen Barr's e-mail address is barrs at washpost.com.

From rforno at infowarrior.org Mon Apr 7 16:21:39 2008 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 07 Apr 2008 12:21:39 -0400 Subject: [Infowarrior] - 'System of Systems' info-sharing consortium Message-ID:

(Sounds like Matrix meets Talon Meets TIA? --rf)

http://cryptome.org/doj040708.htm 7 April 2008 [Federal Register: April 7, 2008 (Volume 73, Number 67)] [Notices] [Page 18811] From the Federal Register Online via GPO Access [wais.access.gpo.gov] [DOCID:fr07ap08-88] ----------------------------------------------------------------------- DEPARTMENT OF JUSTICE Antitrust Division Notice Pursuant to the National Cooperative Research and Production Act of 1993--System of Systems Security (SOSSEC) Consortium

Notice is hereby given that, on February 25, 2008, pursuant to Section 6(a) of the National Cooperative Research and Production Act of 1993, 15 U.S.C. 4301 et seq. (``the Act''), System of Systems Security (SOSSEC) Consortium has filed written notifications simultaneously with the Attorney General and the Federal Trade Commission disclosing (1) the identities of the parties and (2) the nature and objectives of the venture. The notifications were filed for the purpose of invoking the Act's provisions limiting the recovery of antitrust plaintiffs to actual damages under specified circumstances.
Pursuant to Section 6(b) of the Act, the identities of the parties are: DDN, Incorporated, Danville, NH; MATRX, Morgantown, WV; CACI, Eatontown, NJ; MountainTop Technologies Inc., Johnstown, PA; Abacus Technology Corp., Chevy Chase, MD; Rutgers University, The Center for Information Management, Newark, NJ; (Individual) L. Robert Kimball, Ebensburg, PA; FirTH, Alexandria, VA; and Concurrent Technology Corp., Largo, FL. The general area of SOSSEC Consortium's planned activity is improving by an order of magnitude the nation's ability to detect, intervene, respond and recover to and from any and all threats on the homeland by integrating multiple existing and emerging Homeland Defense, Homeland Security and Force Protection projects and systems to markedly improve regional security, rapidly and efficiently; implementing practical strategies for core research, technology transition, system engineering and expansion and replication of regional capabilities to accelerate achievement of large scale interoperable security capabilities; also, growing SOSSEC to represent a community of interest, both public and private to foster best of breed concepts, technologies, techniques and procedures for long term national Homeland Defense, Homeland Security and Force Protection development. Patricia A. Brink, Deputy Director of Operations, Antitrust Division. [FR Doc. E8-7013 Filed 4-4-08; 8:45 am] BILLING CODE 4410-11-M

From rforno at infowarrior.org Tue Apr 8 01:32:16 2008 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 07 Apr 2008 21:32:16 -0400 Subject: [Infowarrior] - Video: Flight Deck Safety In-Reply-To: <1346013602-1463747838-1207616338@boing.topica.com> Message-ID:

(c/o questor)

------ Forwarded Message From: "Steven J. Greenwald"

We've all heard about the recent "accidental discharge" of a pilot's pistol on a plane. When I heard about it I had extreme difficulty understanding how it could happen. Now I understand why it happened. Thank you stupid TSA rules!
I attach a URL for a (3 minute) video that demonstrates the security requirements for Federal Flight Deck Officers (pilots and co-pilots). People I trust have vouched for the veracity of the video. (FFDO = federal flight deck officer). http://youtube.com/watch?v=eTODo6yxRWI Judge for yourself, but I think the TSA have effectively made a system so dangerous that it seems more dangerous to have a gun than not! The TSA rules as demonstrated clearly add a level of unacceptable danger and complexity. We should all recall that before 9/11 no rules at all existed for pilots and co-pilots carrying guns and many did (one hijacking got foiled due to this). Post 9/11 the rules for flight deck officers to carry a firearm have truly gotten onerous and draconian (psychological evaluations, time off for training at their own expense, etc.). The way I see it: if a person has control of a multi-million dollar passenger jet with dozens or hundreds of people aboard, then letting them have a firearm truly truly enters the realm of a trivial issue. For example, if they have a psychological problem that would not allow them to have a gun, then I submit they should not fly an aircraft (a much more dangerous object, as 9/11 has shown). We need rules in place that actually make things safer, not less safe! Some technical issues for those interested follow (if you have no interest in firearms or firearms safety please skip). The holster in the video has the name "paddle holster" due to its paddle shape. It has a design for "outside the pants" wear. Concealment (if any) happens via an outergarment like a jacket. This type of holster also does not work well with women for anatomical reasons (the curvature of their hips). The particular sanctioned holster also has a "snap" and therefore also has the name "snap holster." No serious user of firearms uses snap holsters. A good holster does not need a snap as friction securely holds the pistol in place.
Also, snaps slow things down in an emergency and add a level of undesired complexity and other failure modes. Cheap holsters typically have snaps or Velcro because they lack the quality for a good friction fit (figure $10 for a cheapo snap holster vs. $100 and up for a quality one). The firearm required lacks an external safety (also known as a "thumb safety" or "manual safety"). I personally like thumb safeties as they add a proprietary aspect to the firearm in case a bad person gets it (they probably will not know how to work the safety, or at least take time allowing other options). The particular firearm sanctioned has a lot of other internal safeties (more properly known as "interlocks" in the non-firearm world). I prefer my old fashioned 1911 (.45 caliber "government model" or the old fashioned 20th century .45) as it has a "grip safety" and cannot fire without the user depressing the grip safety. The kind of discharge shown could not happen with the kind of pistol I prefer. Trigger locks (one of the worst ideas ever) add a level of danger that I consider totally unacceptable. If a pistol needs to get secured due to children or other reasons, then I prefer locking the entire pistol in a lock box or safe. Or unloading it and THEN using a trigger lock (manufacturers of trigger locks state that they should never get used on a loaded firearm). The trigger lock the TSA uses seems particularly primitive: a simple combination padlock no different than the TSA approved luggage lock I use. I could easily design a better system for cockpits. For example, I think it trivial to add a lock box system to a cockpit, and also use a more modern holster that facilitates removal from the belt more quickly. The big question: why do pilots have to disarm themselves outside the cockpit? Presumably to prevent a bad person from taking their firearm. My opinion: good training prevents that ("retention training").
Also, I might add, an armed person has, for various reasons, more situational awareness, so I believe that decreases the likelihood of that problem. However, in fairness, please note that about half of all cops shot get shot by their own firearm (to some extent this undermines my opinion). --Steve

From rforno at infowarrior.org Tue Apr 8 19:25:42 2008 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 08 Apr 2008 15:25:42 -0400 Subject: [Infowarrior] - NSA releases new version of Linux software Message-ID:

NSA releases new version of Linux software Published: March 24, 2008 at 11:13 AM http://www.upi.com/International_Security/Emerging_Threats/Briefing/2008/03/24/nsa_releases_new_version_of_linux_software/9918/

WASHINGTON, March 24 (UPI) -- The U.S. National Security Agency has released its own version of the open-source computer operating system Linux, which offers enhanced security for users. The new software was rolled out earlier this month to an e-mail list for users of Linux -- an operating system that many experts believe provides a more secure alternative to the ubiquitous Microsoft Windows. Linux is open-source, which means the core code is available to programmers to improve, as the NSA has done with its latest version of the so-called Security-Enhanced Linux, or SELinux. The version provides what experts call Mandatory Access Control, which essentially limits the kind of instructions that software packages and users can issue to the computer, helping guard against hackers compromising it. MAC "confine(s) user programs and system servers to the minimum amount of privilege they require to do their jobs," says the agency on its Web site. "This work is not intended as a complete security solution," said the agency in a March 5 statement about the latest update. "It is simply an example of how mandatory access controls that can confine the actions of any process, including an administrator process, can be added into a system."
The agency added the security features of the system were limited. "The focus of this work has not been on system assurance or other security features such as security auditing, although these elements are also important for a secure system." The release was first reported by Government Computer News. The NSA has been working on SELinux since 2000, and it has been available to Linux users since 2003. The NSA is also pushing for MAC to be made an option for Internet servers using the Network File System protocol, according to the Dark Reading IT security Web site. The site said the proposal was discussed at a meeting of the Internet Engineering Task Force in Philadelphia earlier this month. © 2008 United Press International. All Rights Reserved.

From rforno at infowarrior.org Tue Apr 8 19:28:28 2008 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 08 Apr 2008 15:28:28 -0400 Subject: [Infowarrior] - U.S. Pitches 'Phase One' of Net Monitoring Plan at RSA Message-ID:

U.S. To Pitch 'Phase One' of Net Monitoring Plan at RSA By Ryan Singel April 08, 2008 | 11:58:43 AM http://blog.wired.com/27bstroke6/2008/04/gov-to-pitch-ph.html

Just how dangerous is the online world? That question draws some 15,000 security professionals and IT bigwigs to San Francisco each year for the RSA Conference, taking place this week. There they learn about the newest threat to corporate networks, and are wooed by the makers of the newest flavor of corporate firewalls, intrusion detection devices and biometric doo-dads. The answer they always get, not surprisingly, is that the online world is pretty darn dangerous, unless you use our products and services. What's new this year is that the U.S. government is joining the party with much the same pitch.
The nation's intelligence and anti-terror agencies are newly determined to take a more active role in protecting the United States from cyberattack, and they're seeking new authority to monitor the internet in order to save it. Secretary of Homeland Security Michael Chertoff is traveling Tuesday to the conference to pitch a program the Bush administration calls the Cyber Initiative. Slated for $154 million in funding this year, the plan would put the National Security Agency and DHS in charge of cybersecurity for all federal government agencies. That would mean that the nation's spies -- who have been secretly targeting Americans since shortly after 9/11 -- will be monitoring when Americans visit the IRS or the Social Security Administration online. This would mark a significant change in the NSA's defensive responsibilities, which have historically been limited to locking down military and classified networks and providing encryption technologies to soldiers and statesmen. Given that the federal government policy largely forbids even the use of cookies on government websites, that's a sea change in how the government monitors Americans' online interactions with the federal government. It's also reportedly just the first step in having the nation's most powerful spy agency begin to take over information security responsibility for large chunks of the net. In January, President Bush signed an order, National Security Presidential Directive 54, that begins that process. The details are murky, since the order itself is classified. To sell the plan to the private sector, Chertoff and other officials will likely talk about Chinese hackers infiltrating the military's most secure unclassified servers, and perhaps offer another iteration of the claim that a serious computer attack against the United States would deal an economic blow that makes the September 11 terrorist attack look like a parking ticket.
Beyond the hype, of course, there are some serious threats that will go under the microscope at RSA -- most prominently the pernicious influence of botnets, the large collections of compromised Windows machines that are used for online crime ranging from spam to phishing. The largest of these are estimated to be hundreds of thousands of computers strong. But in keeping with the tone set by the United States, botnets are being recast as the equivalent of a dirty bomb. Consider the title of one panel on the malware: "Protecting the Homeland: How to Win the BotNet Battle?" Tune in for ongoing coverage from RSA.

From rforno at infowarrior.org Tue Apr 8 22:41:02 2008 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 08 Apr 2008 18:41:02 -0400 Subject: [Infowarrior] - Privacy Fears Threaten Satellite Program Message-ID:

Privacy Fears Threaten Satellite Program Democrats Assail Surveillance System; Issues With Charter By SIOBHAN GORMAN April 8, 2008; Page A3 http://online.wsj.com/article/SB120761519810896735.html?mod=googlenews_wsj

WASHINGTON -- Homeland Security's domestic satellite surveillance system is running into fresh opposition from Congress, which is threatening to shut down the program if the department doesn't more thoroughly address concerns over protecting privacy. The satellite program, known as the National Applications Office, is designed to provide federal, state and local officials with extensive access to spy satellite imagery to assist with emergency response and other domestic security needs. Lawmakers said the Department of Homeland Security hasn't created legal safeguards to ensure that the office won't be used for domestic spying. They also are asking for assurance that it is legal to use military assets such as spy satellites for domestic security. Recent classified briefings on the program "did not allay any of our concerns," said House Homeland Security Committee Chairman Bennie G. Thompson, a Mississippi Democrat.
In a letter to Homeland Security Secretary Michael Chertoff on Monday, written with two colleagues, he wrote: "Should you proceed with the [program] without addressing our concerns, we will take appropriate steps to discontinue it." Homeland Security spokeswoman Laura Keehner said her department this week will send lawmakers additional documents -- a certification that plans for the office to comply with the law, descriptions of how the office will operate, and assessments of the impact on privacy and civil liberties. "These documents, along with the charter we delivered to Congress last week, should answer many of Congress' remaining questions," she said in a written statement. Ms. Keehner said the office hadn't been launched, but that DHS "continues to take preparatory steps so that we can stand up to the NAO once the congressional requirements have been met." The clash is the latest in a series of conflicts between Democrats on Capitol Hill and the administration over privacy issues stemming from intelligence and national-security programs. As recently as last week, Mr. Chertoff said the program would soon be ready to go. "We've fully addressed anybody's concerns," he said. The department has already begun to post job openings; one of the first people they are seeking to hire for the satellite program is a lawyer. The plan ran into resistance on Capitol Hill shortly after it was announced in August, as lawmakers asked for a legal framework and details of how the program would operate to ensure Americans' privacy. Homeland officials promised not to begin the program until they answered lawmakers' concerns. For months, the department worked on a document it called the new program's charter.
That document got hung up within the administration last winter because agencies, including the Director of National Intelligence, expressed concerns that it did not untangle legal issues such as how to ensure that state and local privacy guidelines were followed. Plans to provide imagery from the satellite program to state and local law-enforcement officials have been put on hold until legal and privacy issues are resolved. The charter creates a working group to handle policy and legal issues and lists which privacy-related laws will govern the work of the new spy satellite office. It also clarifies that the satellites won't be used to intercept communications. Democratic lawmakers said the charter doesn't address the requirements they have written into law. Congress said it wouldn't provide money in 2008 for the program until the department certified that it adhered to privacy laws and the Government Accountability Office reviewed it. Homeland Security hasn't yet sent GAO a certification for review. Rep. Thompson, along with Democratic Reps. Jane Harman of California and Christopher P. Carney of Pennsylvania, wrote to Mr. Chertoff to ask that he stop further work until he addresses their concerns. "We are disappointed by [the department's] continuing pattern of putting the cart before the horse," they wrote. Rep. Thompson said he wants to see, in writing, how existing laws will be applied to safeguard civil liberties and privacy. The charter describes at what points in the process lawyers will evaluate the legality of a request for data from the office, but it doesn't explain how they will make their determinations. Rep. Harold Rogers of Kentucky, the top Republican on the subcommittee that doles out the Homeland Security department's money, called the spy satellite program "an important tool for domestic counterterrorism operations" and said he will work to ensure the department will meet congressional requirements.
Homeland Security's inspector general concluded in a report released last week that the department needs to revise its assessment of the new office's impact on privacy and civil liberties before launching the spy-satellite program. The department said it has done that. Write to Siobhan Gorman at siobhan.gorman at wsj.com

From rforno at infowarrior.org Tue Apr 8 22:42:31 2008 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 08 Apr 2008 18:42:31 -0400 Subject: [Infowarrior] - EMC to buy Zip drive maker Iomega Message-ID:

EMC to buy Zip drive maker Iomega Tue Apr 8, 2008 5:35pm EDT http://www.reuters.com/article/technologyNews/idUSWNAS716720080408?sp=true

SAN FRANCISCO (Reuters) - Iomega Corp (IOM.N) said on Tuesday it had accepted an increased cash takeover offer of $213 million from EMC Corp (EMC.N) and would drop a plan to buy a unit of China's Great Wall Technology Co Ltd (0074.HK) in a stock swap. The deal allows EMC, the world's largest data-storage provider, to expand in the consumer and small business markets. EMC will pay $3.85 per Iomega share, 6 percent more than Iomega's Tuesday closing price of $3.64 and above an EMC offer in March of $3.75. Shares of Iomega rose 4.4 percent to $3.80 in extended trade following the announcement, and EMC was unchanged at $14.84. Shares of Iomega, known for its Zip drives, peaked in May 1996 at about $110 per share and were popular with online investors in the post-Netscape era of hot initial stock offerings. Iomega had rejected EMC's initial offer and then began talks when the larger company sweetened its bid to $3.75 a share, or $205.5 million, in March. Last December, Iomega had signed a deal to buy ExcelStor, a unit of Great Wall Technology, in a stock swap valued at the time at $306 million. That deal would have made Great Wall its largest shareholder.
Iomega said on Tuesday it paid $7.5 million to terminate the ExcelStor deal in favor of EMC's offer. Iomega said on March 17 it was prepared to enter talks with EMC, based in Hopkinton, Massachusetts, after it sweetened its offer to $3.75 a share. EMC said the acquisition, expected to be completed in the second quarter, would have no material impact on EMC finances. Iomega, based in San Diego, was an investor favorite in the 1990s but fell out of favor after the technology bubble burst. The maker of network-attached storage products, external hard-disk drives and removable storage retains a strong brand recognition among consumers. (Reporting by Philipp Gollner and Duncan Martell; editing by Jeffrey Benkoe and Braden Reddall)

From rforno at infowarrior.org Wed Apr 9 02:06:00 2008 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 08 Apr 2008 22:06:00 -0400 Subject: [Infowarrior] - FBI Data Transfers Via Telecoms Questioned Message-ID:

FBI Data Transfers Via Telecoms Questioned By Ellen Nakashima Washington Post Staff Writer Tuesday, April 8, 2008; A03 http://www.washingtonpost.com/wp-dyn/content/article/2008/04/07/AR2008040702364_pf.html

When FBI investigators probing New York prostitution rings, Boston organized crime or potential terrorist plots anywhere want access to a suspect's telephone contacts, technicians at a telecommunications carrier served with a government order can, with the click of a mouse, instantly transfer key data along a computer circuit to an FBI technology office in Quantico. The circuits -- little-known electronic connections between telecom firms and FBI monitoring personnel around the country -- are used to tell the government who is calling whom, along with the time and duration of a conversation and even the locations of those involved. Recently, three Democrats on the House Energy and Commerce Committee, including Chairman John D.
Dingell (Mich.), sent a letter to colleagues citing privacy concerns over one of the Quantico circuits and demanding more information about it. Anxieties about whether such electronic links are too intrusive form a backdrop to the continuing congressional debate over modifications to the Foreign Intelligence Surveillance Act, which governs federal surveillance. Since a 1994 law required telecoms to build electronic interception capabilities into their systems, the FBI has created a network of links between the nation's largest telephone and Internet firms and about 40 FBI offices and Quantico, according to interviews and documents describing the agency's Digital Collection System. The documents were obtained under the Freedom of Information Act by the Electronic Frontier Foundation, a nonprofit advocacy group in San Francisco that specializes in digital-rights issues. The bureau says its budget for the collection system increased from $30 million in 2007 to $40 million in 2008. Information lawfully collected by the FBI from telecom firms can be shared with law enforcement and intelligence-gathering partners, including the National Security Agency and the CIA. Likewise, under guidelines approved by the attorney general or a court, some intercept data gathered by intelligence agencies can be shared with law enforcement agencies. "When you're building something like this deeply into the telecommunications infrastructure, when it becomes so technically easy to do, the only thing that stands between legitimate use and abuse is the complete honesty of the persons and agencies using it and the ability to have independent oversight over the system's use," said Lauren Weinstein, a communications systems engineer and co-founder of People for Internet Responsibility, a group that studies Web issues. "It's who watches the listeners." Different versions of the system are used for criminal wiretaps and for foreign intelligence investigations inside the United States. 
But each allows authorized FBI agents and analysts, with point-and-click ease, to receive e-mails, instant messages, cellphone calls and other communications that tell them not only what a suspect is saying, but where he is and where he has been, depending on the wording of a court order or a government directive. Most of the wiretapping is done at field offices. Wiretaps to obtain the content of a phone call or an e-mail must be authorized by a court upon a showing of probable cause. But "transactional data" about a communication -- from whom, to whom, how long it lasted -- can be obtained by simply showing that it is relevant to an official probe, including through an administrative subpoena known as a national security letter (NSL). According to the Justice Department's inspector general, the number of NSLs issued by the FBI soared from 8,500 in 2000 to 47,000 in 2005. The administration has proposed expanding the types of data it can get from telecom carriers under the 1994 Communications Assistance for Law Enforcement Act, so FBI agents can gain faster and more detailed access to information sent by wireless devices that reveals where a person is in real time. The Federal Communications Commission is weighing the request. "Court-authorized electronic surveillance is a critical tool in pursuing both criminal and terrorist subjects," FBI spokesman Richard Kolko said. A Justice Department spokesman said the government is asking only for information at the beginning and end of a communication, and for information "reasonably available" in a carrier's network. Al Gidari, a telecom industry lawyer at Perkins Coie in Seattle who handles wiretap orders for companies, said government officials now "have to rely on a human being at a telecom calling up every 15 minutes to send law enforcement the data." He added: "What they want is an automatic feed, continuously. 
So you're checking the weather on your mobile device or making a call," and the device would transmit location data automatically. "It's full tracking capability. It's a scary proposition."

In an affidavit circulated on Capitol Hill, security consultant Babak Pasdar alleged that a telecom carrier he had worked for maintained a high-speed DS-3 digital line that co-workers referred to as "the Quantico Circuit." He said it allowed a third party "unfettered" access to the carrier's wireless network, including billing records and customer data transmitted wirelessly. He was hired to upgrade network security for Verizon in 2003; sources other than Pasdar said the carrier in his affidavit is Verizon.

Dingell and his colleagues said House members should be given access to information to help them evaluate Pasdar's allegations.

FBI officials said a circuit of the type described by Pasdar does not exist. All telecom circuits at Quantico are one-way, from the carrier, said Anthony Di Clemente, section chief of the FBI operational technology division. He also said any transmissions of data to Quantico are strictly pursuant to court orders. Records, including who sent and received communications, the duration and the time, are kept for evidentiary purposes and to support applications to extend wiretap orders, he said.

Verizon spokesman Peter Thonis said no government agency has open access to the company's networks through electronic circuits.

From rforno at infowarrior.org Wed Apr 9 02:19:20 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 08 Apr 2008 22:19:20 -0400
Subject: [Infowarrior] - Scott Charney: Creating a More Trusted Internet:
Message-ID:

Creating a More Trusted Internet:
By Scott Charney

Imagine a more trusted, privacy enhanced Internet experience where devices and software enable people to make more effective choices and take control over who, and what, to trust online.
It is not an overstatement to say that the Internet has transformed the way we live. Social networking represents the new town square; blogging has turned citizens into journalists; and e-commerce sites have spurred global competition in the marketplace. But with people of all ages flocking online, and with the proliferation of high-profile, targeted attacks on individual or organizational information, assets and identities, more and more people consider the lack of security and privacy on the Internet to be at an unacceptable level.

< - >

http://www.microsoft.com/mscorp/twc/endtoendtrust/default.mspx

From rforno at infowarrior.org Wed Apr 9 02:50:35 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 08 Apr 2008 22:50:35 -0400
Subject: [Infowarrior] - Chertoff pushes cybersecurity goals
Message-ID:

Chertoff pushes cybersecurity goals
http://news.yahoo.com/s/ap/20080409/ap_on_hi_te/chertoff_cybersecurity&printer=1;_ylt=AvFNHn.507z99r25tnAzXNVk24cA
By JORDAN ROBERTSON, AP Technology Writer
1 hour, 32 minutes ago

Federal cybersecurity officials are trying to develop an early warning system that alerts authorities to incoming computer attacks targeting critical U.S. infrastructure, Homeland Security Secretary Michael Chertoff said Tuesday.

Chertoff's keynote speech at the RSA security conference, however, was light on details about this and other initiatives, many of which he said were classified.

Some security experts said the idea of an early warning system seemed far-fetched. Robert Graham, chief executive of Atlanta-based Errata Security and an expert on computer-intrusion prevention, said current technology can only detect when a hack has already occurred -- and even then the breaches usually happen too fast for an early warning.

"Technologically, all we can do is a post-warning system -- you've been hacked," he said. "It's instantaneous. It's not like a hurricane or missile coming at you that you can track coming toward you. It's just there."
Chertoff did not say how the government plans to detect and flag computer threats as they sneak into government networks. But he did acknowledge the technical challenge in developing such a system.

"It's going to be hard. It's hard technically. It's hard because to some degree it requires working together," Chertoff said in response to a question. "The fact that something's hard doesn't mean, 'Let's not do it because it's going to be difficult.' It means, 'Let's roll up our sleeves and get started.'"

Chertoff said the system would improve upon the government's current tools for analyzing computer threats, which he said are built on "fundamentally a backward-looking architecture" -- that is, they scrutinize threats coming into the networks and work backward to identify the nature and source of the attack. He was referring to the "Einstein Program" run out of the United States Computer Emergency Readiness Team, or US-CERT, a partnership of the homeland security department, other public agencies and private companies. The Einstein program is an automated process for collecting and sharing security information.

U.S. officials have acknowledged that hackers have broken into the networks of at least one government research laboratory and even the Pentagon over the past year and are intensifying their attacks. A well-targeted attack could cripple financial institutions or air traffic control systems or expose U.S. secrets to enemies.

Chertoff said there are too many openings into government networks for criminals to explore and exploit with viruses or other malicious code. One of the homeland security department's goals is to winnow the number of Internet access points into government agencies from the thousands that exist today to about 50, Chertoff said. He gave no timetable or details on how the plan would be implemented.

Chertoff's speech focused heavily on his pitch to recruit private-industry security researchers as the government beefs up its cybersecurity staffing.
The government needs to recruit from private industry because many critical networks are operated by private companies and they need each others' expertise, he said. He did not say how many new cybersecurity jobs the agency wants to fill with private-industry professionals, but he said the initiative is a high priority because the power of the government alone is "insufficient" to fully combat the threat.

"The federal government cannot promise to protect every system or every home computer from attack," he said.

From rforno at infowarrior.org Wed Apr 9 13:46:02 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 09 Apr 2008 09:46:02 -0400
Subject: [Infowarrior] - Terror U
Message-ID:

Terror U
What's behind the boom in homeland-security and emergency-management majors?
By Jessica Portner
Posted Friday, March 28, 2008, at 11:33 AM ET
Article URL: http://www.slate.com/id/2187648/

The traditionally slow-moving education industry is churning out a slew of students with specialties in "mass catastrophe" and "international disaster." More than 200 colleges have created homeland-security degree and certificate programs since 9/11, and another 144 have added emergency management with a terrorism bent. Homeland security is outpacing most other majors in part because governments and corporations are hungry to hire professionals schooled in disaster. One-quarter of the top slots -- from presidential appointments to high-level civil servants to scientific posts -- at the Department of Homeland Security remained empty last year. And with one-third of posts at the Federal Emergency Management Agency vacant, thousands of graduates are landing lucrative government gigs before they've finished their weapons of mass destruction final. A student at the University of North Texas now works as an emergency planner in Florida when he's not tracking hurricanes for fun.
A graduate of the University of Southern California's Center for Risk and Economic Analysis of Terrorism Events is using his dissertation, rooted in game theory, to help police at Los Angeles International Airport improve inspections. Others are security directors on ships or bomb specialists at luxury hotels. DHS has doled out more than $300 million since 9/11 to eight prestigious U.S. universities to open "centers of excellence" devoted to narrow topics like "the psyche of terrorists" or "microbial risk analysis." Though the funding is a pittance in federal-budget terms, the investment is a notable deposit into higher-education coffers and a forceful message to colleges: Build these degree programs and students will register. Universities, which recognize a good business venture and an admirable mission, have spent millions of dollars trying to enhance their offerings with electives on cybersecurity and agricultural terrorism. Thousands of military and law-enforcement experts have also enrolled in certificate programs to expand their expertise. Educators say terrorist training camps probably have rigorous curricula with hefty reading lists and hard-grading teachers. America could use an army of tech-savvy terror experts who have the smarts to thwart the next Chernobyl or to whip out an orderly evacuation plan when Katrina's sister arrives. It's fitting that the generation of American students that grew up with violent video games are the ones outsmarting the real villains. Rarely has an academic field swept through American campuses this quickly. When the Russians beat America into space in 1957 by launching Sputnik, the first unmanned spacecraft to orbit Earth, Washington helped universities respond. The federal bounty boosted college science and technology programs to counter the perceived intellectual threat from the Soviets during the Cold War. Physics and astronomy programs flourished. 
Products like ready-to-eat foods, no-fog ski goggles, and water-resistant clothing were born. The next time such a major academic shift whipped through university campuses, it was a product of rage rather than government investment. In the 1960s and '70s, students at colleges across the country rallied their schools to create African-American and women's studies majors to counter the prevailing white-male-dominated canon. The ballooning number of homeland-security and emergency-management majors must be making some campuses feel like Terror U. Homeland-security majors type out term papers on how to identify and outwit America's foes. The inevitability of disaster permeates every syllabus whether the threat is al-Qaida or avian flu. Students are learning lessons written by the same international security experts who also instruct ex-police-chiefs-turned-emergency-management consultants on how to respond to changing global threats. The Center for Homeland Defense and Security, funded by DHS and FEMA, offers a free, ready-made curriculum to more than 130 universities. Packed with critical expertise, the Naval Post Graduate School's curriculum has been a hit with university leaders. Most schools use bits and pieces to flesh out their existing courses. The University of Connecticut copied it almost exactly. Universities say they are vigilant in making sure courses in every major are written and taught to entertain all points of view, however unpopular. But homeland security, which is a young academic discipline still developing its faculty, tends to be especially welcome territory for disaffected Bush administration officials who talk openly about bureaucratic hurdles to preventing disasters. A respected doctor enlisted to lead major disaster-response teams vented in one seminar about the "inadequate" and "dangerous" decisions made by DHS leaders. Lecturers with real-world know-how are in demand across campus. 
Since 9/11, professors in more established disciplines like international relations and criminal justice are taking time away from teaching students how to negotiate treaties or win legal arguments to quiz them on genetically engineered pathogens and dirty bombs. Other majors, studying everything from genetics to linguistics, are checking out homeland-security courses, too. Not since the space race have so many different disciplines abandoned their academic fiefdoms to collaborate. Emergency-preparedness and disaster-management classes might have geography majors and biologists, language majors and economists all dreaming about rescue scenarios in a mock situation room. An anthropologist might look at how culture makes people susceptible to foreign influence, while engineers look at a building's vulnerability to attack. Hopefully, these future spies, corporate disaster planners, and biohazard specialists will continue this multidisciplinary communication well past graduation. The question is, Will federal-government bosses listen to these young advisers? Experts on counterterrorism and weapons of mass destruction were sidelined before the Iraq war. The President's Commission on Intelligence Capabilities of the United States Regarding Weapons of Mass Destruction reported to Congress in 2005 that former CIA Director George Tenet failed to pass along a senior intelligence officer's doubts about the presence of WMD to former Secretary of State Colin L. Powell before the Iraq invasion. The 2003 estimate on Iraq intelligence produced by then-CIA intelligence analyst Paul Pillar found that a U.S.-led war against and occupation of Iraq would increase popular sympathy for terrorist goals. The government is encouraging people to gain academic credentials even after the establishment ignored advice from the existing experts after 9/11. 
It's hopeful to think that by helping to create an elite squad of terrorism-savvy graduates, some government officials may be trying to correct that mistake. Listening to a fresh cadre of professional paranoids could help prevent an anemic response to a natural or manmade disaster. Not only could that save agency bosses from literal danger and the bad press that follows a botched operation -- it could help them keep their jobs.

Jessica Portner, a former education reporter for the San Jose Mercury News, has written for the Washington Post and the Christian Science Monitor. She is currently writing a book about science and bioterrorism.

Copyright 2008 Washingtonpost.Newsweek Interactive Co. LLC

From rforno at infowarrior.org Wed Apr 9 14:22:09 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 09 Apr 2008 10:22:09 -0400
Subject: [Infowarrior] - FBI probe: Lieberman campaign to blame for crashing own Web site
Message-ID:

FBI probe: Lieberman campaign to blame for crashing own Web site
By Brian Lockhart
Staff Writer
Article Launched: 04/09/2008 01:00:00 AM EDT
http://www.stamfordadvocate.com/localnews/ci_8859029

A federal investigation has concluded that U.S. Sen. Joseph Lieberman's 2006 re-election campaign was to blame for the crash of its Web site the day before Connecticut's heated Aug. 8 Democratic primary.

The FBI office in New Haven found no evidence supporting the Lieberman campaign's allegations that supporters of primary challenger Ned Lamont of Greenwich were to blame for the Web site crash. Lieberman, who was fighting for his political life against the anti-Iraq war candidate Lamont, implied that joe2006.com was hacked by Lamont supporters.

"The server that hosted the joe2006.com Web site failed because it was overutilized and misconfigured. There was no evidence of (an) attack," according to the e-mail.
A program that could have detected a legitimate attack was improperly configured, the e-mail states. "New Haven will be administratively closing this investigation," it concluded.

The e-mail, dated Oct. 25, 2006, was included in a technical packet of information recently sent to The Advocate in response to requests under the Freedom of Information Act filed in late 2006 with the offices of state Attorney General Richard Blumenthal and U.S. Attorney Kevin O'Connor. The Advocate filed the requests after Blumenthal and O'Connor closed the case but declined to divulge details. They stated only that they found no evidence that Lamont supporters were to blame.

Visitors who tried to access Lieberman's site at the time received a message calling on Lamont to "make an unqualified statement denouncing this kind of dirty campaign trick and to demand whoever is responsible to cease and desist immediately."

The Lieberman-Lamont race captured national and international attention. Blumenthal denied The Advocate's FOI request on the grounds it was a federal matter, and it took more than a year for the FBI and U.S. Department of Justice to respond.

The Lieberman campaign alleged it was the target of a "denial of service attack," which can involve bombarding a Web site with external communications to slow it or render it useless. "Our Web site consultant assured us in the strongest terms possible that we had been attacked," former Lieberman campaign spokesman Dan Gerstein said in December 2006.

According to the FBI memo, the site crashed because Lieberman officials continually exceeded a configured limit of 100 e-mails per hour the night before the primary. "The system administrator misinterpreted the root cause," the memo stated. "The system administrator finally declared the server was being attacked and the Lieberman campaign accused the Ned Lamont campaign. The news reported this on Aug. 8, 2006, causing additional Web traffic to visit the site.
"The additional Web traffic then overwhelmed the Web server. . . . Web traffic pattern analysis reports and Web logging that was available did not demonstrate traffic that was indicative of a denial of service attack."

From rforno at infowarrior.org Wed Apr 9 14:31:55 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 09 Apr 2008 10:31:55 -0400
Subject: [Infowarrior] - Microsoft Makes Office 2007 Protocols Available
Message-ID:

Microsoft Makes Office 2007 Protocols Available
The documentation defines how high-volume Microsoft products communicate with other Microsoft products.

Microsoft will make available the preliminary versions of technical documentation for the protocols built into Microsoft Office 2007, SharePoint Server 2007 and Exchange Server 2007. This documentation, which defines how these high-volume Microsoft products communicate with some of its other products, is 14,000 pages and is in addition to the 30,000 pages posted when the software giant first introduced its new Interoperability Principles last month. They will be made available April 8.

"There have been more than 100,000 downloads of the first 30,000-page documentation set posted on MSDN [Microsoft Developer Network]," Tom Robertson, Microsoft's general manager for Interoperability and Standards, told eWEEK.

The preliminary versions of the new documentation, which will also be posted to MSDN, contain the protocols between SharePoint Server 2007 and Office client applications; SharePoint Server 2007 and other Microsoft server products; Exchange Server 2007 and Outlook; and Office 2007 client applications and other Microsoft server products.

While everyone will have access to this protocol documentation without having to sign a license or pay a royalty or other fee, there is a catch: Those protocols covered by a Microsoft patent will have to be licensed if they will be commercially distributed.
However, the software company has pledged to make patent licenses available on reasonable and nondiscriminatory terms and at low royalty rates, Robertson said.

In June, Microsoft will also publish a list of the protocols that are covered by patents, and will make available a patent map containing a list of the specific Microsoft patents and patent applications that cover each protocol, when the final version of the protocols are available, Robertson said. The company will also release the final patent pricing and licensing terms at that time.

"As we work over the coming months on feedback on the protocols themselves, we are also going to be completing the patent map for each of these protocols," Robertson said.

http://www.eweek.com/c/a/Windows/Microsoft-Makes-Office-2007-Protocols-Available/

From rforno at infowarrior.org Wed Apr 9 16:24:03 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 09 Apr 2008 12:24:03 -0400
Subject: [Infowarrior] - Sprint insecurity leads to account hijacking
Message-ID:

(c/o RSK)

Flawed Security Lets Sprint Accounts Get Easily Hijacked
http://consumerist.com/376845/flawed-security-lets-sprint-accounts-get-easily-hijacked

Flawed Sprint Security Worse Than We Thought
http://consumerist.com/377617/flawed-sprint-security-worse-than-we-thought

From rforno at infowarrior.org Wed Apr 9 16:25:06 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 09 Apr 2008 12:25:06 -0400
Subject: [Infowarrior] - Schneier: The Feeling and Reality of Security
Message-ID:

The Feeling and Reality of Security
http://www.wired.com/politics/security/commentary/securitymatters/2008/04/securitymatters_0403

Security is both a feeling and a reality, and they're different. You can feel secure even though you're not, and you can be secure even though you don't feel it.
There are two different concepts mapped onto the same word -- the English language isn't working very well for us here -- and it can be hard to know which one we're talking about when we use the word. There is considerable value in separating out the two concepts: in explaining how the two are different, and understanding when we're referring to one and when the other. There is value as well in recognizing when the two converge, understanding why they diverge, and knowing how they can be made to converge again. Some fundamentals first. Viewed from the perspective of economics, security is a trade-off. There's no such thing as absolute security, and any security you get has some cost: in money, in convenience, in capabilities, in insecurities somewhere else, whatever. Every time someone makes a decision about security -- computer security, community security, national security -- he makes a trade-off. People make these trade-offs as individuals. We all get to decide, individually, if the expense and inconvenience of having a home burglar alarm is worth the security. We all get to decide if wearing a bulletproof vest is worth the cost and tacky appearance. We all get to decide if we're getting our money's worth from the billions of dollars we're spending combating terrorism, and if invading Iraq was the best use of our counterterrorism resources. We might not have the power to implement our opinion, but we get to decide if we think it's worth it. Now we may or may not have the expertise to make those trade-offs intelligently, but we make them anyway. All of us. People have a natural intuition about security trade-offs, and we make them, large and small, dozens of times throughout the day. We can't help it: It's part of being alive. Imagine a rabbit, sitting in a field eating grass. And he sees a fox. He's going to make a security trade-off: Should he stay or should he flee? 
Over time, the rabbits that are good at making that trade-off will tend to reproduce, while the rabbits that are bad at it will tend to get eaten or starve. So, as a successful species on the planet, you'd expect that human beings would be really good at making security trade-offs. Yet, at the same time, we can be hopelessly bad at it. We spend more money on terrorism than the data warrants. We fear flying and choose to drive instead. Why? The short answer is that people make most trade-offs based on the feeling of security and not the reality. I've written a lot about how people get security trade-offs wrong, and the cognitive biases that cause us to make mistakes. Humans have developed these biases because they make evolutionary sense. And most of the time, they work. Most of the time -- and this is important -- our feeling of security matches the reality of security. Certainly, this is true of prehistory. Modern times are harder. Blame technology, blame the media, blame whatever. Our brains are much better optimized for the security trade-offs endemic to living in small family groups in the East African highlands in 100,000 B.C. than to those endemic to living in 2008 New York. If we make security trade-offs based on the feeling of security rather than the reality, we choose security that makes us feel more secure over security that actually makes us more secure. And that's what governments, companies, family members and everyone else provide. Of course, there are two ways to make people feel more secure. The first is to make people actually more secure and hope they notice. The second is to make people feel more secure without making them actually more secure, and hope they don't notice. The key here is whether we notice. The feeling and reality of security tend to converge when we take notice, and diverge when we don't. 
People notice when 1) there are enough positive and negative examples to draw a conclusion, and 2) there isn't too much emotion clouding the issue. Both elements are important. If someone tries to convince us to spend money on a new type of home burglar alarm, we as society will know pretty quickly if he's got a clever security device or if he's a charlatan; we can monitor crime rates. But if that same person advocates a new national antiterrorism system, and there weren't any terrorist attacks before it was implemented, and there weren't any after it was implemented, how do we know if his system was effective? People are more likely to realistically assess these incidents if they don't contradict preconceived notions about how the world works. For example: It's obvious that a wall keeps people out, so arguing against building a wall across America's southern border to keep illegal immigrants out is harder to do. The other thing that matters is agenda. There are lots of people, politicians, companies and so on who deliberately try to manipulate your feeling of security for their own gain. They try to cause fear. They invent threats. They take minor threats and make them major. And when they talk about rare risks with only a few incidents to base an assessment on -- terrorism is the big example here -- they are more likely to succeed. Unfortunately, there's no obvious antidote. Information is important. We can't understand security unless we understand it. But that's not enough: Few of us really understand cancer, yet we regularly make security decisions based on its risk. What we do is accept that there are experts who understand the risks of cancer, and trust them to make the security trade-offs for us. There are some complex feedback loops going on here, between emotion and reason, between reality and our knowledge of it, between feeling and familiarity, and between the understanding of how we reason and feel about security and our analyses and feelings. 
We're never going to stop making security trade-offs based on the feeling of security, and we're never going to completely prevent those with specific agendas from trying to take care of us. But the more we know, the better trade-offs we'll make.

This article originally appeared on Wired.com.

From rforno at infowarrior.org Wed Apr 9 16:29:29 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 09 Apr 2008 12:29:29 -0400
Subject: [Infowarrior] - NZ rolls over on IP, implements own DMCA
Message-ID:

Wednesday, 09 April 2008
Copyright laws updated for digital world
http://stuff.co.nz/print/4470672a28.html

A bill that brings copyright laws into the digital age was passed by Parliament yesterday.

The Copyright (New Technologies) Amendment Bill changes the Copyright Act 1994 to clarify its application in the digital environment and to take account of international developments. It does not change the balance between protection and access to copyright material, but makes sure the balance can continue to operate when new technologies are involved.

It introduces an offence, carrying a sentence of a maximum fine of $150,000 or up to five years imprisonment, or both, for commercial dealings in devices, services or information designed to circumvent technological protection measures.

The National Party supported the bill and it passed its third reading by 111 votes to 10. The Greens and the Maori Party opposed it.

The Internet Society of New Zealand, InternetNZ, said the bill did not fully grasp the nature of the new technologies it dealt with. Executive director Keith Davidson said it failed to enshrine the right for consumers to format-shift all their digital media so they could listen or view it on the device of their choice.

"The legalising of format-shifting of audio files - such as from a purchased CD to an iPod - is a very modest step in the right direction," he said.
"It is a great pity...they have not extended format-shifting to other media such as video."

From rforno at infowarrior.org Wed Apr 9 16:31:23 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 09 Apr 2008 12:31:23 -0400
Subject: [Infowarrior] - Universal: Throwing Promo CDs away is illegal
Message-ID:

....you can't make this tripe up..... --rf

http://www.eff.org/deeplinks/2008/04/umg-says-throwing-away-promo-cds-illegal

April 8th, 2008
UMG Says Throwing Away Promo CDs is Illegal
Posted by Fred von Lohmann

In a brief filed in federal court yesterday, Universal Music Group (UMG) states that, when it comes to the millions of promotional CDs ("promo CDs") that it has sent out to music reviewers, radio stations, DJs, and other music industry insiders, throwing them away is "an unauthorized distribution" that violates copyright law. Yes, you read that right -- if you've ever received a promo CD from UMG, and you don't still have it, UMG thinks you're a pirate.

This revelation came in a brief for summary judgment filed by UMG against Troy Augusto. Augusto (aka Roast Beast Music Collectibles, eBay handle roastbeastmusic) buys collectible promo CDs at used record stores around Los Angeles and resells them on eBay. UMG sued him last year, claiming that the "promotional use only" labels on the CDs mean that UMG owns them forever and that any resale infringes copyright. EFF took Augusto's case to fight for the proposition that a copyright owner can't take away a consumer's first sale rights just by putting a label on a CD (after all, the Supreme Court first recognized the first sale doctrine when a book publisher tried the same thing with a label stating "may not be sold for less than one dollar," and we've seen patent owners trying the same trick on printer cartridges). In other words, EFF believes that if you bought it, or if someone gave it to you, you own it.
UMG seems to think that the "promotional use only" label somehow gives it "eternal ownership" over the CD. While this might make sense to a goblin living in Harry Potter's world, it's not the law under the Copyright Act. According to the first sale doctrine, once a copyright owner has parted with ownership of a CD, book, or DVD, whether by sale, gift, or other disposition, they may not control further dispositions of that particular copy (including throwing it away). It's thanks to the first sale doctrine that libraries can lend books, video rental stores can rent DVDs, and you can give a CD to a friend for their birthday. It's also the reason you can throw away any CD that you own. For EFF's view of the reality of "promo CDs," and why it's absurd for UMG to claim to still own them, years after they mailed them out and deleted all records of who they were sent to, read our summary judgment brief on behalf of Augusto, also filed yesterday. From rforno at infowarrior.org Wed Apr 9 18:52:11 2008 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 09 Apr 2008 14:52:11 -0400 Subject: [Infowarrior] - Hubble: Monitoring Internet Reachability in Real-Time Message-ID: http://hubble.cs.washington.edu/ Having trouble accessing a favorite Web site? Perhaps the site was taken offline, or the computer hosting it is down for maintenance. However, the cause could be something more mysterious. At any given moment, a portion of Internet traffic ends up being routed into information "black holes." These are situations where advertised paths exist to the destination, but messages - a request to visit a Web site, an outgoing e-mail - get lost along the way. Hubble is a system that operates continuously to find persistent Internet black holes as they occur. Hubble has operated continuously since September 17, 2007. During that time, it identified 883,163 black holes and reachability problems. 
In the most recent quarter-hourly round, completed at 11:40 PDT, 04/09/2008, Hubble issued 87,413 traceroutes to 2,791 prefixes it identified as likely to be experiencing problems (of 78,772 total prefixes monitored by the system). Of these, it found 1,264 prefixes to be unreachable from all its vantage points and 1,133 to be reachable from some vantage points and not others. Below the following map, you'll find instructions on interpreting and navigating this page. You can go here for a more detailed description of the Hubble academic research project and its goals. Below, you can look up Hubble's current view of the reachability of the address of your choice. Feel free to send suggestions and other feedback to hubble-support. From rforno at infowarrior.org Wed Apr 9 18:52:55 2008 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 09 Apr 2008 14:52:55 -0400 Subject: [Infowarrior] - HP ships USB sticks with malware Message-ID: HP ships USB sticks with malware By Liam Tung Staff Writer, CNET News.com Published: April 9, 2008 10:02 AM PDT http://www.news.com/HP-ships-USB-sticks-with-malware/2100-7349_3-6236976.html?part=rss&tag=2547-1_3-0-20&subj=news Hewlett-Packard has released a batch of USB keys for numerous Proliant server models which contain malware that could allow an attacker to take over an infected system. The worms contained on the 256KB and 1GB USB drives have been identified as W32.Fakerecy and W32.SillyFDC. The worms spread by copying themselves to removable or mapped drives and affect systems running Windows 98, Windows 95, Windows XP, Windows Me, Windows NT and Windows 2000, according to AusCERT. HP's Software Security Response Team issued a warning to AusCERT this week after discovering the worms on the USB drives and has also provided a list of affected servers to the security response organization. To find out whether a drive is infected, HP recommends inserting it into a system with up-to-date antivirus software. 
Systems with up-to-date antivirus should be protected from the threat, according to HP. John Bambenek, a researcher at the security organization Sans Internet Storm Center, has said that because the infected USBs only affect Proliant servers, a targeted attack cannot be ruled out. However, the threat risk from the worms is considered to be low. "This is probably not going to escalate into a widespread epidemic," Nishad Herath, senior research scientist at McAfee Avert Labs, told ZDNet.com.au. "But I would most definitely urge users to perform a virus scan of any media--including any new blank drives--you receive from vendors prior to installing/using them as slip-ups like this have been known to happen in the past." HP claims the worm-infected USBs will have only affected a small number of customers. "HP takes all quality issues very seriously. Because the keys involved are used to install optional floppy-disk drives, this only affects the USB Floppy Drive Key kit which is a very low volume option and impacts a very small percentage of our ProLiant customer base. We've determined root cause and are fully confident that we have resolved this event. To date, no customers have reported this issue," a spokesperson for HP told ZDNet.com.au. HP has provided an advisory page for customers with affected USB keys. Liam Tung of ZDNet Australia reported from Sydney. 
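The pre-use scan Herath urges above, worked through as an added example. This is not code from HP, CNET, AusCERT or the list; the article says only that the worms copy themselves to removable or mapped drives, so the indicators the script looks for (an autorun.inf whose open=/shellexecute=/shell\...\command= entries launch an executable dropped on the volume, plus hidden executables) are the generic removable-media worm pattern and are an assumption here, not a description of W32.Fakerecy or W32.SillyFDC. The sample volume it builds is constructed, inert filler.

```python
"""Pre-use check for vendor-supplied removable media.

Added example; it is not code from HP, CNET, AusCERT or the list. The
article says only that the worms "spread by copying themselves to
removable or mapped drives", so the indicators below (an autorun.inf
that launches a dropped executable, hidden executables on the volume)
are the generic removable-media worm pattern, assumed here rather than
taken from the page. An up-to-date AV scan, as HP recommends, remains
the primary check; this is a signature-free second opinion.
"""
import hashlib
import stat
import tempfile
from pathlib import Path

EXEC_SUFFIXES = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
HIDDEN_ATTR = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x2)


def parse_autorun(text):
    """Return the program paths an autorun.inf would launch (open=,
    shellexecute=, shell\\<verb>\\command=) from its [autorun] section."""
    section, targets = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if key in ("open", "shellexecute") or (
            key.startswith("shell\\") and key.endswith("\\command")
        ):
            targets.append(value)
    return targets


def _norm(target):
    """'RECYCLER\\setup.exe /quiet' -> 'recycler/setup.exe', comparable
    with the volume-relative POSIX paths used below."""
    parts = target.replace("\\", "/").split()
    return parts[0].strip('"').lstrip("./").lower() if parts else ""


def _is_hidden(path):
    """Hidden attribute on FAT/NTFS (Windows), dot-prefix elsewhere."""
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & HIDDEN_ATTR) or path.name.startswith(".")


def scan_volume(root):
    """Walk a mounted volume; return worm indicators and a SHA-256 of every
    executable so the hashes can be checked against AV or threat intel."""
    root = Path(root)
    findings = {"autorun_targets": [], "launched_executables": [],
                "hidden_executables": [], "sha256": {}}
    autorun = root / "autorun.inf"
    if autorun.is_file():
        findings["autorun_targets"] = parse_autorun(
            autorun.read_text(encoding="latin-1", errors="replace"))
    launched = {_norm(t) for t in findings["autorun_targets"]}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in EXEC_SUFFIXES:
            continue
        rel = path.relative_to(root).as_posix()
        findings["sha256"][rel] = hashlib.sha256(path.read_bytes()).hexdigest()
        if rel.lower() in launched:
            findings["launched_executables"].append(rel)
        if _is_hidden(path):
            findings["hidden_executables"].append(rel)
    suspicious = findings["launched_executables"] or findings["hidden_executables"]
    findings["verdict"] = "suspicious" if suspicious else "clean"
    return findings


def build_sample_volume():
    """Constructed sample of a vendor USB image with a worm-style layout; the
    'executable' and script are inert filler, not malware."""
    root = Path(tempfile.mkdtemp(prefix="usbscan_"))
    (root / "README.txt").write_text("constructed sample volume\n")
    (root / "RECYCLER").mkdir()
    (root / "RECYCLER" / "setup.exe").write_bytes(b"MZ" + b"\x00" * 62 + b"inert filler")
    (root / ".thumbs.vbs").write_text("' inert filler\r\n")
    (root / "autorun.inf").write_text(
        "[AutoRun]\r\nopen=RECYCLER\\setup.exe\r\nicon=RECYCLER\\setup.exe\r\n"
        "shell\\open\\command=RECYCLER\\setup.exe\r\n", encoding="latin-1")
    return root


if __name__ == "__main__":
    for key, value in scan_volume(build_sample_volume()).items():
        print(f"{key}: {value}")
```

Point it at a real mount (scan_volume("E:\\") or scan_volume("/media/usb")) from a machine that has autorun disabled; the hashes it returns are what you hand to the AV vendor or a hash lookup, and a "suspicious" verdict on a drive that shipped from a vendor is the cue to quarantine the media before it touches a ProLiant.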
From rforno at infowarrior.org Wed Apr 9 20:17:01 2008 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 09 Apr 2008 16:17:01 -0400 Subject: [Infowarrior] - Adobe Joins Content Fray With Media Player 1.0 And Adobe TV Message-ID: Adobe Joins Content Fray With Media Player 1.0 And Adobe TV Adobe believes it has an edge over rivals Windows Media Player, RealPlayer, and iTunes by not constraining users by platform or proprietary software. http://www.informationweek.com/news/personal_tech/TV_theater/showArticle.jhtml?articleID=207100692 By Paul McDougall InformationWeek April 9, 2008 02:35 PM Adobe (NSDQ: ADBE) on Wednesday entered the hotly contested markets for digital media content and playback software with the debut of Media Player 1.0 and Adobe TV. Media Player 1.0 is Adobe's answer to Microsoft's Windows Media Player, RealNetworks' RealPlayer, and Apple's iTunes applications. Adobe believes it has an edge in that its new media player lets consumers download digital content, such as movies, TV shows, and music, from the Internet without having to launch their Web browser. "We're bringing viewers and content owners closer together, with an experience that doesn't constrain them by platform or proprietary software application," said John Loiacono, Adobe senior VP for creative solutions, in a statement. Media Player 1.0 also lets users fetch high-definition content in video resolutions of 1080p, 720p, or 480i and it supports Adobe Flash-enabled programs. Closely related to Adobe's Media Player 1.0 debut is the launch of Adobe TV. Adobe TV is available from within Media Player 1.0 and offers consumers access to mainstream movies, television shows, and other content. Adobe has forged deals with CBS, MTV, PBS, Universal Music, and other companies to provide content for Adobe TV. The deals give Adobe the right to Netcast popular shows like CSI: Miami, The Hills, and The Twilight Zone. 
Still, it could be difficult for Adobe, as a newcomer, to make inroads in the hotly competitive digital content market. Microsoft's Windows Media Player counted about 75 million users as of December 2007, while RealPlayer boasted about 27.5 million, according to Nielsen Online. Apple's iTunes player had 35.6 million users as of December and is also the fastest growing media player application, Nielsen said. Overcoming its rivals' installed-base advantage won't be easy for Adobe. While RealNetworks may be vulnerable as a standalone vendor, iTunes is closely linked to Apple's hot selling iPod MP3 player and Windows Media Player is bundled with Microsoft (NSDQ: MSFT)'s ubiquitous Windows operating system. Adobe officials appear undaunted. Loiacono called Media Player 1.0 and Adobe TV "a merger of TV Guide and DVR for Internet video content." Media Player 1.0 is available as a free download from Adobe's Web site. From rforno at infowarrior.org Wed Apr 9 20:18:14 2008 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 09 Apr 2008 16:18:14 -0400 Subject: [Infowarrior] - Researchers Flesh Out Parkinson's Treatment Using Skin Cells Message-ID: http://www.sciam.com/article.cfm?id=researchers-flesh-out-par&print=true News - April 9, 2008 Researchers Flesh Out Parkinson's Treatment Using Skin Cells New study shows that adult skin cells made to differentiate like embryonic stem cells may reverse neurological damage By Nikhil Swaminathan Scientists at the Massachusetts Institute of Technology (M.I.T.) report that they silenced symptoms of Parkinson's disease in rats using skin cells from an adult mouse that they reprogrammed to act like embryonic stem cells. The M.I.T. group was one of three teams that last year created embryoniclike stem cells by introducing four genes into adult mouse skin cells. 
They then used the so-called induced pluripotent stem cells (IPS cells) to reverse a mouse version of the genetic disorder sickle-cell anemia, which causes normally circular red blood cells to form sickle-shaped, thereby impeding blood flow. The key is that embryonic stem cells are able to differentiate into other types of tissue in the body, whereas adult stem cells can only generate the type of tissue from which they hail. Study co-author Marius Wernig, a postdoctoral biologist at M.I.T., reports in Proceedings of the National Academy of Sciences USA, that this is the first time scientists have successfully manipulated such cells to integrate into brain tissue and reverse damage caused by a neurodegenerative disease. The team initially prepared the IPS cells in the lab and then injected them into the brain cavities of a developing mouse in the womb. Nine weeks after receiving the injections, long after the animal was born, the scientists examined its brain to see where the cells, which they'd labeled with a fluorescent marker, had gone. "They were all over the place and they were electrically integrated," says team leader Rudolf Jaenisch, a biology professor at M.I.T.'s Whitehead Institute for Biomedical Research and study co-author. "They looked like they were really functional cells." Next, the group injected a toxin called 6-hydroxydopamine, which preferentially kills neurons that produce the neurotransmitter dopamine, into one side of the brains of adult rats. The solution was targeted to each animal's striatum, a brain region involved in motor control; it is the dopamine-producing nerve cells in this area that die during Parkinson's disease. As a result, the rats began having trouble balancing. "They rotate like hell" when they try to walk, Jaenisch says, because one side of their body has disrupted movement control. 
After treating the IPS cells in a petri dish to set them on a path to mature into dopaminergic neurons, the cells were grafted into the dopamine-deficient hemispheres of the parkinsonian rats' brains. Four weeks after the transplant, the researchers noted less circling behavior in eight of nine treated rats. One even showed greater dopamine activity in the injured side of the brain than on the normal side, indicating, says Jaenisch, that "these IPS cells could be used also for generating function of dopaminergic neurons that could have therapeutic value." But, Jaenisch notes, "there are many issues that need to be resolved" before the procedure can be adapted for use in humans. For one, scientists have yet to mimic the exact effects of Parkinson's in mice and rats, because the disease, which strikes an estimated 60,000 Americans per year, is so complex. But perhaps the biggest stumbling block is that the technique can also cause cancer. The reason: a carcinogenic gene is among those used to nudge adult skin cells to morph into embryoniclike stem cells. (The reprogramming process has been done without that gene but it yields far fewer IPS cells.) In addition, the retroviruses used to ferry the genes into the cells (where they copy their genes into cells they infect) may also be cancerous. Scientists are searching for a smaller molecule to replace them. From rforno at infowarrior.org Wed Apr 9 20:19:08 2008 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 09 Apr 2008 16:19:08 -0400 Subject: [Infowarrior] - Cancer Stem Cells Created in Lab Message-ID: Cancer Stem Cells Created in Lab 04.08.08, 8:00 PM ET http://www.forbes.com/forbeslife/health/feeds/hscout/2008/04/09/hscout614381.html WEDNESDAY, April 9 (HealthDay News) -- Researchers at Stanford University have succeeded in transforming skin cells into what appear to be cancer stem cells, in a feat that could propel cancer research forward. 
Cancer stem cells are thought to start the unhindered proliferation of cells which ultimately results in cancer. "This has the potential for unlocking some of the secrets of cancer," said Dr. Len Lichtenfeld, deputy chief medical officer of the American Cancer Society, which supported the study. "This means that now you have a good way to study cancer cells and the mechanisms involved versus getting a piece of the tumor," added Paul Sanberg, distinguished professor of neurosurgery and director of the University of South Florida Center for Aging and Brain Repair in Tampa. "Here, you have more control, more ability to look at genetic consequences and the effects of developing new therapies." "This might allow you to identify cancers that are going to be more aggressive earlier on and allow you to tailor therapies," noted Dr. Fabrice Roegiers, co-director of the Keystone Program for Epigenetics and Progenitor Cells at Fox Chase Cancer Center in Philadelphia. "In the future, being able to identify which cancers are really being driven by the stem cell population will allow us to target those sooner." The work, published in the April 10 issue of Cell Stem Cell, also noted that cancer stem cells are closer to embryonic stem cells (which can develop into all tissue types) than adult stem cells (which are more limited in what types of tissue they can become). This discovery could shed light on how tumors originate. Thus far, however, researchers have been hindered in their efforts to understand this type of cell, because they are rare and difficult to grow in the lab. And, added Roegiers, there is still some controversy as to whether this type of cell actually exists in tumors. For this study, researchers reviewed existing data on gene expression patterns in various stem cell populations and ultimately came up with two different groups: one that is closer to most adult stem cells and one that's closer to embryonic stem cells. 
They were also able to detect the "signature" of the embryonic stem cells in certain tumor samples and to note that these tumors tended to be more aggressive. The findings have implications for future therapies that might be derived from stem cells. The researchers found that one oncogene, "Myc," seems to be a key regulator in converting skin cells to stem cells. But when overexpressed, this gene can induce tumors. If stem cells are created with Myc, then put back into a patient for therapy, there is also the possibility that it will stimulate cancer growth. "As they're clearly showing, Myc is capable of reprogramming cells into stem cells, but it does that in tumors as well," Roegiers said. "It will be really important to see what Myc is doing and whether it's possible to create these types of stem cells in the lab in a way that will not threaten people when you introduce these cells." From rforno at infowarrior.org Wed Apr 9 20:21:51 2008 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 09 Apr 2008 16:21:51 -0400 Subject: [Infowarrior] - Detailed NSA article on Enigma and cryptanalysis Message-ID: (c/o Schneierblog) About the Enigma As the German military grew in the late 1920s, it began looking for a better way to secure its communications. It found the answer in a new cryptographic machine called "Enigma." The Germans believed the encryption generated by the machine to be unbreakable. With a theoretical number of ciphering possibilities of 3 x 10^114, their belief was not unjustified.[1] However, they never reached that theoretical level of security. Nor did they count on the cryptanalytic abilities of their adversaries. 
< - > http://www.nsa.gov/publications/publi00016.cfm From rforno at infowarrior.org Wed Apr 9 20:25:11 2008 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 09 Apr 2008 16:25:11 -0400 Subject: [Infowarrior] - 2008 National Freedom of Information Conference Message-ID: http://nfoic.org/2008_summit/ Introduction The National Freedom of Information Coalition and the Pennsylvania Freedom of Information Coalition bring you the 2008 FOI Summit from Philadelphia, Pennsylvania. "Let freedom of information ring!" serves as an apt slogan for this year's conference, but for that slogan to reflect reality an active and informed citizenry is required. The FOI Summit helps promote that, and your participation is vital. Join us for two days of freedom of information gathering and sharing. * Friday's keynote address will be delivered by Ted Gup, former investigative reporter, author, and Shirley Wormser Professor of Journalism at Case Western Reserve University, while * Saturday, we're proud to present Toni Locy, Shott Chair of Journalism at West Virginia University Perley Isaac Reed School of Journalism. Locy recently has been in the news for her refusal to reveal her sources in stories about the 2001 anthrax attacks. http://nfoic.org/2008_summit/ From rforno at infowarrior.org Wed Apr 9 20:38:08 2008 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 09 Apr 2008 16:38:08 -0400 Subject: [Infowarrior] - Professors have access to student financial records Message-ID: Professors have access to student financial records Wednesday, April 09 2008 @ 12:05 PM EDT Contributed by: PrivacyNews News Section: Minors & Students When Kyle Jepson walked into her playwriting class last year, she expected the usual syllabus-and-roll-call first day. She did not expect the professor to announce her unpaid fees to the entire class. "It was the first day, he was calling roll and when he got to my name he announced that my fees were unpaid," said Jepson, a junior in theatre. 
"I didn't know what to do." In Ohio State classes, professors can access rosters online through the university registrar Web site and find out whether students have unpaid fees. According to the Family Educational Rights and Privacy Act (FERPA) Web site, there is no specific guideline pertaining to the privacy of a student's financial records. < - > http://www.pogowasright.org/article.php?story=20080409120547201 From rforno at infowarrior.org Thu Apr 10 01:18:23 2008 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 09 Apr 2008 21:18:23 -0400 Subject: [Infowarrior] - Industrial Control Systems Killed Once and Will Again, Experts Warn Message-ID: Industrial Control Systems Killed Once and Will Again, Experts Warn By Ryan Singel April 09, 2008 | 4:18:53 PM | Categories: RSA Conference http://blog.wired.com/27bstroke6/2008/04/industrial-cont.html On June 10th, 1999 a 16-inch diameter steel pipeline operated by the now-defunct Olympic Pipeline Co. ruptured near Bellingham, Washington, flooding two local creeks with 237,000 gallons of gasoline. The gas ignited into a mile-and-a-half river of fire that claimed the lives of two 10-year-old boys and an 18-year-old man, and injured eight others. Wednesday, computer-security experts who recently re-examined the Bellingham incident called its victims the first verified human casualties of a control-system computer incident. They argue that government cybersecurity standards currently under debate might have prevented the tragedy. "I've logged over 90 incidents in all industries worldwide," said Joe Weiss, managing partner at Applied Control Solutions, speaking at the RSA Conference in San Francisco. "The damage ranges from significant equipment failure to deaths." 
Following the 1999 incident, a nearly three-year investigation by the National Transportation Safety Board concluded that multiple causes contributed to the deadly conflagration, including pipeline damage inflicted by construction workers years earlier, and a misconfigured valve. But the factor that intrigues Weiss and fellow researcher Marshall Abrams, a scientist at MITRE, is a still largely unexplained computer failure that began less than 30 minutes before the accident and paralyzed the central control room operating the pipeline, preventing workers from releasing pressure in the line before it hemorrhaged. With support from the U.S. National Institute of Standards and Technology, Weiss and Abrams pored over public government records on the incident, looking at it through the lens of a pending cybersecurity standard called NIST 800-53. The duo concluded that the requirements in the standard would have prevented the explosion from occurring. "The NTSB concluded that if the SCADA system computers had remained responsive to the commands of the Olympic controllers, the controller operating the pipeline probably would have been able to initiate actions that would have prevented the pressure increase that ruptured the pipeline," reads the NIST report. "These are the first fatalities from a control-system cyberevent that I can document, and for a fact say that this really occurred," Weiss said in an earlier interview with Wired.com. Security experts and government investigators have long warned that the complex networks controlling critical infrastructures like the power grid, and gas and oil pipelines, were not built with security in mind -- a point driven home by several incidents of the systems failing. In January 2003, the Slammer worm penetrated a private computer network at Ohio's Davis-Besse nuclear power plant and disabled a safety-monitoring system for nearly five hours. 
Later that year, a software bug in a General Electric energy-management system contributed to a cascading power failure that cut off electricity to 50 million people in eight states and a Canadian province. Piecing together the computer failure at Olympic is difficult. A system administrator, two control room operators and their supervisor all refused to testify in the resulting investigation, citing their Fifth Amendment right against self-incrimination. Several key system logs from the VAX VMS minicomputer from the time of the accident were missing or deleted, for reasons that have never been determined. But the NTSB's original report faulted an unnamed computer operator for adding records to a database that was running on the pipeline monitoring system. The board also noted that the overall system had security design defects, since it had connections to the larger company network that was itself internet connected and had dial-up lines. The board found no evidence of a computer attack from the outside, though. But Weiss, an outspoken evangelist for tighter control-system security standards, said he's suspicious of the NTSB's finding that the computer operator was at fault. "The NTSB said he was doing database updates on the live system," Weiss said Wednesday. "What did he do on this day that he didn't do everyday?" Abrams seems less convinced, suggesting the explosion was "probably" a combination of human error and a badly designed computer system, with a dose of bad luck thrown in for good measure. Regardless, Abrams said the point is the same, and the casualties at Bellingham still count as victims of a cyber-incident. "Control systems are just a special case of information technology," he said Wednesday. The NIST 800-53 standard, which is due to be issued this year, will only be binding on federal agencies, but might be voluntarily adopted by critical infrastructure providers in the private sector. 
Included in the standard are immutable audit logs, individualized passwords, and user accounts that have only the permissions the person needs. Bellingham had none of those precautions in 1999. Weiss said little has changed in the industry since then. "Until eight years ago, my whole life was making control systems usable and efficient, and, by the way, very vulnerable," Weiss said. "It is exactly what you will find today in many, many industrial applications. This isn't just 1999. No, this is June 2008." --- (Kevin Poulsen contributed to this report) From rforno at infowarrior.org Thu Apr 10 12:20:04 2008 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 10 Apr 2008 08:20:04 -0400 Subject: [Infowarrior] - Text Alerts to Cellphones in Emergency Are Approved Message-ID: Does anyone know if customers, not carriers, can chose whether or not to receive some or all of these messages? --rf April 10, 2008 Text Alerts to Cellphones in Emergency Are Approved By THE ASSOCIATED PRESS http://www.nytimes.com/2008/04/10/washington/10alert.html?pagewanted=print WASHINGTON (AP) -- Federal regulators approved a plan on Wednesday to create a nationwide emergency alert system using text messages delivered to cellphones. Text messages have exploded in popularity, particularly among young people. The trade group for the wireless industry, CTIA, estimates more than 48 billion text messages are sent each month. The plan stems from the Warning Alert and Response Network Act, a 2006 federal law that requires upgrades to the emergency alert system. The act requires the Federal Communications Commission to develop ways to alert the public about emergencies. "The ability to deliver accurate and timely warnings and alerts through cellphones and other mobile services is an important next step in our efforts to help ensure that the American public has the information they need to take action to protect themselves and their families prior to, and during, disasters and other emergencies," 
the commission chairman, Kevin J. Martin, said after the plan was approved. Carriers' participation in the system, which has strong support from the industry, is voluntary. Cellphone customers would be able to opt out of the program. They also may not be charged for receiving alerts. There would be three types of messages, according to the rules. The first would be a national alert from the president, probably involving a terrorist attack or natural disaster. The second would involve "imminent threats" that could include natural disasters like hurricanes, tornadoes or university shootings. The third would be reserved for child abductions, so-called Amber alerts. The alerts would be delivered with a unique audio signature or "vibration cadence." The service could be in place by 2010. From rforno at infowarrior.org Thu Apr 10 12:21:44 2008 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 10 Apr 2008 08:21:44 -0400 Subject: [Infowarrior] - Text Alerts to Cellphones in Emergency Are Approved Message-ID: Yes, customers can opt-out of messages. Decaffeinated me didn't strip the question from my note before posting it. It's right there in the article. Never mind. :( Need....caffeine....now. -rf From rforno at infowarrior.org Thu Apr 10 12:26:01 2008 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 10 Apr 2008 08:26:01 -0400 Subject: [Infowarrior] - HCI - Blogging meets literary analysis: why people read blogs Message-ID: First picked up via MSM article: Blogging meets literary analysis: why people read blogs By John Timmer | Published: April 09, 2008 - 10:20PM CT The rise of blogging clearly represents a significant social phenomenon, but studying it poses a challenge in part because defining a blog is not a simple thing. There have been a number of attempts to do so at the technical level, where the presence of material organized by time stamp or the existence of RSS feeds have been suggested as defining features. 
A group at the University of California-Irvine, however, decided to approach the question from the perspective of human-computer interactions, where the humans involved were blog readers. Mixing in a dose of literary theory provided some interesting insights into how readers view and define blogs. < - > MSM article continues: http://arstechnica.com/news.ars/post/20080409-blogging-meets-literary-theory-in-new-analysis.html The study's authors kindly provided Ars with a copy. It was presented at the Association for Computing Machinery's CHI Conference, and is available through their website. The ACM link (reg' reqd) http://portal.acm.org/citation.cfm?doid=1357054.1357228 From rforno at infowarrior.org Thu Apr 10 18:59:34 2008 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 10 Apr 2008 14:59:34 -0400 Subject: [Infowarrior] - DHS invokes nukes, Bush quietly links cybersecurity program to NSA In-Reply-To: <8C024389F75A074CB176E5B5EBFFA719ED2340@petencnm371.nc.ds.mil> Message-ID: http://rawstory.com/news/2008/Chertoff_invokes_nuclear_bomb_to_seek_0409.html Homeland Security invokes nuclear bomb, as Bush quietly links cybersecurity program to NSA 04/09/2008 @ 8:29 am Filed by John Byrne Department of Homeland Security Secretary Michael Chertoff has dropped the bomb. At a speech to hundreds of security professionals Wednesday, Chertoff declared that the federal government has created a cyber security "Manhattan Project," referencing the 1941-1946 project led by the Army Corps of Engineers to develop America's first atomic bomb. According to Wired's Ryan Singel, Chertoff gave few details of what the government actually plans to do. He cites a little-noticed presidential order: "In January, President Bush signed a presidential order expanding the role of DHS and the NSA in government computer security," Singel writes. "Its contents are classified, but the U.S. 
Director of National Intelligence has said he wants the NSA to monitor America's internet traffic and Google searches for signs of cyber attack." The National Security Agency was the key player in President Bush's warrantless wiretapping program, which was revealed by the New York Times in 2005. Sound familiar? Yesterday, documents acquired by the Electronic Frontier Foundation under the Freedom of Information Act showed the FBI has engaged in a massive cyber surveillance project that targets terror suspects' emails, telephone calls and instant messages -- and is able to get some information without a court order. Last week, the ACLU revealed documents showing that the Pentagon was using the FBI to spy on Americans. The military is using the FBI to skirt legal restrictions on domestic surveillance to obtain private records of Americans' Internet service providers, financial institutions and telephone companies, according to Pentagon documents. Chertoff sought to calm those who worry that Homeland Security will begin to take an invasive Internet role. "We don't have to sit on the internet and prevent things from coming in or going out," Chertoff said, which Singel says refers to China and other countries that censor what web sites their citizens can see. "That's not what we are going to do." Bush wants $42 million more for program But Chertoff may have had another reason for hyping threats of cyber terrorism. Money. Congress appropriated $150 million in funding for the program this year, Singel notes. The administration has sought $192 million for 2009. Speaking of threats, Chertoff remarked: "Imagine, if you will, a sophisticated attack on our financial systems that caused them to be paralyzed. It would shake the foundation of trust on which our financial system works." 
Remarked Singel wryly, "That digital mushroom cloud scenario means the government's role in computer security must extend beyond federal networks, and reach to shared responsibility for financial, telecommunication and transportation infrastructure, Chertoff said. "The failure of any single system has cascading effects across our country."

Which recalls another quote by a senior administration official. Speaking of the alleged threat of Saddam Hussein in 2003, then National Security Adviser Condoleezza Rice remarked, "We don't want the smoking gun to be a mushroom cloud."

From rforno at infowarrior.org Thu Apr 10 20:18:13 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 10 Apr 2008 16:18:13 -0400
Subject: [Infowarrior] - US intel folks rethink classification policy
Message-ID:

(c/o Secrecynews)

U.S. INTELLIGENCE AGENCIES RETHINK CLASSIFICATION POLICY

U.S. intelligence agencies have embarked upon a process to develop a uniform classification policy and a single classification guide that could be used by the entire U.S. intelligence community, according to a newly obtained report from the Office of the Director of National Intelligence.

The way that intelligence agencies classify information is not only frustrating to outsiders, as it is intended to be, but it has also impeded interagency cooperation and degraded agency performance.

In order to promote improved information sharing and intelligence community integration, the ODNI undertook a review of classification policies as a prelude towards establishing a new Intelligence Community Classification Guide that would replace numerous individual agency classification policy guides.

The initial ODNI review, completed in January 2008, identified fundamental defects in current intelligence classification policy.

"The definitions of 'national security' and what constitutes 'intelligence' -- and thus what must be classified -- are unclear," the review team found.
"Many interpretations exist concerning what constitutes harm or the degree of harm that might result from improper disclosure of the information, often leading to inconsistent or contradictory guidelines from different agencies." "There appears to be no common understanding of classification levels among the classification guides reviewed by the team, nor any consistent guidance as to what constitutes 'damage,' 'serious damage,' or 'exceptionally grave damage' to national security... There is wide variance in application of classification levels." Among the recommendations presented in the initial review were that original classification authorities should specify clearly the basis for classifying information, e.g. whether the sensitivity derives from the content of the information, or the source of the information, or the method by which it is analyzed, the date or location it was acquired, etc. Current policy requires that the classifier be "able" to describe the basis for classification but not that he or she in fact do so. A copy of the unreleased ODNI report on classification policy was obtained by Secrecy News. See "Intelligence Community Classification Guidance: Findings and Recommendations Report," January 2008: http://www.fas.org/sgp/othergov/intel/class.pdf From rforno at infowarrior.org Fri Apr 11 00:21:05 2008 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 10 Apr 2008 20:21:05 -0400 Subject: [Infowarrior] - BusinessWeek Cover: The New E-Spionage Threat In-Reply-To: Message-ID: The New E-spionage Threat A BusinessWeek probe of rising attacks on America's most sensitive computer networks uncovers startling security gaps by Brian Grow, Keith Epstein and Chi-Chu Tschang The e-mail message addressed to a Booz Allen Hamilton executive was mundane?a shopping list sent over by the Pentagon of weaponry India wanted to buy. But the missive turned out to be a brilliant fake. 
Lurking beneath the description of aircraft, engines, and radar equipment was an insidious piece of computer code known as "Poison Ivy" designed to suck sensitive data out of the $4 billion consulting firm's computer network. The Pentagon hadn't sent the e-mail at all. Its origin is unknown, but the message traveled through Korea on its way to Booz Allen. Its authors knew enough about the "sender" and "recipient" to craft a message unlikely to arouse suspicion. Had the Booz Allen executive clicked on the attachment, his every keystroke would have been reported back to a mysterious master at the Internet address cybersyndrome.3322.org, which is registered through an obscure company headquartered on the banks of China's Yangtze River.

The U.S. government, and its sprawl of defense contractors, have been the victims of an unprecedented rash of similar cyber attacks over the last two years, say current and former U.S. government officials. "It's espionage on a massive scale," says Paul B. Kurtz, a former high-ranking national security official. Government agencies reported 12,986 cyber security incidents to the U.S. Homeland Security Dept. last fiscal year, triple the number from two years earlier. Incursions on the military's networks were up 55% last year, says Lieutenant General Charles E. Croom, head of the Pentagon's Joint Task Force for Global Network Operations. Private targets like Booz Allen are just as vulnerable and pose just as much potential security risk. "They have our information on their networks. They're building our weapon systems. You wouldn't want that in enemy hands," Croom says. Cyber attackers "are not denying, disrupting, or destroying operations -- yet. But that doesn't mean they don't have the capability."

A MONSTER

When the deluge began in 2006, officials scurried to come up with software "patches," "wraps," and other bits of triage.
The effort got serious last summer when top military brass discreetly summoned the chief executives or their representatives from the 20 largest U.S. defense contractors to the Pentagon for a "threat briefing." BusinessWeek has learned the U.S. government has launched a classified operation called Byzantine Foothold to detect, track, and disarm intrusions on the government's most critical networks. And President George W. Bush on Jan. 8 quietly signed an order known as the Cyber Initiative to overhaul U.S. cyber defenses, at an eventual cost in the tens of billions of dollars, and establishing 12 distinct goals, according to people briefed on its contents. One goal in particular illustrates the urgency and scope of the problem: By June all government agencies must cut the number of communication channels, or ports, through which their networks connect to the Internet from more than 4,000 to fewer than 100. On Apr. 8, Homeland Security Dept. Secretary Michael Chertoff called the President's order a cyber security "Manhattan Project."

http://www.businessweek.com/magazine/content/08_16/b4080032218430.htm

From rforno at infowarrior.org Fri Apr 11 04:51:34 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 11 Apr 2008 00:51:34 -0400
Subject: [Infowarrior] - FW: [Dataloss] [FIN] This is the end...
In-Reply-To:
Message-ID:

Can't say I blame them one bit here...... -rf

------ Forwarded Message
From: lyger
Date: Fri, 11 Apr 2008 04:46:14 +0000 (UTC)
To: "dataloss at attrition.org"

http://attrition.org/news/content/end.html

This is the end...
April 11, 2008
Lyger

Since July 5 2005, Attrition.org has tracked events involving large-scale thefts and loss of personally identifying information (PII).
In the months and years since then, we, as well as dozens of volunteers, enthusiasts, and well-wishers have spent literally thousands of hours gathering data, discussing matters related to data breaches, creating web pages and databases, and promoting the idea of security and privacy for personal information. We feel that our combined efforts have been valuable to the security and privacy communities alike, and we hope that efforts like ours will continue to promote awareness, and maybe, some day in the future, actually make a difference.

With that said, we're done.

Much like Attrition.org's past defacement mirror, the time has come for us to say "no mas". In the past few weeks, it has come to our attention that too many people are more concerned with making a profit off of our work without any offer of acknowledgement or compensation. For those who aren't familiar with Attrition, we're a non-profit hobby site that takes on "projects" as we see fit, when we want to, and when we have time. For those who *are* familiar with Attrition, you probably know that we don't take kindly to being dealt with unfairly.

Commercial entities, including "identity-theft prevention" upstarts and book authors, will gladly contact us, ask for information and advice, and then not even offer us the equivalent of a reach-around when selling their materials. We don't pimp our resources to others; they come to us. Unfortunately, more often than not, they won't even send us a "thank you". We've mentioned it in the past, but we're not going to mention it in the future. This is the last mention.

[...]
http://attrition.org/news/content/end.html

From rforno at infowarrior.org Fri Apr 11 04:59:18 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 11 Apr 2008 00:59:18 -0400
Subject: [Infowarrior] - Windows is 'collapsing,' Gartner analysts warn
Message-ID:

Windows is 'collapsing,' Gartner analysts warn
Gregg Keizer
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9076698

April 10, 2008 (Computerworld) Calling the situation "untenable" and describing Windows as "collapsing," a pair of Gartner analysts yesterday said Microsoft Corp. must make radical changes to its operating system or risk becoming a has-been.

In a presentation at a Gartner-sponsored conference in Las Vegas, analysts Michael Silver and Neil MacDonald said Microsoft has not responded to the market, is overburdened by nearly two decades of legacy code and decisions, and faces serious competition on a whole host of fronts that will make Windows moot unless the software developer acts.

"For Microsoft, its ecosystem and its customers, the situation is untenable," said Silver and MacDonald in their prepared presentation, titled "Windows Is Collapsing: How What Comes Next Will Improve."

Among Microsoft's problems, the pair said, is Windows' rapidly-expanding code base, which makes it virtually impossible to quickly craft a new version with meaningful changes. That was proved by Vista, they said, when Microsoft -- frustrated by lack of progress during the five-year development effort on the new operating system -- hit the "reset" button and dropped back to the more stable code of Windows Server 2003 as the foundation of Vista.

"This is a large part of the reason [why] Windows Vista delivered primarily incremental improvements," they said. In turn, that became one of the reasons why businesses pushed back Vista deployment plans.
"Most users do not understand the benefits of Windows Vista or do not see Vista as being better enough than Windows XP to make incurring the cost and pain of migration worthwhile." Other analysts, including those at Gartner rival Forrester Research Inc., have highlighted the slow move toward Vista. Last month, Forrester said that by the end of 2007 only 6.3% of 50,000 enterprise computer users it surveyed were working with Vista. What gains Vista made during its first year, added Forrester, appeared to be at the expense of Windows 2000; Windows XP's share hardly budged. The monolithic nature of Windows -- although Microsoft talks about Vista's modularity, Silver and MacDonald said it doesn't go nearly far enough -- not only makes it tough to deliver a worthwhile upgrade, but threatens Microsoft in the mid- and long-term. Users want a smaller Windows that can run on low-priced -- and low-powered -- hardware. And increasingly, users work with "OS-agnostic applications," the two analysts said in their presentation. It takes too long for Microsoft to build the next version, the company is being beaten by others in the innovation arena, and in the future -- perhaps as soon as the next three years -- it's going to have trouble competing with Web applications and small, specialized devices. "Apple introduced its iPhone running OS X, but Microsoft requires a different product on handhelds because Windows Vista is too large, which makes application development, support and the user experience all more difficult," according to Silver and MacDonald. "Windows as we know it must be replaced," they said in their presentation. Their advice to Microsoft took several forms, but one road they urged the software giant to take was virtualization. "We envision a very modular and virtualized world," said the researchers, who spelled out a future where virtualization -- specifically a hypervisor -- is standard on client as well as server versions of Windows. 
"An OS, in this case Windows, will ride atop the hypervisor, but it will be much thinner, smaller and modular than it is today. Even the Win32 API set should be a module that can be deployed to maintain support for traditional Windows applications on some devices, but other[s] may not have that module installed." Backward compatibility with older applications should also be supported via virtualization. "Backward compatibility is a losing proposition for Microsoft; while it keeps people locked into Windows, it also often keeps them from upgrading," said the analysts. "[But] using built-in virtualization, compatibility modules could be layered atop Win32, or not, as needed." Silver and MacDonald also called on Microsoft to make it easier to move to newer versions of Windows, re-think how it licenses Windows and come up with a truly modular operating system that can grow or shrink as needed. Microsoft has taken some new steps with Windows, although they don't necessarily match what the Gartner analysts recommended. For instance, the company recently granted Windows XP Home a reprieve from its June 30 OEM cut-off, saying it would let computer makers install the older, smaller operating system on ultra-cheap laptops through the middle of 2010. It will also add a hypervisor to Windows -- albeit the server version -- in August, and there are signs that it will launch Windows 7, the follow-on to Vista, late next year rather than early 2010. 
From rforno at infowarrior.org Fri Apr 11 04:59:54 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 11 Apr 2008 00:59:54 -0400
Subject: [Infowarrior] - FBI nudges state 'fusion centers' into the shadows
Message-ID:

FBI nudges state 'fusion centers' into the shadows
Posted by Declan McCullagh
http://www.news.com/8301-13578_3-9916599-38.html

WASHINGTON -- The FBI is pressuring states to become more secretive and limit even routine oversight of the bureau's data-sharing arrangements with local police, a new document shows.

A memorandum of understanding written by the FBI and signed by the state of Virginia in February 2008 aims to curb congressional and press oversight of a joint venture called a Fusion Center. Here's more on Fusion Centers.

The memorandum, obtained by the Electronic Privacy Information Center and released on Friday, says that any "disclosure" to Congress of information shared with the Fusion Center can happen only "after consultation with the FBI." It also says that requests from media organizations even for non-classified material made under Virginia's open government laws will be referred to the FBI and then strongly opposed.

It also indicates that the FBI is responsible for a Virginia state bill called HB1007 -- introduced two days after the FBI signed the memorandum on January 6 -- that would exempt the Fusion Center from open government laws.

That bill is worrisome. It rewrites open government laws to say that even non-classified statistics about the total number of investigations targeting "an individual who or organization which is reasonably suspected of involvement in criminal activity" will be exempt from disclosure to news organizations and the public.

Nobody wants truly confidential or classified information to be disclosed (except, perhaps, to the historians of the next generation).
But the Virginia proposal goes too far, and exempts even reports and statistics that could show overzealous surveillance and other possible misbehavior by Fusion Center staff.

In reality, there's no need to amend Virginia's open government law; it already includes a slew of can't-disclose-these exemptions including "public safety" records, anti-terrorist plans, and reports given to "state and local law enforcement agencies."

This hasn't stopped police from misrepresenting what's going on. "Federal agencies aren't going to share with us classified information if they think we're going to share that information," Capt. Tom Martin, commander of the Virginia State Police Criminal Intelligence Division and the administrative head of the Fusion Center, told the Virginian-Pilot. "We're going to protect it."

If Martin and the other Fusion Center honchos want a narrow state law reiterating that classified information can't be disclosed, perhaps it makes sense to enact one. But that's a far cry from HB1007's broad exceptions, and not an argument that the currently-proposed law is either wise or necessary.

From rforno at infowarrior.org Fri Apr 11 05:01:06 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 11 Apr 2008 01:01:06 -0400
Subject: [Infowarrior] - Europe rejects plan to criminalize file-sharing
Message-ID:

Europe rejects plan to criminalize file-sharing
In a close vote, the European Parliament rejected attempts to criminalize the sharing of files by private individuals and to ban copyright abusers from the Internet
http://www.infoworld.com/archives/emailPrint.jsp?R=printThis&A=/article/08/04/10/Europe-rejects-plan-to-criminalize-file-sharing_1.html

By Paul Meller, IDG News Service
April 10, 2008

The European Parliament rejected attempts to criminalize the sharing of files by private individuals and threw out the idea of banning copyright abusers from the Internet, in a plenary vote Thursday.
The vote was close, with 314 MEPs (Members of the European Parliament) voting in favor of an amendment to scrap what many consider draconian and disproportionate measures to protect copyright over the internet, and 297 voting against the amendment.

"The vote shows that MEPs want to strike a balance between the interests of rights holders and those of consumers, and that big measures like cutting off Internet access shouldn't be used," said Malene Folke Chaucheprat, a European Parliament spokeswoman, shortly after the vote.

The report isn't legally binding, but it could help thwart efforts by France, which has already adopted such measures, to push the issue at a European political level. France's so-called Oliviennes strategy to combat copyright abuse includes a "three strikes and you are out" approach: Offenders lose the right to an Internet account after being caught sharing copyright-protected music over the Internet for a third time.

France takes over the six-month rotating presidency of the European Union in the second half of this year and many observers, including the U.K.-based Open Rights Group, expect it to push for E.U.-wide rules similar to its own.

The report is significant because it "signifies resistance among MEPs to measures currently being implemented in France to disconnect suspected illicit filesharers," the Open Rights Group said in a statement.

The record industry was disappointed with the vote. "One badly drafted, rushed through amendment was adopted which is in contradiction to the rest of the text," said Frances Moore, executive vice president of the International Federation of the Phonographic Industry (IFPI), in a statement.

"If the aim of the report is to protect creative content, including in the online environment, we should be looking at all options available in the fight against copyright theft. Instead, this amendment suggested discarding certain options before there is even a proper debate," the IFPI said.
But the Open Rights Group argued that criminalizing copyright abuse by individuals eager to build their media library and not profit from copyright-protected material is draconian and inefficient at tackling illegal file sharing.

"As the European Parliament have recognized today, [the measures] are disproportionate, they lack consumer safeguards and they won't stop illicit filesharing," the Open Rights Group said.

From rforno at infowarrior.org Fri Apr 11 14:47:42 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 11 Apr 2008 10:47:42 -0400
Subject: [Infowarrior] - Satellite to be junked because lunar flyby is patented
Message-ID:

Satellite to be junked because lunar flyby is patented
http://www.boingboing.net/2008/04/11/satellite-to-be-junk.html

A satellite is being abandoned in orbit because its position can't be corrected without violating a Boeing patent on lunar flyby:

The AMC-14 commercial geostationary satellite was launched in March by a Proton launch vehicle into space just short of its minimum geostationary transfer orbit (GTO)... However, SpaceDaily has now learned that a plan to salvage AMC-14 was abandoned a week ago when SES gave up in the face of patent issues relating to the lunar flyby process used to bring wayward GEO birds back to GEO Earth orbit. Sources have told SpaceDaily that it was possible to bring AMC-14 back via the moon to a stable GEO orbit where the high powered satellite would have been able to operate for at least four years and probably longer.

Industry sources have told SpaceDaily that the patent is regarded as legal "trite", as basic physics has been rebranded as a "process", and that the patent wouldn't stand up to any significant level of court scrutiny and was only registered at the time as "the patent office was incompetent when it came to space matters".
From rforno at infowarrior.org Fri Apr 11 14:50:36 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 11 Apr 2008 10:50:36 -0400
Subject: [Infowarrior] - Schneier's Third Annual Movie Plot Threat Contest
Message-ID:

(I wonder how many of these ideas DHS actually tries to work with........rf)

Third Annual Movie-Plot Threat Contest

I can't believe I let April 1 come and go without posting the rules to the Third Annual Movie-Plot Threat Contest. Well, better late than never.

For this contest, the goal is to create fear. Not just any fear, but a fear that you can alleviate through the sale of your new product idea.

There are lots of risks out there, some of them serious, some of them so unlikely that we shouldn't worry about them, and some of them completely made up. And there are lots of products out there that provide security against those risks. Your job is to invent one.

First, find a risk or create one. It can be a terrorism risk, a criminal risk, a natural-disaster risk, a common household risk -- whatever. The weirder the better. Then, create a product that everyone simply has to buy to protect him- or herself from that risk. And finally, write a catalog ad for that product.

< - >

http://www.schneier.com/blog/archives/2008/04/third_annual_mo.html

From rforno at infowarrior.org Fri Apr 11 17:12:11 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 11 Apr 2008 13:12:11 -0400
Subject: [Infowarrior] - OT: Red Shirt Deaths
Message-ID:

In my seminars, I enjoy teaching analytics because the fun is in finding effective and memorable methods to help people understand the concepts. One of my favorites is an analysis of the Red-Shirt Phenomenon in Star Trek.

What? You don't know about the Red Shirt Phenomenon? Well, as any die-hard Trekkie knows, if you are wearing a red shirt and beam to the planet with Captain Kirk, you're gonna die. That's the common thinking, but I decided to put this to the test.
After all, I hadn't seen any definitive proof; it's just what people said. (Remind you of your current web analytics strategy?) So, let's set our phasers on 'stun' and see what we find...

< - >

http://tinyurl.com/2flwq6

From rforno at infowarrior.org Fri Apr 11 18:47:25 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 11 Apr 2008 14:47:25 -0400
Subject: [Infowarrior] - Microsoft Exec: UAC Designed To 'Annoy Users'
Message-ID:

Microsoft Exec: UAC Designed To 'Annoy Users'
By Kevin McLaughlin, ChannelWeb
3:12 PM EDT Thu. Apr. 10, 2008
http://www.crn.com/software/207100934?cid=CRNFeed

The User Account Control in Windows Vista improves security by reducing application privileges from administrative to standard levels, but UAC has been widely criticized for the nagging alerts it generates. According to one Microsoft (NSDQ: MSFT) executive, the annoyance factor was actually part of the plan.

In a Thursday presentation at RSA 2008 in San Francisco, David Cross, a product unit manager at Microsoft who was part of the team that developed UAC, admitted that Microsoft's strategy with UAC was to irritate users and ISVs in order to get them to change their behavior.

"The reason we put UAC into the platform was to annoy users. I'm serious," said Cross.

Microsoft not only wanted to get users to stop running as administrators, which exacerbates the effects of attacks, but also wanted to convince ISVs to stop building applications that require administrative privileges to install and run, Cross explained. "We needed to change the ecosystem, and we needed a heavy hammer to do it," Cross said.

Keith Meisner, senior systems engineer at AppTech, a Tacoma, Wash.-based solution provider, says UAC has helped Microsoft improve end users' overall security posture. "Many of the situations we deal with have to do with users being uninformed about threats on the Internet," said Meisner. "Are there some annoyances with UAC? Yes, but advanced users know how to get around them."
But while UAC is good for overall security, it does present logistical issues, said Steve Snider, president of Cadre Information Security, a Cincinnati-based solution provider. "For people working in an office, close to IT, it's not a problem, but when you have a very mobile workforce, and you have to load and update applications, that's when it becomes more of an issue," he said.

As a result of UAC, software vendors have changed their approach to developing software, to the point where fewer applications and tasks are triggering alerts, said Cross. "Most users, on a daily basis, actually have zero UAC prompts," he said.

Cross also disputed the popular notion that many frustrated users have decided to shut off UAC alerts entirely. He cited internal Microsoft research that shows 88 percent of all Vista users operate with UAC turned on, and 66 percent of sessions have no prompts, a number he says will continue to grow over time.

"UAC is not a perfect security boundary, but it [has helped us] move from 'zero click' exploits to 'one click' defense," said Cross.

From rforno at infowarrior.org Sat Apr 12 01:31:53 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 11 Apr 2008 21:31:53 -0400
Subject: [Infowarrior] - Network Solutions hijacking sub-domains
In-Reply-To: <20080411161551.GA10778@gsp.org>
Message-ID:

(c/o RSK)

[ It appears to me that this is quite similar to the spammer/SEO scammer tactic of creating link farms. ---Rsk ]

Noted via Slashdot:

Network Solutions Advertises On Your Sub-Domains
http://tech.slashdot.org/article.pl?sid=08/04/11/1326235

Which says "The Register reports that customers have found that their defunct or forgotten-about sub-domains have been taken over by Network Solutions to send users to ad pages. By digging through a 59K-word user agreement, you can find the following text: 'You also agree that any domain name directory, sub-directory, file name or path (e.g.)
that does not resolve to an active web page on your Web site being hosted by Network Solutions, may be used by Network Solutions to place a "parking" page, "under construction" page, or other temporary page that may include promotions and advertisements for, and links to, Network Solutions' Web site...'"

The Register's coverage:
Network Solutions hijacks customer sub-domains for ad fest
http://www.theregister.co.uk/2008/04/11/network_solutions_sub_domain_parking/

Techcrunch's reporting:
Network Solutions Hijacking Unassigned Sub-Domains
http://www.techcrunch.com/2008/04/08/network-solutions-hijacking-unassigned-sub-domains/

From rforno at infowarrior.org Sat Apr 12 01:41:37 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 11 Apr 2008 21:41:37 -0400
Subject: [Infowarrior] - Six US cities tamper with traffic cameras for profit
Message-ID:

http://www.leftlanenews.com/six-us-cities-tamper-with-traffic-cameras-for-profit.html

Six U.S. cities have been found guilty of shortening the amber cycles below what is allowed by law on intersections equipped with cameras meant to catch red-light runners. The local governments in question have ignored the safety benefit of increasing the yellow light time and decided to install red-light cameras, shorten the yellow light duration, and collect the profits instead.

The cities in question include Union City, CA, Dallas and Lubbock, TX, Nashville and Chattanooga, TN, Springfield, MO, according to Motorists.org, which collected information from reports from around the country.

This isn't the first time traffic cameras have been questioned as to their effectiveness in preventing accidents. In one case, the local government was forced to issue refunds by more than $1 million to motorists who were issued tickets for running red lights.

The report goes on to note these are just instances that have been identified, and there may be more out there, and urges visitors to send in their own findings.
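The Network Solutions sub-domain story above works the way it does because a hosting provider can answer for every label under a customer's zone, not just the ones the customer created, and serve its own page for the rest. The check a zone owner wants is therefore: does a label that cannot possibly have been assigned still resolve, and if so, which of my "real" names are actually landing on that same parking host? The script below is an added example, not code from The Register, TechCrunch, Slashdot or Network Solutions. It probes the zone with a random nonce label, treats a consistent answer as evidence of a wildcard, and then flags every listed hostname that resolves to the wildcard's address set. The zone table, hostnames and addresses are constructed for the example; `make_resolver` is a stand-in for a real lookup (`dns.resolver` or `socket.getaddrinfo`), and its wildcard matching is a simplification of RFC 4592 that does not model the closest-encloser rule.

```python
"""Detect registrar/host wildcard "parking" of unassigned sub-domains.

Added example; not the code of any party named in the story. The zone
data is constructed, and make_resolver() stands in for a real DNS lookup.
"""
import secrets
from typing import Callable, Dict, List, Optional

Resolver = Callable[[str], Optional[List[str]]]

# Constructed zone: two assigned hosts plus a provider wildcard that
# points every other label at a parking/ad server. Documentation-range
# addresses, not real ones.
PARKED_ZONE: Dict[str, List[str]] = {
    "example.test": ["192.0.2.10"],
    "www.example.test": ["192.0.2.10"],
    "mail.example.test": ["192.0.2.20"],
    "*.example.test": ["198.51.100.99"],  # provider's parking host
}

# The same zone without the wildcard, for contrast (also constructed).
CLEAN_ZONE: Dict[str, List[str]] = {
    k: v for k, v in PARKED_ZONE.items() if not k.startswith("*.")
}


def make_resolver(zone: Dict[str, List[str]]) -> Resolver:
    """Return a lookup function over a static zone table.

    An exact name wins; otherwise the first ancestor with a '*' record
    answers; otherwise the name does not exist (None). This is a
    simplified wildcard model, enough to demonstrate the check.
    """
    def resolve(name: str) -> Optional[List[str]]:
        name = name.lower().rstrip(".")
        if name in zone:
            return list(zone[name])
        labels = name.split(".")
        for i in range(1, len(labels)):
            candidate = "*." + ".".join(labels[i:])
            if candidate in zone:
                return list(zone[candidate])
        return None
    return resolve


def nonce_label() -> str:
    """A label nobody would have assigned; 64 bits of randomness."""
    return "nx-" + secrets.token_hex(8)


def detect_wildcard(domain: str, resolve: Resolver, probes: int = 3) -> Optional[List[str]]:
    """Return the sorted address set the zone hands to unassignable labels.

    Several independent nonces are tried; only a consistent, non-empty
    answer counts as a wildcard. None means no wildcard was observed.
    """
    answers: List[List[str]] = []
    for _ in range(probes):
        addrs = resolve(f"{nonce_label()}.{domain}")
        if not addrs:
            return None
        answers.append(sorted(addrs))
    return answers[0] if all(a == answers[0] for a in answers) else None


def classify_hosts(domain: str, hostnames: List[str], resolve: Resolver) -> Dict[str, str]:
    """Label each hostname 'assigned', 'parked' (served by the wildcard
    host) or 'nxdomain' (no wildcard and no record)."""
    parking = detect_wildcard(domain, resolve)
    verdict: Dict[str, str] = {}
    for host in hostnames:
        fqdn = f"{host}.{domain}"
        addrs = resolve(fqdn)
        if not addrs:
            verdict[fqdn] = "nxdomain"
        elif parking is not None and sorted(addrs) == parking:
            verdict[fqdn] = "parked"
        else:
            verdict[fqdn] = "assigned"
    return verdict


if __name__ == "__main__":
    # Constructed inventory: two live hosts and two names nobody owns any more.
    inventory = ["www", "mail", "forgotten", "dev"]
    for label, zone in (("parked zone", PARKED_ZONE), ("clean zone", CLEAN_ZONE)):
        resolver = make_resolver(zone)
        print(label, "wildcard ->", detect_wildcard("example.test", resolver))
        for fqdn, state in classify_hosts("example.test", inventory, resolver).items():
            print(f"  {fqdn:28s} {state}")
```

Against a real zone, swap `make_resolver` for a function that performs the actual lookup and compare the wildcard's address set with what the provider's parking host serves over HTTP; a name that is "parked" in this sense is exactly the kind of defunct sub-domain the story describes, and is also the first thing to clean up if the provider ever lets those addresses be claimed by someone else.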
From rforno at infowarrior.org Sat Apr 12 03:28:12 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 11 Apr 2008 23:28:12 -0400
Subject: [Infowarrior] - Scientology threatens Wikileaks
Message-ID:

Those Scientologists......so predictable, so delirious, so....so......so pathetically amusing! -rf

Scientology threatens Wikileaks over secret cult bibles
From Wikileaks
http://wikileaks.org/wiki/Scientology_threatens_Wikileaks_over_secret_cult_bibles

WIKILEAKS PRESS RELEASE
Monday April 7, 2008

The Scientology cult, of which Hollywood actors Tom Cruise and John Travolta are the most familiar public followers, has threatened transparency group Wikileaks, demanding that it remove "unpublished, copyrighted" Scientology documents.

The Scientology documents, which were released by Wikileaks last month, are restricted from the public and low ranking cult members.

The March 27 letter, from the cult's Los Angeles lawyers, Moxon & Kobrin also asked, in an apparent attempt to trace the source of the materials, that Wikileaks preserve any related records, "..not limited to, logs, data entry sheets, applications -- electronic or otherwise, registrations forms, billings statements or invoices, computer print-outs, disks, hard drives, etc.". However, the Wikileaks site, by design, keeps no logs of its submissions, or even of its readers.

The cult's lawyers presented Wikileaks with a list of copyright registrations for its secret "religious technology" made with the United States Copyright Office and some examples of international court cases related to previous Scientology legal attacks on publishers. These examples reveal part of a long history of reported Scientology abuse of the legal system and are clearly aimed at putting pressure on Wikileaks to remove the content.
The documents, according to the legal letter, are owned by a Scientology holding company, the Religious Technology Center (RTC), which claims ownership of the "confidential Advanced Technology of the Scientology religion" -- the secret "bibles" of the cult. The content, consisting of typed as well as hand-written pages by the cult founder, the late science fiction writer and con-man L. Ron Hubbard, describes OT "levels" I-VIII as well as related "NOTs" and other aspects of cult dogma and operations.

The public is usually introduced to the cult through its "free stress test" stalls, L. Ron Hubbard's 1950s pseudo-science book "Dianetics", or fronts such as Narconon, Criminon and the Citizens Commission on Human Rights. Cult members are normally thoroughly indoctrinated before they are introduced to higher level Scientology "bibles", such as "OT-III", which describe all human problems as having been originated by the evil galactic overlord, Xenu, some 75 million years ago.

While parts of the material have appeared previously, if briefly due to legal action, other parts appear to be original to the Wikileaks release.

Wikileaks will not comply with legally abusive requests from Scientology any more than Wikileaks has complied with similar demands from Swiss banks, London Banks, Russian off-shore stem cell centers, former African Kleptocrats, or the Pentagon. Wikileaks will remain a place where people of the world may safely expose injustice and corruption. Indeed, in response to the attempted suppression, Wikileaks will release several thousand pages of additional Scientology materials next week.

* To pledge support to the Wikileaks defense fund, see Pledgebank or this link.

From rforno at infowarrior.org Sat Apr 12 03:40:24 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 11 Apr 2008 23:40:24 -0400
Subject: [Infowarrior] - Dataloss: A New Beginning
Message-ID:

(of course not to be confused with 'Star Wars IV: A New Hope' ...
Besides, isn't April such a fun month on the Interweb? -rf) http://www.attrition.org/news/content/nottheend.html A new beginning Fri Apr 11 23:04:01 EST 2008 Lyger First off, we would like to thank everyone who emailed us messages of support about our decision to discontinue our Data Loss resources. So far, we have received over 50 emails expressing gratitude, concern, and interest in helping continue the project. To be perfectly honest, the overwhelming offers of support have been, well, touching. We never intended for our resources to be so widely held in regard and respected by security and privacy professionals world-wide, and we are quite thankful for your messages. < - > So, with that in mind, the staff members of Attrition.org have decided to continue on with the Data Loss project. The Data Loss mail list, web page, and database (DLDOS) will continue to be updated on a regular basis as new events, information, and data come our way. We will continue looking through news and RSS feeds every day, responding to requests for information, and posting all of our findings to the mail list, web page, and DLDOS. From about 6AM until midnight, Sunday through Saturday, we'll continue to provide the most accurate and most updated information available anywhere. Going forward, we would like to announce that we have a new partnership with Identity-Love-Sock, a trusted provider of identity theft prevention services. Not only can Identity-Love-Sock protect YOU from IDENTITY THEFT, it also provides several guarantees for your PROTECTION should YOU be affected by IDENTITY THEFT. With the services provided by Identity-Love-Sock, YOU will NEVER have to WORRY about your IDENTITY being STOLEN, MISUSED, or otherwise COMPROMISED. For more details on how YOU can be COVERED and PROTECTED, please visit Identity-Love-Sock. You'll be glad you did. Really. 
< - > http://www.attrition.org/news/content/nottheend.html From rforno at infowarrior.org Sat Apr 12 14:48:46 2008 From: rforno at infowarrior.org (Richard Forno) Date: Sat, 12 Apr 2008 10:48:46 -0400 Subject: [Infowarrior] - Administration Set to Use New Spy Program in U.S. Message-ID: Administration Set to Use New Spy Program in U.S. Congressional Critics Want More Assurances of Legality http://www.washingtonpost.com/wp-dyn/content/article/2008/04/11/AR2008041103655_pf.html By Spencer S. Hsu Washington Post Staff Writer Saturday, April 12, 2008; A03 The Bush administration said yesterday that it plans to start using the nation's most advanced spy technology for domestic purposes soon, rebuffing challenges by House Democrats over the idea's legal authority. Homeland Security Secretary Michael Chertoff said his department will activate his department's new domestic satellite surveillance office in stages, starting as soon as possible with traditional scientific and homeland security activities -- such as tracking hurricane damage, monitoring climate change and creating terrain maps. Sophisticated overhead sensor data will be used for law enforcement once privacy and civil rights concerns are resolved, he said. The department has previously said the program will not intercept communications. "There is no basis to suggest that this process is in any way insufficient to protect the privacy and civil liberties of Americans," Chertoff wrote to Reps. Bennie G. Thompson (D-Miss.) and Jane Harman (D-Calif.), chairmen of the House Homeland Security Committee and its intelligence subcommittee, respectively, in letters released yesterday. "I think we've fully addressed anybody's concerns," Chertoff added in remarks last week to bloggers. "I think the way is now clear to stand it up and go warm on it." His statements marked a fresh determination to operate the department's new National Applications Office as part of its counterterrorism efforts. 
The administration in May 2007 gave DHS authority to coordinate requests for satellite imagery, radar, electronic-signal information, chemical detection and other monitoring capabilities that have been used for decades within U.S. borders for mapping and disaster response. But Congress delayed launch of the new office last October. Critics cited its potential to expand the role of military assets in domestic law enforcement, to turn new or as-yet-undeveloped technologies against Americans without adequate public debate, and to divert the existing civilian and scientific focus of some satellite work to security uses. Democrats say Chertoff has not spelled out what federal laws govern the NAO, whose funding and size are classified. Congress barred Homeland Security from funding the office until its investigators could review the office's operating procedures and safeguards. The department submitted answers on Thursday, but some lawmakers promptly said the response was inadequate. "I have had a firsthand experience with the trust-me theory of law from this administration," said Harman, citing the 2005 disclosure of the National Security Agency's domestic spying program, which included warrantless eavesdropping on calls and e-mails between people in the United States and overseas. "I won't make the same mistake. . . . I want to see the legal underpinnings for the whole program." Thompson called DHS's release Thursday of the office's procedures and a civil liberties impact assessment "a good start." But, he said, "We still don't know whether the NAO will pass constitutional muster since no legal framework has been provided." DHS officials said the demands are unwarranted. "The legal framework that governs the National Applications Office . . . is reflected in the Constitution, the U.S. Code and all other U.S. laws," said DHS spokeswoman Laura Keehner. She said its operations will be subject to "robust," structured legal scrutiny by multiple agencies. 
From rforno at infowarrior.org Sat Apr 12 14:55:39 2008 From: rforno at infowarrior.org (Richard Forno) Date: Sat, 12 Apr 2008 10:55:39 -0400 Subject: [Infowarrior] - Court ruling regarding TSA data breach In-Reply-To: <48007D74.8080808@knology.net> Message-ID: (c/o dataloss) ------ Forwarded Message From: Henry Brown From Lauren Gelman's blog Court holds Privacy Act "actual damages requirement" does not require pecuniary harm http://cyberlaw.stanford.edu/node/5734 I'm breaking blog silence to report on an amazing decision out of the DC Circuit holding that the federal Privacy Act's requirement that Plaintiffs show actual damages does not require pecuniary harm but can be met by a showing of emotional distress. Am. Fed'n of Gov't Employees v. Hawley, D.D.C., No. 07-00855, 3/31/08. [T]he plaintiffs' alleged injury is not speculative nor dependent on any future event, such as a third party's misuse of the data, the court said. The court finds that plaintiffs have standing to bring their Privacy Act claim. This follows the Supreme Court's holding in Doe v. Chao, 540 U.S. 614 (2004) that a plaintiff must prove actual damages to succeed on an alleged Privacy Act violation; however, in that case, the court never defined "actual damages." I think this is a great decision that supports the belief that people's harm from a privacy loss is not just another's use of that information to cause financial loss (i.e. identity theft), but that emotional damages and embarrassment are cognizable harms of privacy violations. [...] The actual court document... https://ecf.dcd.uscourts.gov/cgi-bin/show_public_doc?2007cv0855-6 Summary provided by Saqib Ali from the FDE newsgroup.. In the recent American Federation Of Government Employees (plaintiff) v. 
Kip Hawley, in his official capacity as Administrator for TSA, the plaintiffs alleged that defendants violated the Aviation and Transportation Security Act ("ATSA") and the Privacy Act by failing to establish appropriate safeguards to insure the security and confidentiality of personnel records which resulted in unintended disclosure of Personally Identifiable Information (PII) of 100,000 TSA employees. The defendants argued "that the individual plaintiffs should be dismissed for lack of standing for failing to demonstrate an injury-in-fact. Mot. Dismiss at 13. According to defendants, plaintiffs' concerns about future harm are speculative and dependent upon the criminal actions of third parties. Mot. Dismiss at 13-15" The court, however, disagrees: "Plaintiffs allege that because TSA violated § 552a(e)(10) by failing to establish safeguards to secure the missing hard drive, they have suffered an injury in the form of embarrassment, inconvenience, mental distress, concern for identity theft, concern for damage to credit report, concern for damage to financial suitability requirements in employment, and future substantial financial harm, [and] mental distress due to the possibility of security breach at airports." Compl. 41-42. As such, plaintiffs' alleged injury is not speculative nor dependent on any future event, such as a third party's misuse of the data. The court finds that plaintiffs have standing to bring their Privacy Act claim." [...] From rforno at infowarrior.org Sat Apr 12 16:20:31 2008 From: rforno at infowarrior.org (Richard Forno) Date: Sat, 12 Apr 2008 12:20:31 -0400 Subject: [Infowarrior] - Free Range Kids Message-ID: A parent's got the right idea here.......reminds me of what I wrote in 2003's "Weapons of Mass Delusion" and referred to in the chapter called 'Cloistered Kids Syndrome.' 
http://freerangekids.wordpress.com/ From rforno at infowarrior.org Sun Apr 13 16:55:01 2008 From: rforno at infowarrior.org (Richard Forno) Date: Sun, 13 Apr 2008 12:55:01 -0400 Subject: [Infowarrior] - Youtorrent changes? Message-ID: http://www.youtorrent.com/ Interestingly, it seems in the past 24 hours the increasingly popular YouTorrent site changed its searchable list of torrent directories. There used to be others like piratebay listed, but now it's showing these instead: Mininova.org bt.etree.org Vuze.com BitTorrent.com WorthArchiving LegitTorrents.info LegalTorrents.com IIRC recently (past month) the YouTorrent owner/founder/admin did a few MSM interviews -- I wonder if as a result of his 'going public' he was pressured by the CopyWrong Kooks into making his site less "pirate-friendly"? -rick Infowarrior.org From rforno at infowarrior.org Sun Apr 13 20:34:19 2008 From: rforno at infowarrior.org (Richard Forno) Date: Sun, 13 Apr 2008 16:34:19 -0400 Subject: [Infowarrior] - Craigslist and eBay: Terrorist arms bazaars of DEATH Message-ID: Craigslist and eBay: Terrorist arms bazaars of DEATH Federal beancounters launch Operation Barrelscrape By Lewis Page Published Sunday 13th April 2008 08:02 GMT http://www.theregister.co.uk/2008/04/13/craigslist_ebay_terror_arms_bazaars/ Analysis American government investigators believe that eBay and Craigslist are becoming international arms bazaars, facilitating the sale of "sensitive and stolen US military items" to the agents of sinister foreign powers - or even (gasp) terrorists. However, they have produced very little evidence to back this up. In a newly-released report (pdf) entitled Undercover Purchases on eBay and Craigslist Reveal a Market for Sensitive and Stolen U.S. Military Items, the beancounters of the Government Accountability Office (GAO) lay out the shocking facts. 
It turns out that GAO agents operating "undercover" (on the internet) in recent months were able to purchase the following items on the named webmarts: * An Army Combat Uniform (ACU) and uniform accessories that could be used by a terrorist to pose as a US service member. * Body armor vests and... plates that are currently used by our troops in Iraq and Afghanistan... terrorist organizations or other countries could use reverse engineering on this body armor to develop countermeasures, equivalent technology, or both. Body armor could also be used domestically by a violent felon to commit crime. * Night vision goggles... Although night vision goggles are commercially available to the public, the milspec tube in the pair of goggles we purchased on eBay is a sensitive component that allows US service members on the battlefield to identify friendly fighters wearing infrared (IR) tabs. We also purchased IR tabs... * Nuclear biological chemical [protective] gear... that could be reverse engineered to develop countermeasures or produce equivalent technology. So far, so bullshit. The US government does make efforts to restrict sales of the very latest nightvision kit and body armour to US customers - or in some cases, to military and cops only - but it's merely a delaying action. What was cutting-edge gear five or ten years ago is now unrestricted access; today's military-grade gear in these classes is anyone's tomorrow. Felons already wear body armour quite capable of defeating the pistol rounds typically fired by armed police (or, more commonly, the villains' business competitors). Terrorist snipers have long had access to specialist weapons and ammo able to defeat the heaviest body armour - and this kit is often from America. Sure, US troops use IR-reflective tags to identify themselves to one another at night - but this is a technology with dozens of civilian applications. It's used in VR game controllers, for goodness' sake. Gasmasks and NBC suits? 
Available in army surplus stores worldwide. As for the idea that one might panic about military-surplus uniforms being on sale... well. Indeed, so thin were the pickings that the GAO undercover operatives had to list some frankly rather embarrassing finds. * We also investigated sales of military meals, ready-to-eat (MRE) and found a robust market for stolen military MREs on eBay and Craigslist. Both civilians and service members sold us numerous cases of new/unused military MREs despite the fact that they were marked "US Government Property, Commercial Resale Is Unlawful." Come on. This is petty theft at best. (Indeed, if the dreaded MREs are really ending up in terrorist hands, this could be a blow for democracy. US troops have often found their MREs so disgusting that they will swap most of their personal equipment for other nations' relatively palatable combat rations.) The only items of any significance whatever were some spare parts for helicopters and aircraft. This has long been something of an issue in the States, largely because the Iranian armed forces still have a lot of kit originally supplied to the Shah's regime. In particular, the Iranians are believed still to have some airworthy (if perhaps not very combat-worthy) F-14 "Tomcat" fighters (of the type formerly used by the US Navy, most famously by Tom Cruise in Top Gun). Iran also has a number of US-designed Chinook heavy-lift choppers, Hercules transport planes etc. As a result, Iranian buyers have been trying to get hold of F-14, Chinook and other aircraft parts under US embargo for decades with varying degrees of success. (For a while they were in clover, when Oliver North's Iran-Contra scheme was in operation.) But the GAO probe seems to indicate that in fact the trade has been fairly effectively suppressed. After weeks of trawling, they could find nothing for sale but two lonely antenna assemblies, one for F-14s and one useable in a range of helicopters including the Chinook. 
In the past, rogue US colonels used to sell missiles and aircraft parts directly to Iran by the ton. Up until last year, the US military's surplus-sales arm was still flogging off F-14 bits to anyone who fancied them - often enough, people acting for the Iranian government. Entire Chinooks have been manufactured in Italy under licence, and sold both from there and the US (along with parts) to at least 20 nations for both military and civilian use. Hercules transports have been just as widely distributed. But now, all the GAO's elite undercover investigators can find is a couple of antennae? Either a) they weren't trying very hard, b) they don't really know what they're talking about, or c) eBay and Craigslist aren't actually terrorist weapons markets in any meaningful sense. Or all of the above. In an equally valid bit of cutting edge "undercover" arms-bazaar investigation, the Reg defence desk has in the past five minutes located sensitive military parts for sale on eBay UK which could easily fall into the hands of a sinister foreign power and be used to boost military capability. Look: a part for a Rolls-Royce Avon jet engine, as used in the Canberra bomber - which was only retired from RAF service in 2006, the very same year as the F-14 stood down in the US Navy. And - my god - the Canberra was supplied to the Venezuelan air force, among others, which is nowadays directed by sinister dictator Hugo Chavez! And the traitor selling it says "overseas bidders welcome"!* Etc, etc. Yawn. The GAO probably ought to stick to looking at cost overruns and the like, rather than this sort of foolish scaremongering. Bootnote *Note for those with irony detectors switched off: The Canberra was a flying antique, introduced in 1950. The Venezuelans did fly it a long time ago, but don't any more; you'd have to be barmy to keep operating Canberras into the 21st century. 
Like the RAF, god bless them, who are prone to keep operating lovely old vintage planes long past the point where they're any use. From rforno at infowarrior.org Mon Apr 14 05:36:47 2008 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 14 Apr 2008 01:36:47 -0400 Subject: [Infowarrior] - The Government Is Trying to Wrap Its Mind Around Yours Message-ID: The Government Is Trying to Wrap Its Mind Around Yours By Nita Farahany Sunday, April 13, 2008; B03 http://www.washingtonpost.com/wp-dyn/content/article/2008/04/11/AR2008041103296_pf.html Imagine a world of streets lined with video cameras that alert authorities to any suspicious activity. A world where police officers can read the minds of potential criminals and arrest them before they commit any crimes. A world in which a suspect who lies under questioning gets nabbed immediately because his brain has given him away. Though that may sound a lot like the plot of the 2002 movie "Minority Report," starring Tom Cruise and based on a Philip K. Dick novel, I'm not talking about science fiction here; it turns out we're not so far away from that world. But does it sound like a very safe place, or a very scary one? It's a question I think we should be asking as the federal government invests millions of dollars in emerging technology aimed at detecting and decoding brain activity. And though government funding focuses on military uses for these new gizmos, they can and do end up in the hands of civilian law enforcement and in commercial applications. As spending continues and neurotechnology advances, that imagined world is no longer the stuff of science fiction or futuristic movies, and we postpone at our peril confronting the ethical and legal dilemmas it poses for a society that values not just personal safety but civil liberty as well. Consider Cernium Corp.'s "Perceptrak" video surveillance and monitoring system, recently installed by Johns Hopkins University, among others. 
This technology grew out of a project funded by the Defense Advanced Research Projects Agency -- the central research and development organization for the Department of Defense -- to develop intelligent video analytics systems. Unlike simple video cameras monitored by security guards, Perceptrak integrates video cameras with an intelligent computer video. It uses algorithms to analyze streaming video and detect suspicious activities, such as people loitering in a secure area, a group converging or someone leaving a package unattended. Since installing Perceptrak, Johns Hopkins has reported a 25 percent reduction in crime. But that's only the beginning. Police may soon be able to monitor suspicious brain activity from a distance as well. New neurotechnology soon may be able to detect a person who is particularly nervous, in possession of guilty knowledge or, in the more distant future, to detect a person thinking, "Only one hour until the bomb explodes." Today, the science of detecting and decoding brain activity is in its infancy. But various government agencies are funding the development of technology to detect brain activity remotely and are hoping to eventually decode what someone is thinking. Scientists, however, wildly disagree about the accuracy of brain imaging technology, what brain activity may mean and especially whether brain activity can be detected from afar. Yet as the experts argue about the scientific limitations of remote brain detection, this chilling science fiction may already be a reality. In 2002, the Electronic Privacy Information Center reported that NASA was developing brain monitoring devices for airports and was seeking to use noninvasive sensors in passenger gates to collect the electronic signals emitted by passengers' brains. Scientists scoffed at the reports, arguing that to do what NASA was proposing required that an electroencephalogram (EEG) be physically attached to the scalp. 
But that same year, scientists at the University of Sussex in England adapted the same technology they had been using to detect heart rates at distances of up to 1 meter, or a little more than three feet, to remotely detect changes in the brain. And while scientific limitations to remote EEG detection still exist, clearly the question is when, not if, these issues will be resolved. Meanwhile, another remote brain-activity detector, which uses light beamed through the skull to measure changes in oxygen levels in the brain, may be on the way. Together with the EEG, it would enhance the power of brain scanning. Today the technology consists of a headband sensor worn by the subject, a control box to capture the data and a computer to analyze it. With the help of government funding, however, that is all becoming increasingly compact and portable, paving the way for more specific remote detection of brain activity. But don't panic: The government can't read our minds -- yet. So far, these tools simply measure changes in the brain; they don't detect thoughts and intentions. Scientists, though, are hard at work trying to decode how those signals relate to mental states such as perception and intention. Different EEG frequencies, for example, have been associated with fear, anger, joy and sorrow and different cognitive states such as a person's level of alertness. So when you're stopped for speeding and terrified because you're carrying illegal drugs in the trunk of your car, EEG technology might enable the police to detect your fear or increased alertness. This is not so far-fetched: Some scientists already are able to tell from brain images in the lab whether a test subject was envisioning a tool such as a hammer or a screwdriver or a dwelling, and to predict whether the subject intended to add or subtract numbers. Just last month, scientists announced a new study aimed at decoding visual imagery in the brain. 
Although brain-based lie-detection technology has been quite controversial and has only been tested on a limited basis, early researchers have claimed high accuracy at detecting deception. But there's a problem: Most brain-based lie-detection tests assume that lying should result in more brain activity than truth-telling because lying involves more cognition. So these lie-detection methods may fail in sociopaths or in individuals who believe in the falsehood they're telling. Whether such technology will be effective outside the laboratory remains to be seen, but the very fact that the government is banking on its future potential raises myriad questions. Imagine, for example, a police officer approaching a suspect based on Perceptrak's "unusual activity" detection. Equipped with remote neural-detection technology, the officer asks her a few questions, and the detection device deems her responses to be deceptive. Will this be enough evidence for an arrest? Can it be used to convict a person of intent to commit a crime? Significant scientific hurdles remain before neurotechnology can be used that way, but given how fast it's developing, I think we must pause now to ask how it may affect the fundamental precepts of our criminal justice system. Americans have been willing to tolerate significant new security measures and greater encroachments on civil liberties after the terrorist attacks of Sept. 11, 2001. Could reports of significant crime reduction such as that seen by Johns Hopkins, or incidents such as the student shootings last year at Virginia Tech or more recently at Northern Illinois University, be enough to justify the use of pre-crime technology? Could remote neural monitoring together with intelligent video analytics have prevented those tragedies? And if they could, should they be allowed to? These are just some of the questions we must ask as we balance scientific advances and the promise of enhanced safety against a loss of liberty. 
And we must do it now, while our voices still matter. In a world where private thoughts are no longer private, what will our protections be? nita.farahany at vanderbilt.edu Nita Farahany, an assistant professor of law and philosophy at Vanderbilt University, is the editor of the forthcoming "Genes and Justice: The Impact of Behavioral Genetics and Neuroscience on Criminal Law." From rforno at infowarrior.org Mon Apr 14 13:04:28 2008 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 14 Apr 2008 09:04:28 -0400 Subject: [Infowarrior] - Update on Internet Cable Cut incident Message-ID: UAE releases one of the ships impounded for cable damage 12 Apr, 2008, 1740 hrs IST, PTI http://economictimes.indiatimes.com/Infotech/Internet_/UAE_releases_one_of_the_ships_impounded_for_cable_damage/articleshow/2947325.cms DUBAI: The UAE authorities have released one of the two ships allegedly responsible for causing damage to an undersea cable network of Flag Telecom that had resulted in disruption of Internet services across India for two weeks. The ship was released after a Korean shipping company, which owns it, paid huge compensation to Flag Telecom, a subsidiary of Reliance Globalcom, as damage, a newspaper reported on Saturday. The two ships -- MV Hounslow and MT Ann -- were impounded on February 19 when they reached Dubai shores for allegedly damaging the cable network in February. The action was taken after Reliance Globalcom provided details of the ships by studying the satellite images of the ship movements around the area of undersea cable damage off the northern coast of Egypt and the UAE. Abdul Jaleel Mahdi, Deputy Director of CID of Dubai Police, told the daily that one of the impounded ships, belonging to a Korean shipping company, was released after payment of huge compensation to Flag Telecom. 
During police interrogation, an official of the Korean ship admitted that the vessel was passing through the area and agreed to pay USD 60,000 as damages, the report said. The second ship, which belongs to an Iraqi company, is still in the custody of Dubai Police and the Coast Guards, a police source was quoted as saying by the daily. The two sailors who were on board the vessel were arrested and would be referred to the Dubai Public Prosecution next week, it said. From rforno at infowarrior.org Mon Apr 14 13:05:50 2008 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 14 Apr 2008 09:05:50 -0400 Subject: [Infowarrior] - Liberate the B-24 Liberator! Message-ID: http://www.eff.org/deeplinks/2008/04/liberate-b-24-liberator April 9th, 2008 Liberate the B-24 Liberator! Posted by Corynne McSherry Who owns the B-24, the bomber that helped win World War II? U.S. taxpayers paid for it, Consolidated Aircraft built it, U.S. military pilots flew it, but Lockheed Martin says it owns the bomber -- or at least it owns the name. Some readers may already be familiar with the case of John MacNeill, the respected graphic artist and illustrator who had several digital images of classic military aircraft removed from TurboSquid, a stock images site, after Lockheed Martin claimed the images infringed its trademarks. The central mark at issue? The term "B-24," which Lockheed managed to register as a mark for use in connection with scale models of airplanes. That's right, Lockheed Martin claims the right to control use of the term "B-24" in connection with models of, um, B-24s. It is perplexing that this mark was granted in the first place, given that the term "B-24" is nothing more than a U.S. military model number used to describe the plane itself (descriptiveness is a traditional basis for rejection; that's why you can't register a trademark on the use of the term "cyberlaw" in connection with the practice of technology law). 
MacNeill's situation is a perfect example of why we need that rule. If Lockheed had its way, no one could create 3-D images (or anything else that could be construed as a "model") of famous military aircraft -- from the B-24 to the F-117 Nighthawk, also known as the Stealth fighter. But Lockheed should not have its way, because MacNeill's images are protected by the nominative fair use doctrine. Nominative fair use means, in a nutshell, that it is OK to use a mark to accurately identify a product if using the trademark is necessary to identify the products, services, or company you're talking about, and you don't use the mark to suggest the company endorses you. Unfortunately, the practicalities of the Internet make it all too easy for trademark owners like Lockheed to ignore fair use and shut down legitimate content. That is because online communication and commerce often depends on intermediaries like TurboSquid, who may not have the resources or the inclination to investigate trademark infringement claims. And, unlike the copyright context, there's usually no counter-notice procedure. If targets of overreaching trademark claims can't find counsel, they may have little or no recourse against a determined trademark owner. Trademark owners -- and the service providers they try to intimidate -- need to learn that a trademark registration doesn't give you a right to control everyday use of regular descriptive terms. Hoping to provide a little of that necessary education, we've sent an open letter to Lockheed's licensing agency, demanding that they withdraw their improper objections so that Mr. MacNeill can go about his perfectly legitimate business. 
From rforno at infowarrior.org Mon Apr 14 13:17:28 2008 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 14 Apr 2008 09:17:28 -0400 Subject: [Infowarrior] - RFI: Magicjack Message-ID: Had a few readers email me questions about a VOIP USB-based dongle called 'MagicJack' that apparently is the subject of a cable-network advertising blitz. Anyone using this device and care to comment? In other news, I wonder if George Lucas finally 'sold out' to cable TV -- traditionally, those rare times when his Star Wars movies ran on TV they did so with limited, if no, commercial interruptions and was one of the few times you didn't have a program/movie's visuals affected by the channel bug or pop-ups. Yet this weekend I noticed Spike-TV is running all the Star Wars movies these days (and plans to do so frequently in the coming months) both with commercials and channel bugs. Lucas is richer than Avarice already, so I wonder what influenced him to change how his movies are run on TV? (Yes, I have 'em on DVD......) -rick From rforno at infowarrior.org Mon Apr 14 13:22:35 2008 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 14 Apr 2008 09:22:35 -0400 Subject: [Infowarrior] - The Happy Dumbing Of America Message-ID: Speaking of the dumbing-down of America........an oldie but goodie. :( (c/o longtime reader AP) The Happy Dumbing Of America By LENORE SKENAZY January 22, 2007 http://www2.nysun.com/article/47126?page_no=1 Maybe we've been pointing to the wrong culprits when we attempt to assign blame for the dumbing down of America. (What is it this week: too much testing in the schools? Working mothers? Fox TV? It's hard to keep track.) It is quite possible that people are growing dumber than dog biscuits for the simple reason that they are being treated this way by the world in which they shop. Here's the sign on a hanger at K-Mart: "Standard, full-size hanger holds everything from wash and wear to outwear!" 
Yes, that complex and daunting device dangling there in home furnishings can be used with every confidence to hang your clothes, and not just certain, very specific clothes: wash and wear AND outerwear, which usually demand such very different hardware. Hurrah. Of course, it's not just hangers out there hitting you over the head. It's food: "Croissant swirls: ideal for snacking!" (They are? Could that be why they're sold in the grocery store?) And clothing: "Choose your favorites!" suggests the sign at Children's Place. (Gee, may I?) Even once-reticent office supplies have taken to yammering. This ballpoint pen, says a Pentel package, is "for notes and general writing." RoseArt assures buyers that its erasers are fully ready to "erase and erase and erase." Paper Mate boasts of a pencil: "Ideal for school work and general writing." It's less than ideal for broiling with lime and garlic, I'm guessing. Not to be used as a giant toothpick? Cannot, in a pinch, serve as a very narrow snowshoe? "I'm looking at a package of Crayola crayons right now," the author of "Punk Marketing," Richard Laermer, a student of the advertising absurd, said. "It says, 'Good for children.'" When it's reached the point that the folks at Crayola see fit to tell you that the quintessential childhood item is the quintessential childhood item, something's wrong. The problem can be partly traced back to that most American of fears: litigation. This has, admittedly, led to some great moments in labeling. Not just the old, "Contents may be hot because it's a CUP OF COFFEE," but also more baroque missives, such as the one I found on the box of a little electric heater. Among its 17 instructions (including, first and foremost, "Read all instructions") was the advice: "To disconnect, turn to 'off,' then grip plug and pull from wall outlet." That way, when you happen to assume the best way to disconnect the heater is actually to turn it to "high," submerge it in the tub, and lower your naked body, and your cat, in after it, you cannot blame the company for any discomfort you (or your pet) may feel. Fear of lawsuits alone cannot explain the painfully obvious explanations on painfully obvious objects, however. When a duster says, "For removing dust," and I just saw one that does, it's not because the company is worried someone may use it in lieu of a tibia transplant. It's because we really are becoming a nation of idiots and dummies. Just like the book titles tell us. Americans have not only come to expect absolutely everything to be spelled out for them; they appreciate it, a consultant with the marketing firm Group 1066, Todd Merriman, says. "It may make a difference in their purchase," he said when I asked him why the maker of a rain poncho felt compelled to note on its hang tag, "Made of waterproof vinyl." Added Mr. Merriman: "You've taken away some of the guesswork for your customer." So, next time you go to the store and you see the umbrella that, according to its manufacturer, "Opens full size"; or you find a set of Dixie cups that promise to be usable "for all occasions" and not just, say, wakes, or you learn from the package of Halls cough drops that you are supposed to "dissolve one drop slowly in the mouth" and not use them as suppositories, be grateful for one thing: You have a standard, full-size hanger waiting for you at home. With a little practice and maybe a glance at the manual, you can probably figure out how to hang up your coat and then enjoy what's left of your evening. And brain.
From rforno at infowarrior.org Mon Apr 14 14:33:34 2008 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 14 Apr 2008 10:33:34 -0400 Subject: [Infowarrior] - Computer Network Exploitation Course Message-ID:

(Yes, here's a rare piece of commercial self-promotion........-rick)

Computer Network Exploitation Course https://www.myaoc.org/EWEB/dynamicpage.aspx?webcode=05_06_08_Comp Alexandria, VA Dates: May 6-9, 2008 Classification: Unclassified Instructors: Richard Forno and Rob Floodeen Location: AOC Headquarters, Alexandria, VA Registration Fee: Members $1,650; Non-Members $1,735

Course Description Today, Electronic Warfare via CNE can operate in the dimension of Cyberspace, conducting many of the traditional EP, ES, and EA functions associated with Electronic Warfare, and at the same time reduce the risk to human life and equipment and conduct operations at greater speeds. The goal of this course is to introduce topics and theory that can be built upon for actual implementation of CNE in support of an EW role for Information Operations (IO). Attendees will learn what IO and specifically CNE is, and examples of it at work. They will spend time with exercises and role play activities geared towards team management of CNE technicians. They will be exposed to EW concepts and overlapping points of interest with CNE. The attendees will also learn best practices for management of CNE teams, building an operations center, and creating an operations methodology. The instructor will also lead the class through a development exercise where they develop a web front end with database backend to fully examine concepts behind storing and managing assets, and setting up formal and informal information exchanges by using covert and encrypted tunnels.
Who Should Attend Government and contract EW, analysts, operators, project managers, and executives who work in any way with IO, CNO, or supporting elements, or those persons recently or about to be thrust into a supporting position.

Course Outline

Day 1: Intro to CNE
- Introduction to Information Operations
- Introduction to Computer Network Exploitation
  o Collect, Monitor, Falsify, Deconfliction
  o Virtual versus Physical capabilities
  o Introduction to LANs, WANs, and System Networking
  o Battlespace
    - Preparing
    - Shaping
    - Executing
- Common Tools used to conduct CNE
  o Covert C2 Mechanisms and Examples
    - Ingress
    - Exfiltration
    - Manipulation
  o Social engineering versus virtual or electronic data exploitation
- Exercises in Deploying the tool set

Day 2: Electronic Warfare correlation with Network Exploitation
- Mapping EW to CNE
- Exercise in determining when to Monitor versus jam
- Enabling EW with Computer Network Exploitation techniques
- Lab working with wireless communications
- Identifying Targets and Target Acquisition
  o Applying high-cost/value assets versus low-cost high-speed electrons

Day 3: Management of Network Exploitation Operations
- How does the Internet really work?
- Formalizing Operations Methodology
- Building an Operation Center
  o Internal Resource Prioritization
  o Developing the team
  o Developing the tools
- Data management - operations, reuse, and recovery
- Exercise: Instructor-led development of a database for collections management
- Implement Operations

Course Materials Course materials include the text developed by instructors at the JC2IW School of the U.S.
Joint Forces Staff College and IO experts from several countries (IO: Warfare and the Hard Reality of Soft Power - ISBN 1574886991), hardcopy of course slides and soft pdfs, and over xxx pages of handouts (list of products used during the course, DataBase and Front-end designed during the course to capture, store, and process received information, CNE Planning and Management checklists, and more).

From rforno at infowarrior.org Tue Apr 15 03:41:46 2008 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 14 Apr 2008 23:41:46 -0400 Subject: [Infowarrior] - Bush's Cyber Secrets Dilemma Message-ID:

Security Bush's Cyber Secrets Dilemma Andy Greenberg, 04.10.08, 7:40 PM ET SAN FRANCISCO, CALIF. - http://www.forbes.com/2008/04/10/cyber-security-initiative-cx_tech_security_cx_ag_0410cyber_print.html

There's a problem facing the Bush administration: It has $30 billion to spend over the next five to seven years to keep the U.S. safe from hackers and cyberspies. But to extend that protection to the nation's critical infrastructure--including banks, telecommunications and transportation--it needs the cooperation of the private sector. And among corporate executives, even those who want to help are wary: How can the business world participate in the government's cyber initiative, they ask, if the government remains intensely secretive? "There's very little transparency as to the government's plans," says Bruce McConnell, a former information technology policy director for the White House's Office of Management and Budget who now works as a private consultant. "To protect critical infrastructure, we need to create trustworthy mechanisms for sharing information. That can't happen when one side's position is secret." That call for transparency was a common refrain this past week at the security industry's biggest gathering, the annual RSA conference held in San Francisco.
The government has plenty of money tagged to the Bush administration's classified Presidential Directive 54, the plan for shoring up the cyber defenses of the U.S. government. But any extension to key parts of the private sector, according to former officials and security professionals, could be hamstrung by the government's own secrecy. The need for private sector partnership was a new wrinkle in Department of Homeland Security (DHS) Secretary Michael Chertoff's speech on the cyber initiative at the conference--one of the first public discussions of the classified program. Chertoff asked the audience to imagine a situation in which hackers took control of the nation's air traffic control system, comparing the threat to the Sept. 11th attacks. "So many of our national assets are in the hands of the private business," he said. "We can't be serious about national security or national cyber security without engaging with the private sector, and not just those in IT, but power plants, financial systems and transportation." But given that much of the cyber initiative remains classified--including key details like the anatomy of the government's new network monitoring technology and the degree to which it will be deployed on private sector networks--building trust with the private sector will be difficult, McConnell argues. The problem, he says, is the little-discussed role of the National Security Agency in the project, in partnership with the DHS and the Office of the Director of National Intelligence. "The intelligence community, which is leading this effort, has a tradition of overclassifying information," McConnell says. "So it's not surprising that there's an inappropriate level of classification in an area which deserves broad public debate." The Bush administration's cyber initiative, signed by the president in early January, aims to increase surveillance of government networks, which have suffered multiple major intrusions in recent years.
But the vulnerability of critical infrastructure systems, mostly owned by the private sector, has slowly emerged as a real threat to national security. Over the past two years, cybercriminals extorted hundreds of millions of dollars from critical infrastructure companies, according to Alan Paller, director of the SANS Institute, an organization that hosts a crisis center for hacked companies. (See: America's Hackable Backbone). In January, a CIA official told a conference of cybersecurity professionals that power outages affecting multiple non-U.S. cities had been the work of hackers. (See: Hackers Cut Cities' Power). Marcus Sachs, the executive director of national security policy at Verizon, was hopeful that Chertoff's appeal to the private sector at RSA might mean more information sharing with those critical infrastructure systems. But so far, he says, details on the cyber initiative have been held closely within the government. "They're acting like they have a family problem that they can't tell the neighbors about," he says. "We feel like we're absolutely ready to help out, but the family in distress doesn't want our help." Last May, the DHS released a National Infrastructure Protection Plan (NIPP) designed to create channels for security collaboration between the government and business. Those channels, says Sachs, aren't being used. In March, Forbes.com obtained a document revealing a piece of the cyber initiative known as Project 12, which former officials say is designed to create channels for sharing classified information between government and critical infrastructure. But Project 12 is only a small piece, says Sachs. (See: Show Me Your Cyberspies, I'll Show You Mine). "At the very least, there are eleven other projects, and we don't know anything about those," Sachs says. "I think we'd all like to learn a little more."
Laura Sweeney, a DHS spokesperson, countered that it's still too early to judge how the cyber initiative deals with the private sector--the project is still focused on securing government networks, she argued. But she pointed to NIPP as evidence that the government can successfully work with private industry, even when trading in classified data. "For now we're focused on getting our own house in order," she said. "But we've realized that the private sector will be an incredibly important partner moving forward." But the disconnect between the private sector and government is a familiar problem, says Howard Schmidt, a former Air Force and DHS official who has also held jobs at eBay and Microsoft. "When I was working with a corporation, I would hear from the government about a new attack pattern, and because it was classified, I wouldn't be able to share it with my IT people," he says. "It's a very real problem." Despite Chertoff's comments about private sector partnership and Project 12's initial attempt to open communication, that old problem of overclassification still afflicts the cyber initiative, says Schmidt. "When I think about what I would do to secure government networks--things like intrusion protection, strong authentication, event correlation and data analysis--none of it would be classified," he says. "This decision about what to classify is a very big deal, and it's something that the government has got to fix." 
From rforno at infowarrior.org Tue Apr 15 03:45:45 2008 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 14 Apr 2008 23:45:45 -0400 Subject: [Infowarrior] - E-Passport Hacker Designs RFID Security Tool Message-ID:

E-Passport Hacker Designs RFID Security Tool By Kim Zetter, April 14, 2008 | 1:13:55 PM Categories: Hacks and Cracks http://blog.wired.com/27bstroke6/2008/04/e-passport-hack.html

The team that produced the RFDump research/hacker tool for cloning and altering data stored on radio-frequency ID tags has now come out with a product to thwart RFID hackers. German security researcher Lukas Grunwald, who made headlines two years ago for uncovering security vulnerabilities in new electronic passports being adopted by the U.S. and other countries, created RFDump with colleague Boris Wolf in 2004. Now the two have created RF-Wall (shown on the lower shelf in the picture at right) to help thwart RFID fraud and attacks against e-passports, electronic access cards and payment cards -- such as the Mifare Classic card that is used in the London Underground and which security researchers recently cracked. The device, which Grunwald and Wolf are producing for their new California-based company NeoCatena, is a hybrid firewall and intrusion-detection system that sits between an RFID reader and its back-end system. It's designed to detect counterfeit and cloned RFID chips and prevent an attacker from injecting malware into a back-end system with a rogue RFID chip. They'll be debuting the device this week at the RFID Journal Live conference in Las Vegas but gave me a demonstration of it this weekend. The box can be loaded with virus signatures to detect known types of attacks and uses heuristics to detect other malicious activity, such as generic SQL-injection attacks (such as the one that appears in the screenshot above right).
The device can be restricted to read only RFID cards that have specific serial numbers and reject all others. It also can be used to digitally sign chips so that any chips that are altered after being issued are rejected by the RFID reader. The system uses the HMAC algorithm for the digital signature. Grunwald and Wolf hold a patent on the use of HMAC with RFID technology. Last year Grunwald revealed that he'd been able to sabotage the e-passport readers of two unnamed manufacturers by embedding a buffer overrun exploit in the JPEG2000 file of a cloned passport chip. The JPEG file contains a digital photo of the passport holder. Recently other researchers cracked the encryption used in Mifare Classic chips that are used in door access systems around the world as well as in the London Underground's Oyster card. It's long been known that RFID readers and chips are insecure, but trying to fix systems that have already been widely deployed has its challenges, particularly since there are a number of different types of chips and readers on the market, which work at different frequencies. "A lot of people are thinking about on-tag security -- putting cryptography on the tag," Wolf says. "But those tags are limited in their computational power or even if you can get that worked out the more encryption technology you have on the tag, the more expensive it is. We're saying you don't have to worry about what's happening with your tag if you can verify whether there's data integrity or not." Grunwald says they've shown the tool to a large pharmaceutical company based in Switzerland that is interested in using it to authenticate drugs and equipment -- such as dialysis machines -- from counterfeit products. He says an Asian country is also interested in using RF-Wall with its electronic passport system. During a demonstration for me, Grunwald and Wolf used RFDump to alter the value on a digitally signed transportation card from $10 to $99. 
On a first pass without RF-Wall in place, the RFID reader accepted the card. After they connected the device, however, the system rejected the tag. The system also rejected a tag that was embedded with SQL injection code. The screenshot at right shows the backend of an RFID inventory system after malware on a rogue chip has crashed it. They currently only have a prototype, but the system, when produced, is expected to market at $25,000 to $60,000. Paul Roberts, a security analyst with the 451 Group, says the approach Grunwald and Wolf are using -- to have a device sitting inline between the reader and the backend, rather than try to secure the reader and chips themselves -- is smart. He also sees value in watermarking RFID for products. But he wonders if companies would invest in a device like this to prevent intruders from gaining unauthorized access to buildings that use RFID cards or to prevent malicious attacks against back-end systems. "The bottom line is cost," he says. "Unless you open the newspaper to find your company or your competitor on the pages -- like Hannaford -- companies aren't likely to put out the cost for a solution like this." Roberts notes that even companies with sensitive security facilities, such as ones that deal with critical infrastructures, have been reluctant to upgrade RFID access systems to more secure ones due to cost.

From rforno at infowarrior.org Tue Apr 15 03:54:12 2008 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 14 Apr 2008 23:54:12 -0400 Subject: [Infowarrior] - More on RFI: MagicJack Message-ID:

MagicJack's EULA says it will spy on you and force you into arbitration Posted by Rob Beschizza, April 14, 2008 8:09 AM | permalink http://gadgets.boingboing.net/2008/04/14/magicjacks-eula-says.html

MagicJack, a cheapie $20-a-year internet phone service, comes with a shriveled and shaking devil EULA.

"You also understand and agree that use of the magicJack device and Software will include advertisements and that these advertisements are necessary for the magicJack device to work ... Our computers may analyze the phone numbers you call in order to improve the relevance of the ads" ... Any claims, legal proceeding or litigation arising in connection with the magicJack device or Software will be resolved by binding arbitration ... in Palm Beach, Florida."

Oh God, not Palm Beach! In short, it not only has one agree to ads with its paid-for system, but claims that the ads are necessary for it to work. It will also snoop on your calls to target ads more accurately, and has you sign away your legal right to take it to court if it defrauds or otherwise harms you. Delightful. Neither the EULA itself, nor any other privacy or legal information, can be easily found at its homepage. It's not even provided at the point of sale, where one enters credit card info, email and street addresses and such, so as to gain access to the service and have your MagicJack dongle delivered. I found the EULA's URL through Google. It gets sexier. When you access MagicJack's instant web help page, a bizarre series of "compatibility tests" take place first, reporting lies like "Your MagicJack is functioning properly" even if you don't have one installed. Even the "look how many people came for a free trial" counter on the homepage is a fake, a javascript applet that increments itself automatically:

    // the interval (ms) between new visitors
    var interval = Math.round(86400000/perday);

As if targeted advertising, systematic privacy invasion and the signing away of your legal rights wasn't evil enough!
From rforno at infowarrior.org Tue Apr 15 16:04:00 2008 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 15 Apr 2008 12:04:00 -0400 Subject: [Infowarrior] - Wal-Mart starts strictly tracking/taping gun sales Message-ID:

Wal-Mart starts strictly tracking gun sales Posted Apr 15th 2008 11:30AM by Brian White Filed under: Products and services, Wal-Mart (WMT) http://www.bloggingstocks.com/2008/04/15/wal-mart-starts-strictly-tracking-gun-sales/

Wal-Mart Stores, Inc. (NYSE: WMT) will soon be employing a new method to track gun sales in its stores. As part of a new measure in concert with the "Mayors Against Illegal Guns" group, Wal-Mart's chief compliance officer J.P. Suarez went to D.C. with New York City Mayor Michael Bloomberg to explain details on a new "10-point code" that will apparently thwart weapons from Wal-Mart from falling into criminal hands. Wal-Mart will soon be video recording gun sales in its stores and then archiving the footage as part of being included in the "Responsible Firearms Retailer Partnership." In addition, the world's largest retailer will create a computer system to notify the company if a gun purchased in one of its stores is indeed used in a crime. If workers think they can get at guns from the inside, Wal-Mart will now perform screening and background checks on employees that will be handling and selling firearms in its stores. The National Rifle Association said that these moves wouldn't do a thing to reduce crime, calling out Bloomberg from his "bully pulpit". Will videotaping gun purchases lead to any less crimes being committed, or is this a PR move by the retailer? Hard to say, but Wal-Mart did indicate that it hopes "other retailers will join us in adopting the code."
From rforno at infowarrior.org Tue Apr 15 16:22:10 2008 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 15 Apr 2008 12:22:10 -0400 Subject: [Infowarrior] - Lawmakers Want FBI Access to Data Curbed Message-ID:

Lawmakers Want FBI Access to Data Curbed By Carrie Johnson Washington Post Staff Writer Tuesday, April 15, 2008; A04 http://www.washingtonpost.com/wp-dyn/content/article/2008/04/14/AR2008041402664_pf.html

Bipartisan groups in Congress are pressing to place new controls on the FBI's ability to demand troves of sensitive personal information from telephone providers and credit card companies, over the opposition of agency officials who say they deserve more time to clean up past abuses. Proposals to rein in the use of secret "national security letters" will be discussed over the next week at hearings in both chambers. The hearings stem from disclosures that the FBI had clandestinely gathered telephone, e-mail and financial records "sought for" or "relevant to" terrorism or intelligence activities without following appropriate procedures. The Justice Department's inspector general issued reports in 2007 and earlier this year citing repeated breaches. They included shoddy FBI paperwork, improper claims about nonexistent emergencies and an insufficient link between the data requests and ongoing national security probes. "It is clear that the NSL authority is too overbroad and operates unchecked," said Rep. Jerrold Nadler (D-N.Y.), a co-sponsor of the House bill. "We must give our law enforcement the tools they need to protect us, but any such powers must be consistent with the rule of law." The House bill, sponsored by Nadler, Rep. Bill Delahunt (D-Mass.), Rep. Jeff Flake (R-Ariz.) and Rep. Ron Paul (R-Tex.), would tighten the language governing when national security letters could be used, by requiring that they clearly pertain to investigations of a foreign power or an agent instead of just being considered "relevant" to such investigations.
The House bill would also force the FBI to destroy information that had been illegally obtained -- something that existing rules do not require -- and it would allow the recipient of a letter to file a civil lawsuit if the missive is found to be illegal or without sufficient factual justification. A Senate bill, sponsored by Russell Feingold (D-Wis.), Richard J. Durbin (D-Ill.), Lisa Murkowski (R-Alaska) and John E. Sununu (R-N.H.), would require the FBI to track its use of the letters more carefully and would narrow the types of records that can be obtained with a letter, and therefore without judicial approval, to those that are least sensitive. Three supporters of the legislation are slated to appear at Nadler's hearing this afternoon: David Kris, an expert in national security law who worked in the Clinton and Bush administrations; Bruce Fein, a Justice Department official in the Reagan era; and Jameel Jaffer, director of the national security project at the American Civil Liberties Union. "It's a bipartisan issue," Fein said in an interview. "It's not trusting the goodwill or the angelic disposition of the government to preserve our rights. . . . We ought to learn from our experience since 9/11 and restore checks and balances. Congress can't just rely on the FBI to fix the problem." Officials at the Justice Department's National Security Division and the FBI have acknowledged problems with the past use of national security letters. But they say they have stepped up training programs, instituted internal reviews, and developed new databases to improve the accuracy of internal tracking and accounting. Valerie E. Caproni, the FBI's top lawyer, is expected to testify today that the bureau needs more time to overhaul its internal systems, according to a government source familiar with her position who was not authorized to speak in advance of the hearing.
"We are committed to using [the letters] in ways that maximize their national security value while providing the highest level of privacy and protection," FBI Assistant Director John Miller said.

From rforno at infowarrior.org Tue Apr 15 16:25:32 2008 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 15 Apr 2008 12:25:32 -0400 Subject: [Infowarrior] - Russia Requires Wi-Fi Registration Message-ID:

Russia Requires Wi-Fi Registration By Glenn Fleishman

Russian regulator requires registration: The folks at the Rossvyazokhrankultura (Russian Mass Media, Communications and Cultural Protection Service) have decided that every device with Wi-Fi inside requires registration for use by an individual user without a transferrable license, according to The Other Russia, which picked the story up from Russian-language site Fontanka.ru. While Wi-Fi wasn't as broadly unlicensed in Russia as it is in most other industrialized nations, a state regulator exempted indoor use in certain bands from registration. The Mass Media agency apparently believes that it has the authority to compel this, although there's some doubt by observers as to whether it really falls in their purview. Setting up a home Wi-Fi network or a hotspot would require what sounds like vast amounts of paperwork, akin to putting up a cell tower.
Posted by Glennf at April 14, 2008 8:04 PM Categories: Hot Spot, International, Regulation

From rforno at infowarrior.org Tue Apr 15 17:09:09 2008 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 15 Apr 2008 13:09:09 -0400 Subject: [Infowarrior] - GAO sells legislative history archive to Thomson Message-ID:

General Accounting Office has sold exclusive access to legislative history down the river to Thomson West http://www.boingboing.net/2008/04/14/general-accounting-o.html

Readers may remember a previous Boing Boing post Did the US gov't sell exclusive access to its legislative history to Thomson West? Well, the answer is now a definitive yes, that data has been sold down the river and is out to sea. Public.Resource.Org sent in a FOIA request to GAO on this topic seeking access to the scanned data. Today's letter answering our FOIA request spells out the bad news. Turns out the GAO doesn't even get the data, they simply are given an account on Thomson's service. The rest of the government doesn't get access to this data, and the public is invited to stop by the GAO headquarters and pay 20 cents per page to copy paper. This is one of those deals where the public domain got sold off ... GAO gets a bit of convenience by having their stuff scanned for them, but they gave up way more than they got in the deal, and the public (including government workers and public interest groups who need to consult this data) lost big-time. Link to the Scribd group with the full paper trail on this issue, Link to today's letter (Thanks, Carl!)
From rforno at infowarrior.org Tue Apr 15 18:21:41 2008 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 15 Apr 2008 14:21:41 -0400 Subject: [Infowarrior] - Richard Clarke on the Next Cyber Pearl Harbor Message-ID:

Seven Questions: Richard Clarke on the Next Cyber Pearl Harbor http://www.foreignpolicy.com/story/cms.php?story_id=4241 Posted April 2008

Former U.S. counterterrorism chief Richard A. Clarke reveals his fears about the "massive espionage" being conducted against the Pentagon by Chinese hackers. Cyberwarrior: The real cyberthreat, Richard A. Clarke warns, is that "all of our information is being stolen."

Foreign Policy: Last year, a Pentagon computer network serving Defense Secretary Robert M. Gates was hacked into, allegedly by the Chinese military. Do you think the Chinese military was behind the attacks, and if so, what was it trying to accomplish with these attacks?

Richard A. Clarke: I think the Chinese government has been behind many, many attacks, penetrations. "Attacks" sounds like they're destroying something. They're penetrations; they're unauthorized penetrations. And what they are trying to do is espionage. They're engaged in massive espionage, not only in the U.S. government, in the U.S. private sector as well, but also around the world. The British security service, MI5, sent a note to the 300 largest corporations in England a few months ago, telling them that the Chinese government had probably penetrated their networks.

FP: How vulnerable do you think the U.S. government is to a cyberattack or cyberpenetration? How seriously should this threat be taken?

RC: Well, I think it's being taken very seriously. President Bush signed a National Security Presidential Directive on the 8th of January redirecting billions of dollars into protection against it. I think it should be taken very seriously. The United States government and private corporations are quite vulnerable even though they think they're not.
FP: What's the worst-case scenario from a cyberpenetration of the U.S. government's computer network? Are we talking about things like remotely attacking nuclear power plants and things on that scale?

RC: Well, people tend to think about, sort of, attacks that change things: turn off power grids, or whatever. And while that's possible, what is happening every day is quite devastating, even though it doesn't have a kinetic impact and there are no body bags. What's happening every day is that all of our information is being stolen. So, we pay billions of dollars for research and development, both in the government and the private sector, for engineering, for pharmaceuticals, for bioengineering, genetic stuff, all sorts of proprietary, valuable information that is the result of spending a lot of money on R&D, and all that information gets stolen for one one-thousandth of the cost that it took to develop it.

FP: Both China and Russia have received attention as cyberthreats. Which country do you think is more of a threat, and are there other countries, or nonstate actors, to be worried about also?

RC: I think nonstate actors could develop capabilities rivaling that of nation-states because this is the classic case of asymmetrical warfare where small numbers of highly skilled people could have the same effect as could a nation-state.

FP: What do you expect the capabilities of the new Air Force Cyber Command to be?

RC: I think they're probably both offensive and defensive. But on the defensive side, all they can do is defend the Air Force or perhaps other DOD [U.S. Department of Defense], or maybe even other federal government, entities. And the problem is that much of what we need to protect is not in the U.S. government; it's in our private companies and our private networks. There should be a White House senior person who has oversight of all government programs in the area of cyberdefense.
There hasn't really been someone since I left, and I think they need to re-create that position.

FP: You mentioned both the defensive and offensive capabilities of the Air Force Cyber Command. What kind of offensive cybercapabilities should the United States ideally have?

RC: Highly classified ones.

FP: You mentioned earlier in discussing the Air Force Cyber Command that it's not just cyberpenetrations of government computers that we should be concerned about, but also private industry. So, are you concerned about cyberpenetrations by foreign governments against U.S.-based defense contractors?

RC: Well, yeah. I'm also concerned about penetrations of U.S. research-and-development firms, everything from pharmaceuticals to genetics to aerospace engineering, all the things we have to sell in our knowledge-based economy. We are a post-industrial, knowledge-based society. That's what we sell to the world. If other people can steal it readily, then we won't have much of a margin. There's been a lot of talk about a cyber Pearl Harbor. People say that I coined the phrase, and I'm afraid I actually didn't. But, if we wait for that, just as we waited for 9/11 to do something about al Qaeda, if we wait for a cyber Pearl Harbor to do something about cyber[security], it may never come. But we will, nonetheless, be losing huge amounts of valuable information to our competitors and to cybercriminals who cost our society billions of dollars a year. Just because we haven't had the big attack doesn't mean that we should wait to act.

Richard Clarke is chairman of Good Harbor Consulting. He was formerly the principal counterterrorism advisor on the U.S. National Security Council under presidents Bill Clinton and George W. Bush.

From rforno at infowarrior.org Tue Apr 15 23:46:52 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 15 Apr 2008 19:46:52 -0400
Subject: [Infowarrior] - Vmyths skewers USAF CyberCommand PR image
Message-ID:

What's wrong with this picture?
You call this "information assurance"? I can't wait to see "information superiority"
http://securitycritics.org/column/1/1/2008/2/3/

....security critic Rob Rosenberger dissects "the" popular USAF Cyber Command photo.....dunno how I missed it when he first posted this piece! I'm reminded of my 1999 article regarding horrible OPSEC displayed by some DoD IT folks entitled "OPSEC in Danger: The Need For Common Sense" located at http://infowarrior.org/articles/opsec.pdf. I guess the more things change the more they stay the same......the one constant is PEOPLE. :(

-rick

From rforno at infowarrior.org Tue Apr 15 23:47:54 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 15 Apr 2008 19:47:54 -0400
Subject: [Infowarrior] - USN loves blogs!
Message-ID:

Navy Hearts Blogs
By David Axe
April 15, 2008 | 12:00:00 PM | Categories: Info War
http://blog.wired.com/defense/2008/04/navy-hearts-blo.html

It's no accident that of all the military services, the Navy's got one of the best unofficial blogs: The Destroyermen, edited by an officer aboard the USS Russell (which was a back-up ship in the notorious satellite shoot two months ago). In stark contrast to the Air Force's cyberspace clamp-down and the Coast Guard's shady 'net dealings, Navy policy explicitly encourages blogging. A DR reader sends us this regulation:

From SECNAVINST 5720.47B: (pdf!)

a. DON commands may not operate unmoderated news groups, bulletin boards, or any other unrestricted access posting services. This specifically prohibits a publicly accessible, interactive site that supports automatic posting of information submitted by personnel other than those authorized by the command to post information. Some Web logs (blogs) may fall into this category. This does not, however, prohibit the command from posting frequent messages from the commanding officer or messages from the command's constituents. There is also no prohibition on blogs operated by individual members as private citizens.
The DON recognizes the value of this communication channel in posting current information and supporting the morale of personnel, their family and friends. As long as personnel adhere to specific restrictions on content, the DON encourages the use of blogs and recognizes this free flow of information contributes to legitimate transparency of the DON to the American public whom we serve.

From rforno at infowarrior.org Tue Apr 15 23:50:20 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 15 Apr 2008 19:50:20 -0400
Subject: [Infowarrior] - DNS lords expose netizens to 'poisoning'
Message-ID:

DNS lords expose netizens to 'poisoning'
'A dumbfounding mystery'
By Dan Goodin in San Francisco
Published Tuesday 15th April 2008 19:50 GMT
http://www.theregister.co.uk/2008/04/15/dns_cache_poisoning/

More than a decade after serious holes were discovered in the internet's address lookup system, end users remain vulnerable to so-called domain name system cache poisoning, a security researcher has warned. Developers of the software that handles DNS lookups have scrambled to patch buggy code that could allow the attacks, but not to the satisfaction of Amit Klein, CTO of security firm Trusteer, who over the past year has uncovered serious new vulnerabilities in multiple DNS products.

Last July, he exposed flaws in Berkeley Internet Name Domain (BIND), the most widely used DNS server. The flaws allowed attackers to predict the pseudo-random transaction number that the software uses when providing the numeric IP address of a requested web page. That, in turn, could allow the attacker to supply a fraudulent address that leads to a malicious destination.

"I'm not too comfortable with the quality of the solution from the security and predictability standpoint," Klein said during a session at last week's RSA security conference in San Francisco.

DNS lookups are one of the most basic and common tasks on the internet.
They translate human-friendly names such as theregister.co.uk into machine-readable IP addresses like 212.100.234.54. DNS cache poisoning first came to light in 1997, when researchers discovered that an attacker could infect the DNS resolvers of internet service providers and large organizations with spoofed IP addresses. The servers store the incorrect information for hours or days at a time, so the attack has the potential to send large numbers of end users to websites that install malware or masquerade as a bank or other trusted destination and steal sensitive account information.

In 1998, Eugene E. Kashpureff admitted to federal US authorities that on two occasions the previous year he interrupted service for tens of thousands of Internet users worldwide. By corrupting DNS caches, he was able to divert traffic intended for InterNIC to AlterNIC, a competing domain name registration site that he owned.

Makers of DNS products, which in addition to BIND's Internet Systems Consortium include Microsoft, PowerDNS and OpenBSD, responded to the discovery by requiring look-up requests and responses to include pseudo-random transaction ID numbers. Because attackers can't predict them, DNS cache servers automatically ignore any attempts to send spoofed responses. But over the past year, Klein has found defects in the randomization processes of many of these products that allow him to accurately predict the ID numbers. That has prompted a new round of patches that include more robust algorithms. Just last week, for instance, Microsoft pushed out a Windows update that did just that. Klein hasn't had time to examine that patch, but he's still not confident the transaction ID in others can't be predicted.

Asked how such a wide range of developers could deploy weak randomization features into software so critical to the functioning of the net, Klein said: "It's a mystery to me. None of them probably consulted a real cryptography expert.
There are DNS server implementations which use real crypto, so it is not that they didn't have any counter examples. I'm as dumbfounded by this as you are."

From rforno at infowarrior.org Wed Apr 16 01:14:36 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 15 Apr 2008 21:14:36 -0400
Subject: [Infowarrior] - Spambot cracks Live Hotmail CAPTCHA
Message-ID:

Gone in 60 seconds: Spambot cracks Live Hotmail CAPTCHA
By Emil Protalinski | Published: April 15, 2008 - 09:13AM CT
http://arstechnica.com/news.ars/post/20080415-gone-in-60-seconds-spambot-cracks-livehotmail-captcha.html

Internet users are quite familiar with the Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA), a quick method that verifies whether or not the user trying to sign up is a person or a bot. A picture with swirled, mangled, or otherwise distorted characters is displayed and the user then types in the correct letters or numbers. Thus far, the system has worked well to slow down malicious bots, but recently the groups behind such software have made significant strides. A security firm is now reporting that the CAPTCHA used for Windows Live Mail can now be cracked in as little as 60 seconds.

Back in early February, a group cracked Windows Live Hotmail's CAPTCHA. A few weeks later, Gmail's version followed suit. In just over a month's time, some anti-spam vendors were forced to completely block the domain for the popular service as bots signed up for thousands of bogus accounts and began to flood the tubes with e-mail advertisements for lottery tickets and watches. The close proximity of the two cracks has done everything but seal CAPTCHA's fate. To make matters worse, Websense Security Labs is now reporting that the method for getting around Windows Live Mail's CAPTCHA has been improved to the point that a bot can decipher the text and make a guess in less than six seconds, on average.
Windows Live Hotmail's Anti-CAPTCHA automatic bot, which hooks itself into Internet Explorer on a victim's machine, has a success rate of about 10-15 percent. That means that it takes up to one minute for a single bot to create a new account. In one day, the bot can amass at least 1,440 accounts. And that's just one bot. This same bot can then send spam to multiple e-mail addresses (using both CC and BCC lists) continuously, switching between accounts (both in the from: and to: fields) in order to lower the chance of being spotted. Spammers love getting their hands on live.com and hotmail.com addresses since the chance of such popular domain names being blacklisted is slim to none. Because of how large the Windows Live account system is, in terms of both users and the wide array of services the account is tied to, anti-spam vendors should not be the only ones worried.

However, the problem for Microsoft is much bigger than simply tracking down the spamming accounts. Microsoft, Google, and all other websites that currently use CAPTCHA, need to find a solution that puts them a step ahead of the spammers. Using better images and improving CAPTCHA will simply prolong the arms race. Spammers will make the proper adjustments to their bots, then make them even faster. Hopefully a workable solution can be found that doesn't make onerous demands on the sincere user. Finding, testing, and implementing a CAPTCHA alternative will of course take time, and while we wait, the spam just comes flooding in.
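[Editor's added example, placed here between messages; it refers back to the Register article on DNS cache poisoning two messages above and is not code from The Register, Amit Klein, BIND or any other DNS product.] The article's point is that a resolver's only defence against a spoofed answer is that the attacker cannot guess the 16-bit transaction ID on the outstanding query. The toy below shows what "predictable" costs: a resolver driven by a linear congruential generator (a hypothetical weak scheme, constants assumed for the example) is poisoned with a single spoofed packet after the attacker observes one ID, while the same resolver driven by the OS CSPRNG is not. The resolver, the generator, the domain names and the IP addresses are all constructed for this illustration.

```python
"""
Added example, not code from The Register, Amit Klein, or any DNS
implementation: a toy resolver that accepts a reply only when its 16-bit
transaction ID (TXID) matches the outstanding query, run once with a
predictable TXID generator and once with a CSPRNG. The attacker observes a
single TXID (by making the resolver look up a name the attacker controls)
and then races the real answer for a victim name with spoofed replies.
"""
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, List

TXID_MASK = 0xFFFF  # DNS transaction IDs are 16 bits wide


class WeakTxidGenerator:
    """Hypothetical weak scheme: a linear congruential generator mod 2**16.

    The low bits of any power-of-two-modulus LCG are an LCG in their own
    right, so knowing the constants plus one output gives the next output.
    """
    A, C = 1103515245, 12345  # constants assumed for the example

    def __init__(self, seed: int = 0x1234) -> None:
        self.state = seed & TXID_MASK

    def next_txid(self) -> int:
        self.state = (self.A * self.state + self.C) & TXID_MASK
        return self.state


class StrongTxidGenerator:
    """Each TXID is drawn independently from the OS CSPRNG."""

    def next_txid(self) -> int:
        return secrets.randbelow(TXID_MASK + 1)


def predict_weak(observed: int) -> int:
    """Attacker's predictor for WeakTxidGenerator: one observed TXID suffices."""
    return (WeakTxidGenerator.A * observed + WeakTxidGenerator.C) & TXID_MASK


@dataclass
class Resolver:
    txid_gen: object
    pending: Dict[int, str] = field(default_factory=dict)  # txid -> name in flight
    cache: Dict[str, str] = field(default_factory=dict)    # name -> cached IP

    def send_query(self, qname: str) -> int:
        txid = self.txid_gen.next_txid()
        self.pending[txid] = qname
        return txid

    def receive_response(self, txid: int, qname: str, ip: str) -> bool:
        """Accept a reply only if (txid, qname) matches an outstanding query."""
        if self.pending.get(txid) != qname:
            return False  # no match: silently discarded, as a real resolver does
        del self.pending[txid]
        self.cache[qname] = ip
        return True


def poison_attempt(resolver: Resolver, guesses: Callable[[int], List[int]],
                   victim: str = "bank.example", evil_ip: str = "203.0.113.66") -> bool:
    """One cache-poisoning race; True if the resolver caches evil_ip for victim."""
    # 1. The attacker makes the resolver look up a name they control and, being
    #    the authoritative server for it, observes the TXID on that query.
    observed = resolver.send_query("probe.attacker.example")
    resolver.receive_response(observed, "probe.attacker.example", "198.51.100.10")
    # 2. The attacker triggers the victim lookup and fires spoofed replies
    #    before the genuine authoritative answer arrives.
    resolver.send_query(victim)
    return any(resolver.receive_response(txid, victim, evil_ip) for txid in guesses(observed))


def success_rate(make_resolver: Callable[[], Resolver],
                 guesses: Callable[[int], List[int]], trials: int) -> float:
    """Fraction of independent races the attacker wins."""
    wins = sum(poison_attempt(make_resolver(), guesses) for _ in range(trials))
    return wins / trials


if __name__ == "__main__":
    weak = lambda: Resolver(WeakTxidGenerator(seed=secrets.randbelow(1 << 16)))
    strong = lambda: Resolver(StrongTxidGenerator())
    one_predicted = lambda obs: [predict_weak(obs)]
    spray_100 = lambda obs: [secrets.randbelow(1 << 16) for _ in range(100)]
    print("LCG TXIDs, one predicted packet  :", success_rate(weak, one_predicted, 200))
    print("CSPRNG TXIDs, 100 spoofed packets:", success_rate(strong, spray_100, 200))
```

Against the LCG the attacker wins every race with one packet; against the CSPRNG each spoofed packet has a 1 in 65,536 chance, so even a spray of a hundred packets wins well under one race in a hundred. That ratio is the whole value of the "pseudo-random transaction ID" fix the article describes, and it evaporates the moment the generator's next output can be computed from a previous one.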
From rforno at infowarrior.org Wed Apr 16 03:10:17 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 15 Apr 2008 23:10:17 -0400
Subject: [Infowarrior] - Call it the No Child Left Unsurveilled Act
Message-ID:

Lawmakers Proposing Millions for Elementary School Surveillance Cams
By Ryan Singel
April 15, 2008 | 6:06:07 PM | Categories: Surveillance
http://blog.wired.com/27bstroke6/2008/04/lawmakers-propo.html

Call it the No Child Left Unsurveilled Act. On Thursday, federal lawmakers will hold a hearing on a proposal to let public schools use millions in federal grants to blanket the halls of learning with surveillance cameras. Those grants have typically been used to install metal detectors, lights and locks, as well as paying for security training for students and employees. The bill adds closed circuit surveillance cameras to the list of items eligible for Justice Department Safe School grants, ups the funding from $30 million annually to $50 million and increases the feds' share of any outlays to 80%, up from the current 50-50 split.

In what seems a plain attempt to arouse the ire of Bruce Schneier, the bill would bar schools from using the money for actually assessing what the threats and weaknesses to the school are. That eligible item is replaced in the bill by tip lines for reporting dangerous students. New Jersey congressman Steve Rothman (D) introduced the School Safety Enhancements Act last May, and the measure has 53 co-sponsors. The House Judiciary committee's Crime, Terrorism and Homeland Security subcommittee will hold a hearing on the school surveillance bill and two other bills Thursday at 10 a.m. EST. A spokeswoman for Rep. Rothman was not immediately available for comment.
From rforno at infowarrior.org Wed Apr 16 13:24:27 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 16 Apr 2008 09:24:27 -0400
Subject: [Infowarrior] - Schoolboy debunks NASA estimate of asteroid threat
Message-ID:

Schoolboy debunks NASA estimate of asteroid threat
By Karen Barlow
http://www.abc.net.au/news/stories/2008/04/16/2218782.htm

[Image: An artist's conception of an asteroid crashing into Earth (file photo). (Reuters: NASA)]

The space boffins do not always get it right - a 13-year-old schoolboy has successfully challenged NASA, correcting the US space agency's calculations of a possible killer asteroid strike on the Earth in 30 years. NASA had estimated there was a one in 45,000 chance that the asteroid Apophis will collide with the Earth. But a young German schoolboy, Nico Marquardt, corrected it to a one in 450 chance and therefore changed the date the asteroid might hit.

The work has impressed the head astronomer at the Anglo-Australian Observatory, Professor Fred Watson. "That 13-year-old German schoolboy has done a marvellous job because it's one of those things that perhaps if you look back 100 years, people used logarithms for this process to work out asteroid orbits and hand-calculators and slide rules and things like that," he said. "The process took days and days, but it says a lot for the world that we live in that now a 13-year-old schoolboy can download the right software to do the job and actually find out errors in NASA's work. It's quite extraordinary."

'Great brains'

Professor Watson says it proves even the great brains of NASA can get it wrong. "Honestly, it's very hard to overstate just how good NASA is at this kind of thing, even though they sometimes get their imperial units and their metric units mixed up," he said.
"But it's very hard to think of everything and that's what has happened in this case.

"The schoolboy has thought of something that would actually elude most people, and that's the possibility of the asteroid Apophis when it makes its close path to the Earth, interacting with one of the Earth's geostationary satellites.

"These are our communication satellites which exist in many thousands in a band about 36,000 kilometres above the Earth's surface.

"That is something - once you see that it sticks out as plain as the nose on your face - but it's one of those things that you really have to think about."

Professor Watson says he suspects the only thing that would really make any difference would be a collision, because Apophis weighs infinitely more than a satellite. "It's on a trajectory which has a speed rather greater than these satellites, so a collision could make a microscopic but nevertheless tangible change to its orbit," he said. He says with this new calculation of a one in 450 chance of the asteroid hitting the Earth, the critical time is actually 2036, not 2029. "2029 is when it makes a close approach and 2036 is when the big uncertainty is," he said. "We don't know what the Earth's gravity will do until we pass the asteroid in 2029, in terms of where it will be a few years later."

From rforno at infowarrior.org Wed Apr 16 19:04:07 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 16 Apr 2008 15:04:07 -0400
Subject: [Infowarrior] - Oregon: our laws are copyrighted and you can't publish them
Message-ID:

Oregon: our laws are copyrighted and you can't publish them
Posted by Cory Doctorow, April 15, 2008 10:26 PM
http://www.boingboing.net/2008/04/15/oregon-our-laws-are.html

Rogue archivist Carl Malamud sez,

The State of Oregon is sending out cease and desist letters to sites like Justia and Public.Resource.Org that have been posting copies of Oregon laws, known as the Oregon Revised Statutes. We've sent Oregon back two letters.
The first reviews the law and explains to the Legislative Counsel why their assertion of copyright over the state statutes is particularly weak, from both a common law perspective and from their own enabling legislation. The position of the Legislative Counsel is that their public access obligations have been fulfilled by their web site. However, their web site has over 500,000 HTML errors, does not meet Section 508 accessibility requirements, and has no metadata, as our second letter points out. Particularly galling is the fact that Thomson West has also made a copy of these statutes and has done so without a commercial license, but the Legislative Counsel explicitly told Tim Stanley of Justia that they weren't going to send cease and desist letters to West. Evidently, it is much easier to pick on the little guys.

Oregon is not unique in asserting copyright over state law, but they are definitely one of the more aggressive in this kind of FUD campaign. Justia and Public.Resource.Org have decided this is an important issue to resolve and we're going to hold firm on this. Anybody else who is making a mirror of the Oregon law should drop me a line and let me know.

From rforno at infowarrior.org Wed Apr 16 20:12:27 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 16 Apr 2008 16:12:27 -0400
Subject: [Infowarrior] - Security is No Match for Chocolate and Good Looking Women
Message-ID:

Security is No Match for Chocolate and Good Looking Women
Posted by Ben Worthen
http://blogs.wsj.com/biztech/2008/04/16/security-is-no-match-for-chocolate-and-good-looking-women/?mod=WSJBlog

People are too trusting, especially when there's chocolate on the line.

A survey out today by the organizers of the tech-security conference Infosecurity Europe found that 21% of 576 London office workers stopped on the street were willing to share their computer passwords with a good looking woman holding a clipboard. People were offered a chocolate bar in exchange for the information.
More than half of the people surveyed said they used the same password for everything. As depressing as the survey may be for the security pros whose job it is to keep corporate networks safe, the results are a substantial improvement over last year. That was when 64% of people were willing to give away their passwords.

But there were other disturbing signs this year: 61% of workers surveyed shared their birthdates and a similar number (60% of men and 62% of women) shared their names and telephone numbers. This doesn't sound particularly damaging, but cyber criminals could use this information to craft so-called phishing emails that install malicious computer code when opened or try to convince people to cough up more damaging information like a bank account number.

It's easy to dismiss this kind of threat as more imagined than real, but consider that this week, around 20,000 corporate executives received phishing emails that purported to be a subpoena. The emails seemed authentic because they addressed the execs by name and included their phone numbers, the Washington Post reports. By clicking on the link in the email and following the directions supposedly required to view the subpoena, the executives installed software on their computers that can steal usernames and passwords. So far, the scam has netted around 2,000 victims, according to the Post.

From rforno at infowarrior.org Wed Apr 16 20:14:34 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 16 Apr 2008 16:14:34 -0400
Subject: [Infowarrior] - The New Perverted Reverse Value Theory of Copyright
Message-ID:

The New Perverted Reverse Value Theory of Copyright
http://williampatry.blogspot.com/2008/04/new-perverted-reverse-value-theory-of.html

Candidates for a unified theory justifying copyright in all its manifestations include the value of the copyright owner's efforts in creating the work. This value can take a natural rights form (the value of genius)
but it can also take the more mundane Lockean agricultural form (copyright owners are the sowers of their intellectual labor). The value theory of copyright rightfully has considerable appeal. One can even correlate the value theory to fundamental concepts of copyright like originality: where the copyright owner has added expression, that expression is protectible; when expression hasn't been added, there is no protection. The correlation breaks down in areas like ideas, which while perhaps the most innovative and valuable part of a given work will nevertheless remain unprotected; the value theory has to rely on other theories to explain the exclusion of protection for ideas. And the pure value of labor also leads to protection for sweat of the brow. The value theory is both over- and underinclusive and therefore cannot play the role of a unified theory.

There is also a reverse value theory, one that has been invoked sketchily in the past, but has now been officially launched on a grand scale in the UK. The reverse theory is the subject of this post. In the past, courts have on occasion found infringement based merely on the fact of copying: if defendant went to the trouble to copy something from plaintiff, then the copied material had value to defendant, and defendant should lay claim to recovering the lost value. This approach represented a negation of the originality requirement and of the requirement that what is taken be a substantial amount of expression; but for those judges who preferred moral simplicity to substantive law, the copied=value=infringement approach proved irresistible. Note that the value spoken of was the value to defendant, not plaintiff. The portion taken could have been quite insignificant to plaintiff's work, another reason the approach conflicted with general principles of copyright law, which bases infringement on the importance of the portion taken to plaintiff's, not defendant's work.
The new reverse value approach does to consumers what the infringement approach did to defendants, and then some. On January 8th of this year, the British UKIPO launched a consultation process as a follow-up to the December 6, 2006 Gowers report. One of the recommendations in the report (see page 2, paragraph 6) was this:

It is proposed to create a new exception that would allow consumers to make a copy of a work that they legally own, so that they can make it accessible in another format for playback on a device in their lawful possession. The exception would apply to personal or private use. The owner would not be permitted to share it more widely (for example in a file sharing system or on the internet). Multiple copying would not be allowed.

The proposed exception is very narrow. The consumer would have to own a legal copy. The format (and perhaps space)-shifting would have to be a one-off and for personal use, and the copy would have to be made for a device the consumer legally possesses. There are certainly more liberal approaches to format-shifting one could propose, but as approaches go, if personal use means anything it has to fall within this modest proposal. Comments on this process of the consultation closed last Tuesday. One of those submitting comments was the Music Business Group (MBG), a coalition of UK music publishers, record labels, and licensing organizations. Here is the link. The MBG takes a negative view of the proposed exception, that is unless its members get a license fee. But how to justify such a license fee for consumers making a single copy from a lawfully owned copy on to a lawfully possessed device for personal use? Here are the MBG's introductory bullet points on this effort:

* Unquestionably, there is value produced by the ability to format shift for both consumers and commercial enterprises which directly arises from the transferability of music
* It is imperative that creators and performers should benefit from this value; ultimately it is their creativity which underpins the entire value chain
* The only solution which achieves this goal is a flexible and market-led approach based upon a business-to-business relationship. (page 3).

At this point, some readers might be confused: what is the value produced by consumers? Aren't those who use copyrighted works without permission or payment usually described as parasites, pirates, or thieves, and hardly as value-creators? And haven't we been told for years that it is consumers, especially via P2P file sharing, that is the cause of the record industry's decline?

Behind the MBG's new approach is a plan to pervert language in order to achieve an otherwise politically unacceptable result. The plan began in the summer of 2007, with what was called the Value Recognition Strategy (referred to in MBG's submission to the UKIPO). The strategy was prepared by Capgemini consultants (no surprise there: copyright, like political campaigns, is now the province of focus group generated slogans and messaging), and is designed to examine the "value gap," which is defined as the amount of decline in UK record sales since 2004. A private study conducted by Capgemini for copyright owners, and discussed here at the UK Register website is said to have revealed that "format changes and price pressure from discounted CDs on sale in supermarkets, are most to blame for this 'value gap.'" Format changes here refers to the unbundling of albums into per song sales, and not to the format shifting proposed in the UKIPO exception, although as we shall see the two are very much related in the MBG's view. The article in the Register states:

Capgemini calculates that of £480m lost to the industry since 2004, £368m was the result of format changes: principally the unbundling of the CD into an "a la carte" selection of digital songs. Of the remainder, 18 per cent was lost to piracy.
And that suggests that simply going after illegal downloaders won't save the British music business.

So what is the Value Recognition Strategy, then? To go after iTunes as the Register article notes, but that means not shutting it down, since the site is licensed, but instead getting a cut of the revenue iTunes generates. There have been efforts to do this in the past, under the same value approach. For example, there have been efforts to obtain a cut of the profits from the sale of iPods. One head of a U.S. music company was quoted as saying with respect to this effort, "We felt that any business that's built on the bedrock of music we should share in." This statement is indicative of why the corporate music industry is on its death bed: after the industry insisted on preserving a business model that consumers didn't want (album sales), it fought the business model consumers do want (per song downloads) resulting in a flight to unauthorized services that gave consumers what they wanted (P2P), and then when someone else came along and saved the industry from itself by creating an authorized way to get consumers to pay (iTunes), the industry now insists that it is being ripped off, that it is being deprived of "value" that belongs to it. Apple's iTunes business was built from scratch by a technology company, not by an entertainment company, not a consumer electronics company (or a hybrid like Sony), and not by a traditional retailer; indeed, it bears noting that the traditional record store chains in the United States (based on the sale of albums) are out of business, and the few foreign ones (e.g., Virgin) that remain, remain because they sell video DVDs and clothing.
In February 2008, a mere five years after the launch of iTunes, Apple has become the world's largest source of music purchases (surpassing Wal-Mart), and it did so by sinking its own money and creativity into hardware and software, none of which any copyright owner contributed to, and by developing a business model that copyright owners had fought tooth-and-nail. Nor apparently is it enough for copyright owners that they reportedly get 70% of all iTunes sales with no development costs, no overhead costs, no server costs, and without bearing any of the expenses of Apple's technical work. Even more: on the record labels' side of production, the 70% of iTunes revenue they are receiving is made off of a product that requires no packaging, warehousing, shipping or other associated costs.

So, back to the value recognition strategy and the MBG's submission to the UKIPO. That submission is the public face of what has previously been private, and it is not a pretty sight: faced with its own consultant's conclusion that only 18% of the songs on iPods and other such devices are "pirated," the industry wants to save itself from its own failures by getting a second license fee; recall that the UKIPO's proposal was limited to making one copy from a lawfully owned copy for personal use. The industry got paid once for sale of the lawful copy and now wants a second bite at the same apple (pun intended). And why? Why, because the market for iTunes and the ability to transfer DRM-free copies demonstrates that consumers "value" getting what they want; because they "value" getting what they want, that value belongs to the music industry. What am I talking about, you may ask? The MBG states on page 13, paragraph 20, "Consumers enjoy and value the transferability of music." Note the word value here. But what does the word mean? The MBG submission explains on the next two pages, paragraphs 28-30:

28. Another way of approaching the question is to ask how much less value would consumers attach to devices (MP3 players, computer hard drives, CD and DVD burners) if music were not transferable?

29. In 2003 Sony introduced digital music versions of its Walkman player, called the "Network" Walkman. Sony's players were initially compatible only with Sony's proprietary music format. In order to move tracks from CD to the Sony ATRAC3 players, customers were forced to use specific Sony software.

30. Purchasers of Sony Network Walkman players were not easily able to play podcasts, tracks copied from friends' hard drives, tracks downloaded from filesharing networks and so on. Eventually, in August 2007, Sony responded to the business failure and announced that future players would support the more common Windows Media and MP3 formats as well as AAC which is used in the iTunes store and jukebox. "By going open-standard, Sony will increase customer choice and make its audio players more versatile," said [a Sony representative]. "We did something perfectly simple. We listened to what our customers want."

Of course, it took Sony four years to listen to what its customers wanted, a period of time in which iTunes was developed and came to dominate the field. But the conclusion the MBG draws from this experience is not what you would think: Sony's failure to listen to its customers shows that customers valued something different than what Sony valued, and therefore, as a direct result of Sony listening to its customers, Sony's customers now possess value that Sony should recapture. I am not exaggerating, which is why I quoted all of paragraphs 28-30. Most people, and hopefully government policy makers, would think the existing situation is a win-win: Sony sells more machines and Sony music, and consumers get what they want. But that is not how the MBG sees things.
They see the Sony experience as an example of what is wrong with the music industry: now that consumers have what they want, through lawful sales from Sony, Sony is losing value to its customers. This "imbalance," as MBG describes it, can only be corrected through a new levy on customers for having the audacity of forcing Sony to give them what they want. In short, the "value" the MBG is demanding that the UK government recognize through the imposition of a new levy is the marketplace value that Sony willingly gave to its customers, and which it trumpeted as an example of listening to those customers. From customers' perspective, this is surely an unusual way to lose through winning. The new levy approach, the MBG concludes, "provides a future proof, yet easy to manage system that is responsive to market realities ..." (page 17, paragraph 42). The imposition of a levy for the making of one personal copy of a lawfully purchased work for format-shifting is not even remotely a market reality, much less responsive to one. Instead, the MBG's proposal seeks to create an obligation that doesn't and should never exist: even counter-reformation opponents of limitations and exceptions have to acknowledge that in the drafting of Article 9(2) of the Berne Convention in 1967, private use exceptions were common in national laws. The MBG's proposed levy is to create value for copyright owners where none exists: in the past, the industry made money by reselling consumers the same product over and over again: 78s to 45s; 45s to tape; tape to CD, and most importantly all of them in album format, a proven bad value to consumers. The incredible amounts of ink spilled about and suits filed over the MP3 format have little to do with its digital format, and everything to do with breaking down the single business model that has sustained the music industry for many decades, album sales.
It is the decline in album sales that the industry's own Value Recognition Strategy acknowledges is responsible for the principal decline in the industry's income, not file sharing and certainly not format shifting. What this means to me is not that consumers have captured value that belongs to the industry, but rather that consumers have long been deprived of the value of their money, and are finally beginning to get something close to the true value of the product being sold. It is that market reality that scares the you-know-what out of the MBG, and that forced it to turn to a consultant to come up with a theory to sell to government policy makers as an example of the sky is falling from yet another effort to blame consumers for the industry's own shortcomings. The proposed solution by MBG is an attempt to obtain a government-mandated subsidy by consumers of an industry that is finally being forced to give consumers what they want. There is no value for policy makers in mandating such an undeserved subsidy. And, as a policy matter, the theory on which it is based, namely that every unauthorized use by consumers is the misappropriation of value properly owned by copyright owners, has no limit; it applies to book reviews, news stories, quotations, parodies, the first sale doctrine, and a limitless term of protection (note the connection between the value theory and the concurrent effort at term extension for sound recordings in the UK and Europe). Even Blackstone's view of property as the sole, despotic dominion of the owner never reached this far. Hopefully the UKIPO will reject the proposed levy and the theory out of hand. Rejection would be a valuable lesson.

From rforno at infowarrior.org Thu Apr 17 01:58:51 2008 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 16 Apr 2008 21:58:51 -0400 Subject: [Infowarrior] - Cross an Al Qaeda boss? Get a nasty memo Message-ID: Penalty for crossing an Al Qaeda boss?
A nasty memo http://www.latimes.com/news/printedition/front/la-fg-qaedaculture16apr16,1,2 897775.story In two pages mixing flowery religious terms with itemized complaints, the Egyptian boss accused the militant of misappropriating cash, a car, sick leave, research papers and an air conditioner during "an austerity situation" for the network. He demanded a detailed letter of explanation. "I was very upset by what you did," Atef wrote. "I obtained 75,000 rupees for you and your family's trip to Egypt. I learned that you did not submit the voucher to the accountant, and that you made reservations for 40,000 rupees and kept the remainder claiming you have a right to do so. . . . Also with respect to the air-conditioning unit, . . . furniture used by brothers in Al Qaeda is not considered private property. . . . I would like to remind you and myself of the punishment for any violation." The memo by Atef, who later died in the U.S.-led assault on Osama bin Laden's Afghan refuge in 2001, is among recently declassified documents that reveal a little-known side of the network. Although Al Qaeda has endured thanks to a loose and flexible structure, its internal culture has nonetheless been surprisingly bureaucratic and persistently fractious, investigators and experts say. The documents were captured in Afghanistan and Iraq and date from the early 1990s to the present. They depict an organization obsessed with paperwork and penny-pinching and afflicted with a damaging propensity for feuds. "The picture of internal strife that emerges from the documents highlights not only Al Qaeda's past failures but also -- and more importantly -- it offers insight into its present weaknesses," concludes a study of the documents issued in September by the Combating Terrorism Center at West Point. "Al Qaeda today is beset by challenges that surfaced in leadership disputes at the beginning of the organization's history." 
In the years after 2001, anti-terrorism officials worked to understand a foe that defied a Western mind-set. In contrast to state-sponsored extremist groups, Al Qaeda was a decentralized alliance of networks. Recruits in Afghanistan had access to Bin Laden and other bosses. Operatives were often given great autonomy. But the egalitarian veneer coexisted with the bureaucratic mentality of the chiefs, mostly Egyptians with experience in the military and highly structured extremist groups. "They may have imposed the blindingly obdurate nature of Egyptian bureaucracy," said a senior British anti-terrorism official who asked to remain anonymous for security reasons. "You see that in the retirement packages they offered, the lists of members in Iraq, the insecure attitude about their membership, the rifts among leaders and factions." Like newly arrived fighters in Iraq today, recruits in the 1990s filled out applications that were kept in meticulous rosters. The shaggy, battle-scarred holy warriors of Afghanistan were micromanagers. They scrupulously documented logistical details -- one memo accounts for a mislaid Kalashnikov rifle and 125 rounds of ammunition. They groused and nagged about money. In a brief letter from the late 1990s, a militant wished Atef "Peace and God's mercy and blessings" and "praise to the Lord and salvation to his prophet." Then he got down to business: "I have not received my salary in three months and I am six months behind in paying my rent. . . . You also told me to remind you, and this is a reminder." A stern Egyptian bean-counter set the austere policies. Mustafa Ahmed Al Yahzid, a 52-year-old trained as an accountant, ran the network's finance committee between 1995 and 2007, said Rohan Gunaratna, author of "Inside Al Qaeda." "He is known as being a very stringent administrator, who keeps tight control of Al Qaeda's finances," Gunaratna said. Committees and titles proliferated. 
And for years, schisms pitted Bin Laden's inner circle against factions who saw him as a chaotic commander prone to military miscalculation. They also faulted him and his deputies for disdain toward non-Arabs, a persistent point of conflict, according to the West Point study. Dissent was loud. Two influential Syrians scolded Bin Laden "like a disobedient child" in an e-mail in 1999, the study says. They urged him to end tensions with Mullah Omar, the Taliban chief. "I think our brother [Bin Laden] has caught the disease of screens, flashes, fans and applause," the Syrians wrote. "You should apologize for any inconvenience or pressure you have caused." The documents also suggest a vexing struggle to retain operational control in recent years. Iraq is the best example. The rise of Al Qaeda in Iraq under Abu Musab Zarqawi attracted new fighters and funds. But the fiery Jordanian had kept his distance even when he ran his own Afghan training camp. As he gained the spotlight in Iraq, he feuded with the core leadership in Pakistan, who worried that his onslaught of bombings and beheadings would backfire. Their efforts to rein in Zarqawi are documented by a letter from a Libyan chief known only as Atiyah. U.S. troops found the 13-page letter in the safe house where an airstrike killed Zarqawi in 2006. Atiyah sounds like a sage veteran alternately chiding and praising a rookie hothead as he urges Zarqawi to mend fences with Bin Laden and refrain from indiscriminate violence. "My dear brother, today you are a man of the public," Atiyah wrote from Pakistan on July 9, 2005. "Your actions, decisions and behavior result in gains and losses that are not yours alone, but rather they are for Islam." As predicted, Zarqawi's rampage had weakened Al Qaeda in Iraq by the time he died. In the aftermath, the leadership in Pakistan lost a chief who was captured en route to Iraq on a mission to take charge there. 
Atiyah's advice describing the fall of Algerian Islamic movements a decade ago remains relevant, experts said. "They destroyed themselves with their own hands," Atiyah wrote to Zarqawi. "Their enemy did not defeat them, but rather they defeated themselves." rotella at latimes.com

From rforno at infowarrior.org Thu Apr 17 02:00:12 2008 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 16 Apr 2008 22:00:12 -0400 Subject: [Infowarrior] - Group releases credit-card software standard Message-ID: Group releases credit-card software standard Published: 2008-04-16 http://www.securityfocus.com/brief/724?ref=rss The PCI Security Standards Council announced on Tuesday an updated version of its security standards for applications that process credit-card transactions, aiming to prevent data breaches such as those at Hannaford Bros. and the TJX Companies. Known as the Payment Application Data Security Standard (PA-DSS), the compliance effort will allow the Council to become a "one-stop shop" for merchants who want to search for applications and services that will not increase their exposure to attacks, a PCI Security Standards Council spokesperson said. Version 1.1 of the standard (pdf) will make certain that payment applications do not store sensitive data, such as the information typically stored on the magnetic stripe on the back of credit and debit cards. "Having a single source of information on approved payment applications and security assessors provides business value to merchants and service providers and allows them to make informed choices regarding the security of their payment application," Bob Russo, general manager for the PCI Security Standards Council, said in a statement announcing the new standard. The latest version of the application-security standard follows the revelation that online data thieves managed to make off with millions of credit- and debit-card numbers from grocery store chain Hannaford Bros.
In 2007, retail giant TJX Companies also announced a large data breach, and by the end of the year, estimates of the size of the loss surpassed 100 million credit- and debit-card numbers. While TJX Companies had not complied with the PCI Data Security Standard, it is currently not known whether Hannaford Bros. had remained in compliance. According to Visa, about three-quarters of large companies and two-thirds of medium-sized firms had complied with the PCI's payment security standards by the end of 2007. The PCI Security Standards Council plans to certify companies over the next year to be Payment Application Qualified Security Assessors (PA-QSAs). The application standard is based on Visa's Payment Applications Best Practices (PABP) requirements for its merchants.

From rforno at infowarrior.org Thu Apr 17 02:02:48 2008 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 16 Apr 2008 22:02:48 -0400 Subject: [Infowarrior] - Feds to collect DNA from every person they arrest Message-ID: Feds to collect DNA from every person they arrest By EILEEN SULLIVAN, Associated Press Writer Wed Apr 16, 6:18 PM ET http://news.yahoo.com/s/ap/20080416/ap_on_go_ca_st_pe/dna_collection_4 WASHINGTON - The government plans to begin collecting DNA samples from anyone arrested by a federal law enforcement agency -- a move intended to prevent violent crime but which also is raising concerns about the privacy of innocent people. Using authority granted by Congress, the government also plans to collect DNA samples from foreigners who are detained, whether they have been charged or not. The DNA would be collected through a cheek swab, Justice Department spokesman Erik Ablin said Wednesday. That would be a departure from current practice, which limits DNA collection to convicted felons. Expanding the DNA database, known as CODIS, raises civil liberties questions about the potential for misuse of such personal information, such as family ties and genetic conditions.
Ablin said the DNA collection would be subject to the same privacy laws applied to current DNA sampling. That means none of it would be used for identifying genetic traits, diseases or disorders. Congress gave the Justice Department the authority to expand DNA collection in two different laws passed in 2005 and 2006. There are dozens of federal law enforcement agencies, ranging from the FBI to the Library of Congress Police. The federal government estimates it makes about 140,000 arrests each year. Those who support the expanded collection believe that DNA sampling could get violent criminals off the streets and prevent them from committing more crimes. A Chicago study in 2005 found that 53 murders and rapes could have been prevented if a DNA sample had been collected upon arrest. "Many innocent lives could have been saved had the government began this kind of DNA sampling in the 1990s when the technology to do so first became available," Sen. Jon Kyl, R-Ariz., said. Kyl sponsored the 2005 law that gave the Justice Department this authority. Thirteen states have similar laws: Alaska, Arizona, California, Kansas, Louisiana, Maryland, Minnesota, New Mexico, North Dakota, South Dakota, Tennessee, Texas and Virginia. The new regulation would mean that the federal government could store DNA samples of people who are not guilty of any crime, said Jesselyn McCurdy, legislative counsel for the American Civil Liberties Union. "Now innocent people's DNA will be put into this huge CODIS database, and it will be very difficult for them to get it out if they are not charged or convicted of a crime," McCurdy said. If a person is arrested but not convicted, he or she can ask the Justice Department to destroy the sample. The Homeland Security Department -- the federal agency charged with policing immigration -- supports the new rule. "DNA is a proven law-enforcement tool," DHS spokesman Russ Knocke said.
The rule would not allow for DNA samples to be collected from immigrants who are legally in the United States or those being processed for admission, unless the person was arrested. The proposed rule is being published in the Federal Register. That will be followed by a 30-day comment period. ___ On the Net: State Laws on DNA Data Banks: http://www.ncsl.org/programs/cj/dnadatabanks.htm http://www.dnaresource.com/documents/2008DNAExpansionLegislation.pdf

From rforno at infowarrior.org Thu Apr 17 12:47:22 2008 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 17 Apr 2008 08:47:22 -0400 Subject: [Infowarrior] - GSM Researcher stopped at Heathrow Airport by UK government officials In-Reply-To: Message-ID: From: security curmudgeon http://blog.thc.org/index.php?/archives/1-GSM-Researcher-stopped-at-Heathrow-Airport-by-UK-government-officials.html I was leaving today from the United Kingdom/Heathrow airport. I am about to speak at the HITB IT security conference about GSM security and the USRP (gnu-radio project). I was searched by the UK government while waiting at the Gate and reading a newspaper. A UK Government employee flipped his badge and said "Let's talk. Come over here". They detained my USRP (Software Defined Radio), my mobile phone and my personal SIM card. They did their homework. They knew who I am, where I live, which day I speak at the conference and who I work for. I'm involved in the GSM software project where we also developed a new attack against the GSM encryption A51. We published our research in February at the Blackhat security conference in Washington DC. I understand that the government wanted to make sure that I'm not exporting any cryptanalytic device. I did not. I will not. The USRP is a radio. My mobile phone is a normal Nokia 3310 phone and my SIM card is a sim card. They said they do not know what the USRP is and that I can not take it until they have checked it in the lab. This can take 14 days (1/2 month). So be it.
They have it for 14 days. Guys, enjoy the device! It's fun playing around with it! I'm uneasy that they took my mobile phone and my sim card. Having a pregnant wife at home and not being reachable complicates my situation. Is this common practice? Are they allowed to do this? Any tips on how I can get my mobile phone and my sim card back quicker? Our project: http://wiki.thc.org/gsm The USRP is available from http://www.ettus.com The GNU RADIO project: http://www.gnu.org/software/gnuradio stunning, THC --- Appendix: Surprisingly they did not detain my laptop or my paperwork which would be the most likely place to store any information related to cracking A51. They were also not interested in my 160GB hard drive which would have been the obvious place for storing the rainbow tables. Neither were they interested in the high performance FPGA chip. Instead they took all equipment that could have been used for demonstrating that GSM signals can be received with publicly available hardware for 700 USD. It does not appear that they were after cryptanalytic information. I received a yellow paper about my detained goods. They left the field blank that reads "The goods specified below are detained for the following reason:". What reason? They also crossed out the field "Agent" of the officer who was in charge of the operation.

From rforno at infowarrior.org Thu Apr 17 12:58:35 2008 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 17 Apr 2008 08:58:35 -0400 Subject: [Infowarrior] - Pirate Bay Launches Uncensored Blogging Service Message-ID: The Pirate Bay Launches Uncensored Blogging Service Written by Ernesto on April 16, 2008 http://torrentfreak.com/baywords-pirate-bay-blog-080416/ In their ever continuing battle to free the Internet, The Pirate Bay has now launched an uncensored blogging service, called Baywords.
The service is intended to be a safe haven for bloggers who want to be able to write whatever they want, without being afraid to get shut down by their blog host. The Pirate Bay is known for defending people's right to freedom of speech on the Internet, and this is exactly what motivated them to start this new blogging service. Brokep, one of the co-founders of the site, told TorrentFreak that the idea to start a blogging service came up when the weblog of one of his friends was taken down from Wordpress recently, for linking to copyrighted material. This, of course, goes against the "uncensored web" philosophy of The Pirate Bay team, and they didn't hesitate to start their own blogging service, Baywords, using Wordpress as their blogging engine. On the frontpage of the newly launched service Brokep writes: "Many blogs are being shut down for uncomfortable thoughts and ideas. We will not do that. Our goal is to protect freedom of speech and your thoughts. As long as you don't break any Swedish laws in your blog, we will defend it". In a response, Matt Mullenweg from WordPress told TorrentFreak that he supports Pirate Bay's Baywords, but he assured us that Wordpress.com would never take down a blog for posting deviating thoughts or ideas. "WordPress.com supports free speech and doesn't shut people down for 'uncomfortable thoughts and ideas', in fact we're blocked in several countries because of that. However as a US-based company we must comply with US laws, which means if the primary purpose of a blog is distributing illegal material it's not a good fit for WordPress.com," Matt said. Baywords is currently working on expanding the feature list to include support for domain redirects and improved stats. The service is ad-free for now, but Brokep told TorrentFreak that there will be ads blended into the blog design later, to cover the expenses.
This is not the first time The Pirate Bay has started a service where people can publish whatever they want, without being censored. They already created an image hosting service for this reason, and a YouTube competitor is about to follow soon. For people who are considering moving their Wordpress or Blogger account over to Baywords, importing is pretty straightforward and compatible with all the popular blog platforms. Don't forget to add TorrentFreak to your blogroll! Update: Matt Mullenweg's response was added to the article after publication.

From rforno at infowarrior.org Thu Apr 17 13:09:40 2008 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 17 Apr 2008 09:09:40 -0400 Subject: [Infowarrior] - NORAD 9/11 tape trove released Message-ID: http://www.governmentattic.org/ NEW NORAD-USNORTHCOM 9-11 audio recordings -- Over 100 hours of audio recordings of various military communications channels on September 11, 2001. Made available in multiple mp3 files.

From rforno at infowarrior.org Thu Apr 17 16:06:29 2008 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 17 Apr 2008 12:06:29 -0400 Subject: [Infowarrior] - Senator: Let's monitor all P2P for illegal files Message-ID: Senator: Let's monitor P2P for illegal files Posted by Anne Broache http://www.news.com/8301-10784_3-9920665-7.html WASHINGTON--A prominent Senate Democrat on Wednesday said federal and local police should use custom software to monitor peer-to-peer networks for illegal activity, and he wants to spend $1 billion in tax dollars to help make that happen. At an afternoon Senate Judiciary subcommittee hearing about child exploitation on the Internet, Sen. Joe Biden (D-Del.)
said he was under the impression it's "pretty easy to pick out the person engaged in either transmitting or downloading violent scenes of rape, molestation" simply by looking at file names. He urged use of those techniques by investigators to help nab the most egregious offenders. The software, dubbed "Operation Fairplay," was developed two years ago by Special Agent Flint Waters in the Wyoming Attorney General's Office, who, by Biden's description, is considered an expert in the field. The application is currently being used by all of the regional Internet Crimes Against Children (ICAC) task forces nationwide and internationally, Waters told the panel. Waters describes the system as a "comprehensive computer infrastructure," housed in Wyoming, that grants law enforcement officers a "big picture" of what sort of child pornography file transfers are going on across the country. It's able to help investigators conduct undercover operations involving peer-to-peer file-sharing applications, chat rooms, Web sites, and mobile telephones, Waters said. No one's trying to demonize those technologies, Waters said. "Blaming this problem on peer-to-peer innovation is like blaming the interstate highway system when someone uses it to transport drugs," he said. But in 2008 alone, investigators using Fairplay have "seen" more than 1,400 IP addresses tied to swapping child pornography files on at least 100 different occasions, Waters said. He didn't say how he identified what he viewed as child pornography, which can include photographs of fully-clothed teenagers taken with their parents' consent. In addition, as critiques of a 1995 law review article pointed out, trying to guess the contents of a file based on its name can be a problematic process. 
Based on Waters' statements to the committee, the system appears to work like this: Investigators log onto peer-to-peer file-sharing networks as any other person would and search for files containing certain keywords that are likely to indicate child pornography is involved. Then they download the files--frequently videos, sometimes as long as 20 to 30 minutes, with names like "children kiddy underage illegal.mpg" and much more obscene--to their own machines. They're able to use the Fairplay software to obtain the IP address of the file's sender and, in some cases, display its geographic location in map form. Once armed with an IP address and date and time of the download, investigators can subpoena the Internet service provider for more information, such as name and address of the subscriber who was assigned it at that moment. "It's not necessarily the suspect but it tells us the physical location to start," Waters said. (He didn't say whether any wiretaps were conducted to monitor ongoing file swapping.) Investigators use the IP addresses to keep track of offenders on a "daily" basis, Waters told CNET News.com during a break at the hearing. But in about half its cases, for purposes of longer-term tracking, the software captures "unique serial numbers" from the person's computer and keeps a tally of how many allegedly illicit files that particular user is trading. Waters provided the committee with a chart that said, for example, law enforcement had "seen" one user in Pennsylvania exchanging those files 2,792 times, one New Jersey user swapping them 1,182 times, and so on. It wasn't clear whether the so-called serial number corresponded to IP address, P2P username, or something else, and Waters wouldn't elaborate. "It's unique to the computer, that's as far as I'll go," Waters added, saying he didn't want to divulge more details that suspects could use to circumvent detection. "We're able to get it when they're transferring child pornography." 
So far, investigators have recorded more than 642,000 "unique serial numbers" that can be traced to the United States and another 650,000 of them that cannot be traced to a particular country, with the number of unique serial numbers rising steadily each month since "widespread capturing" of the details began in October 2005. In addition to tracking the senders of the files, investigators use Fairplay to track the files themselves through their hash values or digital signatures. In one case, investigators found that an image of a toddler who'd been "horribly abused" was available in more than 1 million places around the world, Waters said. Lt. Robert Moses, unit commander of the Delaware State Police High Technology Crimes Unit, told the committee that the software has been instrumental in allowing law enforcement to "proactively" identify criminals who possess and distribute child pornography, helping lead to arrests and prosecutions. Grier Weeks, executive director of an anticrime nonprofit association known as the National Association to Protect Children, said the system has "revolutionized law enforcement" in the child pornography area. Biden and Sen. Jeff Sessions (R-Ala.), the committee's ranking member, said they were troubled that because of limited resources, investigators are able to take on less than 2 percent of what they called "known" cases of child-pornography trafficking via the Internet. Biden said he also isn't pleased to see that the FBI currently has only 32 agents working in its "Innocent Images" unit, which focuses on child pornography. Still, Biden said he isn't out to "exaggerate" the problem and acknowledged that some of those cases may involve "accidental" exchanges of illicit material. Biden pushed for passage of a bill known as the Combating Child Exploitation Act. 
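The account of Fairplay above contrasts two ways of recognizing a file: guessing from its name (which the article notes is unreliable) and tracking it by hash value. The following Python is an added illustration and is not code from the article or from Operation Fairplay; the reference content, the sample file names and the keyword list are all constructed here to show why exact-content hashing and name heuristics flag different things.

```python
"""Filename-keyword heuristic versus known-file hash matching.

Added illustration, not code from the article or from Operation Fairplay.
Every file, hash and keyword below is constructed for the example.
"""
import hashlib
from typing import Dict, Iterable, List, Set

# Constructed stand-in for content an analyst has already identified and
# wants to recognise again regardless of what it is renamed to.
KNOWN_CONTENT = [
    b"reference-file-one\x00" * 64,
    b"reference-file-two\x00" * 64,
]

# Constructed stand-in for a share listing: file name -> file bytes.
SAMPLE_FILES: Dict[str, bytes] = {
    "holiday_video.mpg": KNOWN_CONTENT[0],            # known content, innocuous name
    "illegal_movie_rip.mpg": b"trailer-bytes" * 100,   # suspicious name, unrelated content
    "notes.txt": b"grocery list",                      # neither
    "renamed_copy.bin": KNOWN_CONTENT[1],              # known content, renamed again
}

# Constructed keyword list for the name heuristic (the article's example
# file name contains "illegal").
SUSPICIOUS_KEYWORDS = ("illegal",)


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the file contents; the identifier a hash set stores."""
    return hashlib.sha256(data).hexdigest()


def build_known_set(contents: Iterable[bytes]) -> Set[str]:
    """Turn reference content into a set of content hashes."""
    return {sha256_hex(c) for c in contents}


def is_known(data: bytes, known: Set[str]) -> bool:
    """Exact-content match: any single changed byte yields a different hash,
    so re-encoded or trimmed copies are NOT matched by this technique."""
    return sha256_hex(data) in known


def flag_by_name(files: Dict[str, bytes],
                 keywords: Iterable[str] = SUSPICIOUS_KEYWORDS) -> List[str]:
    """Name heuristic: flag any file whose name contains a keyword."""
    return sorted(n for n in files if any(k in n.lower() for k in keywords))


def flag_by_hash(files: Dict[str, bytes], known: Set[str]) -> List[str]:
    """Hash match: flag files whose contents hash into the known set."""
    return sorted(n for n, data in files.items() if is_known(data, known))


def compare(files: Dict[str, bytes], known: Set[str]) -> Dict[str, List[str]]:
    """Partition the listing by which method flagged each file."""
    by_name = set(flag_by_name(files))
    by_hash = set(flag_by_hash(files, known))
    return {
        "name_only": sorted(by_name - by_hash),  # false positives of the heuristic
        "hash_only": sorted(by_hash - by_name),  # renamed known content
        "both": sorted(by_name & by_hash),
    }


if __name__ == "__main__":
    known_set = build_known_set(KNOWN_CONTENT)
    for bucket, names in compare(SAMPLE_FILES, known_set).items():
        print(f"{bucket:10s} {names}")
```

The hash set never sees a file name, so `holiday_video.mpg` and `renamed_copy.bin` are matched purely by content while the ominously named `illegal_movie_rip.mpg` is not; that is the distinction the article draws between searching by name and tracking by "hash values or digital signatures". The caveat is in `is_known`: an exact hash identifies one byte-for-byte encoding only, so any analyst relying on it needs a separate process for re-encoded variants.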
It would authorize more than $1 billion over the next eight years to hire 250 new federal agents devoted to Internet crimes against children, provide additional funding to regional computer forensics labs, and give out more federal grants to the regional Internet Crimes Against Children (ICAC) task forces. The House of Representatives passed a companion bill in October. "We can get our arms around it, the worst aspect of it," he said, "if we provide the resources." Sessions cautioned the law enforcement officials to be smart about obtaining search warrants in such investigations. "You can't just go peruse everybody's computer," he said. "You train the officers in what is legal and established and approved and how to get warrants when they need a warrant?" Waters said he "didn't know of any cases where (requests for warrants) had been overturned." News.com's Declan McCullagh contributed to this report

From rforno at infowarrior.org Thu Apr 17 20:20:55 2008 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 17 Apr 2008 16:20:55 -0400 Subject: [Infowarrior] - More on...Senator: Let's monitor all P2P for illegal files In-Reply-To: <20080417170910.GA885@gsp.org> Message-ID: ------ Forwarded Message From: Rich K This is a disaster-in-the-making. Estimates of how many compromised systems are out there vary (recently, Rick Wesson of Support Intelligence posited 40%, which is about 320M, and I think that's on the high side) but I think there's rough consensus that it's on the order of 100M. The new owners of those systems are quite capable of causing them to engage in P2P traffic explicitly designed to trip these proposed sensors. They're also capable of making sure that when the doors of innocent people are kicked down in pre-dawn raids by heavily armed law enforcement agents, that the evidence they're looking for will be waiting for them on the disk drives of those systems.
Do you think that any judge or jury anywhere in the United States is savvy enough about malware, botnets, etc. to understand all this and see that it creates much more than reasonable doubt? It sure didn't turn out well for Julie Amero, and that was a slam-dunk obvious case of ordinary porn adware infesting a system that was crawling with all kinds of malware.

This is also why the FBI's entrapment strategy:

FBI posts fake hyperlinks to snare child porn suspects
http://www.news.com/8301-13578_3-9899151-38.html?tag=nefd.pop

is fatally flawed: the new owners of all those hijacked systems can quite easily trip that sensor as well, in fact that one's REALLY easy: it's probably only a matter of time until some Windows virus du jour includes a hardcoded list of those and hits them.

On the other hand, it's reasonable to surmise that actual child pornographers out there are careful enough, savvy enough, and paranoid enough to avoid making obvious mistakes in file naming, to use encryption, and to take considerable pains to ensure that their systems aren't infested by malware. Which means that the most likely outcome of this project will be the arrest and conviction of any number of completely innocent people, while the actual targets are unlikely to be caught. And arrest alone is enough to destroy someone's life:

I was falsely branded a paedophile
http://news.bbc.co.uk/2/hi/uk_news/magazine/7326736.stm

This just isn't going to work, it will piss away a billion dollars, and it will put innocent people in prison.

From rforno at infowarrior.org Fri Apr 18 01:41:13 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 17 Apr 2008 21:41:13 -0400
Subject: [Infowarrior] - New domestic terror bill proposed
Message-ID:

MinMon audio: Coleman co-sponsors troubling, under-the-radar domestic terrorism bill
by: Steve Perry
Tue Apr 15, 2008 at 3:26:12 PM
http://minnesotamonitor.com/showDiary.do?diaryId=3719

Minnesota Sen.
Norm Coleman is the Senate co-sponsor of a little-noticed domestic anti-terrorism bill that could carry us several steps closer to the good old days of the House Un-American Activities Committee and Joe McCarthy. The Violent Radicalization and Homegrown Terrorism Prevention Act (S.1959) is currently in committee after passing the House last year with no media scrutiny and no real debate by a 404-6 margin. The primary sponsor of the Senate bill is fellow Republican Susan Collins of Maine.

The purpose of the measure is to create a permanent federal commission to scrutinize radicals and would-be terrorists, and to fund a series of university-based centers devoted to ferreting out and tracking the dangerous subversives among us. The latter would operate under the auspices of the Department of Homeland Security. A handful of critics from the blogosphere and the legal world have called out the measure on grounds that its vague mandate amounts to criminalizing dissent. But even in the civil liberties demi-monde, it seems to be making little impact.

One reason the bill has attracted so little attention: It's a thoroughly bipartisan push that actually originated in the Democratic party. Though the Senate version is sponsored by two Republicans, the House version that passed last year was introduced by a Democrat, Jane Harman of California, and 10 of her 14 co-sponsors were also Democrats.

I contacted Peter Erlinder, a former president of the National Lawyers Guild and a constitutional criminal law professor at William Mitchell in St. Paul who has spoken up against the bill. "If politically motivated violence is what this war [the 'war on terror'] is about," he tells Minnesota Monitor, "we can put virtually any definition to it that we choose to. Even, for example, something like a demonstration against the World Trade Organization where there might be some broken windows. Even the Republican National Convention in St.
Paul this fall would carry with it the possibility that there might be some acts that are not completely passive. Under this definition, anyone associated with those acts, even if they didn't intend the result, could conceivably find themselves being investigated by a commission like this." Currently S.1959 is before the Senate Committee on Homeland Security and Governmental Affairs. Asked about the status of the bill at a Martin Luther King Jr. Day appearance in St. Paul, Coleman reportedly told the audience that he had no plans to try to bring it to the floor in this session. Even if true, that suggests it could well be an early item of congressional business during the administration of President Clinton/McCain/Obama. More from Peter Erlinder regarding S.1959: "We've had experience with this sort of thing before," notes Erlinder. "The legislation not only sets up a study mechanism. It sets up a commission structure that would permit the Congress to organize commissions that would travel around the United States to see who, in any local area, might fit the definition. "It's similar to the hearings that the House Un-American Activities Committee had from the '30s through the '70s. 'Un-American activities' is a term that's just as broad as 'homegrown terrorism' or 'violent radicalization.' There is no there there. [HUAC] was set up in order to study Nazi infiltration in the United States. After WWII, however, its character changed as the political climate changed. It then became the committee that was used to investigate alleged communist ties that people had. And because 'un-Americanism' is something that's in the eye of the beholder, the committee would travel around the country having hearings to find out who was un-American in any particular community. 
"The problem is that legislative commissions like this have the power of contempt, so that if a person either doesn't answer questions because they don't want to expose their friends to liability, or they don't appear, they can be held in contempt of Congress and be sentenced to prison as a result. Under the HUAC period, that was about two years. So the Hollywood 10, when they refused to name names, were given two years. Under the current state of the law, however, the terrorism enhancements for criminal sentences have been used to extend contempt sentences from two years to 10 years. So people who don't appear before this commission, or don't answer questions the way the commission thinks they should, could face up to 10 years in prison for failing to cooperate."

From rforno at infowarrior.org Fri Apr 18 02:16:24 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 17 Apr 2008 22:16:24 -0400
Subject: [Infowarrior] - Oz government demands universal wiretapping
Message-ID:

Concerns raised as government demands universal wiretapping
Privacy an afterthought.
Darren Pauli 17/04/2008 09:47:07
http://www.computerworld.com.au/index.php/id;81561031;fp;;fpid;;pf;1

Sweeping reforms will make it easier than ever for law enforcement to intercept communications if amendments to the Telecommunications (Interceptions) Act are agreed upon by a Senate standing committee. The federal government is pushing a bill to force all telecommunications providers to facilitate lawful data interception across fixed and mobile telephone systems, Voice over Internet Protocol (VoIP), Instant Messaging (IM) and chat room discussions.

The standing committee is meeting today to discuss the proposed changes to the Telecommunications (Interception and Access) Amendment Bill 2008 (TIA). The amendments build on previous reforms by the then Howard government which required Internet Service Providers (ISPs) to implement wiretapping provisions in VoIP services.
Private organisations will be handed "quasi-police" powers under separate government plans announced on Monday. Attorney-General Robert McClelland said business owners will be handed powers to intercept employee e-mails without notice in a bid to prevent cyber-terrorism.

Consumer advocacy groups are outraged by the reforms and have questioned the motives of the government, labelling the move as a blatant invasion of privacy. NSW Council of Civil Liberties president, Cameron Murphy, said the changes are unnecessary and will inadvertently subject hundreds of people to privacy violations. "These laws will massively increase the number of interception points available for techniques such as wiretapping," Murphy said. "Everything from online chatting, to Skype (VoIP) and mobile phone calls will be open to interception." He believes the changes are being driven by law enforcement which is effectively offloading its work on the private industry.

The reforms also violate the privacy of other parties involved in a monitored communication channel, according to the Council, the Australian Privacy Foundation (APF) and the Electronic Frontiers Association (EFA). The organisations told Computerworld that NSW law, which allows businesses to intercept employee e-mails with consent, is a breach of the TIA and the Privacy Act. The problem arises from ambiguity in the law which does not stipulate rules for dealing with third party information, and what constitutes consent.

APF board member Roger Clarke called on the government to provide clarity and scope on the new proposals, including what the changes hope to ultimately achieve and who will be affected. "Any employer that acted on the powers of interception (under the NSW bill) is in breach of the TIA and the Privacy Act if they are accessing the information of non-employees," Clarke said.
"The attempts of the Attorney-General's Departments of successive governments to get some changes to the TIA have been torn apart by various agencies because they haven't addressed scope. "Every time ministers open their mouths on this type of policy, they keep saying something stupid." He said the scope of the changes can be interpreted to apply to all employers, to private organisations with a responsibility to national infrastructure, or to investigators of serious threats against national infrastructure. "The last thing we want is private investigators running with enormous powers if an act of terrorism occurs," Clarke said, speaking of McClelland's reference that the employers' powers are a counter-terrorism measure.

The APF has argued for years for workplace privacy protection law reform, and for interception to be solely in the hands of trained investigators under the public service framework. Murphy, Clarke and EFA chair Dale Clapperton all called for government to document what it sees as problems with the TIA.

From rforno at infowarrior.org Fri Apr 18 02:18:32 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 17 Apr 2008 22:18:32 -0400
Subject: [Infowarrior] - Google News adds quotations
Message-ID:

Google News adds quotations
Posted by Elinor Mills

Google is extracting quotations for politicians and celebrities from news sources and featuring them at the top of the Google News results page for certain searches. For instance, a search on "Barack Obama" brings up a quotation by the Democratic presidential hopeful, and clicking on his name under the quote takes you to more pages of his quotations. You can then search within just the quotations from there. "As part of Google's mission to organize the world's information, we've been hard at work making quotations in news articles easy to search and browse," the Google News blog says.
"You can now more easily keep track of what your favorite politician, actor, or sports star is saying. You can even search within their quotes for specific topics." I could find quotations for Obama, Hillary Clinton, John McCain, President Bush, and Vladimir Putin, but not for Bill Clinton or some major actors. As for sports stars, this is what Tiger Woods had to say: "I learned my lesson there with the press. I'm not going to say anything."

http://www.news.com/8301-10784_3-9921773-7.html?part=rss&subj=news&tag=2547-1_3-0-20

From rforno at infowarrior.org Fri Apr 18 02:28:55 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 17 Apr 2008 22:28:55 -0400
Subject: [Infowarrior] - Flight Chaos Shows Passengers Have Few Rights
Message-ID:

April 16, 2008
Practical Traveler
Flight Chaos Shows Passengers Have Few Rights
By MICHELLE HIGGINS
http://www.nytimes.com/2008/04/16/travel/16prac.html

American Airlines cancels more than 3,000 flights because of maintenance issues. Too bad. Skybus Airlines goes bankrupt and shuts down. Find another way to get to Ohio. You're trapped on a tarmac for 10 hours? Sit tight.

The state of air travel in the United States has perhaps never been worse, with the Federal Aviation Administration inspection crackdown causing extensive flight cancellations, rising fuel costs driving airlines out of business, and runway congestion sending waves of delays rippling throughout airports across the country. While there's no question that these are tough times for the airline industry, it is the paying passengers who are feeling the effects. Indeed, the recent spate of flight cancellations and a series of low-cost airline shutdowns have caused many travelers to face a frustrating reality: airline passengers have virtually no rights.

"In the airline industry, the passenger is left holding the bag," said Dean Headley, an associate professor of marketing at Wichita State University and co-author of a recent report critical of the airlines. Mr.
Headley speaks from personal experience. After announcing the findings of the report in Washington earlier this month, he took off on an American Airlines flight bound for Wichita via Dallas. But when the plane landed in Dallas, the passengers found out that all of American's continuing flights to Wichita had been abruptly canceled after the airline was forced to ground and reinspect its fleet of MD-80 jetliners to make sure a wiring bundle in the wheel wells was stowed properly.

After a long delay and much back-and-forth with various American booking agents, Mr. Headley was able to secure a flight out of Dallas to Tulsa, a three-hour drive from his hometown, that evening. After plunking down nearly $100 for a rental car, he was able to make it back to Wichita by about 2:30 a.m., roughly seven hours late. His bags, however, didn't arrive until two days later.

"Passengers on airlines are treated differently than other service customers," he said. "Most customers have an opportunity to be face to face with a bona fide representative or the company itself. In the airline business, passengers are left to talk to gate agents or ticket counter employees. If they ever do get their complaint to higher levels, there is such an elaborate level of forms and letters and wait and wait. It's one of the few pure customer businesses where the customer has very little connection with someone who can do something about their situation."

Passengers are entitled to a refund by law, even for a nonrefundable ticket, if they decide to cancel a trip because of a flight cancellation or significant nonweather-related change, like a delay of more than a day or a change from nonstop service to a flight with a stop. But with airplanes packed to near capacity these days, good luck finding an open seat on another flight for your family of four when chaos breaks out at the airport.
"Each airline has its own policies about what it will do for delayed passengers waiting at the airport; there are no federal requirements," according to "Fly-Rights: A Consumer Guide to Air Travel" from the Department of Transportation.

After American grounded its MD-80s last week, some of its passengers were forced to wait as many as three days for a new flight before a seat became available. American issued an apology to its customers via e-mail for the thousands of flight cancellations, noting that it was providing meals, hotels and ground transportation for dislocated customers as well as vouchers for future travel for those stranded overnight.

While it's often in such extreme circumstances that the issue of passenger rights comes up, the fact is that airline passenger protections have slowly been eroding over the years. For example, after the Sept. 11, 2001, terrorist attacks, Congress required competing airlines to charge passengers who had tickets on a failed airline only $25 for a one-way replacement ticket. (The fee was later raised to $50.) But as travelers holding tickets on suddenly defunct carriers like Aloha Airgroup, ATA Airlines and Skybus Airlines recently found out, that safeguard, along with a law that gave passengers 60 days to ride standby at $50 each way, disappeared in 2006 after Congress let the requirement expire.

The plight of passengers was acknowledged by a federal appellate court in Manhattan three weeks ago, when ruling on a passenger bill of rights that would require airlines to provide food, water and bathrooms for passengers stuck in a grounded aircraft for more than three hours, as many were last February when JetBlue Airways parked planes for up to 10 hours during an ice storm. The court struck down a New York State law, noting that, "Although the goals of the P.B.R. are laudable and the circumstances motivating its enactment deplorable, only the federal government has the authority to enact such a law."
Meanwhile, a similar bill introduced at the federal level was passed by the Senate Commerce Committee as part of the F.A.A.'s budget reauthorization in May of last year. But the bill has been languishing for nearly a year now as the Senate cannot move forward on the legislation until the Finance and Commerce committees resolve the funding issues in the reauthorization.

Ironically, some airlines are now trying to make money from passenger concerns about flight delays and cancellations. Air Canada just introduced a new travel assistance service called On My Way. For $50 or $70 round trip, depending on the length of the flight, travelers get around-the-clock access to a dedicated group of specially trained Air Canada customer service agents who promise to rebook you on the first available flight on Air Canada or any other airline.

The move highlights how the basic services offered by airlines to stranded passengers often fall short. In the regulated era, most airlines agreed to transfer a traveler of a canceled flight to another airline provided it could get the traveler to his or her destination sooner. This became known as the Rule 240 transfer. Today, each airline spells out its customer service commitments, including how it handles canceled flights, in a "contract of carriage." A few carriers will transfer a passenger of a canceled flight to another airline if they don't come up with another alternative within a specific amount of time. Others are less explicit. Delta, which labels its policy about flight delays and cancellations as Rule 240, states that it will transfer a passenger to another airline "at our sole discretion." American says it will consider doing so only if it cannot provide a seat on one of its own flights, but doesn't specify a time limit for finding passengers a seat.

"They try to couch most everything in a way that gives them an out,"
said Paul Hudson, executive director of the Aviation Consumer Action Project, a nonprofit air passenger advocacy group, which helped defend the passenger bill of rights. "And that's part of the reason we need a real bill of rights for passengers."

Perhaps the sheer customer neglect demonstrated by airlines could be forgiven if flights were on time, planes were impeccably clean, and bags were rarely lost. But the quality of overall airline service is the worst it's ever been, according to the annual Airline Quality Rating survey co-authored by Mr. Headley of Wichita State and Brent Bowen of the University of Nebraska at Omaha. The results of the latest survey, which is based on 2007 statistics from the Department of Transportation, were not shocking to anyone who has flown on a plane in the past year. More passengers were bumped off overcrowded planes, more bags were lost, fewer flights arrived on time and more travelers complained than in the previous year, the survey found. The researchers gave the industry a negative 2.16 overall quality score, the lowest in the nearly two decades they've been studying the airlines.

Carriers say they do everything possible to take care of their customers at a time when their resources are being stretched to their limits by high fuel prices and other competitive pressures. "One of our primary missions right now, in the midst of this, is to make sure our customers are confident in our handling of this event," Mark Mitchell, American's managing director of customer experience, said of the airline's recent flight cancellations. To win back customer loyalty, he added, American is offering a $500 travel voucher to customers who were inconvenienced in mid-journey with an overnight stay due to the cancellations.

After customers were trapped on grounded planes during a February 2007 storm, JetBlue created its own "customer bill of rights"
and promised to compensate passengers stuck onboard a grounded flight before it takes off for more than three hours with travel vouchers. For its part, the Department of Transportation also has formed a task force to come up with its own recommendations on how airlines should deal with planes stranded on the tarmac. It also has announced a new rule-making proposal to increase passenger rights and protections, including doubling the compensation for passengers who have reserved seats but are bumped from flights.

For now, however, passengers are mostly left to fend for themselves when the airlines let them down. The Department of Transportation is urging customers who paid by credit cards for tickets on now defunct carriers like Skybus and ATA Airlines to file a claim with their credit card company. To minimize financial losses, more travelers are considering travel insurance that typically provides reimbursement for accommodations and expenses incurred because of covered travel delays as well as around-the-clock emergency travel hotlines for finding alternative transportation, help rebooking flights or making hotel and rental car reservations. Using an experienced travel agent can often help customers bypass long lines at the airport when chaos ensues and come up with an alternative when flights are canceled.

George Hobica, founder of Airfarewatchdog.com, recommends buying a backup ticket that is fully refundable, if you can afford it. "If your discounted American flight takes off, great: just get a refund on the United fare," he recently posted on his blog. "But if American is a no go, you'll get to your event on time."
From rforno at infowarrior.org Fri Apr 18 02:32:06 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 17 Apr 2008 22:32:06 -0400
Subject: [Infowarrior] - OT: High School Cancer Story
In-Reply-To:
Message-ID:

From today's WashingtonPost -- just some food for thought about the power of true love despite the presence of horrible crises happening far too early in a person's life. A sad tale, for sure, but also perhaps encouraging for others. -rick

A Lifetime of Undying Devotion To a Life Tragically Cut Short
Crews Did Everything In Her Power to Help Boyfriend Battle Cancer
http://www.washingtonpost.com/wp-dyn/content/article/2008/04/16/AR2008041603415_pf.html

From rforno at infowarrior.org Fri Apr 18 02:33:26 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 17 Apr 2008 22:33:26 -0400
Subject: [Infowarrior] - Book: The Practice and Policy of Global Internet Filtering
Message-ID:

Access Denied: The Practice and Policy of Global Internet Filtering

Our book, Access Denied: The Practice and Policy of Global Internet Filtering, published by MIT Press, is hitting bookshelves now!
http://opennet.net/accessdenied

Book Description

Many countries around the world block or filter Internet content, denying access to information--often about politics, but also relating to sexuality, culture, or religion--that they deem too sensitive for ordinary citizens. Access Denied documents and analyzes Internet filtering practices in over three dozen countries, offering the first rigorously conducted study of this accelerating trend. Internet filtering takes place in at least forty states worldwide including many countries in Asia and the Middle East and North Africa. Related Internet content control mechanisms are also in place in Canada, the United States and a cluster of countries in Europe.
Drawing on a just-completed survey of global Internet filtering undertaken by the OpenNet Initiative (a collaboration of the Berkman Center for Internet and Society at Harvard Law School, the Citizen Lab at the University of Toronto, the Oxford Internet Institute at Oxford University, and the University of Cambridge) and relying on work by regional experts and an extensive network of researchers, Access Denied examines the political, legal, social, and cultural contexts of Internet filtering in these states from a variety of perspectives. Chapters discuss the mechanisms and politics of Internet filtering, the strengths and limitations of the technology that powers it, the relevance of international law, ethical considerations for corporations that supply states with the tools for blocking and filtering, and the implications of Internet filtering for activist communities that increasingly rely on Internet technologies for communicating their missions. Reports on Internet content regulation in forty different countries follow, with each country profile outlining the types of content blocked by category and documenting key findings.

Editors
Ron Deibert, John Palfrey, Rafal Rohozinski, Jonathan Zittrain

Contributors
Ross Anderson, Malcolm Birdling, Ronald Deibert, Robert Faris, Vesselina Haralampieva, Steven Murdoch, Helmi Noman, John Palfrey, Rafal Rohozinski, Mary Rundle, Nart Villeneuve, Stephanie Wang, and Jonathan Zittrain

From rforno at infowarrior.org Fri Apr 18 22:37:22 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 18 Apr 2008 18:37:22 -0400
Subject: [Infowarrior] - AF Cyber Command officials define unit's scope
In-Reply-To: <41220281CD4731468824C64E0C4FBAB93D4B8A@mail.crows.org>
Message-ID:

Cyber Command officials define unit's scope
http://www.af.mil/news/story.asp?id=123094897
by Karen Petitt
Air Force Cyber Command (Provisional) Public Affairs

4/17/2008 - SCOTT AIR FORCE BASE, Ill.
(AFPN) -- Ray guns and light sabers may be weapons of science fiction, but using energy as a warfighting tool is one area that members of the Air Force Cyber Command's 450th Electronic Warfare Wing will be charged with exploring.

While details of the wing's composition, mission and manning are still being developed as AFCYBER prepares to become operational by Oct. 1, it's clear that Air Force officials plan to kick it up a notch when it comes to dominance in the electromagnetic spectrum.

"We're going to stop yielding the battlefield to these people who can set off explosives with a cell phone or who can use radar, radio waves or other forms of energy to disrupt our mission or hurt our people," said Lt. Col. Tim Sands, the AFCYBER Transition Team Chief with the 53rd Electronic Warfare Group at Eglin Air Force Base, Fla.

Since Air Force officials added cyberspace as a warfighting domain and were required to redefine airpower to include the use of electronics and the electromagnetic spectrum, Colonel Sands and his team have been working to identify resources and define the scope of their mission.

"What's happened in warfare is that it used to cost a lot to disable, destroy or degrade capabilities," he said. "You can think of it as needing the missile system, the aircraft or the actual bomb being dropped to dominate the enemy. So, traditionally, our mission as electronic warfare officers has focused on radar jamming, deception, coding new frequencies and such, and mostly on airborne platforms such as the B-52 (Stratofortress), F-15 (Eagle) and B-1B (Lancer).

"Now we've been asked to look at expanding our capabilities and one of these areas is through the use of directed energy such as lasers or microwaves or high powered electromagnetic pulses, for example. It still generates an effect, but not in the traditional sense that we must actually drop a munition on our target," Colonel Sands said.
"Just what will be the scope of operations in this venue is an area that will require intense research and coordination to make sure our commanders have the tools they need both offensively and defensively." But warfare in the electromagnetic spectrum is more than the use of directed energy. There are visible and non-visible aspects of the spectrum to include infrared, ultra violet, gamma rays, X-rays and so forth, and those are divided even further into electric and magnetic fields. Determining the capabilities required to achieve a particular effect in support of an overall campaign depends on what portion of cyberspace is contested. Perhaps it would be necessary to use conventional attack methods along with electronic warfare capabilities. That's why another job for leadership is to develop the right type of warfighter for this domain. Lt. Col. Michael Pandolfo, the 53rd EWG deputy commander for operations, said what they need to do is build on the skill sets the officers and enlisted members already have. "The last thing we want to do is create a new tribe or new generation of experts who are only concerned about this one area of warfighting," Colonel Pandolfo said. "We've got to integrate these folks in and through other areas of our Air Force missions. How to do this and what will it look like is something that's being vigorously discussed. What we do know is that we've begun cyber-specific training for our aircrews so they have a better perspective of where we're at and where we're headed. But, there is still much work to do." Another electronic warfare officer of 23 years who's been leading the charge at the air staff level is Col. Bob Schwarze, the chief of EW and Cyber Requirements at the Pentagon. He said the creation of this new EW wing will consolidate what has been scattered throughout various commands in the past. 
"Now what we're doing is looking at our mission and determining the resources we need to accomplish it and do it in a way where we have a clear chain of command," Colonel Schwarze said. "That's why you'll see some intelligence capabilities, some space-related assets, and perhaps some electronic maintenance folks who work with some of our EW airborne platforms and such. Bringing us all together this way will help us manage the resources and the people more effectively, which is one reason why AFCYBER is standing up as a separate command."

During this transition period, the leadership emphasized that current electronic warfare capabilities won't be affected negatively and that their missions will proceed as normal. This is a good thing because electronic warfare has historically been shown to be critical in preventing the enemy from communicating and with providing tactical intelligence. Winston Churchill described the fighting during World War II as the "battle of the beams," and with today's expanded technology and ease with which it's acquired, it's even more important for the 450th EWW to ensure commanders have the tools needed to control and shape the battlefield.

From rforno at infowarrior.org Sat Apr 19 03:10:22 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 18 Apr 2008 23:10:22 -0400
Subject: [Infowarrior] - Microsoft plans Office subscription service
Message-ID:

Microsoft plans Office subscription service
Posted by Ina Fried
http://www.news.com/8301-13860_3-9921711-56.html?part=rss&subj=news&tag=2547-1_3-0-5

Microsoft confirmed that it is planning a subscription service that combines the consumer version of Office with its OneCare security suite. Code-named Albany, the product has a single installer that puts Office Home and Student, OneCare, as well as a host of Windows Live services, onto a user's PC. As long as users keep paying for the subscription, they are entitled to the latest versions of the products.
Once they stop paying, they lose the right to use any version. The product is aimed at consumers that want a simple way to have access to Microsoft's productivity suite and keep their computer protected, Microsoft said.

"There is a customer segment that really enjoys this always-on, always up-to-date aspect of the service," Microsoft group product manager Bryson Gordon said.

Microsoft is planning to introduce a limited beta version of Albany in the coming days, with the aim of launching the product commercially sometime later this year, Gordon said. The company still hasn't decided on how much it will charge or how the product will be sold, he said.

In talking about the product, Microsoft did not refer to Google Docs by name, but I have said a subscription product might be Microsoft's way of trying to find a more palatable way of charging for Office amid stepped-up competition from free and online rivals.

By tying the Office subscription to OneCare, Microsoft is linking the purchase to one of the few areas where consumers have shown a willingness to pay for software--security. In this way, Microsoft can make the pitch to those buying security software that, for some extra dollars, they can always have the latest version of Office as well.

Those who subscribe to Albany will also get several free Microsoft products pushed onto their desktop--including online document-sharing product Office Live Workspace, Windows Live Messenger, Windows Live Photo Gallery, and Windows Live Mail. Gordon argued that having all the products installed at one time is seen as a plus by the segment targeted by Albany, but he agreed that some users may not be interested in having so many Microsoft products foisted upon them.

Office and OneCare will continue to be offered in traditional ways, he added. Other products may be added in over time, he said, and Microsoft could also try the Albany approach for other market segments, such as small businesses.
From rforno at infowarrior.org Sat Apr 19 03:12:13 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 18 Apr 2008 23:12:13 -0400
Subject: [Infowarrior] - MPAA Decides Pullmylink.com Doesn't Have Enough Publicity
Message-ID:

MPAA accuses Pullmylink.com of aiding movie piracy
Thu Apr 17, 2008 8:37pm EDT
http://www.reuters.com/article/technologyNews/idUSN1720278020080418
By Gina Keating

LOS ANGELES (Reuters) - The Motion Picture Association of America on Thursday sued Pullmylink.com, a Web site featuring links to free -- and allegedly pirated -- movies and TV shows, claiming the site promotes and profits from copyright infringement.

The lawsuit, filed in Los Angeles federal court, is the seventh action filed by the MPAA against content aggregators in the United States since late last year and is part of a larger anti-piracy campaign that included a criminal raid on the UK headquarters of one such site, TV Links.

The campaign against sites that link to, but do not host, illegal content has raised some eyebrows with critics asking why the association doesn't go after the host sites or Internet search engines such as Google.com, which owns video sharing site YouTube.com.

"Is the message that it's less criminal to host illegal content on YouTube than it is to link to it from a site such as TV Links?" Guardian technology columnist Jack Schofield wrote in the wake of the MPAA-directed raid on TV Links in October. "In future, do I risk being thrown in the slammer for linking directly to a YouTube video?"

The MPAA, which represents Hollywood's major studios in government affairs, has obtained settlements or resolutions in the six other cases against Web aggregators of video content. It plans to continue its aggressive pursuit of new sites using "a variety of techniques" to force them to hand back profits made from advertising, anti-piracy director John Malcolm said.

The association has talked with Google and other search engines, as well as Chinese user-generated content sites that host many of the videos, to try to have traffic directed away from the infringing content and to have it taken down quicker, Malcolm said.

"We think these companies are good corporate actors (and) we engage with them in other ways," Malcolm said. "You can't equate a legitimate search vendor ... with somebody who is making a lot of money off the backs of creative artists."

The MPAA says piracy, including Web postings of camcorded and unlicensed content, cost the U.S. film industry $18.2 billion in lost profits in 2005, including $7 billion from Internet piracy.

Pullmylink.com sees 12,000 visitors a day who view more than 39,000 pages of content, including movies that are still in theaters and cable television shows. The site recently featured links to streamed copies of the feature films "Stop-Loss," "21" and "The Other Boleyn Girl", which have not yet been released to DVD, as well as the cable TV series "The Tudors," "Entourage," and "Rome" and many broadcast TV series.

It also carried advertisements by online movie rental company Netflix Inc. A Netflix spokesman said the company buys its online ads in bulk and was not aware that one had ended up on pullmylinks.com.

Malcolm said the MPAA was exploring "the whole issue of (online) ad brokers" as another avenue for choking off revenue to illegal streaming and download sites.

(Editing by Braden Reddall)

From rforno at infowarrior.org Sat Apr 19 03:25:44 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 18 Apr 2008 23:25:44 -0400
Subject: [Infowarrior] - The Future of Economy Class Seats?
Message-ID:

Giving you the Future of a Modern World, we present our latest product the 'Cozy Suite'

A first for the economy cabin, a seat design offering you a truly relaxed sleeping position. It has a contoured shoulder area specifically profiled for sleeping. The shape was derived from numerous prototype and passenger trials to minimise the step-back of the seats. You do not feel like the seats are even staggered, allowing interaction between you and other passengers, while reinforcing a high level of privacy. The Cozy Suite can be installed from 31" to 38" pitch.

< - Pics and More - >
http://www.thompsonsolutions.co.uk/ts_cozysuite.html#

From rforno at infowarrior.org Sat Apr 19 03:27:47 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 18 Apr 2008 23:27:47 -0400
Subject: [Infowarrior] - Morale at Homeland Security Still Shaky After Five Years
Message-ID:

Morale at Homeland Security Still Shaky After Five Years
By Stephen Barr
Friday, April 18, 2008; D04
http://www.washingtonpost.com/wp-dyn/content/article/2008/04/17/AR2008041703657_pf.html

Most employees at the Department of Homeland Security like their work, believe it is important and cooperate with others to get the job done. That, no doubt, is a great comfort to the department's senior leaders.

But the leadership can take no pleasure in findings that show roughly half of employees are troubled by the department's pay and promotion practices. These attitudes were captured in a new employee survey at Homeland Security, the results of which will be released to the department's workforce.

In the survey, nearly 55 percent of respondents said they did not agree that pay raises depend on job performance, 45 percent did not think promotions are based on merit, and 42 percent did not believe creativity and innovation are rewarded.

To a large degree, these workforce views have not changed from five years ago, when the department began operating. That is especially troubling to officials in the department's big law enforcement agencies, which are essential to improving the nation's border security and thwarting terrorist attacks.

For example, when asked whether "pay raises depend on how well employees do their jobs," nearly 60 percent of those surveyed at Customs and Border Protection responded with what the report labeled "negative" views. The question also drew negative responses at Immigration and Customs Enforcement (54.6 percent), the Secret Service (52.5 percent) and the Transportation Security Administration (54.9 percent).

Employees at these law enforcement agencies were slightly less negative about their chances for winning a promotion and getting recognized for their creativity. A substantial number appeared to be uncertain how they felt or had no opinion. On the pay, promotion and creativity questions, about one in four employees opted to check "neutral" as a response.

For the 2007 survey, the department received completed forms from 65,753 of 141,160 eligible employees, a response rate of 47 percent.

The survey suggested that the department may be losing ground in some areas even as it improves in others. For example, 49 percent of respondents said they were satisfied with their salaries, compared with 55 percent in 2006. Only 32 percent said they were satisfied by their level of involvement in decisions that affect their work, down seven percentage points from 2006.

But 62 percent agreed that their workload is reasonable, up from 55 percent. And 29 percent said differences in performance were recognized by their bosses "in a meaningful way," up from 22 percent in 2006.

The survey report offered no detailed analysis of what the findings mean. But it noted that employees rated twice as many survey items as problem areas than as strengths. "Not surprisingly, supervisors were more positive than nonsupervisors," the report said.

The report, prepared by a consultant, includes recommendations for follow-up action, such as using town hall meetings and focus groups to identify where improvements are needed.
"It is extremely important," the report said, that any efforts to address employee issues include rank-and-file workers.

From rforno at infowarrior.org Sat Apr 19 18:37:26 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 19 Apr 2008 14:37:26 -0400
Subject: [Infowarrior] - 8th Annual NSA Cyber Defense Exercise
Message-ID:

Department of Defense, United States of America
NSA/CSS, Ft. Meade, MD 20755-6000
https://www.nsa.gov/releases/cdx.cfm

NSA PRESS RELEASE
17 April 2008
For further information, contact: NSA Public and Media Affairs, 301-688-6524

8th Annual Cyber Defense Exercise

The National Security Agency/Central Security Service (NSA/CSS) Information Assurance Directorate will host the 8th Annual Cyber Defense Exercise (CDX), 21-24 April 2008. Joining the five service academies this year will be teams from the Air Force Institute of Technology (AFIT) and a team from the Naval Postgraduate School (NPS). Although the teams will participate in the exercise, they will not be eligible to win the coveted CDX trophy. The teams that will be competing for the trophy and bragging rights are the United States Naval Academy (USNA), United States Air Force Academy (USAFA), United States Merchant Marine Academy (USMMA), the United States Coast Guard Academy (USCGA) and last year's winner, the United States Military Academy (USMA). The teams will compete from their respective school locations; however, the activities will be monitored from the exercise headquarters located at the Lockheed Martin facility at 6625 Selnick Drive, Elkridge, Maryland 21075.

The Cyber Defense Exercise is a computer security competition designed to foster education and awareness among future military leaders about the role of information assurance (IA) in protecting the nation's critical information systems. The exercise challenges teams of students drawn from each of the service academies with designing, building, and successfully defending a real-world computer network against simulated intrusions by a team of Department of Defense experts. The entire exercise is conducted on virtual private networks, providing a safe path for the exercise while preventing interference with real-world networks.

* Journalists interested in covering the event are invited to attend CDX Media Day on Thursday, April 24, 2008, from 10:00 am to 11:00 am.
* Media representatives will be given access to interview service-member participants and the spokesperson for the NSA/CSS Information Assurance Directorate, Mr. Tony Sager.
* Cameras are not permitted on the premises, but photographs will be provided to media representatives who attend the CDX.

For more information about CDX 2008, contact the NSA/CSS Public and Media Affairs Office.

From rforno at infowarrior.org Sun Apr 20 13:34:51 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 20 Apr 2008 09:34:51 -0400
Subject: [Infowarrior] - Behind TV Analysts, Pentagon's Hidden Hand
Message-ID:

April 20, 2008
Message Machine
Behind TV Analysts, Pentagon's Hidden Hand
By DAVID BARSTOW
http://www.nytimes.com/2008/04/20/washington/20generals.html

In the summer of 2005, the Bush administration confronted a fresh wave of criticism over Guantánamo Bay. The detention center had just been branded "the gulag of our times" by Amnesty International, there were new allegations of abuse from United Nations human rights experts and calls were mounting for its closure.

The administration's communications experts responded swiftly. Early one Friday morning, they put a group of retired military officers on one of the jets normally used by Vice President Dick Cheney and flew them to Cuba for a carefully orchestrated tour of Guantánamo.

To the public, these men are members of a familiar fraternity, presented tens of thousands of times on television and radio as "military analysts" whose long service has equipped them to give authoritative and unfettered judgments about the most pressing issues of the post-Sept. 11 world.

Hidden behind that appearance of objectivity, though, is a Pentagon information apparatus that has used those analysts in a campaign to generate favorable news coverage of the administration's wartime performance, an examination by The New York Times has found.

The effort, which began with the buildup to the Iraq war and continues to this day, has sought to exploit ideological and military allegiances, and also a powerful financial dynamic: Most of the analysts have ties to military contractors vested in the very war policies they are asked to assess on air.

Those business relationships are hardly ever disclosed to the viewers, and sometimes not even to the networks themselves. But collectively, the men on the plane and several dozen other military analysts represent more than 150 military contractors either as lobbyists, senior executives, board members or consultants. The companies include defense heavyweights, but also scores of smaller companies, all part of a vast assemblage of contractors scrambling for hundreds of billions in military business generated by the administration's war on terror. It is a furious competition, one in which inside information and easy access to senior officials are highly prized.

Records and interviews show how the Bush administration has used its control over access and information in an effort to transform the analysts into a kind of media Trojan horse -- an instrument intended to shape terrorism coverage from inside the major TV and radio networks.

Analysts have been wooed in hundreds of private briefings with senior military leaders, including officials with significant influence over contracting and budget matters, records show. They have been taken on tours of Iraq and given access to classified intelligence. They have been briefed by officials from the White House, State Department and Justice Department, including Mr. Cheney, Alberto R. Gonzales and Stephen J. Hadley.

In turn, members of this group have echoed administration talking points, sometimes even when they suspected the information was false or inflated. Some analysts acknowledge they suppressed doubts because they feared jeopardizing their access.

A few expressed regret for participating in what they regarded as an effort to dupe the American public with propaganda dressed as independent military analysis.

"It was them saying, 'We need to stick our hands up your back and move your mouth for you,'" Robert S. Bevelacqua, a retired Green Beret and former Fox News analyst, said.

Kenneth Allard, a former NBC military analyst who has taught information warfare at the National Defense University, said the campaign amounted to a sophisticated information operation. "This was a coherent, active policy," he said.

As conditions in Iraq deteriorated, Mr. Allard recalled, he saw a yawning gap between what analysts were told in private briefings and what subsequent inquiries and books later revealed.

"Night and day," Mr. Allard said, "I felt we'd been hosed."

The Pentagon defended its relationship with military analysts, saying they had been given only factual information about the war. "The intent and purpose of this is nothing other than an earnest attempt to inform the American people," Bryan Whitman, a Pentagon spokesman, said.

It was, Mr. Whitman added, "a bit incredible" to think retired military officers could be "wound up" and turned into "puppets of the Defense Department."

Many analysts strongly denied that they had either been co-opted or had allowed outside business interests to affect their on-air comments, and some have used their platforms to criticize the conduct of the war. Several, like Jeffrey D.
McCausland, a CBS military analyst and defense industry lobbyist, said they kept their networks informed of their outside work and recused themselves from coverage that touched on business interests. "I'm not here representing the administration," Dr. McCausland said.

Some network officials, meanwhile, acknowledged only a limited understanding of their analysts' interactions with the administration. They said that while they were sensitive to potential conflicts of interest, they did not hold their analysts to the same ethical standards as their news employees regarding outside financial interests. The onus is on their analysts to disclose conflicts, they said. And whatever the contributions of military analysts, they also noted the many network journalists who have covered the war for years in all its complexity.

Five years into the Iraq war, most details of the architecture and execution of the Pentagon's campaign have never been disclosed. But The Times successfully sued the Defense Department to gain access to 8,000 pages of e-mail messages, transcripts and records describing years of private briefings, trips to Iraq and Guantánamo and an extensive Pentagon talking points operation.

These records reveal a symbiotic relationship where the usual dividing lines between government and journalism have been obliterated.

Internal Pentagon documents repeatedly refer to the military analysts as "message force multipliers" or "surrogates" who could be counted on to deliver administration "themes and messages" to millions of Americans "in the form of their own opinions."

Though many analysts are paid network consultants, making $500 to $1,000 per appearance, in Pentagon meetings they sometimes spoke as if they were operating behind enemy lines, interviews and transcripts show. Some offered the Pentagon tips on how to outmaneuver the networks, or as one analyst put it to Donald H. Rumsfeld, then the defense secretary, "the Chris Matthewses and the Wolf Blitzers of the world." Some warned of planned stories or sent the Pentagon copies of their correspondence with network news executives. Many -- although certainly not all -- faithfully echoed talking points intended to counter critics.

"Good work," Thomas G. McInerney, a retired Air Force general, consultant and Fox News analyst, wrote to the Pentagon after receiving fresh talking points in late 2006. "We will use it."

Again and again, records show, the administration has enlisted analysts as a rapid reaction force to rebut what it viewed as critical news coverage, some of it by the networks' own Pentagon correspondents. For example, when news articles revealed that troops in Iraq were dying because of inadequate body armor, a senior Pentagon official wrote to his colleagues: "I think our analysts -- properly armed -- can push back in that arena."

The documents released by the Pentagon do not show any quid pro quo between commentary and contracts. But some analysts said they had used the special access as a marketing and networking opportunity or as a window into future business possibilities.

John C. Garrett is a retired Army colonel and unpaid analyst for Fox News TV and radio. He is also a lobbyist at Patton Boggs who helps firms win Pentagon contracts, including in Iraq. In promotional materials, he states that as a military analyst he "is privy to weekly access and briefings with the secretary of defense, chairman of the Joint Chiefs of Staff and other high level policy makers in the administration." One client told investors that Mr. Garrett's special access and decades of experience helped him "to know in advance -- and in detail -- how best to meet the needs" of the Defense Department and other agencies.

In interviews Mr. Garrett said there was an inevitable overlap between his dual roles. He said he had gotten "information you just otherwise would not get," from the briefings and three Pentagon-sponsored trips to Iraq. He also acknowledged using this access and information to identify opportunities for clients. "You can't help but look for that," he said, adding, "If you know a capability that would fill a niche or need, you try to fill it. That's good for everybody."

At the same time, in e-mail messages to the Pentagon, Mr. Garrett displayed an eagerness to be supportive with his television and radio commentary. "Please let me know if you have any specific points you want covered or that you would prefer to downplay," he wrote in January 2007, before President Bush went on TV to describe the surge strategy in Iraq.

Conversely, the administration has demonstrated that there is a price for sustained criticism, many analysts said. "You'll lose all access," Dr. McCausland said.

With a majority of Americans calling the war a mistake despite all administration attempts to sway public opinion, the Pentagon has focused in the last couple of years on cultivating in particular military analysts frequently seen and heard in conservative news outlets, records and interviews show.

Some of these analysts were on the mission to Cuba on June 24, 2005 -- the first of six such Guantánamo trips -- which was designed to mobilize analysts against the growing perception of Guantánamo as an international symbol of inhumane treatment. On the flight to Cuba, for much of the day at Guantánamo and on the flight home that night, Pentagon officials briefed the 10 or so analysts on their key messages -- how much had been spent improving the facility, the abuse endured by guards, the extensive rights afforded detainees.

The results came quickly. The analysts went on TV and radio, decrying Amnesty International, criticizing calls to close the facility and asserting that all detainees were treated humanely.

"The impressions that you're getting from the media and from the various pronouncements being made by people who have not been here in my opinion are totally false," Donald W. Shepperd, a retired Air Force general, reported live on CNN by phone from Guantánamo that same afternoon.

The next morning, Montgomery Meigs, a retired Army general and NBC analyst, appeared on "Today." "There's been over $100 million of new construction," he reported. "The place is very professionally run."

Within days, transcripts of the analysts' appearances were circulated to senior White House and Pentagon officials, cited as evidence of progress in the battle for hearts and minds at home.

Charting the Campaign

By early 2002, detailed planning for a possible Iraq invasion was under way, yet an obstacle loomed. Many Americans, polls showed, were uneasy about invading a country with no clear connection to the Sept. 11 attacks. Pentagon and White House officials believed the military analysts could play a crucial role in helping overcome this resistance.

Torie Clarke, the former public relations executive who oversaw the Pentagon's dealings with the analysts as assistant secretary of defense for public affairs, had come to her job with distinct ideas about achieving what she called "information dominance." In a spin-saturated news culture, she argued, opinion is swayed most by voices perceived as authoritative and utterly independent.

And so even before Sept. 11, she built a system within the Pentagon to recruit "key influentials" -- movers and shakers from all walks who with the proper ministrations might be counted on to generate support for Mr. Rumsfeld's priorities.

In the months after Sept. 11, as every network rushed to retain its own all-star squad of retired military officers, Ms. Clarke and her staff sensed a new opportunity. To Ms. Clarke's team, the military analysts were the ultimate "key influential" --
authoritative, most of them decorated war heroes, all reaching mass audiences.

The analysts, they noticed, often got more airtime than network reporters, and they were not merely explaining the capabilities of Apache helicopters. They were framing how viewers ought to interpret events. What is more, while the analysts were in the news media, they were not of the news media. They were military men, many of them ideologically in sync with the administration's neoconservative brain trust, many of them important players in a military industry anticipating large budget increases to pay for an Iraq war.

Even analysts with no defense industry ties, and no fondness for the administration, were reluctant to be critical of military leaders, many of whom were friends. "It is very hard for me to criticize the United States Army," said William L. Nash, a retired Army general and ABC analyst. "It is my life."

Other administrations had made sporadic, small-scale attempts to build relationships with the occasional military analyst. But these were trifling compared with what Ms. Clarke's team had in mind. Don Meyer, an aide to Ms. Clarke, said a strategic decision was made in 2002 to make the analysts the main focus of the public relations push to construct a case for war. Journalists were secondary. "We didn't want to rely on them to be our primary vehicle to get information out," Mr. Meyer said.

The Pentagon's regular press office would be kept separate from the military analysts. The analysts would instead be catered to by a small group of political appointees, with the point person being Brent T. Krueger, another senior aide to Ms. Clarke.

The decision recalled other administration tactics that subverted traditional journalism. Federal agencies, for example, have paid columnists to write favorably about the administration. They have distributed to local TV stations hundreds of fake news segments with fawning accounts of administration accomplishments. The Pentagon itself has made covert payments to Iraqi newspapers to publish coalition propaganda.

Rather than complain about the "media filter," each of these techniques simply converted the filter into an amplifier. This time, Mr. Krueger said, the military analysts would in effect be "writing the op-ed" for the war.

Assembling the Team

From the start, interviews show, the White House took a keen interest in which analysts had been identified by the Pentagon, requesting lists of potential recruits, and suggesting names. Ms. Clarke's team wrote summaries describing their backgrounds, business affiliations and where they stood on the war.

"Rumsfeld ultimately cleared off on all invitees," said Mr. Krueger, who left the Pentagon in 2004. (Through a spokesman, Mr. Rumsfeld declined to comment for this article.)

Over time, the Pentagon recruited more than 75 retired officers, although some participated only briefly or sporadically. The largest contingent was affiliated with Fox News, followed by NBC and CNN, the other networks with 24-hour cable outlets. But analysts from CBS and ABC were included, too. Some recruits, though not on any network payroll, were influential in other ways -- either because they were sought out by radio hosts, or because they often published op-ed articles or were quoted in magazines, Web sites and newspapers. At least nine of them have written op-ed articles for The Times.

The group was heavily represented by men involved in the business of helping companies win military contracts. Several held senior positions with contractors that gave them direct responsibility for winning new Pentagon business. James Marks, a retired Army general and analyst for CNN from 2004 to 2007, pursued military and intelligence contracts as a senior executive with McNeil Technologies. Still others held board positions with military firms that gave them responsibility for government business. General McInerney, the Fox analyst, for example, sits on the boards of several military contractors, including Nortel Government Solutions, a supplier of communication networks.

Several were defense industry lobbyists, such as Dr. McCausland, who works at Buchanan Ingersoll & Rooney, a major lobbying firm where he is director of a national security team that represents several military contractors. "We offer clients access to key decision makers," Dr. McCausland's team promised on the firm's Web site.

Dr. McCausland was not the only analyst making this pledge. Another was Joseph W. Ralston, a retired Air Force general. Soon after signing on with CBS, General Ralston was named vice chairman of the Cohen Group, a consulting firm headed by a former defense secretary, William Cohen, himself now a "world affairs" analyst for CNN.

"The Cohen Group knows that getting to 'yes' in the aerospace and defense market -- whether in the United States or abroad -- requires that companies have a thorough, up-to-date understanding of the thinking of government decision makers," the company tells prospective clients on its Web site.

There were also ideological ties.

Two of NBC's most prominent analysts, Barry R. McCaffrey and the late Wayne A. Downing, were on the advisory board of the Committee for the Liberation of Iraq, an advocacy group created with White House encouragement in 2002 to help make the case for ousting Saddam Hussein. Both men also had their own consulting firms and sat on the boards of major military contractors.

Many also shared with Mr. Bush's national security team a belief that pessimistic war coverage broke the nation's will to win in Vietnam, and there was a mutual resolve not to let that happen with this war.

This was a major theme, for example, with Paul E. Vallely, a Fox News analyst from 2001 to 2007. A retired Army general who had specialized in psychological warfare, Mr. Vallely co-authored a paper in 1980 that accused American news organizations of failing to defend the nation from "enemy" propaganda during Vietnam.

"We lost the war -- not because we were outfought, but because we were out Psyoped," he wrote. He urged a radically new approach to psychological operations in future wars -- taking aim at not just foreign adversaries but domestic audiences, too. He called his approach "MindWar" -- using network TV and radio to "strengthen our national will to victory."

The Selling of the War

From their earliest sessions with the military analysts, Mr. Rumsfeld and his aides spoke as if they were all part of the same team.

In interviews, participants described a powerfully seductive environment -- the uniformed escorts to Mr. Rumsfeld's private conference room, the best government china laid out, the embossed name cards, the blizzard of PowerPoints, the solicitations of advice and counsel, the appeals to duty and country, the warm thank you notes from the secretary himself.

"Oh, you have no idea," Mr. Allard said, describing the effect. "You're back. They listen to you. They listen to what you say on TV." It was, he said, "psyops on steroids" -- a nuanced exercise in influence through flattery and proximity. "It's not like it's, 'We'll pay you $500 to get our story out,'" he said. "It's more subtle."

The access came with a condition. Participants were instructed not to quote their briefers directly or otherwise describe their contacts with the Pentagon.

In the fall and winter leading up to the invasion, the Pentagon armed its analysts with talking points portraying Iraq as an urgent threat. The basic case became a familiar mantra: Iraq possessed chemical and biological weapons, was developing nuclear weapons, and might one day slip some to Al Qaeda; an invasion would be a relatively quick and inexpensive "war of liberation."

At the Pentagon, members of Ms. Clarke's staff marveled at the way the analysts seamlessly incorporated material from talking points and briefings as if it was their own.

"You could see that they were messaging," Mr. Krueger said. "You could see they were taking verbatim what the secretary was saying or what the technical specialists were saying. And they were saying it over and over and over." Some days, he added, "We were able to click on every single station and every one of our folks were up there delivering our message. You'd look at them and say, 'This is working.'"

On April 12, 2003, with major combat almost over, Mr. Rumsfeld drafted a memorandum to Ms. Clarke. "Let's think about having some of the folks who did such a good job as talking heads in after this thing is over," he wrote.

By summer, though, the first signs of the insurgency had emerged. Reports from journalists based in Baghdad were increasingly suffused with the imagery of mayhem.

The Pentagon did not have to search far for a counterweight.

It was time, an internal Pentagon strategy memorandum urged, to "re-energize surrogates and message-force multipliers," starting with the military analysts.

The memorandum led to a proposal to take analysts on a tour of Iraq in September 2003, timed to help overcome the sticker shock from Mr. Bush's request for $87 billion in emergency war financing.

The group included four analysts from Fox News, one each from CNN and ABC, and several research-group luminaries whose opinion articles appear regularly in the nation's op-ed pages.

The trip invitation promised a look at "the real situation on the ground in Iraq."

The situation, as described in scores of books, was deteriorating. L. Paul Bremer III, then the American viceroy in Iraq, wrote in his memoir, "My Year in Iraq," that he had privately warned the White House that the United States had "about half the number of soldiers we needed here."

"We're up against a growing and sophisticated threat," Mr. Bremer recalled telling the president during a private White House dinner.

That dinner took place on Sept. 24, while the analysts were touring Iraq.

Yet these harsh realities were elided, or flatly contradicted, during the official presentations for the analysts, records show. The itinerary, scripted to the minute, featured brief visits to a model school, a few refurbished government buildings, a center for women's rights, a mass grave and even the gardens of Babylon.

Mostly the analysts attended briefings. These sessions, records show, spooled out an alternative narrative, depicting an Iraq bursting with political and economic energy, its security forces blossoming. On the crucial question of troop levels, the briefings echoed the White House line: No reinforcements were needed. The "growing and sophisticated threat" described by Mr. Bremer was instead depicted as degraded, isolated and on the run.

"We're winning," a briefing document proclaimed.

One trip participant, General Nash of ABC, said some briefings were so clearly "artificial" that he joked to another group member that they were on "the George Romney memorial trip to Iraq," a reference to Mr. Romney's infamous claim that American officials had "brainwashed" him into supporting the Vietnam War during a tour there in 1965, while he was governor of Michigan.

But if the trip pounded the message of progress, it also represented a business opportunity: direct access to the most senior civilian and military leaders in Iraq and Kuwait, including many with a say in how the president's $87 billion would be spent. It also was a chance to gather inside information about the most pressing needs confronting the American mission: the acute shortages of "up-armored" Humvees; the billions to be spent building military bases; the urgent need for interpreters; and the ambitious plans to train Iraq's security forces.

Information and access of this nature had undeniable value for trip participants like William V.
Cowan and Carlton A. Sherwood. Mr. Cowan, a Fox analyst and retired Marine colonel, was the chief executive of a new military firm, the wvc3 Group. Mr. Sherwood was its executive vice president. At the time, the company was seeking contracts worth tens of millions to supply body armor and counterintelligence services in Iraq. In addition, wvc3 Group had a written agreement to use its influence and connections to help tribal leaders in Al Anbar Province win reconstruction contracts from the coalition. ?Those sheiks wanted access to the C.P.A.,? Mr. Cowan recalled in an interview, referring to the Coalition Provisional Authority. Mr. Cowan said he pleaded their cause during the trip. ?I tried to push hard with some of Bremer?s people to engage these people of Al Anbar,? he said. Back in Washington, Pentagon officials kept a nervous eye on how the trip translated on the airwaves. Uncomfortable facts had bubbled up during the trip. One briefer, for example, mentioned that the Army was resorting to packing inadequately armored Humvees with sandbags and Kevlar blankets. Descriptions of the Iraqi security forces were withering. ?They can?t shoot, but then again, they don?t,? one officer told them, according to one participant?s notes. ?I saw immediately in 2003 that things were going south,? General Vallely, one of the Fox analysts on the trip, recalled in an interview with The Times. The Pentagon, though, need not have worried. ?You can?t believe the progress,? General Vallely told Alan Colmes of Fox News upon his return. He predicted the insurgency would be ?down to a few numbers? within months. ?We could not be more excited, more pleased,? Mr. Cowan told Greta Van Susteren of Fox News. There was barely a word about armor shortages or corrupt Iraqi security forces. And on the key strategic question of the moment ? whether to send more troops ? the analysts were unanimous. ?I am so much against adding more troops,? General Shepperd said on CNN. 
Access and Influence Inside the Pentagon and at the White House, the trip was viewed as a masterpiece in the management of perceptions, not least because it gave fuel to complaints that ?mainstream? journalists were ignoring the good news in Iraq. ?We?re hitting a home run on this trip,? a senior Pentagon official wrote in an e-mail message to Richard B. Myers and Peter Pace, then chairman and vice chairman of the Joint Chiefs of Staff. Its success only intensified the Pentagon?s campaign. The pace of briefings accelerated. More trips were organized. Eventually the effort involved officials from Washington to Baghdad to Kabul to Guant?namo and back to Tampa, Fla., the headquarters of United States Central Command. The scale reflected strong support from the top. When officials in Iraq were slow to organize another trip for analysts, a Pentagon official fired off an e-mail message warning that the trips ?have the highest levels of visibility? at the White House and urging them to get moving before Lawrence Di Rita, one of Mr. Rumsfeld?s closest aides, ?picks up the phone and starts calling the 4-stars.? Mr. Di Rita, no longer at the Defense Department, said in an interview that a ?conscious decision? was made to rely on the military analysts to counteract ?the increasingly negative view of the war? coming from journalists in Iraq. The analysts, he said, generally had ?a more supportive view? of the administration and the war, and the combination of their TV platforms and military cachet made them ideal for rebutting critical coverage of issues like troop morale, treatment of detainees, inadequate equipment or poorly trained Iraqi security forces. ?On those issues, they were more likely to be seen as credible spokesmen,? he said. For analysts with military industry ties, the attention brought access to a widening circle of influential officials beyond the contacts they had accumulated over the course of their careers. Charles T. 
Nash, a Fox military analyst and retired Navy captain, is a consultant who helps small companies break into the military market. Suddenly, he had entree to a host of senior military leaders, many of whom he had never met. It was, he said, like being embedded with the Pentagon leadership. ?You start to recognize what?s most important to them,? he said, adding, ?There?s nothing like seeing stuff firsthand.? Some Pentagon officials said they were well aware that some analysts viewed their special access as a business advantage. ?Of course we realized that,? Mr. Krueger said. ?We weren?t na?ve about that.? They also understood the financial relationship between the networks and their analysts. Many analysts were being paid by the ?hit,? the number of times they appeared on TV. The more an analyst could boast of fresh inside information from high-level Pentagon ?sources,? the more hits he could expect. The more hits, the greater his potential influence in the military marketplace, where several analysts prominently advertised their network roles. ?They have taken lobbying and the search for contracts to a far higher level,? Mr. Krueger said. ?This has been highly honed.? Mr. Di Rita, though, said it never occurred to him that analysts might use their access to curry favor. Nor, he said, did the Pentagon try to exploit this dynamic. ?That?s not something that ever crossed my mind,? he said. In any event, he argued, the analysts and the networks were the ones responsible for any ethical complications. ?We assume they know where the lines are,? he said. The analysts met personally with Mr. Rumsfeld at least 18 times, records show, but that was just the beginning. They had dozens more sessions with the most senior members of his brain trust and access to officials responsible for managing the billions being spent in Iraq. Other groups of ?key influentials? had meetings, but not nearly as often as the analysts. An internal memorandum in 2005 helped explain why. 
The memorandum, written by a Pentagon official who had accompanied analysts to Iraq, said that based on her observations during the trip, the analysts ?are having a greater impact? on network coverage of the military. ?They have now become the go-to guys not only on breaking stories, but they influence the views on issues,? she wrote. Other branches of the administration also began to make use of the analysts. Mr. Gonzales, then the attorney general, met with them soon after news leaked that the government was wiretapping terrorism suspects in the United States without warrants, Pentagon records show. When David H. Petraeus was appointed the commanding general in Iraq in January 2007, one of his early acts was to meet with the analysts. ?We knew we had extraordinary access,? said Timur J. Eads, a retired Army lieutenant colonel and Fox analyst who is vice president of government relations for Blackbird Technologies, a fast-growing military contractor. Like several other analysts, Mr. Eads said he had at times held his tongue on television for fear that ?some four-star could call up and say, ?Kill that contract.? ? For example, he believed Pentagon officials misled the analysts about the progress of Iraq?s security forces. ?I know a snow job when I see one,? he said. He did not share this on TV. ?Human nature,? he explained, though he noted other instances when he was critical. Some analysts said that even before the war started, they privately had questions about the justification for the invasion, but were careful not to express them on air. Mr. Bevelacqua, then a Fox analyst, was among those invited to a briefing in early 2003 about Iraq?s purported stockpiles of illicit weapons. He recalled asking the briefer whether the United States had ?smoking gun? proof. ? ?We don?t have any hard evidence,? ? Mr. Bevelacqua recalled the briefer replying. He said he and other analysts were alarmed by this concession. ?We are looking at ourselves saying, ?What are we doing?? 
? Another analyst, Robert L. Maginnis, a retired Army lieutenant colonel who works in the Pentagon for a military contractor, attended the same briefing and recalled feeling ?very disappointed? after being shown satellite photographs purporting to show bunkers associated with a hidden weapons program. Mr. Maginnis said he concluded that the analysts were being ?manipulated? to convey a false sense of certainty about the evidence of the weapons. Yet he and Mr. Bevelacqua and the other analysts who attended the briefing did not share any misgivings with the American public. Mr. Bevelacqua and another Fox analyst, Mr. Cowan, had formed the wvc3 Group, and hoped to win military and national security contracts. ?There?s no way I was going to go down that road and get completely torn apart,? Mr. Bevelacqua said. ?You?re talking about fighting a huge machine.? Some e-mail messages between the Pentagon and the analysts reveal an implicit trade of privileged access for favorable coverage. Robert H. Scales Jr., a retired Army general and analyst for Fox News and National Public Radio whose consulting company advises several military firms on weapons and tactics used in Iraq, wanted the Pentagon to approve high-level briefings for him inside Iraq in 2006. ?Recall the stuff I did after my last visit,? he wrote. ?I will do the same this time.? Pentagon Keeps Tabs As it happened, the analysts? news media appearances were being closely monitored. The Pentagon paid a private contractor, Omnitec Solutions, hundreds of thousands of dollars to scour databases for any trace of the analysts, be it a segment on ?The O?Reilly Factor? or an interview with The Daily Inter Lake in Montana, circulation 20,000. Omnitec evaluated their appearances using the same tools as corporate branding experts. One report, assessing the impact of several trips to Iraq in 2005, offered example after example of analysts echoing Pentagon themes on all the networks. 
?Commentary from all three Iraq trips was extremely positive over all,? the report concluded. In interviews, several analysts reacted with dismay when told they were described as reliable ?surrogates? in Pentagon documents. And some asserted that their Pentagon sessions were, as David L. Grange, a retired Army general and CNN analyst put it, ?just upfront information,? while others pointed out, accurately, that they did not always agree with the administration or each other. ?None of us drink the Kool-Aid,? General Scales said. Likewise, several also denied using their special access for business gain. ?Not related at all,? General Shepperd said, pointing out that many in the Pentagon held CNN ?in the lowest esteem.? Still, even the mildest of criticism could draw a challenge. Several analysts told of fielding telephone calls from displeased defense officials only minutes after being on the air. On Aug. 3, 2005, 14 marines died in Iraq. That day, Mr. Cowan, who said he had grown increasingly uncomfortable with the ?twisted version of reality? being pushed on analysts in briefings, called the Pentagon to give ?a heads-up? that some of his comments on Fox ?may not all be friendly,? Pentagon records show. Mr. Rumsfeld?s senior aides quickly arranged a private briefing for him, yet when he told Bill O?Reilly that the United States was ?not on a good glide path right now? in Iraq, the repercussions were swift. Mr. Cowan said he was ?precipitously fired from the analysts group? for this appearance. The Pentagon, he wrote in an e-mail message, ?simply didn?t like the fact that I wasn?t carrying their water.? The next day James T. Conway, then director of operations for the Joint Chiefs, presided over another conference call with analysts. He urged them, a transcript shows, not to let the marines? deaths further erode support for the war. ?The strategic target remains our population,? General Conway said. 
?We can lose people day in and day out, but they?re never going to beat our military. What they can and will do if they can is strip away our support. And you guys can help us not let that happen.? ?General, I just made that point on the air,? an analyst replied. ?Let?s work it together, guys,? General Conway urged. The Generals? Revolt The full dimensions of this mutual embrace were perhaps never clearer than in April 2006, after several of Mr. Rumsfeld?s former generals ? none of them network military analysts ? went public with devastating critiques of his wartime performance. Some called for his resignation. On Friday, April 14, with what came to be called the ?Generals? Revolt? dominating headlines, Mr. Rumsfeld instructed aides to summon military analysts to a meeting with him early the next week, records show. When an aide urged a short delay to ?give our big guys on the West Coast a little more time to buy a ticket and get here,? Mr. Rumsfeld?s office insisted that ?the boss? wanted the meeting fast ?for impact on the current story.? That same day, Pentagon officials helped two Fox analysts, General McInerney and General Vallely, write an opinion article for The Wall Street Journal defending Mr. Rumsfeld. ?Starting to write it now,? General Vallely wrote to the Pentagon that afternoon. ?Any input for the article,? he added a little later, ?will be much appreciated.? Mr. Rumsfeld?s office quickly forwarded talking points and statistics to rebut the notion of a spreading revolt. ?Vallely is going to use the numbers,? a Pentagon official reported that afternoon. The standard secrecy notwithstanding, plans for this session leaked, producing a front-page story in The Times that Sunday. In damage-control mode, Pentagon officials scrambled to present the meeting as routine and directed that communications with analysts be kept ?very formal,? records show. ?This is very, very sensitive now,? a Pentagon official warned subordinates. 
On Tuesday, April 18, some 17 analysts assembled at the Pentagon with Mr. Rumsfeld and General Pace, then the chairman of the Joint Chiefs. A transcript of that session, never before disclosed, shows a shared determination to marginalize war critics and revive public support for the war. ?I?m an old intel guy,? said one analyst. (The transcript omits speakers? names.) ?And I can sum all of this up, unfortunately, with one word. That is Psyops. Now most people may hear that and they think, ?Oh my God, they?re trying to brainwash.? ? ?What are you, some kind of a nut?? Mr. Rumsfeld cut in, drawing laughter. ?You don?t believe in the Constitution?? There was little discussion about the actual criticism pouring forth from Mr. Rumsfeld?s former generals. Analysts argued that opposition to the war was rooted in perceptions fed by the news media, not reality. The administration?s overall war strategy, they counseled, was ?brilliant? and ?very successful.? ?Frankly,? one participant said, ?from a military point of view, the penalty, 2,400 brave Americans whom we lost, 3,000 in an hour and 15 minutes, is relative.? An analyst said at another point: ?This is a wider war. And whether we have democracy in Iraq or not, it doesn?t mean a tinker?s damn if we end up with the result we want, which is a regime over there that?s not a threat to us.? ?Yeah,? Mr. Rumsfeld said, taking notes. But winning or not, they bluntly warned, the administration was in grave political danger so long as most Americans viewed Iraq as a lost cause. ?America hates a loser,? one analyst said. Much of the session was devoted to ways that Mr. Rumsfeld could reverse the ?political tide.? One analyst urged Mr. Rumsfeld to ?just crush these people,? and assured him that ?most of the gentlemen at the table? would enthusiastically support him if he did. ?You are the leader,? the analyst told Mr. Rumsfeld. ?You are our guy.? 
At another point, an analyst made a suggestion: ?In one of your speeches you ought to say, ?Everybody stop for a minute and imagine an Iraq ruled by Zarqawi.? And then you just go down the list and say, ?All right, we?ve got oil, money, sovereignty, access to the geographic center of gravity of the Middle East, blah, blah, blah.? If you can just paint a mental picture for Joe America to say, ?Oh my God, I can?t imagine a world like that.? ? Even as they assured Mr. Rumsfeld that they stood ready to help in this public relations offensive, the analysts sought guidance on what they should cite as the next ?milestone? that would, as one analyst put it, ?keep the American people focused on the idea that we?re moving forward to a positive end.? They placed particular emphasis on the growing confrontation with Iran. ?When you said ?long war,? you changed the psyche of the American people to expect this to be a generational event,? an analyst said. ?And again, I?m not trying to tell you how to do your job...? ?Get in line,? Mr. Rumsfeld interjected. The meeting ended and Mr. Rumsfeld, appearing pleased and relaxed, took the entire group into a small study and showed off treasured keepsakes from his life, several analysts recalled. Soon after, analysts hit the airwaves. The Omnitec monitoring reports, circulated to more than 80 officials, confirmed that analysts repeated many of the Pentagon?s talking points: that Mr. Rumsfeld consulted ?frequently and sufficiently? with his generals; that he was not ?overly concerned? with the criticisms; that the meeting focused ?on more important topics at hand,? including the next milestone in Iraq, the formation of a new government. Days later, Mr. Rumsfeld wrote a memorandum distilling their collective guidance into bullet points. Two were underlined: ?Focus on the Global War on Terror ? not simply Iraq. The wider war ? the long war.? ?Link Iraq to Iran. Iran is the concern. If we fail in Iraq or Afghanistan, it will help Iran.? 
But if Mr. Rumsfeld found the session instructive, at least one participant, General Nash, the ABC analyst, was repulsed. ?I walked away from that session having total disrespect for my fellow commentators, with perhaps one or two exceptions,? he said. View From the Networks Two weeks ago General Petraeus took time out from testifying before Congress about Iraq for a conference call with military analysts. Mr. Garrett, the Fox analyst and Patton Boggs lobbyist, said he told General Petraeus during the call to ?keep up the great work.? ?Hey,? Mr. Garrett said in an interview, ?anything we can do to help.? For the moment, though, because of heavy election coverage and general war fatigue, military analysts are not getting nearly as much TV time, and the networks have trimmed their rosters of analysts. The conference call with General Petraeus, for example, produced little in the way of immediate coverage. Still, almost weekly the Pentagon continues to conduct briefings with selected military analysts. Many analysts said network officials were only dimly aware of these interactions. The networks, they said, have little grasp of how often they meet with senior officials, or what is discussed. ?I don?t think NBC was even aware we were participating,? said Rick Francona, a longtime military analyst for the network. Some networks publish biographies on their Web sites that describe their analysts? military backgrounds and, in some cases, give at least limited information about their business ties. But many analysts also said the networks asked few questions about their outside business interests, the nature of their work or the potential for that work to create conflicts of interest. ?None of that ever happened,? said Mr. Allard, an NBC analyst until 2006. ?The worst conflict of interest was no interest.? Mr. 
Allard and other analysts said their network handlers also raised no objections when the Defense Department began paying their commercial airfare for Pentagon-sponsored trips to Iraq ? a clear ethical violation for most news organizations. CBS News declined to comment on what it knew about its military analysts? business affiliations or what steps it took to guard against potential conflicts. NBC News also declined to discuss its procedures for hiring and monitoring military analysts. The network issued a short statement: ?We have clear policies in place to assure that the people who appear on our air have been appropriately vetted and that nothing in their profile would lead to even a perception of a conflict of interest.? Jeffrey W. Schneider, a spokesman for ABC, said that while the network?s military consultants were not held to the same ethical rules as its full-time journalists, they were expected to keep the network informed about any outside business entanglements. ?We make it clear to them we expect them to keep us closely apprised,? he said. A spokeswoman for Fox News said executives ?refused to participate? in this article. CNN requires its military analysts to disclose in writing all outside sources of income. But like the other networks, it does not provide its military analysts with the kind of written, specific ethical guidelines it gives its full-time employees for avoiding real or apparent conflicts of interest. Yet even where controls exist, they have sometimes proven porous. CNN, for example, said it was unaware for nearly three years that one of its main military analysts, General Marks, was deeply involved in the business of seeking government contracts, including contracts related to Iraq. General Marks was hired by CNN in 2004, about the time he took a management position at McNeil Technologies, where his job was to pursue military and intelligence contracts. 
As required, General Marks disclosed that he received income from McNeil Technologies. But the disclosure form did not require him to describe what his job entailed, and CNN acknowledges it failed to do additional vetting. ?We did not ask Mr. Marks the follow-up questions we should have,? CNN said in a written statement. In an interview, General Marks said it was no secret at CNN that his job at McNeil Technologies was about winning contracts. ?I mean, that?s what McNeil does,? he said. CNN, however, said it did not know the nature of McNeil?s military business or what General Marks did for the company. If he was bidding on Pentagon contracts, CNN said, that should have disqualified him from being a military analyst for the network. But in the summer and fall of 2006, even as he was regularly asked to comment on conditions in Iraq, General Marks was working intensively on bidding for a $4.6 billion contract to provide thousands of translators to United States forces in Iraq. In fact, General Marks was made president of the McNeil spin-off that won the huge contract in December 2006. General Marks said his work on the contract did not affect his commentary on CNN. ?I?ve got zero challenge separating myself from a business interest,? he said. But CNN said it had no idea about his role in the contract until July 2007, when it reviewed his most recent disclosure form, submitted months earlier, and finally made inquiries about his new job. ?We saw the extent of his dealings and determined at that time we should end our relationship with him,? CNN said. 
From rforno at infowarrior.org Sun Apr 20 13:46:03 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 20 Apr 2008 09:46:03 -0400
Subject: [Infowarrior] - Multimedia: How the Pentagon Spread Its Message
Message-ID:

How the Pentagon Spread Its Message

David Barstow, an investigative reporter for The Times, examines primary source documents detailing the Pentagon's response to criticism of then-Secretary of Defense Donald H. Rumsfeld by a group of prominent retired generals.

< - >

http://www.nytimes.com/interactive/2008/04/20/washington/20080419_RUMSFELD.html

From rforno at infowarrior.org Sun Apr 20 13:48:08 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 20 Apr 2008 09:48:08 -0400
Subject: [Infowarrior] - Struggling to Evade the E-Mail Tsunami
Message-ID:

April 20, 2008
Digital Domain
Struggling to Evade the E-Mail Tsunami
By RANDALL STROSS
http://www.nytimes.com/2008/04/20/technology/20digi.html

E-MAIL has become the bane of some people's professional lives. Michael Arrington, the founder of TechCrunch, a blog covering new Internet companies, last month stared balefully at his inbox, with 2,433 unread e-mail messages, not counting 721 messages awaiting his attention in Facebook.

Mr. Arrington might be tempted to purge his inbox and start afresh -- the phrase "e-mail bankruptcy" has been with us since at least 2002. But he declares e-mail bankruptcy regularly, to no avail. New messages swiftly replace those that are deleted unread.

For most of us who are not prominent bloggers, our inbox, thankfully, will never become quite so crowded, at least with nonspam messages. But it doesn't take all that many to seem overwhelming -- for me, the sight of two dozen messages awaiting individual responses makes me perspire.

Eventually, someone will come up with software that greatly eases the burden of managing a high volume of e-mail.
But in the meantime, we perhaps should look to the past and see what tips we might draw from prolific letter writers in the pre-electronic era who handled ridiculously large volumes of correspondence without being crushed. When Mr. Arrington wrote a post about the persistent problem of e-mail overload and the opportunity for an entrepreneur to devise a solution, almost 200 comments were posted within two days. Some start-up companies were mentioned favorably, like ClearContext (sorts Outlook inbox messages by imputed importance), Xobni (offers a full communications history within Outlook for every sender, as well as very fast searching), Boxbe (restricts incoming e-mail if the sender is not known), and RapidReader (displays e-mail messages, a single word at a time, for accelerated reading speeds that can reach up to 950 words a minute). But none of these services really eliminates the problem of e-mail overload because none helps us prepare replies. And a recurring theme in many comments was that Mr. Arrington was blind to the simplest solution: a secretary. This was the solution Thomas Edison used in pre-electronic times to handle a mismatch between 100,000-plus unsolicited letters and a single human addressee. Not all correspondents would receive a reply ? a number were filed in what Edison called his ?nut file.? But most did get a written letter from Edison?s office, prepared by men who were full-time secretaries. They became skilled in creating the impression that Edison had taken a personal interest in whatever topic had prompted the correspondent to write. To Mr. Arrington, however, having assistants process his e-mail is anathema. His blog, after all, is dedicated to covering some of the most technically innovative companies in existence. ?I can?t believe how many commenters think the solution to the problem is human labor,? he wrote. Another recipient of large volumes of e-mail messages, Mark Cuban, similarly avoids reliance on human proxies. Mr. 
Cuban, the owner of the Dallas Mavericks and various ventures, saw Mr. Arrington?s post and wrote a short note on his own blog: ?2,433 Unread E-mails. I Feel your Pain.? Mr. Cuban said that he receives more than a thousand messages a day, which he still processes himself, including the 10 percent that are of ?the ?I want? variety.? (These were what Edison called ?begging letters.?) That personal touch is sorely missed in the e-mail replies we receive from large companies. Customer service automation subjects a message to semantic analysis to extract its general meaning, then dispatches a canned answer at the least possible cost. It aims to provide a ?close enough? reply; it does not provide reassuring words conveyed by one human to another. Mr. Cuban and Mr. Arrington likewise could resort to a technological solution, preparing an auto-response for their public e-mail accounts that would warn strangers that the volume of e-mail precluded even a skimming, let alone dispatching responses. Yet both have resisted that course. We all can learn from H. L. Mencken (1880-1956), the journalist and essayist, who was another member of the Hundred Thousand Letters Club, yet unlike Edison, corresponded without an amanuensis. His letters were exceptional not only in quantity, but in quality: witty gems that the recipients treasured. Marion Elizabeth Rodgers, the author of ?Mencken: The American Iconoclast? (Oxford, 2005), shared with me (via e-mail) details of her subject?s letter-writing habits. In his correspondence, Mencken adhered to the most basic of social principles: reciprocity. If someone wrote to him, he believed writing back was, in his words, ?only decent politeness.? He reasoned that if it were he who had initiated correspondence, he would expect the same courtesy. ?If I write to a man on any proper business and he fails to answer me at once, I set him down as a boor and an ass.? 
Whether the post brought 10 or 80 letters, Mencken read and answered them all the same day. He said, "My mail is so large that if I let it accumulate for even a few days, it would swamp me." Yet at the same time that Mencken teaches us the importance of avoiding overnight e-mail indebtedness, he also reminds us of the need to shield ourselves from incessant distractions during the day when individual messages arrive. The postal service used to pick up and deliver mail twice a day, which was frequent enough to permit Mencken to arrange to meet a friend on the same day that he extended the invitation. Yet it was not so frequent as to interrupt his work. Today's advice from time-management specialists, to keep our e-mail software off, except for twice-a-day checks, replicates the cadence of twice-a-day postal deliveries in Mencken's time. Ms. Rodgers said that Mencken was acutely disturbed by interruptions that broke his concentration. The sound of a ringing telephone was associated in his mind, he once wrote, with "wishing heartily that Alexander Graham Bell had been run over by an ice wagon at the age of 4." Mencken's 100,000 letters serve as inspiration: we can handle more e-mail than we think we can, but should do so by attending to it only infrequently, at times of our own choosing. Randall Stross is an author based in Silicon Valley and a professor of business at San Jose State University. E-mail: stross at nytimes.com. 
From rforno at infowarrior.org Mon Apr 21 12:56:52 2008 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 21 Apr 2008 08:56:52 -0400 Subject: [Infowarrior] - Chertoff Says Fingerprints Aren't Personal Data Message-ID: http://www.schneier.com/blog/archives/2008/04/chertoff_says_f.html Chertoff Says Fingerprints Aren't Personal Data Homeland Security Secretary Michael Chertoff says: QUESTION: Some are raising that the privacy aspects of this thing, you know, sharing of that kind of data, very personal data, among four countries is quite a scary thing. SECRETARY CHERTOFF: Well, first of all, a fingerprint is hardly personal data because you leave it on glasses and silverware and articles all over the world, they're like footprints. They're not particularly private. Sounds like he's confusing "secret" data with "personal" data. Lots of personal data isn't particularly secret. From rforno at infowarrior.org Mon Apr 21 17:55:16 2008 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 21 Apr 2008 13:55:16 -0400 Subject: [Infowarrior] - Baker College wins National Collegiate Cyber Defense Competition Message-ID: Baker College wins National Collegiate Cyber Defense Competition By Joe Barr on April 21, 2008 (4:00:00 PM) http://www.linux.com/feature/132873 Baker College of Flint, Mich., defeated defending champion Texas A&M University and four other regional winners from across the country to capture the third annual National Collegiate Cyber Defense Competition, which concluded in San Antonio, Texas, over the weekend. Texas A&M finished a close second, and the University of Louisville took third. Also competing for the championship were the Community College of Baltimore County, Mount San Antonio College of Los Angeles County, and the Rochester Institute of Technology. 
Hosted by the Center for Infrastructure Assurance and Security (CIAS) at the University of Texas at San Antonio (UTSA), the event pits six regional winners, each given a similar small enterprise network to protect, against a team made up of experienced security professionals dubbed the Red Team, a.k.a. Team Hilarious. Teams are scored on how well they protect their identical networks, made up of a Cisco router and five servers: Windows 2003 running Internet Information Services, Windows 2000 running DNS, Solaris X86 running Apache and OpenSSL, Gentoo running MySQL and NFS, and BSD running Sendmail. Team workstations can run Vista, Windows, Fedora, or BSD, as the team prefers. Teams are required to provide SMTP, POP3, HTTP, HTTPS, and DNS services throughout the competition, and outages on any of those services result in deductions from their score. At specified times, the teams are also asked to bring up FTP, SSH, RDP, and VNC services, in accordance with the 2008 competition rules. In addition to the attackers (the Red Team) and the defenders (the Blue Teams), there is also a White Team. The White Team acts as the overall network operations center, as observers, and as the communications center. All requests for information, assistance, and problem reporting by the competing teams go through the White Team; teams are not allowed direct communication with the outside world except for publicly available information and software available on the Internet. The White Team also delivers in-competition requests for new services and scores the teams' performance. The entire event took place at the San Antonio Airport Hilton hotel, and each team (Red, White, and each competing Blue team) had its own private, closely guarded room. A White Team observer was present in each competing team's room for the entire competition. Red Team captain Dave Cowen has a jovial face and a pirate's beard. 
When his laughter could be heard in the hall outside the Red Team room, collegians winced, because they knew that another server had just fallen prey to the Red Team's relentless attacks. The other Red Team members (first names only), Luke, Ryan, Evan, Jacob, and Leon, are all professionals in the security industry. On Friday, the first day of the competition, the Red Team had the adrenaline of the hunt, the chase, the pursuit of hapless quarry, in the air, as team members sat around the conference table, staring into the screens of their laptops, some using two laptops at once, and sharing information as they gleefully began probing the target networks for weaknesses and mapping IP addresses to specific configurations. One of the first remarks heard after the competition began was, "Interesting, the Solaris exploit from last year still works." That was followed shortly by Dave Cowen announcing "OK, professionals, we need a local Solaris 5.10 exploit for privilege escalation." In addition to a few members of the press, the Red Team room was also visited by various federal agents. A contingent from the Secret Service was present all weekend. Three black-suited gentlemen claiming to be from the FBI were present Friday. Defense Information Systems Agency agents were present as part of the competition infrastructure, and among their other duties, helped escort journalists from room to room during the event. The mood in the Baltimore County Community College Blue Team room Friday afternoon was in stark contrast with the lightness and laughter heard in the Team Hilarious room. All seven team members were focused on the job at hand, which was to begin securing the network they found running at the start of the competition. Voices were muted, there was no idle chatter, and everyone was busy at whatever task they had been assigned. 
Teams are allowed to modify the configurations as they see fit during the event, so long as they follow the rules and provide the required services. The configuration itself seems to have been a weak spot for defending the networks, and at the end of the competition on Sunday, Cowen said that you reach a point where the configuration is more important than the supply of exploits available to attackers. He made that remark not long after hacking a team's Web server so that it displayed their credit card database as its homepage during the last half hour of the competition. A two-hour awards luncheon took place shortly after the end of competition Sunday morning. There were speeches by US Representative Ciro Rodriguez and Cornelius Tate, the brand-new Director of the DHS Cyber Security Division, prior to announcing the winners. This year's competition was the closest ever, with three teams in a virtual tie after the second day, and Baker edging defending champion Texas A&M by the slimmest of margins at the end. Whether they took home the gold or not, all the teams were made up of bright, skillful students, and given the presence of two community college teams in the final six, it's obvious that the size of the school is not as important as the skill of its students in the world of cyber defense. Baltimore County Community College, the only team with a female competitor, and Mount San Antonio Community College in Los Angeles proved that network security skills are not the exclusive domain of larger, better-known institutions. Their presence at this national competition is roughly the equivalent of a community college basketball team making it to the NCAA's Final Four, and both schools and students deserve kudos for going head to head against teams from much larger schools, especially since those schools may include two graduate students on their team. Dr. 
Gregory White, director of the UTSA CIAS, one of the founders of the original competition when it was held on a regional basis rather than nationally, explained there is a large network and computer security population in San Antonio, primarily because the Air Intelligence Agency is located there. UTSA was a logical place to become an academic center for computer and network security. That led to it becoming the first Texas university to be designated as a "Center for Academic Excellence in Information Assurance Education" by both the DHS and the National Security Agency, and it currently offers bachelor's- and master's-level degrees in information security from several of its schools. Sponsors for this year's event included the AT&T Foundation, DHS, Cisco Systems, Acronis, Northrop Grumman, Accenture, the Information Systems Security Association, Core Security, our sister site ThinkGeek, Code Magazine, and Pepsi. White said that more sponsors are needed for future competitions in order to do all the things CIAS wants to accomplish. From rforno at infowarrior.org Tue Apr 22 01:53:34 2008 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 21 Apr 2008 21:53:34 -0400 Subject: [Infowarrior] - Secret pact allows the US to spy on UK motorists Message-ID: Secret pact allows the US to spy on UK motorists Big Buddy is watching y'all By Egan Orion: Monday, 21 April 2008, 4:16 PM http://www.theinquirer.net/gb/inquirer/news/2008/04/21/quiet-pact-allows-spy-uk THE UK Home Secretary secretively signed a "special certificate" last year that gives foreign security agencies real-time access to traffic camera images and related data monitoring British motorists on highways throughout the UK. Opposition politicians and civil liberties advocates yesterday accused Gordon Brown's government of attempting to hide from Parliament its covert plans to facilitate international surveillance of UK citizens in violation of privacy laws. 
Under the authorisation signed last July 4 by Jacqui Smith, video feeds and still images captured from roadside TV cameras, along with personal data derived from them, can be transmitted out of the UK to countries, such as the US, that are outside the European Economic Area. Home Secretary Smith failed to mention the exception in a statement she made to Parliament less than two weeks later, on July 17, 2007, outlining Metropolitan Police exemptions to the 1998 Data Protection Act. The dispensation gives British police "anti-terrorism" officers the permission to transmit images and information overseas, based upon any representation that the materials are relevant to a "terrorism" threat either in the UK or elsewhere. Liberal Democratic leader Nick Clegg said last night, "This confirms that this Government is happy to hand over potentially huge amounts of information on British citizens under the catch-all pretext of 'national security'." UK civil liberties groups are appalled that the UK government is monitoring the daily movements of British citizens on a wholesale basis, even more so that it's willing to provide surveillance images and data to foreign intelligence agencies. Opponents of what they view as a nascent surveillance state fear the imposition of a "data mining" programme to filter and correlate billions of pieces of data to profile individuals, activities and relationships in ways that might be abused, such as to target minorities and political groups and suppress peaceful dissent. A Home Office spokesman defended powers granted by the "special certificate" on the grounds of "counter terrorism" and national security, as they always do, of course. Speaking anonymously, he said "We would like to reassure the public that robust controls have been put in place to control and safeguard access to, and use of, the information." In other words, "Trust us." 
From rforno at infowarrior.org Tue Apr 22 03:14:33 2008 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 21 Apr 2008 23:14:33 -0400 Subject: [Infowarrior] - Few Clear Wins in U.S. Anti-Terror Cases Message-ID: Few Clear Wins in U.S. Anti-Terror Cases Moving Early on Domestic Suspects Often Does Not Bring Convictions By Carrie Johnson and Walter Pincus Washington Post Staff Writers Monday, April 21, 2008; A01 http://www.washingtonpost.com/wp-dyn/content/article/2008/04/20/AR2008042002227_pf.html When seven ragtag men in a Miami religious sect were indicted in 2006 for their role in a bizarre plot to blow up the FBI Miami office and Chicago's Sears Tower, then-Attorney General Alberto R. Gonzales said the case represented "a new brand of terrorism" among homegrown gangs that "may prove to be as dangerous as groups like al-Qaeda." Justice Department officials used similar rhetoric in a 2003 case against a Tampa-area man and his associates who allegedly supported a reign of terror by a violent Palestinian group. The officials did so again in a 2004 case involving a Dallas charity known as the Holy Land Foundation, which they said provided "blood money" to finance overseas suicide bombings. But juries in all three cases saw things differently than the government's national security team. In the most recent disappointment for federal prosecutors, a jury last week did not reach a verdict in the Miami case for the second time. In the Holy Land case, one defendant was cleared of the charges and jurors deadlocked on charges against the others. After 12 days of deliberation, jurors in the Tampa case acquitted two men and could not agree on the charges against the main defendant. 
The department's domestic terrorism record to date -- no new attacks, but few blockbuster convictions and some high-profile hung juries or acquittals -- has provoked criticism of its early strategy for going after homegrown terrorist cells and the people who fund plots well before deadly events occur. Jurors appear to be particularly troubled by a controversial element in the Miami case, part of several other early prosecutions, in which FBI informants encouraged others to perform acts they otherwise may not have done. This week, federal prosecutors in Miami will announce whether they will seek to try the defendants for the third time. The government's incentive to do so is powerful: Two years ago, it intended the case to be a model for intervention against potential terrorists before they acquire the weapons and insight needed to act. Independent commissions have urged the FBI to become more aggressive at detecting threats and neutralizing them before they explode. But what emerged was an approach where investigators sometimes acted very early, charging conspiracies to commit minor crimes or immigration and tax violations as a way to preempt potential threats, while avoiding the disclosure of sensitive intelligence. Justice Department officials say they are pleased to have won a few high-profile convictions as well as some little-noticed guilty pleas. Increasingly, authorities say, their current goal is broader than a courtroom victory: It is collecting enough intelligence to eradicate a threat by using informants, wiretaps and other tools to get as clear a picture as possible. "Our mission is not just to disrupt an isolated plot, but to thoroughly dismantle the entire network that supports it," FBI Director Robert S. Mueller III told an audience this month. * * * The Miami case revolved around a part-time contractor who gathered a loose band of men in a rented room in a downscale neighborhood known as Liberty City. 
The group, distantly affiliated with the Moorish Science Temple religion, talked about Muhammad, Jesus, Confucius and Buddha, and also practiced martial arts. Its leader, Narseal Batiste, told his Yemenese grocer in October 2005 that he wanted to conduct jihad to overthrow the U.S. government. The grocer, an FBI informant who himself had a criminal record, told the bureau. The FBI then employed a second informant, this one an Arab from overseas who depicted himself as a representative of Osama bin Laden. Batiste confided, somewhat fantastically, that he wanted to blow up the Sears Tower in Chicago, which would then fall into a nearby prison, freeing Muslim prisoners who would become the core of his Moorish army. With them, he would establish his own country. The FBI informant, under bureau guidance, refocused Batiste on what he said was bin Laden's plot -- to bomb FBI offices in several U.S. cities. Batiste's group was enlisted by the FBI informant to aid in the attack. The informant then wrote out what he termed an al-Qaeda oath, and got Batiste to lead his men in taking it -- an act that the government argued was key evidence of their guilt. After one of the seven left Miami to get away from the group, an internal dispute developed and it fell apart. They were then arrested, charged with conspiracy to commit a terrorist act and placed in prison, where they remain. Jurors in the case, which ended in a mistrial last week, have not spoken about it publicly. But panel members who deliberated in the first trial told reporters they were skeptical that the defendants were as dangerous as prosecutors asserted. * * * Formerly the largest Muslim charity in the United States, the Holy Land Foundation was "funding the works of evil" and encouraging suicide bombings on behalf of Hamas, according to a press conference statement in 2004 by then-Attorney General John D. Ashcroft. 
Earlier that morning, authorities had arrested a group of men with ties to the foundation for supporting Hamas, violating laws that bar financial transactions that threaten national security, and money laundering, among 42 counts that could have sent the men to prison for decades. But the prosecution ended in a mistrial last October, when Dallas jurors could not reach agreement on charges involving two defendants and mostly cleared another of criminal wrongdoing. Jurors have offered contrasting accounts of the problems they faced, but at least one cast doubt on the quality of the evidence. Prosecutors are scheduled to retry the case later this year. A less-publicized case involves Javed Iqbal, a Brooklyn businessman who provided overseas cable access to clients and data to others, including U.S. government agencies. In August 2006, Iqbal was arrested for conspiring to supply financial support to a terrorist agency. His alleged crime was selling access to Al-Manar, the news and information cable channel run by Hezbollah out of Lebanon. According to court filings, the case started when a confidential informant told the FBI in February 2006 that Iqbal was selling access to Al-Manar. At the time, it was not illegal, but the next month the Treasury Department added Al-Manar to the list on the grounds that funds it obtained went to Hezbollah, which the United States considers a terrorist group. In June, the FBI's confidential informant went back to Iqbal's company and again offered to buy the overseas cable service that included Al-Manar. Iqbal told the informant that Al-Manar was temporarily unavailable, but would return. Iqbal also allegedly said he knew the channel was now on the terrorist list, but he expected that to change. After being arrested for conspiring to violate the law, Iqbal was released on $250,000 bail. In November 2006, he was indicted again, along with a partner, this time on multiple charges of conspiracy to provide support to Hezbollah. 
At the time of the arrests, Michael Garcia, the U.S. attorney for the Southern District of New York, said, "As terrorist organizations become more sophisticated, it is critical that we respond using all the law enforcement tools the law provides." They are awaiting trial. * * * The Justice Department, U.S. attorneys and the FBI have doggedly pursued individual suspects in these domestic terrorism cases, even when their initial steps are unsuccessful. In Miami, prosecutors not only sought a retrial after the first hung jury but also went after the one person, Lyglenson Lemorin, whom the jury found not guilty. Instead of turning him loose, they immediately had him detained for possible deportation to his native Haiti on grounds that he had been indicted on a felony charge. Law enforcement officers say that in deciding when to indict, they weigh whether the targets might flee overseas, whether the cost of surveillance is paying adequate dividends, and whether a group is likely to take actions that could cost human lives. "There's a risk here that while we're trying to perfect our evidence that something very bad could happen," said Patrick Rowan, acting chief of the Justice Department's National Security Division. "It's certainly the case that there is a value in stopping a plot, even if you aren't 100 percent certain that a conviction is assured." Robert M. Chesney, a law professor at Wake Forest University who studies the government's terrorism cases, said the picture is complicated. "The bottom line is that they are doing considerably better than is often reported . . . but they certainly aren't doing perfectly and they've had plenty of black eyes along the way," Chesney said. One senior law enforcement official recently said, "We may have been too aggressive at the beginning." He thinks that early cases, such as the one in Miami, were pushed too hard and that the FBI and U.S. 
attorneys now understand that getting a full picture of potential threats by groups is as important as making cases. J. Wells Dixon, a staff attorney for the Center for Constitutional Rights, said the Miami case is among the "few and far between" disappointments in the government's aggressive campaign to attack the sources and funding of possible terrorist groups. These outliers, Dixon said, are not a signal that terrorism cases are too complex for juries but rather a sign that the current system is working. "If you have 12 jurors who decide that an individual or an organization should not be convicted, I think that suggests these people are in fact not guilty of anything," Dixon said. Andrew C. McCarthy prosecuted Omar Abdel Rahman, the man known as the blind sheik, for his role in the 1993 World Trade Center bomb plot. McCarthy said that had the first Trade Center bombing, which killed six people, not happened, he still wonders whether the government could have secured convictions of the same defendants on more nebulous charges that they had made "fantastical" plans to blow up the United Nations and the Lincoln Tunnel. "The argument that the people really are pathetic, hapless, incapable, has more resonance if you strike at an early stage," he said. "In a way, you're undone by your own efficiency. I do think it's harder to be a prosecutor today." Staff researcher Julie Tate contributed to this report. From rforno at infowarrior.org Tue Apr 22 03:15:58 2008 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 21 Apr 2008 23:15:58 -0400 Subject: [Infowarrior] - Optimism and the Digital World Message-ID: Optimism and the Digital World By L. GORDON CROVITZ April 21, 2008; Page A15 http://online.wsj.com/article/SB120873501564529841.html?mod=todays_columnists In the 1850s, James Rothschild complained that it was a "crying shame that the telegraph has been established" because suddenly anyone "can get the news." 
The Rothschild banking empire was built through private couriers who ponied from one European trading center to another, profiting from market-moving news about business and trade. The telegraph ended such exclusive access. Almost as annoying, information became a constant. Rothschild complained, "One has too much to think about when bathing, which is not good." This early Information Age became real time when Queen Victoria sent President James Buchanan the first trans-Atlantic cable. "The Atlantic is dried up, and we become in reality as well as in wish one country," editorialized the Times of London. "The Atlantic Telegraph has half undone the Declaration of 1776." Tiffany's crafted jewelry out of unused cables, and a popular novel of the era was "Wired Love," a Morse Code-era version of online matchmaking. The telegraph shrank the world, upended business practices, democratized information and confounded government regulators. Today's digital world makes these challenges of the telegraph era seem quaint. Modern-day Rothschilds, and even the more workaday among us, are tethered to BlackBerrys. Our digital-native children simultaneously instant message one another, listen to iPods and watch videos -- while doing their homework. Scientists now suspect that this next generation may be developing a different brain structure, reflecting online activity from toddler age. This Information Age and how it affects us as consumers, businesspeople and citizens seems like a timely topic for a new column. My sensibility on these issues is that of a media practitioner for some 25 years so far, running media and information businesses, including as a former publisher of The Wall Street Journal. The focus will be on the accelerating impact of new technology. This column will also comment on public policy, seeking to discourage restraints on innovation while protecting sometimes conflicting concerns such as national security and privacy. 
The media was one of the first industries to be roiled by new digital technology. Retailer John Wanamaker once quipped that he knew that half his advertising spending was wasted -- he just didn't know which half. As a result of the efficiency of the Internet and other targeted media, many newspapers, magazines and broadcasters have had large declines in revenues and profitability. The largest media company in the world is Google, which produces little original content and indeed would instead call itself an engineering company. Silicon Valley is driving consumer choice and behavior at least as much as Madison Avenue. We have many new choices in how we access news, information and entertainment. The number of professional journalists continues to fall, but the potential good news is that technology makes it possible for anyone to write and build an audience. New forms of online journalism are already filling the gaps. It was a Barack Obama-supporting blogger, citing her journalistic duty, who broke the recent big story of his comments in San Francisco about the bitterness of small-town voters. There are hard questions to consider. For example, does the easy availability of information necessarily mean the advance of knowledge and wisdom? Endless information from many sources may or may not be as trustworthy as information handled by trained editors or through analog-era processes like academic peer review or independent ratings of financial instruments. Part of the answer may be new tools to capture the wisdom of crowds, such as the information art form exemplified by Wikipedia. The good news is that almost all public information is now available at the click of a mouse; the bad news is that unfiltered information overflow can leave people as confused as James Rothschild once was. Despite the importance to the economy of technological innovation, public policy often stymies entrepreneurs. 
Rules for telecommunications, intellectual property and even immigration need to be updated for today's technologies -- indeed to make tomorrow's technologies possible. Likewise, national security now depends on how well information dots about threats are gathered and connected. This requires a sophistication about mining and linking information through open, yet secure, systems that often conflicts with the hierarchical culture of government bureaucracies. Still, technologists are optimists, for good reason. My own bias is that as information becomes more accessible, individuals gain choice, control and freedom. Established institutions -- governments, large companies and special-interest groups -- need to work harder to justify their authority. As information and knowledge spread, financial and human capital become more global and more competitive. The uncertainties and dislocations from new technology can be wrenching, but genies don't go back into bottles. The First Law of Technology says that "with every change in technology that affects consumer behavior, we always overestimate the impact in the short term, but then underestimate the full impact over the long term." The original dot-com era a decade ago was overhyped, but by now the Web has become a utility, increasingly available anywhere for any purpose. This is the Information Age, yet we're just beginning to gather the information and understanding to know how it changes our lives. Write to informationage at wsj.com From rforno at infowarrior.org Tue Apr 22 03:22:21 2008 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 21 Apr 2008 23:22:21 -0400 Subject: [Infowarrior] - Just Who's Being Exploited? Message-ID: Just Who's Being Exploited? Jamie Reid, 2008-04-21 http://www.securityfocus.com/columnists/470?ref=rss A cynic, it has been said, is someone who knows the price of everything and the value of nothing. 
In spite of all the vendor-hacker goodwill that 0-day purchasing schemes have been designed to promote, something isn't adding up. Last month's revelation that Tipping Point paid out a prize of $10,000 and a new laptop (MSRP: about $2000) at the CanSecWest conference, for the privilege of being the exclusive licensor of a heretofore unpublished vulnerability in Apple's Safari web browser to researcher Charles Miller of Independent Security Evaluators, may lend some credence to this adage. The topic of 0-day vulnerability pricing is not new. Attempts to derive a price that precisely values the exclusive knowledge of how to secretly control millions of hosts vary in their approach, but the $10,000 bounty posted by Tipping Point resonates with many as a fair price for a remotely exploitable, admin-privilege-yielding vulnerability in a widely deployed software package. Competitors in the bug-buying space like WabiSabiLabi's auction scheme and iDefense's VCP offer lower rewards, but provide different structured incentive packages for disclosing 0-day exploits to them. One professional security researcher, when asked to provide an estimate, said, "[The time] depends on the person and tools they know," and elaborated that the specific circumstances around the vulnerability change the amount of effort, replying "[For him it] can be anywhere from a few minutes for an ActiveX vulnerability to a couple of days for a system vulnerability." Based on his personal consulting rates, his estimate agrees with the figure of the Tipping Point prize, quoting, "probably under $10,000". Some arithmetic and a simple cost-benefit analysis, however, suggest that researchers may be vastly underbidding buyers. Given the cost of cleaning up after a worm, and even a fraction of the exaggerated damages some companies claim in computer crime cases, a bounty of $10,000 is a song. 
If you are a twenty-something computer-science student in a former Soviet state and your prospects for gainful employment are limited to running DDoS botnets for extorting casinos and porn sites, sure, $10,000 is a tidy sum. But from the perspective of a potential victim of a worm infestation, this bug finder's fee wouldn't cover the premium of an insurance policy against the damage from a 0-day worm. A useful treatment of what vulnerabilities can be worth has been written by the same researcher who won the CanSecWest competition, Charlie Miller. In his paper, The Legitimate Vulnerability Market: Inside the Secretive World of 0-Day Exploit Sales, he demonstrates how a buyer associated with a government agency (presumably American) paid $50,000 for an exploit for a vulnerability in an unspecified Linux daemon back in 2005. A source I spoke with close to the Tipping Point ZDI program indicated that the vast majority of bugs the program receives are cross-site scripting and SQL injection attacks against "dinky web applications," such as bulletin boards, counters and blogging tools, and while paying for these relatively "crappy" bugs is a loss, buying only a few really good 0-day bugs at $10,000 justifies paying for the less serious ones. There are a few factors, however, that the prices paid by Mr. Miller's spooky government customers, and the existing vulnerability buying programs, seem to take into account. The first appears when one considers what it would cost for a given organization to do the research to find 0-day themselves, and the opportunity cost of assigning the resources to the task: even $50,000 is low. Let's even assume that a government hires a consultant with successful, first-hand vulnerability development experience, and we can play with some ball-park figures. Security consultants of a Big-5 consulting firm bill about $1200 a day for a junior consultant, and $2500 a day for a senior one. 
According to Charles Miller, the winner of the Pwn2Own challenge at CanSecWest, it took three weeks to find and develop an exploit for the Safari browser. So, consider that 15 days of security consulting at the Big-5 rate costs between $18,000 and $37,500 and compare it to Miller's $12,000 gross win. In this case, that is a pretty hefty agency fee. Not that there is anything wrong with that, but it does suggest exploit writers may not be the only ones doing the exploiting.

The sources I spoke with also indicated that the bar is much higher for bug finders now than it was 5 years ago. A working understanding of reverse engineering, assembly languages, stack protection schemes and memory management is necessary to find serious vulnerabilities in most software. However, the sources acknowledged that ready-made shell code from projects like Metasploit does not raise the bar to an unreachable level.

These liberal estimates of consulting time assume that hackers of the calibre to develop 0-day on-order are available to a government. Sure, there are a few good hackers out there relative to the number of security professionals, but demand for them from cash-hemorrhaging security start-ups precludes most good hackers from entering public service.

Even the clumsy, rudimentary risk pricing using Annualized Loss Expectancy (ALE), which estimates the projected cost of recovery using the number of likely occurrences, makes worm defense worth hundreds of thousands of dollars for a bank, hospital or large enterprise. When the costs of recovery projected by risk models for IT security are compared with the amounts being paid for 0-day vulnerabilities, there is a big scary gap that shows one of the following:

1. according to the market prices for 0-day exploits, the security risk from 0-day vulnerabilities is vastly overestimated,
2. according to IT risk models, vulnerabilities are completely underpriced, or
3. most 0-day developers lack basic negotiation skills.
The turnaround on the winning Pwn2Own exploit was a few weeks by a very experienced creator and, anecdotally, since the average security consultant doesn't even code, it would take one significantly longer than three weeks to find and develop a working 0-day exploit.

Maybe the middle ground in all of this, however improbable, is for exploit writers to exchange 0-day exploits for a royalty agreement for each IDS installation that used a signature for their exploit. The business of security companies is to package and pass along costs to customers with a premium, and a royalty program would improve the incentives, and in turn the quality of development done by lone hackers. Somehow, the cost-benefit equation has to be rewritten to better favor the legitimate, yet difficult, work of security researchers. Because, in spite of all the vendor-hacker goodwill that 0-day purchasing schemes have been designed to promote, something isn't adding up. But perhaps I am just a cynic.

Jamie Reid is a privacy, security and risk consultant to healthcare agencies in Toronto.
From rforno at infowarrior.org Tue Apr 22 17:11:11 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 22 Apr 2008 13:11:11 -0400
Subject: [Infowarrior] - CRS Reports on Data Protection
Message-ID:

(c/o SecrecyNews)

"Information Security and Data Breach Notification Safeguards," updated April 3, 2008:
http://www.fas.org/sgp/crs/secrecy/RL34120.pdf

"Congressional Oversight of Intelligence: Current Structure and Alternatives," updated April 1, 2008:
http://www.fas.org/sgp/crs/intel/RL32525.pdf

"Data Mining and Homeland Security: An Overview," updated April 3, 2008:
http://www.fas.org/sgp/crs/homesec/RL31798.pdf

From rforno at infowarrior.org Tue Apr 22 17:23:08 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 22 Apr 2008 13:23:08 -0400
Subject: [Infowarrior] - (IN)SECURE Magazine Issue 16 released
In-Reply-To: <6124EB18-E542-4203-BD8D-6EFA24557CD3@insecuremag.com>
Message-ID:

(IN)SECURE Magazine is a freely available digital security magazine discussing some of the hottest information security topics. Issue 16 has just been released. Download it from: http://www.insecuremag.com

The covered topics include:
- Security policy considerations for virtual worlds
- US political elections and cybercrime
- Using packet analysis for network troubleshooting
- The effectiveness of industry certifications
- Building a secure future: lessons learned from 2007's highest-profile security events
- Advanced social engineering and human exploitation, part 2
- Interview with Nitesh Dhanjani, Senior Manager at Ernst & Young
- Is your data safe? Secure your web apps
- RSA Conference 2008
- Producing secure software with security enhanced software development processes
- Network event analysis with Net/FSE
- Security risks for mobile computing on public WLANs: hotspot registration
- Black Hat Europe 2008 Briefings & Training
- A Japanese perspective on Software Configuration Management
- Windows log forensics: did you cover your tracks?
- Traditional vs. non-traditional database auditing
- Payment card data: know your defense options

Visit the (IN)SECURE Magazine web site at: http://www.insecuremag.com
Subscribe to our RSS feed at: http://feeds.feedburner.com/insecuremagazine

Thanks go to the following companies for their support of (IN)SECURE magazine:
Qualys - http://www.qualys.com/pci_compliance/se-g
GFI - http://www.gfi.com/adentry.asp?adv=62&loc=41

Contact:
- For information on contributing to (IN)SECURE Magazine, please contact Chief Editor Mirko Zorz at editor( at )insecuremag.com
- For marketing inquiries do contact Marketing Director Berislav Kucan at marketing( at )insecuremag.com

From rforno at infowarrior.org Tue Apr 22 17:31:13 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 22 Apr 2008 13:31:13 -0400
Subject: [Infowarrior] - Quantum cryptography broken
Message-ID:

Quantum cryptography broken
KurzweilAI.net, April 20, 2008

Two Swedish scientists, Jorgen Cederlof, now of Google, and Jan-Ake Larsson of Linköping University, have found a security weakness in the quantum cryptography authentication process--and have devised a proposed solution. In a paper published in IEEE Trans. Inf Theory, 54: 1735-1741 (2008), they point out that an eavesdropper could gain partial knowledge on the key in quantum cryptography that may have an effect on the security of the authentication in the later round. By accessing the quantum channel used in quantum cryptography, the attacker can change the message to be authenticated (since the message is influenced by attacker-initiated events on the quantum channel). This, combined with partial knowledge of the key (transmitted on the quantum channel), creates a potential security gap, they suggest. Their proposed solution: simply transmit an extra exchange of a small amount of random bits on the quantum classical (Internet) channel.
http://www.kurzweilai.net/news/frame.html?main=/news/news_single.html?id%3D8471

From rforno at infowarrior.org Tue Apr 22 23:18:36 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 22 Apr 2008 19:18:36 -0400
Subject: [Infowarrior] - FW: Automatic Patch-Based Exploit Generation
In-Reply-To: <20080422221521.GA25799@gsp.org>
Message-ID:

(c/o RSK)

Automatic Patch-Based Exploit Generation
http://www.cs.cmu.edu/~dbrumley/pubs/apeg.html

"The automatic patch-based exploit generation problem is: given a program P and a patched version of the program P', automatically generate an exploit for the potentially unknown vulnerability present in P but fixed in P'. In this paper, we propose techniques for automatic patch-based exploit generation, and show that our techniques can automatically generate exploits for vulnerable programs based upon patches provided via Windows Update."

From rforno at infowarrior.org Tue Apr 22 23:55:47 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 22 Apr 2008 19:55:47 -0400
Subject: [Infowarrior] - Appeals Court: Border electronics searches are okay
Message-ID:

(be warned, ye who carry proprietary business information or personal data on your devices......rf)

Border Agents Can Search Laptops Without Cause, Appeals Court Rules
By Ryan Singel
April 22, 2008 | 6:21:20 PM
Categories: Privacy, The Courts
http://blog.wired.com/27bstroke6/2008/04/border-agents-c.html

Federal agents at the border do not need any reason to search through travelers' laptops, cell phones or digital cameras for evidence of crimes, a federal appeals court ruled Monday, extending the government's power to look through belongings like suitcases at the border to electronics. The unanimous three-judge decision reverses a lower court finding that digital devices were "an extension of our own memory" and thus too personal to allow the government to search them without cause.
Instead, the earlier ruling said, Customs agents would need some reasonable and articulable suspicion a crime had occurred in order to search a traveler's laptop. On appeal, the government argued that was too high a standard, infringing upon its right to keep the country safe and enforce laws. Civil rights groups, joined by business traveler groups, weighed in, defending the lower court ruling.

The 9th U.S. Circuit Court of Appeals sided with the government, finding that the so-called border exception to the Fourth Amendment's prohibition on unreasonable searches applied not just to suitcases and papers, but also to electronics.

The ruling (.pdf) came in a case where customs agents searched the laptop of Michael Arnold who was returning from the Philippines. They found images they believed to be child pornography, seized the laptop and later arrested him. While the lower court ruling excluded from trial the pictures of young boys the government says it found on the hard drive, they now can be used again.

The panel chose to follow the reasoning of a similar case from the 4th Circuit, known as Ickes (.pdf), which held that the government did not need any reason to search a vehicle crossing the border. The 9th's ruling did not, however, clarify whether a traveler has to help the government search his computer, by providing the login information, or what would happen when the government decided to search a laptop with encrypted data on the drive.

The defendant in the case can appeal the decision to the U.S. Supreme Court, but the Court is unlikely to take up an issue that two separate appeals courts have agreed upon. In the meantime, travelers should be aware that anything on their mobile devices can be searched by government agents, who may also seize the devices and keep them for weeks or months.
When in doubt, think about whether online storage or encryption might be tools you should use to prevent the feds from rummaging through your journal, your company's confidential business plans or naked pictures of you and your of-age partner in adult fun.

The case is Arnold vs. USA.

From rforno at infowarrior.org Wed Apr 23 01:11:25 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 22 Apr 2008 21:11:25 -0400
Subject: [Infowarrior] - Sony to acquire Gracenote
Message-ID:

Sony to acquire Gracenote
http://www.macnn.com/articles/08/04/22/sony.gracnote/

Sony Corporation of America has signed a merger agreement with Gracenote, Inc, and will pay approximately $260 million plus other contingent consideration for the digital media information warehouse. Formerly known as CDDB, Gracenote delivers information -- including lyrics -- on music to various services including Apple iTunes and Yahoo! Music Jukebox. The companies say that Gracenote's existing business will continue to operate separately as a wholly owned Sony subsidiary, and that the senior management team will remain with the company.

"Gracenote is a global leader in technology and services for digital media identification, enrichment, and recommendation, and these capabilities will be essential to the next wave of innovation in content, services, and consumer electronics," said Tim Schaaff, Sony's Senior Vice President, Software. "Sony sees tremendous growth potential in developing Gracenote as a separately run business unit, and by broadly embracing Gracenote's platforms, Sony expects to significantly enhance and accelerate its own digital content, service, and device initiatives."
From rforno at infowarrior.org Wed Apr 23 01:19:46 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 22 Apr 2008 21:19:46 -0400
Subject: [Infowarrior] - Microsoft loses 'Vista Capable' appeal
Message-ID:

Microsoft loses 'Vista Capable' appeal; more insider e-mails could emerge
Gregg Keizer
http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=operating_systems&articleId=9079518&taxonomyId=89&intsrc=kc_top

April 21, 2008 (Computerworld) Microsoft Corp.'s attempt to reverse a lower court's ruling in the ongoing "Vista Capable" lawsuit was denied by an appeals court on Monday. The decision means the case can resume. It also means that new insider e-mails subpoenaed from Microsoft and nearly 30 other companies could be made public.

In a brief order dated April 21, the Ninth Circuit Court of Appeals rejected Microsoft's request to overturn a decision by U.S. District Court Judge Marsha Pechman in February that granted class-action status to a lawsuit that charges the company deceived consumers in 2006 with its Windows Vista Capable marketing program. The year-old case alleges that many of the PCs labeled with a "Vista Capable" sticker in the months before Vista was released were able to run only Home Basic, a version the plaintiffs say lacked some of the most heavily promoted elements of the new operating system. Microsoft has disputed the charges.

In papers filed last month, Microsoft petitioned the Ninth Circuit Court to hear its challenge and asked Pechman to suspend the class-action case while the appeal was heard by the higher court. The company argued that continuing the lawsuit might mean new disclosures of insider e-mails, which could "jeopardize Microsoft's goodwill" and "disrupt Microsoft's relationships with its business partners." Pechman agreed and suspended the lawsuit three weeks ago while the appeals court reviewed her class-action decision.
The case has gained attention because of the 158 pages of Microsoft e-mails the plaintiffs' attorneys acquired during discovery. Among other revelations, the messages showed that top-level Microsoft executives struggled with the new operating system on machines labeled "Vista Capable," and that partners such as Dell Inc. warned Microsoft that the campaign would confuse consumers about which versions of Vista their new PCs would be able to run.

Monday, Microsoft said it was eager to renew the case. "The Ninth Circuit's decision not to accept our request for interim review is not a ruling on the merits of our case," said spokesman Jack Evan. "We look forward to presenting all of the facts on what the district court itself said is a novel claim."

With the lawsuit moving forward again, it's possible more Microsoft documents will see the light of day; last month, lawyers for the plaintiffs served subpoenas on 29 companies and individuals in a hunt for more information about the Vista Capable program. Among the companies and people told to produce e-mails and other documents were retailers like Best Buy and Wal-Mart, computer makers such as Dell and Hewlett-Packard Co., chip maker Intel Corp., and Jim Allchin, the former head of Windows development who resigned the day after Vista shipped in January 2007. Several of those companies filed objections to the subpoenas, calling the requests "harassing" and disruptive to their business.

"Plaintiffs are pleased that the Ninth Circuit has denied Microsoft's petition for permission to appeal Judge Pechman's class certification order," said Jeff Thomas, an attorney representing one of the original plaintiffs. "We look forward to the setting of a new trial date and proceeding with discovery."

When Pechman suspended the discovery process, she also vacated the case's schedule, which called for a trial date in late October. It's unclear how the two-week delay will affect the schedule.
From rforno at infowarrior.org Wed Apr 23 01:20:41 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 22 Apr 2008 21:20:41 -0400
Subject: [Infowarrior] - Microsoft to nuke MSN Music DRM keys
Message-ID:

DRM sucks redux: Microsoft to nuke MSN Music DRM keys
By Jacqui Cheng | Published: April 22, 2008 - 04:08PM CT
http://arstechnica.com/news.ars/post/20080422-drm-sucks-redux-microsoft-to-nuke-msn-music-drm-keys.html

Customers who have purchased music from Microsoft's now-defunct MSN Music store are now facing a decision they never anticipated making: commit to which computers (and OS) they want to authorize forever, or give up access to the music they paid for. Why? Because Microsoft has decided that it's done supporting the service and will be turning off the MSN Music license servers by the end of this summer.

MSN Entertainment and Video Services general manager Rob Bennett sent out an e-mail this afternoon to customers, advising them to make any and all authorizations or deauthorizations before August 31. "As of August 31, 2008, we will no longer be able to support the retrieval of license keys for the songs you purchased from MSN Music or the authorization of additional computers," reads the e-mail seen by Ars. "You will need to obtain a license key for each of your songs downloaded from MSN Music on any new computer, and you must do so before August 31, 2008. If you attempt to transfer your songs to additional computers after August 31, 2008, those songs will not successfully play."

This doesn't just apply to the five different computers that PlaysForSure allows users to authorize, it also applies to operating systems on the same machine (users need to reauthorize a machine after they upgrade from Windows XP to Windows Vista, for example). Once September rolls around, users are committed to whatever five machines they may have authorized -- along with whatever OS they are running.
The news will likely upset a number of Microsoft's customers, who bought music from MSN Music before the company launched the Zune Marketplace and decided to ditch the old store. Microsoft's decision to turn off the MSN Music authorization servers serves as a painful reminder that DRM ultimately severely limits your rights. Companies that control various DRM schemes, as well as the content providers themselves, can yank your ability to play the content which you lawfully purchased (and now, videos) at any moment -- no matter what your expectation was when you bought it. Some Major League Baseball fans learned this the hard way last fall.

Bennett insists that MSN Music keys are, in fact, not yet expiring. Technically speaking, that's true -- if I authorize one of my PCs, never get rid of it for the rest of my life, and never upgrade its OS, I will be able to play my tracks forever. But as some of our readers note, this technicality is not rooted in reality -- the authorizations will now expire when the computer does, for whatever reason.

DRM-free music may be the new hotness these days, but people who bought music before the record industry began to see the light are still stuck with their DRMed music. Of course, MSN Music customers do have one other option: burning all of their music to audio CD and then re-ripping them back to the computer as MP3s, sans DRM. But that's a lossy, lousy solution.

From rforno at infowarrior.org Wed Apr 23 12:20:41 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 23 Apr 2008 08:20:41 -0400
Subject: [Infowarrior] - EMI Says You Can't Store Your Music Files Online
Message-ID:

More idiocy from the recording industry.......actually, I think I'm being redundant in saying that.
--rf

EMI Says You Can't Store Your Music Files Online

Today, MP3tunes' CEO Michael Robertson sent out an email to all users of the online music backup and place-shifting service MP3tunes.com, asking them to help publicize EMI's ridiculous and ignorant lawsuit against the company. EMI believes that consumers aren't allowed to store their music files online, and that MP3tunes is violating copyright law by providing a backup service. (And we're not using a euphemism here -- it really is a backup/place-shifting service and not a file sharing site in disguise.)

< - >

http://consumerist.com/382824/emi-says-you-cant-store-your-music-files-online

From rforno at infowarrior.org Wed Apr 23 12:21:58 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 23 Apr 2008 08:21:58 -0400
Subject: [Infowarrior] - Aeryon Scout snaps stills from above
Message-ID:

(IIRC think some Brit police units already use this thing, or something that looks like it........rf)

Remote controlled Aeryon Scout snaps stills from above
by Darren Murph, posted Apr 23rd 2008 at 6:16AM

Though certainly not the first gizmo designed with aerial photography in mind, the Aeryon Scout is a notch above most alternatives. The hovering platform enables users to capture still shots and log digital video from up above, and while it can be controlled remotely, we're also hearing that autonomous navigation isn't totally out of reach. Currently, the device is still looking to escape the prototype stage, but its creators are already eying police forces, security firms and surveying / engineering businesses in hopes of landing a few clients. Considering the stunningly high $30,000 to $50,000 price tag, we'd say they're looking in the right (read: only) direction.
http://www.engadget.com/2008/04/23/remote-controlled-aeryon-scout-snaps-stills-from-above/

From rforno at infowarrior.org Wed Apr 23 15:41:35 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 23 Apr 2008 11:41:35 -0400
Subject: [Infowarrior] - Wal-Mart Rations Rice, Warns of "Supply and Demand" Concerns
Message-ID:

(I never thought I'd see stories like this regarding the US......but there are a ton of food-scarcity stories making the news this week. Scary! -rf)

Wednesday, Apr. 23 2008
Wal-Mart Rations Rice, Warns of "Supply and Demand" Concerns
http://www.foxbusiness.com/markets/industries/retail/article/walmart-limits-sale-rice-supply-concerns_575879_7.html

Wal-Mart, the world's largest retailer, said on Wednesday that it would ration the amount of rice each customer can purchase because of recent "supply and demand trends."

"We are limiting the sale of Jasmine, Basmati and Long Grain White Rices to four bags per member visit," the company said in a statement. "This is effective immediately in all of our U.S. clubs, where quantity restrictions are allowed by law."

Wal-Mart (WMT) is the first major grocer to limit the purchasing of a commodity because of the recent run up in prices. The company said it is not limiting the purchase of other basic food products like flour or oil.

The price of rice, which is the primary foodstuff for the majority of the human population around the world, rose to $894 a metric ton according to the Thai Rice Exporters Association. That's compared to the $327.25 a ton average price in the same month last year. In Chicago, the price of export-quality rice rose to $24.745 per 100 pounds on Tuesday.

The run up in price in rice is primarily related to poor harvests and countries curbing exports. Thailand, Asia's largest exporter of rice, said it may curb exports. The World Food Program called the recent run up in prices of rice and other basic commodities a "silent famine."
Wal-Mart did not say when the rationing would end, but it was "working with our suppliers to address this matter to ensure we are in stock, and we are asking for our members' cooperation and patience."

From rforno at infowarrior.org Wed Apr 23 15:42:06 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 23 Apr 2008 11:42:06 -0400
Subject: [Infowarrior] - Americans hoard food as industry seeks regs
Message-ID:

Article published Apr 23, 2008
Americans hoard food as industry seeks regs
http://www.washingtontimes.com/apps/pbcs.dll/article?AID=/20080423/BUSINESS/868303815/1001&template=printart

April 23, 2008
By Patrice Hill

Farmers and food executives appealed fruitlessly to federal officials yesterday for regulatory steps to limit speculative buying that is helping to drive food prices higher. Meanwhile, some Americans are stocking up on staples such as rice, flour and oil in anticipation of high prices and shortages spreading from overseas.

Their pleas did not find a sympathetic audience at the Commodity Futures Trading Commission (CFTC), where regulators said high prices are mostly the result of soaring world demand for grains combined with high fuel prices and drought-induced shortages in many countries.

The regulatory clash came amid evidence that a rash of headlines in recent weeks about food riots around the world has prompted some in the United States to stock up on staples. Costco and other grocery stores in California reported a run on rice, which has forced them to set limits on how many sacks of rice each customer can buy. Filipinos in Canada are scooping up all the rice they can find and shipping it to relatives in the Philippines, which is suffering a severe shortage that is leaving many people hungry.
While farmers here and abroad generally are benefiting from the high prices, even they have been burned by a tidal wave of investors and speculators pouring into the futures markets for corn, wheat, rice and other commodities and who are driving up prices in a way that makes it difficult for farmers to run their businesses.

"Something is wrong," said National Farmers Union President Tom Buis, adding that the CFTC's refusal to rein in speculators will force farmers and consumers to take their case to Congress. "It may warrant congressional intervention," he said. "The public is all too aware of the recent credit crisis on Wall Street. We don't want a lack of oversight and regulation to lead to a similar crisis in rural America."

Food economists testifying at a daylong hearing of the commission said the doubling of rice and wheat prices in the past year is a result of strong income growth in China, India and other Asian countries, where people entering the middle class are buying more food and eating more meat. Farm animals consume a substantial share of the world's grain.

U.S. wheat stocks are at the lowest levels in 60 years because worldwide consumption of wheat has exceeded production in six of the past eight years, said U.S. Agriculture Department chief economist Gerald Bange. Adding to tight supplies was the back-to-back failure of two years of wheat crops caused by drought in Australia, a major wheat exporter, he said.

In addition, the diversion of one-third of the U.S. corn crop into making ethanol for vehicles has increased prices for corn and other staples such as soybeans and cotton as more acreage is set aside for ethanol production. Farmers also have raised prices because they have been hard hit by spiraling energy costs, which not only raised the price of diesel fuel to records of over $4 a gallon but drove up the cost of nitrogen fertilizer, which is made from natural gas.
"Commodity prices across the board are at levels not experienced in many of our lifetimes," said CFTC Chairman Walter Lukken. "These price levels, along with record energy costs, have put a strain on consumers as well as many producers and commercial participants that utilize the futures markets to manage risks."

The upswing in prices has been exaggerated by the massive influx of investors and speculators seeking to profit from rising prices for corn, wheat, oil, gold and other commodities. Big Wall Street firms and hedge funds have taken huge positions in futures markets that once were dominated by relatively small operators such as farmers and grain-elevator owners. Small investors, who see fast-rising commodities as good hedges against inflation and a falling dollar, also are getting a piece of the action by investing in index funds that are tied to commodity prices.

"During such turbulent times, it is tempting to shoot first and ask questions later," Mr. Lukken said, but he contended the commission should be "cautious" about doing anything to curb speculation. He and other regulators argued that speculators add volume and liquidity to the markets, which makes them operate more efficiently and helps farmers and other players.

Commissioner Michael V. Dunn said the soaring demand for food and fuel worldwide might be leading to permanently higher food prices, both domestically and abroad. "We may already be working under or fast approaching a new paradigm of higher agricultural prices," he said. "There is not a silver bullet or single solution to address the problems we are currently facing."
From rforno at infowarrior.org Wed Apr 23 20:18:40 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 23 Apr 2008 16:18:40 -0400
Subject: [Infowarrior] - UK county uses terror laws to spy on underage smokers
Message-ID:

(but...i thought these terror laws weren't going to be extended into non-terror investigations......that's what they said here in the US about the Patriot---oh, right. --rf)

Council uses terror laws to spy on underage smokers
Apr 21 2008
By Fionnuala Bourke
http://icbirmingham.icnetwork.co.uk/sundaymercury/news/tm_headline=council-uses-terror-laws-to-spy-on-underage-smokers%26method=full%26objectid=20796268%26siteid=50002-name_page.html

A MIDLAND council is using laws designed to combat terrorism to spy on kids they suspect of underage smoking and drinking. Staffordshire County Council has carried out nearly 70 surveillance operations across the county in the last three years.

Trading Standards officers secretly filmed underage kids smoking and drinking during some of the investigations - and used informants to identify rogue shopkeepers who sold them the fags and booze. The council snoops used the Regulation of Investigatory Powers Act (RIPA) to tackle the petty offences, yet the legislation was originally designed to prevent terrorism and serious crimes. Other Staffordshire surveillance cases involved monitoring the movement of farm animals and targeting people cashing in on bootleg DVD sales.

Leicester East MP Keith Vaz, Chairman of the Commons Home Affairs Committee, was shocked to learn how the anti-terror legislation was being used. He told the Sunday Mercury: "I'm astonished that this legislation is being misused in this way in cases which seem to be petty and vindictive. "We have just completed an inquiry into the surveillance society and noted that there has been a huge growth in the use of these laws. "The people responsible have some very serious questions to answer."
But Staffordshire County Council's Fraud and Community Safety Manager, Brandon Cooke, defended the operations which he said were crucial for combatting anti-social behaviour.

Figures obtained under the Freedom of Information Act show the council used the RIPA legislation to carry out 'direct surveillance' 51 times over the last three years. Council spies also used the legal powers 16 times to obtain telephone and e-mail records of suspects. The reasons for surveillance were given for 38 of the cases. They included 11 investigations into adults buying booze for underage children and five undercover test purchases by minors in suspect shops. A total of 10 spying missions were carried out into farm animal mistreatment, while another 10 concerned counterfeit DVD sales. Yet there were just two prosecutions and nine cautions issued in the cases. No offences occurred in eight probes and no action was taken in 14 others.

Walsall North Labour MP David Winnick, also a member of the Home Affairs Committee, said: "It is totally inappropriate for local authorities to use counter terrorism laws in this way, bearing in mind that Britain faces a serious terrorism threat. "Councils should have other powers to investigate these matters. But we do not want people to feel they are living in a Big Brother 1984 style society."

But Mr Cooke said the RIPA powers were being used correctly by Trading Standards officers. He said: "People's lives are blighted by anti-social behaviour and criminality which centres around drinking. I would not consider sales of a poisonous substance to a minor a petty offence. "One of the issues around alcohol is that generally the public regard people drinking before they are 18 as the norm, a rite of passage into the adult world. "But that is where our culture needs to change. We need these powers to investigate these sales and to prevent the unruly behaviour that can result from them.
"In some cases, we receive intelligence about youths sending an adult as a proxy into off-licences to buy alcohol on their behalf. "In a recent case we filmed a crowd of underage youths drinking outside one store. When they finished their supplies they got straight onto the phone to an adult who came down and bought them more. "There are exceptional circumstances where our undercover investigators will need to develop a relationship with a shop owner in order to find out if they are committing a crime. "One instance that comes to mind is where we learnt of a store that had sold excessive amounts of glue to a minor who died from overdosing on it. "In such circumstances the investigator would need to visit the shop repeatedly to purchase glue and make himself known to the vendor, who should be aware that this is suspicious. "That investigator may not be a volunteer and would be treated as a Covert Human Intelligence Source. "In respect to animal health, teams do go out and film their movements on farms. This has been necessary to prevent outbreaks of diseases such as BSE or Blue Tongue. "As far as counterfeit DVDs go, it is well documented that the proceeds of these kinds of goods often go towards serious organised crime, including terrorism." A spokeswoman for Staffordshire County Council said: "The Regulation of Investigatory Powers Act 2000 (RIPA) is used to regulate investigation measures the council uses when investigating a crime where the authority has a statutory duty of enforcement, eg, breaches of trading standards regulations or animal health regulations."
From rforno at infowarrior.org Wed Apr 23 20:36:48 2008 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 23 Apr 2008 16:36:48 -0400 Subject: [Infowarrior] - Microsoft's Rob Bennett defends DRM decision Message-ID: At least he points the finger at the moneygrubbing studios and their totally incompetent policymakers..........rf Interview: Microsoft's Rob Bennett defends DRM decision Posted by Greg Sandoval http://www.news.com/8301-10784_3-9926741-7.html?part=rss&subj=news&tag=2547-1_3-0-20 Rob Bennett knew people were going to be angry. Bennett is the Microsoft executive who notified former customers of the now defunct MSN Music service on Tuesday that the company would no longer issue DRM keys for their songs after August 31. This means that, while former customers can listen to their music on authorized computers for as long as the hardware lasts, they won't be able to transfer music to a new PC after that deadline. In an interview with CNET News.com, Bennett said that continuing to support the DRM keys was impractical, that the issue only affects a "small number" of people and that focusing exclusively on the Zune was the best way to go. He also noted that it wasn't Microsoft's decision to wrap music into digital rights management. The reason for the decision to shut down the DRM-licensing servers was "every time there is an OS upgrade, the DRM equation gets complex very quickly," said Bennett, general manager of entertainment, video, and sports for MSN. "Every time, you saw support issues. People would call in because they couldn't download licenses.
We had to write new code, new configurations each time...We really believe that, going forward, the best thing to do is focus exclusively on Zune." Microsoft shut down MSN Music in November 2006, following a failed effort to turn the site into a legitimate iTunes challenger. Redmond then turned its attention and resources to the Zune digital music player and its music store, Marketplace. For the past 18 months, Microsoft has continued to enable former customers of MSN Music to move their song libraries to new computers. The decision to stop providing new keys has been widely criticized. Critics have long said that DRM was a means to control legally purchased music at the expense of consumers. To them, the MSN situation proves it. Bennett defended Microsoft. He said the company never wanted DRM on its songs. "Had we had the ability to deliver DRM-free tracks at the time, we absolutely would have done that," Bennett said. "We talked to the labels at the time about that. As a company, we have continued to push for this. Zune has a subset in their catalog of DRM-free MP3s. Now, the industry is making progress. The labels are understanding the downside of DRM when it's used the way they wanted to use it, they end up punishing the users who bought music legally more than those who want to circumvent the system." Bennett added that Microsoft believes in protecting intellectual property, but that the company also wants people to be able to enjoy their media without unreasonable restrictions. "No one ever foresaw being in this situation," Bennett said. "It's not something we like to do. We want to make it easy and as painless for our customers as possible. We really feel, in the long term, what's best for people who want to buy music from Microsoft is to move to Zune." Bennett said that former MSN Music customers can back up their music by burning it to CDs. But what about the loss of sound quality should they decide to rerip the music?
"We (delivered) music at 160 kbps," Bennett said. "In my personal (experience), you're not going to lose that much fidelity." From rforno at infowarrior.org Thu Apr 24 02:58:42 2008 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 23 Apr 2008 22:58:42 -0400 Subject: [Infowarrior] - Embedding Military Propagandists into the News Media Message-ID: Embedding Military Propagandists into the News Media Pentagon News Networks By JOHN STAUBER and SHELDON RAMPTON http://www.counterpunch.org/stauber04232008.html David Barstow of the New York Times has written the first installment in what is already a stunning exposé of the Bush Administration's most powerful propaganda weapon used to sell and manage the war on Iraq: the embedding of military propagandists directly into the TV networks as on-air commentators. We and others have long criticized the widespread TV network practice of hiring former military officials to serve as analysts, but even in our most cynical moments we did not anticipate how bad it was. Barstow has painstakingly documented how these analysts, most of them military industry consultants and lobbyists, were directly chosen, managed, coordinated and given their talking points by the Pentagon's ministers of propaganda. Thanks to the two-year investigation by the New York Times, we today know that Victoria Clarke, then the Assistant Secretary of Defense for Public Affairs, launched the Pentagon military analyst program in early 2002. These supposedly independent military analysts were in fact a coordinated team of pro-war propagandists, personally recruited by Secretary of Defense Donald Rumsfeld, and acting under Clarke's tutelage and development. One former participant, NBC military analyst Kenneth Allard, has called the effort "psyops on steroids."
As Barstow reports, "Internal Pentagon documents repeatedly refer to the military analysts as 'message force multipliers' or 'surrogates' who could be counted on to deliver administration 'themes and messages' to millions of Americans 'in the form of their own opinions.' ... Don Meyer, an aide to Ms. Clarke, said a strategic decision was made in 2002 to make the analysts the main focus of the public relations push to construct a case for war." Clarke and her senior aide, Brent T. Krueger, eventually signed up more than 75 retired military officers who penned newspaper op/ed columns and appeared on television and radio news shows as military analysts. The Pentagon held weekly meetings with the military analysts, which continued as of April 20, 2008, when the New York Times ran Barstow's story. The program proved so successful that it was expanded to issues besides the Iraq War. "Other branches of the administration also began to make use of the analysts. Mr. Gonzales, then the attorney general, met with them soon after news leaked that the government was wiretapping terrorism suspects in the United States without warrants, Pentagon records show. When David H. Petraeus was appointed the commanding general in Iraq in January 2007, one of his early acts was to meet with the analysts." Barstow spent two years digging, using the Freedom of Information Act and attorneys to force the Bush Administration to release some 8,000 pages of documents now under lock and key at the New York Times. This treasure trove should result in additional stories, giving them a sort of "Pentagon Papers" of Iraq war propaganda. In 1971, when the Times printed excerpts of the Pentagon Papers on its front page, it precipitated a constitutional showdown with the Nixon Administration over the deception and lies that sold the war in Vietnam. The Pentagon Papers issue dominated the news media back then. 
Today, however, Barstow's stunning report is being ignored by the most important news media in America -- TV news -- the source where most Americans, unfortunately, get most of their information. Joseph Goebbels, eat your heart out. Goebbels is history's most notorious war propagandist, but even he could not have invented a smoother PR vehicle for selling and maintaining media and public support for a war: embed trusted "independent" military experts into the TV newsroom. As with most propaganda, the key to the success of this effort was the element of concealment, as these analysts and the Bush administration hid the fact that their talking points and marching orders were coming directly from the Pentagon. The use of these analysts was a glaring violation of journalistic standards. As the code of ethics of the Society of Professional Journalists explains, journalists are supposed to:
* Avoid conflicts of interest, real or perceived.
* Remain free of associations and activities that may compromise integrity or damage credibility.
* Refuse gifts, favors, fees, free travel and special treatment, and shun secondary employment, political involvement, public office and service in community organizations if they compromise journalistic integrity.
* Disclose unavoidable conflicts.
* Be vigilant and courageous about holding those with power accountable.
* Deny favored treatment to advertisers and special interests and resist their pressure to influence news coverage.
* Be wary of sources offering information for favors or money.
The networks using these analysts as journalists shamelessly failed to vet their experts and ignored the obvious conflicts of hiring a person with financial relationships to companies profiting from war to be an on-air analyst of war. They acted as if war was a football game and their military commentators were former coaches and players familiar with the rules and strategies.
The TV networks even paid these "analysts" for their propaganda, enabling them to present themselves as "third party experts" while parroting White House talking points to sell the war. Now that Barstow has blown their cover, the TV networks have generally refused to comment about this matter. Further compounding their violations of the public trust, they are blacking out coverage of the New York Times exposé, no doubt on advice of their own PR and crisis management advisors. Since the 1920s there have been laws passed to stop the government from doing what Barstow has exposed. It is actually illegal in the United States for the government to propagandize its own citizens. As Barstow's report demonstrates, these laws have been repeatedly violated, are not enforced and are clearly inadequate. The U.S. Congress therefore needs to investigate this and the rest of the Bush propaganda campaign that sold the war in Iraq. The attack and occupation of Iraq continues, with no end in sight. Estimates of the number of Iraqi dead range from the hundreds of thousands to more than a million. The cost to American taxpayers will eventually be in the trillions of dollars. More than 4,000 US soldiers have lost their lives, and this is just a part of the horrific toll of mental and physical disability that the war is taking on hundreds of thousands of troops and their families. This war would never have been possible had the mainstream news media done its job. Instead, it has repeated the Big Lies that sold the war. This war would never have been possible without the millions of dollars spent by the Bush Administration on sophisticated and deceptive public relations techniques such as the Pentagon military analyst program that David Barstow has exposed. It should come as no surprise to anyone that Victoria Clarke, who designed and oversaw this Pentagon propaganda machine, now works as a commentator for TV network news.
She may have changed jobs and employers since leaving the Pentagon, but her work remains the same. John Stauber is the executive director of the Center for Media and Democracy. Sheldon Rampton is its research director. They have co-authored two books about the war: Iraq: Weapons of Mass Deception and The Best War Ever. From rforno at infowarrior.org Thu Apr 24 06:05:38 2008 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 24 Apr 2008 02:05:38 -0400 Subject: [Infowarrior] - Vista's 11 Pillars of Failure Message-ID: http://www.pcmag.com/article2/0,2817,2286065,00.asp Vista's 11 Pillars of Failure ARTICLE DATE: 04.21.08 By John C. Dvorak While the public's attention seems to be swinging toward Windows 7 (the next iteration of the OS), a topic I'll address in the weeks ahead, the fact of the matter is that Vista remains. And it seems that the OS now has two distinct groups of users. One group happily uses Vista, with few concerns or complaints. In fact, many of them are baffled by all the grumbling. The other group is the fist-shaking Vista bashers who condemn each and every flaw the OS exhibits. The latter group is by far the most vocal and easily drowns out the former group. Its complaints stem from the anti-Microsoft backlash, which reflects dissatisfaction with the company's history, business practices, tactics, and bogus announcements. Much of the disgruntlement, however, can be attributed to Vista itself, and to the poor marketing job done by Microsoft. I mention the bogus announcements above because, at some point, you do get a little tired of Microsoft making exaggerated promises and then never coming close to delivering the goods. In the case of Vista, it has to do with the three "pillars" that were announced early on. The OS really delivered on only one of the pillars, and that pillar was nothing but Windows dressing: Aero, the resource hog and performance sapper.
With the "pillars" in mind, I decided to take a look at the 11 reasons why Vista remains on shaky ground:

1) Market confusion. From the beginning, everyone moaned about the fact that there were simply too many versions of the OS for sale. Who needs all the variations? It's stupid, plain and simple. What you want is the one best version, not a slew of namby-pamby ones. This happened because the folks at Microsoft know only how to merchandise and, seemingly, not how to market.

2) Code size. I've got two words for you: TOO BIG. Enough said.

3) Missing components. Yes, WinFS, the promised file system and a core pillar of Vista, isn't there. The promises regarding the development of this file system go back to 1991. And Microsoft cannot make it a reality? Why?

4) Laptop battery-life drain. This was supposed to be fixed with special code and hybrid hard disks (HHD). Still, users have to resort to expensive silicon drives.

5) HHD fiasco. I'm still irked about being told by the HD industry that the benefits of the new generation of hard drives will "make people flock to Vista." That was over two years ago, and suddenly there's silence about the whole thing. One of these days, someone will tell me what really happened. My guess: It never worked correctly, and no one could make it work.

6) Bogus Vista-capable stickers. Microsoft's "Windows Vista capable" campaign was an incredible marketing botch. Computers were sold with an indication that they were "Windows Vista capable" when they were not. This did wonders for goodwill.

7) Missing drivers. It seems incredible that all of the Windows drivers that worked with XP did not necessarily work with Vista. How does that happen?

8) Conflicting advice. There was no consistent advice for users about implementation, and Microsoft did nothing to help. Some people said that you should get a new computer only with Vista preloaded and not upgrade. Others said upgrades were fine. Others upgraded and complained. Microsoft should have put up a specialized Web site that could test machines remotely and tell users whether it would be a good idea, or not, to upgrade. A promotional/test CD-ROM that could boot Vista (like those Knoppix Linux disks) would have been a good idea, too.

9) XP mania. You'd think that the world was in love with Windows XP. Everyone wants to keep it on the market, and this makes Vista look even worse. What's more, there were far too many reports about people reverting to XP after an "experience" with Vista. If Microsoft had the testing service that I mention above in place, this would never have happened.

10) Mediocre rollout. Unlike other rollouts of important Windows products, Microsoft did not put on much of a show with Vista. While there were some weird posters placed in subways and maybe a few TV commercials, none of it compared with the rollouts from a few years back, where the company got worldwide attention. By comparison, the company seemed almost sheepish or embarrassed by Vista, something that was also reflected in the recent lackluster rollout of Server 2008, a total snooze. This sent the wrong signals to users and may have made them hypercritical.

11) Performance. You're not supposed to deliver a new operating system that's been in development for more than four years yet performs worse than the previous OS. Performance should be at the top, not the bottom, of the to-do list. You get the sense that Microsoft just piles code on top of code and somewhere in the middle of it all is MS-DOS 1.0.

I could probably put another dozen items on this list. The point is that it's a big list already. With all the resources in the world at Microsoft's disposal, you have to wonder why the company cannot get everything right even once. Copyright (c) 2008 Ziff Davis Media Inc. All Rights Reserved.
From rforno at infowarrior.org Thu Apr 24 15:30:13 2008 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 24 Apr 2008 11:30:13 -0400 Subject: [Infowarrior] - NCSL (state legislatures council) calls for the repeal of REAL ID Act Message-ID: NCSL Letter of Support for S. 717 Repealing the Real ID Act http://www.ncsl.org/statefed/RealID040408.htm April 4, 2008 RE: NCSL Supports The Identification Security Enhancement Act of 2007 (S.717) Dear Senators Akaka and Sununu: The National Conference of State Legislatures (NCSL) expresses its support for your legislation, S. 717, the Identification Security Enhancement Act of 2007, that would repeal the REAL ID Act and reinstitute the negotiated rulemaking process that preceded it. State legislators are extremely concerned about homeland security and place security and emergency preparedness as a very high policy and budgetary priority. State legislators share the goals of REAL ID and are committed to making sure that state-issued identity credentials are tamper-resistant, free from fraud and abuse, and reliable documents. Many state legislatures initiated efforts to improve state-issued driver's licenses even before the tragedy of September 11, 2001. However, lacking the full policy and financial commitment of the federal government to ensure the success of the state-federal partnership needed to make REAL ID possible, NCSL now calls upon Congress to repeal REAL ID and reinstate the negotiated rule-making process. This approach will achieve our shared goals for security in a manner that respects states' rights, privacy protections, and fiscal responsibility. Please have your staff contact Jeremy Meadows (202-624-8664; jeremy.meadows at ncsl.org) or Molly Ramsdell (202-624-3584; molly.ramsdell at ncsl.org) in NCSL's Washington office with any questions or concerns.
Thank you for your courage to seek this reasoned approach to security measures. We look forward to working with you. Sincerely,
Representative Donna D. Stone, Delaware House of Representatives, President
Speaker Joe Hackney, North Carolina House of Representatives, President-Elect
CC: Members, U.S. Senate Committee on the Judiciary; Members, U.S. Senate Committee on Homeland Security & Governmental Affairs
From rforno at infowarrior.org Thu Apr 24 19:09:56 2008 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 24 Apr 2008 15:09:56 -0400 Subject: [Infowarrior] - Criminals target energy, financial markets, Mukasey says Message-ID: Criminals target energy, financial markets, Mukasey says http://www.cnn.com/2008/CRIME/04/23/organized.crime.threats/index.html From Terry Frieden CNN WASHINGTON (CNN) -- Attorney General Michael Mukasey warned Wednesday that organized criminal networks have penetrated portions of the international energy market and tried to control energy resources. In a speech at the Center for Strategic and International Studies in Washington, he said similar efforts have targeted the international financial system by injecting billions of illicit funds to try to corrupt financial service providers. Mukasey then vowed to beef up U.S. efforts to fight international organized crime, which he called a growing threat to U.S. security and stability. The attorney general and top law enforcement officials from the FBI, Immigration and Customs Enforcement and the Justice Department Criminal Division said a classified threat assessment prompted the creation of a strategy to combat the threat. It calls for several U.S. agencies and their overseas counterparts to better prioritize their targets, to improve information sharing and to boost cooperation in law enforcement investigations and operations.
"The activities of transnational and national organized criminal enterprises are increasing in scope and magnitude as these groups continue to strengthen their networking with each other to expand their operations," said FBI Deputy Director John Pistole. Officials declined to discuss specific cases because the information remains classified, and disclosure could jeopardize ongoing investigations. However, the International Organized Crime Threat Assessment identified eight general strategic threats from international organized criminals:
* The penetration of the energy market and other strategic sectors of the U.S. and world economy. As U.S. energy needs continue to grow, so, too, could the power of those who control energy resources.
* Providing logistical and other support to terrorists, foreign intelligence services and foreign governments, all with interests harmful to those of U.S. national security.
* The trafficking in people and contraband goods, bringing people and products through U.S. borders to the detriment of border security, the U.S. economy, and the health and lives of those exploited.
* The exploitation of the U.S. and international financial system to move illegal profits and funds, including sending billions in illicit funds through the U.S. financial system each year. To continue this practice, they seek to corrupt financial service providers globally.
* The use of cyberspace to target U.S. victims and infrastructure, jeopardizing the security of personal information, the stability of business and government infrastructures and the security and solvency of financial investment markets.
* The manipulation of securities exchanges and engaging in sophisticated fraud schemes that rob U.S. investors, consumers and government agencies of billions of dollars.
* The successful corruption of public officials around the world, including countries of vital strategic importance to the United States, and continuing efforts to find ways to influence -- legally or illegally -- U.S. officials.
* The use of violence and the threat of violence as a basis of power.
From rforno at infowarrior.org Thu Apr 24 22:58:06 2008 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 24 Apr 2008 18:58:06 -0400 Subject: [Infowarrior] - "Terrorphobia", public opinion, and policy decisions Message-ID: http://www.the-american-interest.com/ai2/article.cfm?Id=418&MId=19 Terrorphobia John Mueller A few days after the 9/11 attacks, Vice President Dick Cheney warned that there might never be an "end date" in the "struggle" against terrorism, a point when it would be possible to say, "There, it's all over with." More than six and a half years later, his wisdom seems to have been vindicated, though perhaps not quite in the way he intended. At least in its domestic homeland security aspects, the so-called War on Terror shows clear signs of having developed into a popularly supported governmental perpetual-motion machine that could very well spin "till who laid the rails", as Mayor Shinn so eloquently, if opaquely, puts it in The Music Man. Since none of the leading Democrats or Republicans running for president this year has managed to express any misgivings about this development, it is fair to assume that the "war" will amble on during whatever administration happens to follow the present one. In some respects, ironically enough, the closest semblance to a notable opponent the enterprise has so far generated has been George W. Bush himself. The President has, of course, garnered great political benefit from the terrorism scare.
He has consistently achieved his best ratings for handling the issue, and Karl Rove has been known to boast publicly about the political utility of fanning terrorist fears for the good of the Republican Party.[1] It is no accident that the President managed to use the t-word at least twenty and as many as 36 times in each of his post-9/11 State of the Union addresses (as opposed to only once in January 2001). However, for a while there he opposed slapping together all sorts of disparate government agencies into the hopelessly unwieldy Department of Homeland Security. He even allowed that letting a responsible Dubai company manage the occasional American port was not necessarily the end of the world. Eventually, he buckled on both issues, and he will probably buckle again when determined, outraged and likely bipartisan opposition rises up against his tentative proposal to halve the amount of Federal money ladled out each year to localities to fight terrorism. But at least there were some transitory glimmers. We may not even get that much from his successor in the White House. The reason is that terrorism and the attendant "war" thereon have become fully embedded in the public consciousness, with the effect that politicians and bureaucrats have become as wary of appearing soft on terrorism as they are about appearing soft on drugs, or as they once were about appearing soft on Communism.
[1] Note Senator Chuck Hagel's remark on this point in The American Interest (March/April 2008).
< - > http://www.the-american-interest.com/ai2/article.cfm?Id=418&MId=19 From rforno at infowarrior.org Thu Apr 24 22:58:43 2008 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 24 Apr 2008 18:58:43 -0400 Subject: [Infowarrior] - 'Jihadist' booted from government lexicon Message-ID: 'Jihadist' booted from government lexicon By MATTHEW LEE http://ap.google.com/article/ALeqM5i3X6Gha4z-MCq9pU0vC4FWqDCXrwD908CUGO0 WASHINGTON (AP) -- Don't call them jihadists any more.
And don't call al-Qaida a movement. The Bush administration has launched a new front in the war on terrorism, this time targeting language. Federal agencies, including the State Department, the Department of Homeland Security and the National Counter Terrorism Center, are telling their people not to describe Islamic extremists as "jihadists" or "mujahedeen," according to documents obtained by The Associated Press. Lingo like "Islamo-fascism" is out, too. The reason: Such words may actually boost support for radicals among Arab and Muslim audiences by giving them a veneer of religious credibility or by causing offense to moderates. For example, while Americans may understand "jihad" to mean "holy war," it is in fact a broader Islamic concept of the struggle to do good, says the guidance prepared for diplomats and other officials tasked with explaining the war on terror to the public. Similarly, "mujahedeen," which means those engaged in jihad, must be seen in its broader context. U.S. officials may be "unintentionally portraying terrorists, who lack moral and religious legitimacy, as brave fighters, legitimate soldiers or spokesmen for ordinary Muslims," says a Homeland Security report. It's entitled "Terminology to Define the Terrorists: Recommendations from American Muslims." "Regarding 'jihad,' even if it is accurate to reference the term, it may not be strategic because it glamorizes terrorism, imbues terrorists with religious authority they do not have and damages relations with Muslims around the world," the report says. Language is critical in the war on terror, says another document, an internal "official use only" memorandum circulating through Washington entitled "Words that Work and Words that Don't: A Guide for Counterterrorism Communication." 
The memo, originally prepared in March by the Extremist Messaging Branch at the National Counter Terrorism Center, was approved for diplomatic use this week by the State Department, which plans to distribute a version to all U.S. embassies, officials said. "It's not what you say but what they hear," the memo says in bold italic lettering, listing 14 points about how to better present the war on terrorism. "Don't take the bait," it says, urging officials not to react when Osama bin Laden or al-Qaida affiliates speak. "We should offer only minimal, if any, response to their messages. When we respond loudly, we raise their prestige in the Muslim world." "Don't compromise our credibility" by using words and phrases that may ascribe benign motives to terrorists. Some other specifics:
* "Never use the terms 'jihadist' or 'mujahedeen' in conversation to describe the terrorists. ... Calling our enemies 'jihadis' and their movement a global 'jihad' unintentionally legitimizes their actions."
* "Use the terms 'violent extremist' or 'terrorist.' Both are widely understood terms that define our enemies appropriately and simultaneously deny them any level of legitimacy."
* On the other hand, avoid ill-defined and offensive terminology: "We are communicating with, not confronting, our audiences. Don't insult or confuse them with pejorative terms such as 'Islamo-fascism,' which are considered offensive by many Muslims."
The memo says the advice is not binding and does not apply to official policy papers but should be used as a guide for conversations with Muslims and media. At least at the top level, it appears to have made an impact. Secretary of State Condoleezza Rice, who once frequently referred to "jihad" in her public remarks, does not appear to have used the word, except when talking about the name of a specific terrorist group, since last September.
The memo mirrors advice distributed to British and European Union diplomats last year to better explain the war on terrorism to Muslim communities there. It also draws heavily on the Homeland Security report that examined the way American Muslims reacted to different phrases used by U.S. officials to describe terrorists and recommended ways to improve the message. Because of religious connotations, that report, released in January and obtained by AP this week, counseled "caution in using terms such as, 'jihadist,' 'Islamic terrorist,' 'Islamist,' and 'holy warrior' as grandiose descriptions." "We should not concede the terrorists' claim that they are legitimate adherents of Islam," the report said, adding that bin Laden and his adherents fear "irrelevance" more than anything else. "We must carefully avoid giving bin Laden and other al-Qaida leaders the legitimacy they crave, but do not possess, by characterizing them as religious figures, or in terms that may make them seem to be noble in the eyes of some," it said. From rforno at infowarrior.org Fri Apr 25 02:42:55 2008 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 24 Apr 2008 22:42:55 -0400 Subject: [Infowarrior] - Russian prosecutors eye Internet censorship Message-ID: Russian prosecutors eye Internet censorship http://newsinfo.inquirer.net/breakingnews/infotech/view_article.php?article_id=132253 Agence France-Presse First Posted 09:06pm (Mla time) 04/23/2008 MOSCOW--The Russian prosecutor's office wants tough anti-extremism laws to be extended to the Internet, state newspaper Rossiiskaya Gazeta reported Wednesday, prompting fears of growing media censorship. The prosecutor's office has proposed a legal amendment to bring the Internet under the same rules as printed media, Vyacheslav Sizov, a top official at the prosecutor general's office, told the daily. Newspapers deemed in court to have published extremist material can be shut down under current laws.
The new proposal is for any website deemed to have hosted extremist material to be blocked by providers in Russia "within a month," Sizov said. The Internet is the freest area of the media in Russia, where almost all television and many newspapers are under formal or unofficial government control. The extremism law has already come under fire from human rights activists, who say its sweeping nature is open to abuse by officials wanting to outlaw legitimate criticism. "It is a worry whenever the government tries to change any law," Oleg Panfilov, director of the Center of Journalism in Extreme Situations, told AFP. "It is difficult to find anyone who is not against extremism but it depends on how the law is used. The government uses (it) selectively." News website www.gazeta.ru was warned for extremism last year after it wrote about cartoons that satirized the prophet Mohammed. Copyright 2008 Agence France-Presse. All rights reserved. This material may not be published, broadcast, rewritten or redistributed. From rforno at infowarrior.org Fri Apr 25 03:06:35 2008 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 24 Apr 2008 23:06:35 -0400 Subject: [Infowarrior] - Court: Government Must Reveal Watch-List Status Message-ID: Court: Government Must Reveal Watch-List Status to Constantly Detained Americans By Ryan Singel April 24, 2008 | 8:51:13 PM Categories: Watchlists http://blog.wired.com/27bstroke6/2008/04/gov-must-reveal.html Eight Americans of south Asian and Middle Eastern descent who were repeatedly detained at the border for questioning will be able to learn if they are actually on the government's terrorist watch list, a federal court in Illinois ruled last week, marking the first time that citizens have been able to learn whether they have been added to a sprawling and error-prone list used for screening at borders and traffic stops. 
The government invoked the powerful state secrets privilege in the case, arguing that letting the plaintiffs know if they are or aren't on the list would harm national security since that could alert them to the fact they have been under government scrutiny. But since the government admits it has stopped the six men and two women more than 35 times, federal Magistrate Judge Sidney Schenkier of the United States Northern Illinois District Court dismissed that argument. Instead he found that the government "failed to establish that, under all the circumstances of this case, disclosure of that information would create a reasonable danger of jeopardizing national security." The plaintiffs, most of whom are Muslim, filed suit (.pdf) against the Department of Homeland Security and the FBI in June 2005. They say none of them have any links to terrorism, but are continually stopped and questioned due to faulty watch lists. They charge government agents have unjustly restrained, confined and questioned them, sometimes for more than four hours, because some have been unfairly put on a watch list, while others say they are continually misidentified as someone on the list. The court's rebuff (.pdf) of the government's use of the state secrets privilege is highly unusual, as courts are rarely willing to challenge the executive branch on matters of national security. Experts call the state secrets privilege the "nuclear option," and the Bush administration has used it widely to dismiss cases challenging its warrantless wiretapping program and the CIA's use of secret overseas prisons. The lawsuit is also notable since it breaks new legal ground in regards to the government's terrorist watch list, which lacks any mechanism for citizens to challenge their placement on the list. Government audits have repeatedly criticized the operation of the list, which has inadvertently snagged high-powered nuns, senators, children and government employees with security clearances. 
The Terrorist Screening Center, which runs the list, says it has been pruning the list and removing errant entries, even as the list grows by an estimated 20,000 names a month. While the TSC says the majority of the names on the list are foreigners, most of the people compared against the list are Americans, who are checked against the list when they are stopped for a traffic violation, enter or leave the country or fly domestically. Additionally, the judge ruled that the state secrets privilege against disclosing sources and methods does apply to FBI investigative files and terrorism information in its TIDES database, but that the government should show those documents to the judge in secret, so the judge can decide what portions of those files can be safely released. The potential class-action lawsuit accuses the government of violating Americans' Fourth and Fifth Amendment rights by exaggerating the risks of persons it puts on the list and not having robust ways of dealing with name mismatches. That, the plaintiffs allege, led government agents to unconstitutionally detain the men and their families for hours and conduct illegal pat down searches. In one case, Customs agents stopped Dr. Khalid Bhatti, a gastroenterologist who has been a U.S. citizen since 1979, searched him on the hood of his car, in front of his wife and daughter-in-law. Agents then handcuffed him, led him away for questioning and examined his cellphone and Palm Pilot. For its part, the government admits nearly all of the secondary screenings occurred -- including 11 stops of Oussama Jammal. They also admit that sometimes agents handcuffed the plaintiffs, including handcuffing one plaintiff to a chair during questioning. But the government denies (.pdf) that any of the stops were "unjustified," or that its 800,000 name-long watch list is overbroad or negligently administered. Justice Department spokesman Charles Miller declined to comment on the ruling. 
He also declined to indicate if the government planned to appeal the decision, though that is highly likely. The plaintiffs are asking the court to force the government to change how it handles name mismatches, how Americans are described on the list, and reasonable policies for family members and children that have to wait for a parent to be released from questioning by government agents. From rforno at infowarrior.org Fri Apr 25 07:12:44 2008 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 25 Apr 2008 03:12:44 -0400 Subject: [Infowarrior] - Face scans for air passengers to begin in UK this summer Message-ID: Face scans for air passengers to begin in UK this summer Officials say automatic screening more accurate than checks by humans http://www.guardian.co.uk/business/2008/apr/25/theairlineindustry.transport This article appeared in the Guardian on Friday April 25 2008 on p1 of the Top stories section. It was last updated at 01:00 on April 25 2008. [Photograph: A face recognition system will scan faces and match them to biometric chips on passports. Image Source/Getty] Airline passengers are to be screened with facial recognition technology rather than checks by passport officers, in an attempt to improve security and ease congestion, the Guardian can reveal. From summer, unmanned clearance gates will be phased in to scan passengers' faces and match the image to the record on the computer chip in their biometric passports. Border security officials believe the machines can do a better job than humans of screening passports and preventing identity fraud. The pilot project will be open to UK and EU citizens holding new biometric passports. But there is concern that passengers will react badly to being rejected by an automated gate. 
To ensure no one on a police watch list is incorrectly let through, the technology will err on the side of caution and is likely to generate a small number of "false negatives" - innocent passengers rejected because the machines cannot match their appearance to the records. They may be redirected into conventional passport queues, or officers may be authorised to override automatic gates following additional checks. Ministers are eager to set up trials in time for the summer holiday rush, but have yet to decide how many airports will take part. If successful, the technology will be extended to all UK airports. The automated clearance gates introduce the new technology to the UK mass market for the first time and may transform the public's experience of airports. Existing biometric, fast-track travel schemes - iris and miSense - operate at several UK airports, but are aimed at business travellers who enroll in advance. The rejection rate in trials of iris recognition, by means of the unique images of each traveller's eye, is 3% to 5%, although some were passengers who were not enrolled but jumped into the queue. The trials emerged at a conference in London this week of the international biometrics industry, top civil servants in border control, and police technology experts. Gary Murphy, head of operational design and development for the UK Border Agency, told one session: "We think a machine can do a better job [than manned passport inspections]. What will the public reaction be? Will they use it? We need to test and see how people react and how they deal with rejection. We hope to get the trial up and running by the summer." Some conference participants feared passengers would only be fast-tracked to the next bottleneck in overcrowded airports. 
Automated gates are intended to help the government's progress to establishing a comprehensive advance passenger information (API) security system that will eventually enable flight details and identities of all passengers to be checked against a security watch list. Phil Booth of the No2Id Campaign said: "Someone is extremely optimistic. The technology is just not there. The last time I spoke to anyone in the facial recognition field they said the best systems were only operating at about a 40% success rate in a real time situation. I am flabbergasted they consider doing this at a time when there are so many measures making it difficult for passengers." Gus Hosein, a specialist at the London School of Economics in the interplay between technology and society, said: "It's a laughable technology. US police at the SuperBowl had to turn it off within three days because it was throwing up so many false positives. The computer couldn't even recognise gender. It's not that it could wrongly match someone as a terrorist, but that it won't match them with their image. A human can make assumptions, a computer can't." Project Semaphore, the first stage in the government's e-borders programme, monitors 30m passenger movements a year through the UK. By December 2009, API will track 60% of all passengers and crew movements. The Home Office aim is that by December 2010 the system will be monitoring 95%. Total coverage is not expected to be achieved until 2014 after similar checks have been introduced for travel on "small yachts and private flights". So far around 8m to 10m UK biometric passports, containing a computer chip holding the carrier's facial details, have been issued since they were introduced in 2006. The last non-biometric passports will cease to be valid after 2016. Home Office minister Liam Byrne said: "Britain's border security is now among the toughest in the world and tougher checks do take time, but we don't want long waits. 
So the UK Border Agency will soon be testing new automatic gates for British and European Economic Area [EEA] citizens. We will test them this year and if they work put them at all key ports [and airports]." The EEA includes all EU states as well as Norway, Switzerland and Iceland. From rforno at infowarrior.org Fri Apr 25 12:11:02 2008 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 25 Apr 2008 08:11:02 -0400 Subject: [Infowarrior] - Senate Votes to Ban Discrimination Using DNA Tests Message-ID: Senate Votes to Ban Discrimination Using DNA Tests (Update3) By Rob Waters and Aliza Marcus http://www.bloomberg.com/apps/news?pid=20601124&sid=aGlkCem6Llnc&refer=home April 24 (Bloomberg) -- Companies and health insurers would be forbidden to use the results of genetic tests to deny people jobs or medical coverage under legislation approved 95-0 today by the U.S. Senate. The measure, an amended version of one the House passed a year ago, is intended to protect people from discrimination based on DNA tests showing a genetic predisposition to disease. The House is expected to accept the Senate changes, and President George W. Bush is expected to sign the legislation. Genetic tests can help predict a person's likelihood of getting cancers and other diseases and are used by researchers seeking new treatments. The legislation would bar insurers from using test results to deny coverage or raise premiums. Employers would be blocked from collecting genetic information on workers and using results in hiring or firing. This will enable people to get tested without fear of repercussion, supporters said. ``Up until now, our laws have not kept pace with emerging technology,'' Senator Olympia Snowe, a Maine Republican, said in an e-mailed statement after the vote. ``What good are genetic breakthroughs if their benefits are not realized by those they would benefit?'' Health plans and insurers also would be barred from requiring that patients take particular gene tests. 
``This bill recognizes that discrimination based on a person's genetic identity is just as unacceptable as discrimination based on a person's race or religion,'' Senator Edward Kennedy, a Massachusetts Democrat, said. ``The administration cooperated and we are grateful for its support.'' Administration Support Michael Leavitt, secretary of the Health and Human Services Department, said he hoped the House would move quickly to pass the measure. ``No American should have to worry that their genetic information will affect their ability to get health insurance or a job,'' Leavitt said in an e-mailed statement. ``New advances in medical research have been accompanied by an uneasiness about how this information will be used -- and that is a barrier we must remove.'' The legislation would make it easier for scientists working to uncover links between genetics and common diseases such as heart disease and diabetes, Kathy Hudson, director of the Washington-based Genetics and Public Policy Center at Johns Hopkins University, said in a telephone interview. Reprisals Feared More than 90 percent of people in the U.S. surveyed by the center say one of their biggest concerns about taking part in such medical research is the possibility that their genetic information will be used against them, Hudson said. ``Now, researchers will be able to say no, it won't happen,'' Hudson said. The legislation also removes an obstacle that keeps some people from getting tested to find out whether they have a high risk of developing diseases such as breast or colon cancer, said Gregory Critchfield, president of Myriad Genetics Laboratories, a unit of Salt Lake City-based Myriad Genetics Inc. ``If we talk to patients who have decided not to be tested, the No. 1 reason given by those individuals for not being tested is the fear that they might possibly be discriminated against,'' Critchfield said in a telephone interview yesterday. 
The issue became personal for David Resnick, a Boston attorney who works with local hospitals and researchers. His mother died 10 years ago of ovarian cancer and he wondered whether he might be a carrier of genes that may boost the chances of a man developing prostate cancer. The genes increase a woman's risk of breast cancer. No Guarantee He spoke with genetics counselors at Dana-Farber Cancer Institute in Boston about whether to get tested and agonized over what they told him. ``They explained to me that there is no guarantee that there wouldn't be genetic discrimination,'' he said in a telephone interview today. ``I didn't get the test done.'' The legislation should help assure patients that their genetic information can't be ``misused,'' Karen Ignagni, president of America's Health Insurance Plans, the Washington trade association, said in an e-mailed statement. Lawmakers will follow the measure's implementation to ensure that people's privacy is respected, Senator Chris Dodd, a Connecticut Democrat, said. ``We will not hesitate to revisit the bill,'' he said on the Senate floor. More than a dozen companies sell genetic tests, including Servx, DNA Direct, Roche Holding AG, Genelex and Laboratory Corporation of America Holdings. Years of Effort The bill was first introduced in the House 13 years ago by Representative Louise Slaughter, a Democrat from Rochester, New York. After its passage last year by the House, Senate action was blocked by Senator Tom Coburn, a doctor and Republican from Oklahoma. Coburn was concerned the bill would be a ``trial lawyer boon'' that would encourage lawsuits against employers and insurers, Coburn spokesman Don Tatro said in an e-mail. Coburn allowed a vote after changes were made easing his concerns, Tatro said. 
To contact the reporters on this story: Rob Waters in San Francisco at rwaters5 at bloomberg.net; Aliza Marcus in Washington at amarcus8 at bloomberg.net Last Updated: April 24, 2008 18:11 EDT From rforno at infowarrior.org Fri Apr 25 16:28:58 2008 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 25 Apr 2008 12:28:58 -0400 Subject: [Infowarrior] - GOP wants to tack FISA bill onto war supplemental Message-ID: One of the best things Congress could do is pass rules limiting what can be "tacked on" to legislation, thus precluding things like this, especially on so-called 'must-pass' legislation.....and in this case, legislation that the Dems will prolly vote in favor of simply to avoid looking unpatriotic, no matter WHAT controversial amendments are included. ---rf GOP wants to tack FISA bill onto war supplemental By Klaus Marre Posted: 04/24/08 04:30 PM [ET] http://thehill.com/leading-the-news/gop-wants-to-tack-fisa-bill-onto-war-supplemental-2008-04-24.html Rep. Jerry Lewis (R-Calif.) announced Thursday that he will try to attach a measure updating the Foreign Intelligence Surveillance Act (FISA) as an amendment to the war supplemental bill. Lewis, the ranking Republican on the House Appropriations Committee, said he would make the move if the war funding bill is taken up by the panel. "It's time for the Democratic leaders to put our national security ahead of the desires of trial lawyers and pass the FISA bill that was passed by the Senate," the lawmaker said. "This Congress should make this legislation one of its top priorities until the intelligence gap is closed." Republicans and the White House have engaged in an all-out campaign to get House Democratic leaders to take up a version of the bill that was passed with bipartisan support in the Senate. One of the most contentious issues remaining is whether telecommunications companies should get retroactive immunity if they helped the government with eavesdropping initiatives following the Sept. 
11, 2001, attacks. While Republicans support such a provision and it is included in the Senate bill, House Democrats say it needs to be stripped out. http://thehill.com/leading-the-news/gop-wants-to-tack-fisa-bill-onto-war-supplemental-2008-04-24.html From rforno at infowarrior.org Fri Apr 25 17:58:41 2008 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 25 Apr 2008 13:58:41 -0400 Subject: [Infowarrior] - How to block/kill RFID chips Message-ID: http://www.boingboing.net/2008/04/25/howto-killblock-an-r.html Instructables have just published their latest installment in their series of HOWTOs inspired by my forthcoming novel Little Brother, a young adult book about kids who use technology to wrest liberty from the Department of Homeland Security. This week, it's HOWTO block or kill an RFID chip. -The easiest way to kill an RFID, and be sure that it is dead, is to throw it in the microwave for 5 seconds. Doing this will literally melt the chip and antenna making it impossible for the chip to ever be read again. Unfortunately this method has a certain fire risk associated with it. Killing an RFID chip this way will also leave visible evidence that it has been tampered with, making it an unsuitable method for killing the RFID tag in passports. Doing this to a credit card will probably also screw with the magnetic strip on the back making it un-swipeable. -The second, slightly more covert and less damaging, way to kill an RFID tag is by piercing the chip with a knife or other sharp object. This can only be done if you know exactly where the chip is located within the tag. This method also leaves visible evidence of intentional damage done to the chip, so it is unsuitable for passports. -The third method is cutting the antenna very close to the chip. By doing this the chip will have no way of receiving electricity, or transmitting its signal back to the reader. 
This technique also leaves minimal signs of damage, so it would probably not be a good idea to use this on a passport. -The last (and most covert) method for destroying a RFID tag is to hit it with a hammer. Just pick up any ordinary hammer and give the chip a few swift hard whacks. This will destroy the chip, and leave no evidence that the tag has been tampered with. This method is suitable for destroying the tags in passports, because there will be no proof that you intentionally destroyed the chip. From rforno at infowarrior.org Sat Apr 26 00:17:17 2008 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 25 Apr 2008 20:17:17 -0400 Subject: [Infowarrior] - DHS Website Compromised by SQL injection Message-ID: Original URL: http://www.theregister.co.uk/2008/04/25/mass_web_attack_grows/ Department of Homeland Security website hacked! By Dan Goodin Published Friday 25th April 2008 18:57 GMT The sophisticated mass infection that's injecting attack code into hundreds of thousands of reputable web pages is growing and even infiltrated the website of the Department of Homeland Security. While so-called SQL injections are nothing new, this latest attack, which we reported earlier (http://www.theregister.co.uk/2008/04/24/mass_web_attack/), is notable for its ability to infect huge numbers of pages using only a single string of text. At time of writing, Google searches showed almost 520,000 pages containing the infection string, though the exact number changes almost constantly. As the screenshot below shows, even the DHS, which is responsible for protecting US infrastructure against cyber attacks, wasn't immune. Other hacked sites include those belonging to the United Nations and the UK Civil Service. [Screenshot of Google search showing DHS website] The attack causes infected sites to redirect visitors to destinations that attempt to install malware on vulnerable machines. 
At time of writing, the malicious payloads attacked vulnerabilities that already have been patched. And in any case all three of the redirection sites were down, possibly because they were unable to handle the demand. But should the attackers get their hands on a newer exploit - say, one targeting a zero-day vulnerability in QuickTime (http://www.gnucitizen.org/blog/quicktime-0day-for-vista-and-xp/) - it would be relatively easy for them to swap out the payload. One reason the infection has spread so widely is the attackers have managed to find a single attack string that seems to work on tens of thousands of different sites. Most web applications are custom-built for a particular site, so attackers likewise have to custom design attack parameters to exploit weakness. Not so here. "These guys look like they've found a methodology to get a successful SQL injection generically across [many] websites," said Jeremiah Grossman, CTO of WhiteHat Security, which helps companies secure web applications. "That right there is like a skeleton key." The script is also notable for its ability to slip past web application defenses. The SQL query is mostly made up of HEX code, allowing it to obscure itself, at least to apps that use Microsoft SQL. MySQL and PostgreSQL are less easily fooled, according to researcher Ronald van den Heetkamp (http://www.0x000000.com/?i=556). Sites are getting pwned because they fail to sanitize user supplied data. DHS security pros scrubbed the page clean the same day it got infected and took steps to make sure the same attack couldn't succeed against other parts of the DHS website, spokeswoman Amy Kudwa said. "We're well aware of the fact that intrusions happen all the time and that's why we are doing all that we are to secure the .gov domain," she said. 
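The two defensive points in the article above, that the injected SQL hid behind hex-encoded string literals and that the root cause was unsanitized request data pasted into queries, are shown below in an added Python example that is not part of the Register article or any of the products it names. The log lines, the table rows and the injected value are all constructed for this example; the log format, the parameter name `id` and the table `items` are assumptions.

```python
"""Added example: (1) decode hex literals found in request logs and flag
them when the decoded text contains SQL keywords, which is what a
keyword-only filter misses; (2) a lookup written with string
concatenation (vulnerable) beside the parameterized form, run against an
in-memory SQLite table so the effect of an injected value is visible.
All inputs below are constructed for the example."""
import re
import sqlite3
from urllib.parse import unquote

# A hex literal as it appears in a query string: 0x followed by an even
# number of hex digits (at least 4 bytes, to skip short numeric values).
HEX_LITERAL = re.compile(r"0x((?:[0-9A-Fa-f]{2}){4,})")
# Control keywords that should never appear inside a record-id parameter.
SQL_KEYWORDS = re.compile(
    r"\b(DECLARE|EXEC|CAST|UPDATE|SET|SELECT|UNION|INSERT|DROP)\b", re.I)


def decoded_candidates(hexdigits: str) -> list[str]:
    """Decode a hex literal both as single-byte text and as UTF-16LE,
    since SQL Server string types may be either (assumption for the demo)."""
    raw = bytes.fromhex(hexdigits)
    cands = [raw.decode("latin-1")]
    if len(raw) % 2 == 0:
        cands.append(raw.decode("utf-16-le", errors="replace"))
    return cands


def scan_log_line(line: str) -> list[tuple[str, str]]:
    """Return (keyword, decoded_text) pairs for every hex literal in the
    line whose decoded form contains a SQL control keyword."""
    findings = []
    for m in HEX_LITERAL.finditer(unquote(line)):
        for cand in decoded_candidates(m.group(1)):
            kw = SQL_KEYWORDS.search(cand)
            if kw:
                findings.append((kw.group(1).upper(), cand))
                break
    return findings


def flagged_lines(lines: list[str]) -> list[int]:
    """Indices of log lines that carry a hex-encoded SQL fragment."""
    return [i for i, line in enumerate(lines) if scan_log_line(line)]


# Constructed sample: one normal request, the same SQL fragment hidden as a
# latin-1 hex literal, then as a UTF-16LE hex literal, and a harmless hex id.
FRAGMENT = "UPDATE items SET descr='changed'"
HEX_LATIN1 = "0x" + FRAGMENT.encode("latin-1").hex()
HEX_UTF16 = "0x" + FRAGMENT.encode("utf-16-le").hex()
SAMPLE_LOG = [
    '10.0.0.5 - - [25/Apr/2008:10:01:02 +0000] "GET /items.asp?id=42 HTTP/1.1" 200 512',
    '10.0.0.9 - - [25/Apr/2008:10:01:07 +0000] "GET /items.asp?id=42;' + HEX_LATIN1 + ' HTTP/1.1" 200 512',
    '10.0.0.9 - - [25/Apr/2008:10:01:08 +0000] "GET /items.asp?id=42;' + HEX_UTF16 + ' HTTP/1.1" 200 512',
    '10.0.0.7 - - [25/Apr/2008:10:01:09 +0000] "GET /items.asp?id=0x0000002a HTTP/1.1" 200 512',
]


def build_db() -> sqlite3.Connection:
    """Constructed three-row table standing in for a site's content table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)",
                     [(1, "anvil"), (2, "bolt"), (3, "crate")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, item_id: str) -> list[str]:
    """BAD: the request value becomes part of the SQL text, so it can change
    the query's meaning (kept here only to contrast with the safe form)."""
    rows = conn.execute(
        "SELECT name FROM items WHERE id = " + item_id + " ORDER BY id").fetchall()
    return [r[0] for r in rows]


def lookup_safe(conn: sqlite3.Connection, item_id: str) -> list[str]:
    """GOOD: the value is bound as a parameter and is never parsed as SQL."""
    rows = conn.execute(
        "SELECT name FROM items WHERE id = ? ORDER BY id", (item_id,)).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    for i in flagged_lines(SAMPLE_LOG):
        print("flagged line", i, scan_log_line(SAMPLE_LOG[i]))
    db = build_db()
    print("vulnerable:", lookup_vulnerable(db, "2 OR 1=1"))
    print("safe:      ", lookup_safe(db, "2 OR 1=1"))
```

Decoding the literal before matching is the whole point of the scanner: the second and third sample lines contain no readable keyword until the bytes are decoded, which is why a filter that only looks for `UPDATE` in the raw request misses them. The parameterized lookup returns nothing for the tampered value because the database compares it as one text value rather than parsing it, whereas the concatenated version returns every row.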
While the number of pages that have been infected is high, not all are able to launch an attack once a user visits them, according to Roger Thompson, chief research officer of anti-virus provider AVG. "Very often they're on a page but the stuff doesn't actually fire when you get there," he said. "This is not a cunning, premeditated task; it's just a blast. They're just planting the stuff where they can and the result is a lot of pages [that] don't do anything." But webmasters should not be complacent about removing the injected code from their sites and fixing buggy web apps to make sure more don't spring up. "It's the cleanup effort that's just going to be monstrous," said Grossman, who said affected companies will have to either remove each overwritten table record one at a time, or revert to a recent backup. "Either way, it's going to take forever." Security workers better get cracking. From rforno at infowarrior.org Sat Apr 26 00:18:52 2008 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 25 Apr 2008 20:18:52 -0400 Subject: [Infowarrior] - The terror dam of doom that looms over Boise, Idaho Message-ID: Original URL: http://www.theregister.co.uk/2008/04/24/dam_of_doom_risk_analysis/ The terror dam of doom that looms over Boise, Idaho By George Smith, Dick Destiny Published Thursday 24th April 2008 11:55 GMT It shouldn't come as a surprise that some American scientists think terrorism can be defined by equations and a priori vulnerability factors. Close study of terrorist action and behavior is too dull for many in the US counter-terror business, so it's better to have numbers; insurance men, newspaper reporters and government officials like them, and Benchmark Analysis for Quantifying Urban Vulnerability to Terrorist Incidents (http://media.idahostatesman.com/smedia/2008/03/06/22/RiskAn071.source.prod_affiliate.36.pdf) delivers plenty. Written by University of Arizona math professor Walter W. 
Piegorsch and two other colleagues and published in a recent edition of the journal Risk Analysis, the study came with a ready-made hook. Boise, Idaho, it is claimed, is among the ten cities in the US most vulnerable to terror. This guaranteed some terror beat coverage in the US newsmedia and, as is usual when some study claims to spot deficiencies in terror defense, thrilled local government officials interested in dunning more taxpayer money from the Feds. Funded by grants from the Department of Homeland Security, the National Cancer Institute and the Environmental Protection Agency, Piegorsch and his cohorts worked out what they dub a "place-based vulnerability index," or PVI, which is said to be a measure of the fragility of a city to terror attack. The most vulnerable city in the US, according to the study, is New Orleans with a PVI of 3.119. At number ten, Boise sports an index of 1.696. Vulnerabilities were come to by contributions from other indices, one of which is called the social vulnerability index, or SoVI, previously employed to quantify a location's vulnerability to environmental hazards by evaluating its socioeconomic and demographic profile. To the SoVI, the boffins add a natural hazards vulnerability index (the HazVI) - "a surrogate for community experience in responding to extreme events... an important factor in preparedness levels" - and the BEVI or "built-environment vulnerability index" which takes into account the decrepitude of man-made infrastructure as measured by age plus housing and property values. That New Orleans comes out top of the list is not unexpected considering its poverty and the general national response to Katrina. But who would have picked lily-white Boise as an urban center where a terror plot could easily succeed? 
The dam of doom A reporter for the Los Angeles Times thought to ask why, and was told Boise is menaced by Lucky Peak Dam (http://idptv.state.id.us/buildingbig/dams/luckypeak.html), seventeen miles northeast, holding back 300,000 acre-feet of water. "That dam could be a very likely target, or possible target," claimed Piegorsch. Add the assessment that the government in Boise was lame at historical local disaster response and it spelled terror trouble. And this is where the scientists jump the tracks. They have no way of knowing a dam in Idaho is in the dreams of terrorists, but there's quite a bit of evidence, if they have taken the time to read materials from various terror trials, that it probably is not. On the contrary, the evidence suggests that many jihadi terrorists, even if told about Lucky Peak Dam and the pitiful local emergency response, wouldn't know how to destroy such a considerable public work without extensive planning and access to demolition expertise and materials. They've shown no sign of such a capability since 9/11. Perhaps one could employ acetone peroxide bombs or drive one's jeep into the entrance of the dam powerhouse, then set oneself afire? No such story on terror research is complete without someone asking if publicizing such a research paper as Piegorsch's is a good idea. "Some critics have questioned whether statistical research about America's more vulnerable places should be so easily accessible..." reported the Times. "The bad guys have figured this out already," claimed the head boffin, again showing that while he may know a lot about statistics, one could make the counter argument that the man greatly overestimates what "the bad guys" have figured out or can figure out. Since 9/11, this has been a common trope peddled by a broad variety of anti-terror experts. 
The terrorists always have stuff figured out and when coupled with another canard, the one that states that it's easy to carry out any kind of mayhem, one can begin to go about the job of assigning global fragilities and vulnerabilities without interference. Terrorists? We got 'em The Risk Analysis vulnerability study comes up with its selection of cities by relying on a terrorism database of incidents from 1970-2004, created by the scientists from information on US terror compiled at two sources: the Terrorism Knowledge Base (http://www.tkb.org) and the US Department of Justice. A quick gander at the Terrorism Knowledge Base shows the US awash in terror incidents, almost all of them carried out by American crazies. The great majority of these events are less terrifying than local gang crime in inner city USA. In fact, in the last two years, arsonists motivated by the fire season in southern California have probably caused more property damage and suburban displacement than all of the terrorists in the US section of the TKB combined. But disasters like wildfires and terror incidents are apples and oranges, eh? Indeed they are and a risk analysis can also evaluate which of the two a nation or society is more vulnerable to by employing common sense or the studious lack of it. The latter has been shown to be something of the preferred analytical tool in the US during the last five years. "To put this [report] into practical perspective, suppose city officials in... Charleston, SC, or Norfolk, VA, were considering new forms of coastal antiterrorist protection," the authors write. (One of their conclusions is that coastal cities in the eastern USA and on the Great Lakes trend higher in terror vulnerability.) "This could motivate increased funding allocation(s)..." So an alternative interpretation is that it's good business to have a bad score. The paper also includes a map of US vulnerability to terror nicely color-coded in red (bad), yellow (caution) and green (OK). 
Of course, since this is all now available on-line the terrorists have already downloaded it and someone in Karachi or Lahore must be making plans for where we least expect it, not Boise, but the previously thought to be terror-safe border between eastern California and western Nevada. George Smith is a senior fellow at GlobalSecurity.org, a defense affairs think tank and public information group. At Dick Destiny (http://www.dickdestiny.com/blog/dickdestiny.html), he blogs his way through chemical, biological, and nuclear terror hysteria, often by way of the contents of neighbourhood hardware stores. From rforno at infowarrior.org Sat Apr 26 00:19:53 2008 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 25 Apr 2008 20:19:53 -0400 Subject: [Infowarrior] - Interview with DHS cybersecurity chief Message-ID: Original URL: http://www.theregister.co.uk/2008/04/25/greg_garcia_interview/ Securing cyberspace against war, terror and red tape By Dan Goodin in San Francisco Published Friday 25th April 2008 12:02 GMT Interview In September 2006, the US Secretary of Homeland Security appointed Greg Garcia assistant secretary for cybersecurity and telecommunications. With oversight for the National Cyber Security Division, the Office of Emergency Communications and the National Communications System, he is the federal government's point man for securing the nation's internet and telecommunications' systems against attacks from terrorists or countries that may target the US. The Register sat down with him during the RSA security conference and a couple of things quickly became clear: One, he'd much prefer to see free market forces secure cyberspace than rely on the long arm of the government; and two, like the president he serves, he believes the execution of his duties is pretty much flawless. El Reg: It's been about 18 months since you've been on the job. That's a nice number for report cards, or to check in and see how you're doing. 
In your judgment, what are your biggest accomplishments and what's the biggest failure or thing that you would have liked to accomplish that you haven't? I think the biggest accomplishments so far are just the level of visibility that cyber security has taken on, not just in the DHS but across the government. I think the cyber initiative is the evidence of that. Leading up to that we had a number of very compelling accomplishments, the biggest of which was in May of last year we released the 17 sector specific plans (http://www.dhs.gov/xprevprot/programs/gc_1179866197607.shtm) as part of the national infrastructure protection plan. This is where each of the critical sectors got together with their agency counterparts in the federal government, sat down side by side, two pens and a piece of paper and mapped out what commitments we are going to make collectively to do the national vulnerability assessment that's necessary across our networks and take the steps to mitigate them. That was a true illustration of the partnership model at work and that it's working. There were trust relationships built around that. I think over the past 18 months I would look back and say the level of engagement of this partnership between the private sector and the public sector is I think a tremendous accomplishment. Is there anything that you were hoping you would have accomplished by now that has not happened? I think this is an evolutionary process. My only regret is that this administration is coming to a close and that the national strategy that we need to pursue is one that's going to take years to really mature to where it needs to be and as I'm a political I don't expect I'm going to be around much into the next administration. But I'm looking to our private sector partners and career civil servants across the government and in DHS to keep that going. 
There is growing evidence that [China is] actively engaged not only in attacking infrastructure belonging to private companies but also infrastructure that belongs to the federal government. I believe that Oak Ridge [National] Labs (http://www.channelregister.co.uk/2007/12/07/national_labs_breached/) is one possibility. Do you believe that there are attacks coming from China that are state sponsored? There are attacks coming from everywhere as you know, and there are botnet attacks that you can see coming from a country but that doesn't mean that's where the actual attacker is seated and that botnet computer could be hijacked from a completely different country. That said, there are some things we don't talk about in this forum about nation states or otherwise, but from a DHS perspective what we're particularly interested in is how do we protect our systems from those attacks no matter where they're coming from. Because yes, they could come from nation states, they could come from hacker groups, they could come from hacktivists with political motives, they could come from organized cyber crime groups from different countries. So my objective is to ensure we've got the protective systems in place and the technology in place and the coordinated response to attacks. If DHS were to learn that a particular attack was state-sponsored by the Chinese government, you knew for certain, would it be considered an act of war and responded to accordingly? That's a good question and we are now in a cyber age where our traditional thinking about acts of war are changed. This is something that we are thinking about across the federal government in terms of more strategic thinking about how to deal with that question, because it's a very complex one and it's one that engages numerous players from the State Department to the Defense Department to many others across the federal government. This is part of our national strategy how we deal with that question. 
You mentioned the important thing being protecting ourselves against an attack wherever it may come from and whoever may be behind it. Are offensive cyber attacks, sort of counter DDoSes, counter unleashing of malware - are those things included in the way DHS should go about protecting the country? Our mission is protective, so we're protecting the homeland, we're protecting our networks. You've seen articles recently where the Air Force cyber command is talking about stepping up its offensive capabilities. DOD is really the most active in that area, but DHS we're protective. If you see a botnet attacking important infrastructure, is taking that botnet out or attacking it one way of protecting ourselves? There are some things we don't want to talk about in open forums, but we do partner with various agencies across the government who have different equities in cyber security, different activities in cyber security and we work together to help each other, particularly making sure that DHS knows what's coming into federal networks so we can take protective actions. There's been some discussion about how to deal with radical jihadi groups that are online and websites that perhaps are spreading jihadi propaganda. One idea is shut them down and another idea is don't shut them down [but rather] study them, monitor them. Shutting them down only drives them underground and then you don't know what the enemy is thinking or doing. Where do you stand on that? DHS's mission is about protecting our networks. We're not engaged in shutting down other networks. That's the purview of other agencies. Does DHS consider the monitoring of groups like that part of its purview, in gathering intelligence and knowing if people are thinking about attacking or doing other things like that? DHS is not an intelligence gatherer, so the effort that we have in the cyber initiative is helping federal agencies monitor what's going in and out of their own networks. 
We're not monitoring or gathering intelligence. There has been a lot of evidence that attacks on national labs are using very sophisticated spear phishing. Is this something that's within DHS's purview to try to prevent, and if so what exactly are you doing? The US CERT is the focal point for the information sharing about attacks. Last year US CERT received 37,000 incident reports, which is about a 55 per cent increase over FY 07 and most of those were phishing attacks just as you described. So it's our ability to receive that information, watch what's happening across federal networks using our Einstein intrusion detection capabilities and correlating, seeing what the patterns are. As to that collection of anomalous traffic across networks that we're able to push the information back out to our federal agencies, to our state governments and to our private sector saying this is what we're seeing. Most recently, last fall, we were able to communicate through notices to our partners a variety of IP addresses that they need to be watching out for that kind of attack. This is the primary role of the US CERT, which is to both receive information from all sources about what's happening on our networks, analyze it, synthesize it, correlate it, and then push it back out again in actionable formats that people can actually take action and say, OK got it, I'm going to plug this port and apply this patch. That's our value add. It was just this week that a research firm from Atlanta came out with research about a botnet they call Kraken (http://www.theregister.co.uk/2008/04/07/kraken_botnet_menace/), evidently it goes under other names such as Bobax (http://www.theregister.co.uk/2008/04/09/kraken_disagreement/). It's a massive botnet, and it's living in many cases inside of Fortune 500 companies and presumably other places it shouldn't be. 
If Fortune 500 companies aren't taking steps to prevent this kind of thing, what evidence do we have that we're really on the right track when it comes to preventing attacks against important infrastructure? Good question. I think a lot of companies are taking the right steps and a lot of companies are not taking the right steps and part of my role is to communicate the business proposition to these companies as to why they need to take steps to protect against threats that they're not actually seeing. And that's the challenge from a lot of the companies - they feel they need to actually see the threat but sometimes they don't know that they're being infiltrated. This conference is evidence - there are what 17,000 people here - that there is an increasing awareness. So even though there are a lot of companies that are responsible and doing the right thing, our networks really are only as strong as the weakest link and because we are so interconnected, if there are companies that are not doing what they need to do to protect their networks, that in turn may be jeopardizing the security of companies that very well may be doing the right thing, and the federal government as well. So do you use a carrot, or at some point do you use a stick? I think it's really a combination, but a stick model, if you mean regulatory, I would be concerned that we could through a regulatory model not keep up with evolving technology, we could not keep up with evolving threats and that what instead we need to do is to push the market place to provide market-based incentives for companies that in order for me as one company to do business with you as another company, I need to be convinced that you're doing the right thing with your networks. If you're going to connect to me I don't want to catch your virus. I as your customer have to demand this upon you as my vendor or my service provider. That's the model we're trying to push. 
The stick has to be coming from the market place to the market place, not from the government to the marketplace. Do you think that some sort of digital Pearl Harbor is possible in the next decade and if so, how likely do you think it is? Our networks are so distributed and resilient and redundant that a massive attack that would bring down the internet - I don't think that's possible. I direct your attention to a report from the Business Roundtable last fall. What they said was: We have to envision a situation where you could have multiple coordinated attacks against different pockets of the internet infrastructure such that it degrades confidence in the internet as our mode of doing business. If we lose confidence in that and we cease to want to use it, or we cease to be able to use it, then our business continuity is at stake. So we as CEOs have a responsibility to ensure we have business continuity. That's what cyber security is about. It's about the operations of my business and I as CEO have a responsibility to my shareholders and to my board of directors to ensure that I'm paying attention to this and am taking protective measures and investing in the technology, investing in the people, investing in the best practices and policies to make sure we're doing the right thing. Talk to me a little bit about your own experience with security. Have you ever been a victim of, or worked for the defense of, a network that was under attack? I as a home user do everything I am supposed to do. I keep my anti-virus up to date and keep my firewall turned on. I have seen in the past spyware infect my personal computer, just as everybody has. My role at DHS is to co-ordinate all of those efforts from the operational side of my US CERT to the preparedness side of building the culture of securing across the country. I've not been a hacker. There are those who know how to do it, but I'm more interested in national policy and national strategy. 
Over the last year there have been dozens of reports of flash drives, hard drives, iPods, all kinds of different devices you can buy at Best Buy or wherever else, with spyware loaded on to them. Do you worry that it's also possible to put on a much more nefarious software that has implications for homeland security? Absolutely. We are acutely aware of potential vulnerabilities across the global supply chain. We live in a global manufacturing environment and that is the natural order of a global business. But with that comes risks that anywhere along the supply chain we could see vulnerabilities into products that are manufactured abroad, whether it's hardware or software. This is something we have put more resources into at DHS and that is working with the private sector to consider how we can get a handle on the global supply chain. Thanks very much. Good talking with you. From rforno at infowarrior.org Sat Apr 26 13:37:51 2008 From: rforno at infowarrior.org (Richard Forno) Date: Sat, 26 Apr 2008 09:37:51 -0400 Subject: [Infowarrior] - More on....Appeals Court: Border electronics searches are okay In-Reply-To: <4810B7B2.3000304@dcrocker.net> Message-ID: ------ Forwarded Message From: Dave Crocker Date: Thu, 24 Apr 2008 09:39:14 -0700 To: Cc: ip , , Richard Forno Subject: Re: [IP] Re: Appeals Court: Border electronics searches are okay Folks, Worrying about inspections at borders is titillating but probably distracts discussion from the larger and more pervasive examples of unwanted inspection of data on a laptop: physical theft or loss. Protect against that, in a way that is viable on a daily basis, and the border concern is automatically also dealt with. So it's fine to have concern over border inspection serve to motivate efforts at protecting mobile data privacy, but it probably should not guide design. We've seen the same distinction for developing trust-based mechanisms to "fight" spam and other abuse. Good for motivation, bad for design. 
The design needs to solve things in a way that fits into daily use, rather than being tailored too specifically for special use cases. And no matter how much you cross borders, it's a special case, compared with the rest of your laptop use. As with so many other security issues, in the case of laptop privacy, the core technical challenge is almost certainly a human factors one. Keeping data on a peripheral that is removed is inconvenient and really doesn't solve the problem, since the peripheral is also subject to inspection. And for a large enough amount of data, the i/o rate is not good enough or the storage choices are too limited. Or both. So it is not likely to scale into widespread use. Having file or disk encryption performed automatically certainly sounds appealing, but it creates the question of how the data are unlocked. If it is convenient enough for daily use by mass-market users, does it really provide meaningful protection? So, for example, having login (boot-time or waking from sleep/hibernation) also unlock the data is extremely appealing, since it creates no new human-factors effort. But does it provide protection against a laptop stolen when you step away from it for a few seconds? Does it need to? I think this translates into the question of granularity for the user activity that controls the crypto. Does the human factors check take place at the right times to be useful while still being tolerable? From rforno at infowarrior.org Sat Apr 26 13:39:14 2008 From: rforno at infowarrior.org (Richard Forno) Date: Sat, 26 Apr 2008 09:39:14 -0400 Subject: [Infowarrior] - Paying cash? Pay more! Message-ID: (c/o Brock Meeks, via Farber's IP........rf) Paying cash? That'll cost extra Posted: Friday, April 25 at 05:00 am CT by Bob Sullivan http://redtape.msnbc.com/2008/04/paying-cash-at.html#posts Rhonda Payne went to an AT&T Wireless store in Calhoun, Ga., recently to pay her phone bill in cash. 
She'd been hit by ID theft and was forced to close her checking account, so she was worried she wouldn't be able to mail a check on time. But when she arrived at the store, she was in for a surprise. Paying in person, she was told, costs extra -- $2 extra. Payne objected to the "administrative charge" that was added to her bill but got no sympathy. Instead, she said, she was told she should consider herself lucky because the fee was about to go up to $5. "I was told that it was a courtesy to take cash," she said. "I said, 'Are you kidding me?'" It's no joke. Beginning earlier this year, AT&T Wireless began to charge customers who pay their bills in their stores. "It is a way of saving money ... it helps us keep our costs lower," said AT&T spokesman Mark Siegel. "We want our associates to spend their time helping customers as they are thinking about their wireless plans or looking at phones." There are multiple ways for consumers to pay their bills for free, he added -- in the mail, by electronic payment and on the Web. There are even kiosks in stores where bill payments can be dropped off for free. But having a sales clerk take the payment costs extra. "If someone really wants to pay using the service of a representative, we think it's appropriate to assess this fee," Siegel said. The fee might remind some of the "talk-to-a-teller" fee introduced by First National Bank of Chicago in 1995. Siegel said such fees are routine in other industries, too, citing credit cards as an example. In fact, most credit card issuers do charge a similar fee, called "pay-to-pay." Consumers who call up banks to pay their credit card bills -- often at the last minute to avoid interest charges or late fees -- often are assessed "pay-to-pay" fees ranging from $5 to $15. The practice has recently drawn scrutiny in Congress, and a credit card reform bill introduced by Sen. Carl Levin, D-Mich., would ban the practice. Hurts the poor most Consumer advocate Ed Mierzwinski, director of the U.S. 
Public Interest Research Group, said he's concerned about AT&T's new fee for another reason: It hits poor people hardest because they are most likely to pay in stores. "It's targeted at people who don't have bank accounts," he said. "...It's punitive and largely indefensible. "It's just unfair to me and I'm shocked by it. People that have less money have to pay more to pay their bills. ... It hurts people that really don't have a choice." Studies show that 10 million to 12 million Americans don't have bank accounts and have to pay their bills in cash, he said. Some are undocumented workers; others are consumers who have bounced too many checks in the past and are ineligible for checking accounts. Sometimes called the "unbanked," consumers who live in this cash economy are finding it harder and harder to maintain basic services, Mierzwinski said. "I think (AT&T's fee) is going to lead to more companies charging more to people who want to pay with cash," he said. Siegel denied that AT&T was targeting cash customers and said his company offers pay-as-you-go pre-paid phones that are better suited for consumers who want to pay in cash. Payne has complained to state regulators and to the Federal Communications Commission, but hasn't received a refund -- or an explanation that satisfies her. "This fee charged by AT&T is ripping off poor people," she said. "I've told everybody I know about this." 
From rforno at infowarrior.org Sat Apr 26 13:44:53 2008 From: rforno at infowarrior.org (Richard Forno) Date: Sat, 26 Apr 2008 09:44:53 -0400 Subject: [Infowarrior] - PBS Takes USS Nimitz On a Long, Choppy Ride Message-ID: PBS Takes USS Nimitz On a Long, Choppy Ride By Tom Shales Washington Post Staff Writer Saturday, April 26, 2008; C01 http://www.washingtonpost.com/wp-dyn/content/article/2008/04/25/AR2008042503790_pf.html Combine a dizzying mishmash of cinematic gimmicks with a conk-on-the-head rock score, then make the film 10 hours long, and there you have a good recipe for the viewing equivalent of seasickness. That's what you're likely to get from "Carrier," a repetitious PBS documentary about life aboard that hale ship the USS Nimitz. "I do like it, but I didn't love it," says one of the ship's sailors as he describes his cramped sleeping quarters; he has to slip into it like baloney into a sandwich. "Carrier," likewise, is likable enough in parts but not lovable enough; there's simply too much of it, and director Maro Chermayeff can't quite settle on a consistent style. It's hard to tell the fits from the starts. The film also, sad to say, rocks when it isn't rolling. That is, instead of a full-blown orchestral score in the background (the one that immediately comes to mind is Richard Rodgers's brilliant music for the NBC documentary masterpiece "Victory at Sea"), the producers pipe in a rock or pop tune whenever they want to liven up the footage, or give it a beat, or perhaps add some sort of blandly ironic comment. The songs give the film an unfortunate "Top Gun" feel, as if this were all some grandly conceived and overproduced recruitment film. That complaint is not just a fuddy-duddy's longing for the good old days. Obviously, music in the Rodgers idiom would seem anachronistic if used today. But other viable contemporary alternatives are available. 
Having singers and their songs supplement the dialogue means we are never very far from, or safe from, words -- although the film does mercifully lack a narrator. The Nimitz, said to be one of only 10 nuclear aircraft carriers in the world, is a magnificent playground for any camera, and "Carrier" was shot in HD video, which means properly equipped viewers will see pictures of stunningly sharp clarity. But the pictures aren't as spectacular as one might anticipate, and though Chermayeff doesn't mind lingering at length over the sight of a crew member sitting and talking, he likes to do quick, slick, lickety-split cuts from shot to shot once he gets outside and photographable material is everywhere. There are ways, though, in which "Carrier" resembles a pleasure cruise. The sailors are largely an ingratiating bunch, going about their labors with more good cheer than many a civilian goes about his or hers. Even the prosaic everyday activities are worth seeing, whether they involve making pancakes, polishing brass or, as one crew member puts it, "pushing missiles around." Yes, we see the missiles and yes, they have to get pushed around. Mostly, the Nimitz seems to be roaming around with no particular goal. Near the end of the first part, however, the ship pays a visit to a famous memorial: the one constructed in Hawaii in memory of the USS Arizona, sunk during the attack on Pearl Harbor. A hint of actual music seems to sneak in at this solemn moment. Later in the series, the Nimitz will head for Iraq and play a part in the war, jets taking off from and landing on its deck. One pilot describes the sensation of experiencing that dip from the deck into the air as "kind of like having sex in a car accident." It's hard to be absolutely certain, however, if the takeoffs shown here are any more impressive or dramatic than those replicated by prop planes (with some newsreel footage edited in) in the classic war movie "Thirty Seconds Over Tokyo," more than a half-century ago. 
The filmmakers are careful to try for political balance, with comments about the war from men and women aboard ship. Although the monstrous attack of Sept. 11, 2001 is repeatedly invoked by the ship's officers in pep talks, one sailor says bluntly, "One thing has absolutely nothing to do with the other" -- the "other," of course, being the war. But another young sailor eloquently expresses the sense of patriotism that compelled him to enlist. Perhaps the most pungent and affecting comment, however, comes from a young African American woman: "I don't get why we're fighting for somebody else's freedom when we barely have our own." Another female member of the crew is reprimanded, on camera, because alcohol was found in her locker. She takes the punishment gamely. Alarm is sounded when it appears one sailor has slipped overboard and is lost at sea, a terrifying prospect. Individually and in the aggregate, the members of the crew are inspiringly impressive, and one can hardly help empathizing with the young man who says, "I don't want to be a quitter, but I really would rather be home." Those who wade into "Carrier" might not want to be quitters, either, but after four or five hours, they may find they'd really rather be checking out who's survived on "American Idol." The 10-part Carrier (10 hours) debuts tomorrow at 9 on Channels 22 and 26. 
From rforno at infowarrior.org Sat Apr 26 13:48:08 2008 From: rforno at infowarrior.org (Richard Forno) Date: Sat, 26 Apr 2008 09:48:08 -0400 Subject: [Infowarrior] - Easy IO: Chronicling the dumbing-down of America Message-ID: Chronicling the dumbing-down of America By Michiko Kakutani New York Times Article Launched: 04/20/2008 01:36:14 AM PDT http://www.mercurynews.com/books/ci_8991225 There are few subjects more timely than the one tackled by Susan Jacoby in her new book, "The Age of American Unreason," in which she asserts that "America is now ill with a powerful mutant strain of intertwined ignorance, anti-rationalism and anti-intellectualism." For more than a decade, there have been growing symptoms of this. Conservatives have turned the term "intellectual" into a dirty word in politics; policy positions tend to get less attention than personality and tactics in the current presidential campaign; and the democratizing influence of the Internet is working to banish expertise altogether, making everyone an authority on everything. Meanwhile, studies show that American students are falling behind students from other developed countries in science and math, and that ignorance of basic civics class fundamentals, not to mention basic liberal arts concepts, is widespread. In "American Unreason," Jacoby, the author of earlier books like "Freethinkers: A History of American Secularism," explores this dismaying phenomenon. Her book is smart, well researched and frequently cogent, but just as often the material is overly familiar, blandly reprising arguments made by others, while failing to pull these observations together into a coherent, new argument. As Jacoby sees it, there are several key reasons for "the resurgent American anti-intellectualism of the past 20 years." 
For one, television, video games and the Internet have created a "culture of distraction" that has shortened attention spans and left people with "less time and desire" for "two human activities critical to a fruitful and demanding intellectual life: reading and conversation." The eclipse of print culture by video culture began in the 1960s, Jacoby argues, and the ascendance of youth culture in that decade also promoted an attitude denigrating the importance of tradition, history and knowledge. By the '80s, she goes on, self-education was giving way to self-improvement, core curricula were giving way to classes intended to boost self-esteem and old-fashioned striving after achievement was giving way to a rabid pursuit of celebrity and fame. It was also in the '60s, Jacoby writes, that a resurgent fundamentalism "received a jolt of adrenaline from both the civil rights laws" and the later "cultural rebellions." Another problem, Jacoby argues, is this country's insistence on local control of schools, which means that "children in the poorest areas of the country would have the worst school facilities and teachers with the worst training." The ignorance resulting from the absence of national education standards, combined with the resurgent anti-intellectualism now abroad in the land, Jacoby concludes, is dangerous for any country, but especially dangerous for a democracy. THE AGE OF AMERICAN UNREASON By Susan Jacoby Pantheon Books, 356 pp., $26 From rforno at infowarrior.org Sat Apr 26 15:51:12 2008 From: rforno at infowarrior.org (Richard Forno) Date: Sat, 26 Apr 2008 11:51:12 -0400 Subject: [Infowarrior] - You're an Author? Me Too! Message-ID: April 27, 2008 Essay You're an Author? Me Too! By RACHEL DONADIO http://www.nytimes.com/2008/04/27/books/review/Donadio-t.html?_r=1&oref=slogin&pagewanted=print It's well established that Americans are reading fewer books than they used to. 
A recent report by the National Endowment for the Arts found that 53 percent of Americans surveyed hadn't read a book in the previous year -- a state of affairs that has prompted much soul-searching by anyone with an affection for (or business interest in) turning pages. But even as more people choose the phantasmagoria of the screen over the contemplative pleasures of the page, there's a parallel phenomenon sweeping the country: collective graphomania. In 2007, a whopping 400,000 books were published or distributed in the United States, up from 300,000 in 2006, according to the industry tracker Bowker, which attributed the sharp rise to the number of print-on-demand books and reprints of out-of-print titles. University writing programs are thriving, while writers' conferences abound, offering aspiring authors a chance to network and "workshop" their work. The blog tracker Technorati estimates that 175,000 new blogs are created worldwide each day (with a lucky few bloggers getting book deals). And the same N.E.A. study found that 7 percent of adults polled, or 15 million people, did creative writing, mostly "for personal fulfillment." In short, everyone has a story -- and everyone wants to tell it. Fewer people may be reading, but everywhere you turn, Americans are sounding their barbaric yawps over the roofs of the world, as good old Walt Whitman, himself a self-published author, once put it. "As publishing has become less expensive, the urge to write my own self has become the opportunity to publish my own self," said Gabriel Zaid, a Mexican critic and the author of "So Many Books: Reading and Publishing in an Age of Abundance," a meditation on literary life in an over-booked world. Today, he added, "Everyone now can afford to preach in the desert." At the Book Review, dozens of self-published books arrive each week -- poetry collections, children's books, memoirs, self-help manuals, sci-fi novels, religious titles. 
"The Chronicles of a Hip Hop Legend: Paths of Grand Wizardry" recently crossed the transom, as did a technical monograph on the death of Napoleon, complete with charts on possible arsenic poisoning; an illustrated religious guide, "Hell: For Those Dying to Get There"; and "Disney Your Way," with suggested itineraries for navigating Walt Disney World. There are memoirs by Holocaust survivors and people fighting eating disorders, and novels like "September Sun," in which, "enticed by the powerful aphrodisiac of sex, Michael learns to his chagrin that Murphy's Law is always in play." And the numbers suggest the books will keep on coming. IUniverse, a self-publishing company founded in 1999, has grown 30 percent a year in recent years; it now produces 500 titles a month and has 36,000 titles in print, said Susan Driscoll, a vice president of its parent company, Author Solutions. While some are "calling card" books that specialists sell at conferences and workshops, most are by ordinary people who want to get their work in print. The writers tend to be on both ends of the age spectrum. "As people get older, they have more time and more money and something to say," Driscoll said, while their grandchildren are often driven by "that need for fame," she said. "They may not be avid readers, but they certainly are writers." Not that anyone is necessarily paying attention. Driscoll said that most writers using iUniverse sell fewer than 200 books. Other self-publishing outfits report similar growth. Xlibris, a print-on-demand operation, has 20,000 titles in print, by more than 18,000 authors, said Noel Flowers, a company spokesman. It is "nonselective" in choosing manuscripts, he said, though it does screen "for any offensive or inappropriate content." Xlibris's top sellers include "Demonstrating to Win!," a computer manual (15,600 sold, not including copies bought by the author), and "The Morning Comes and Also the Night," 
which the company lists in the ?religion/Bible/prophecies? category (10,500 sold). For the most part, big booksellers shy away from carrying self-published books. But they?re still looking to jump into the game. IUniverse has a ?strategic alliance? with Barnes & Noble, which sometimes considers stocking self-published titles for some local branches, Driscoll said. Amazon.com owns BookSurge, a print-on-demand operation that produces and distributes books for as little as $3.50 per copy. Borders recently started a self-publishing program with the print-on-demand company Lulu. Would-be authors can pay $299 for formatting, printing and an ISBN code, or for the $499 ?premium package,? an editor will address structure, plot and documentation, along with basics like grammar, punctuation and spelling. The Borders site says self-published authors can even arrange readings in local Borders stores, but the kinks still need to be worked out. ?It is not possible to purchase a place on shelves or an author event today,? a spokeswoman for Borders said. Borders lists its self-publishing program under the rubric ?Borders Lifestyles,? as if writing were a hobby, like golf, rather than a calling or a craft. But for those seeking formal training, there are hundreds of creative writing programs offering M.F.A.?s and other credentialing. The Association of Writers and Writing Programs represented 13 programs when it was founded in 1967. Now it includes 465 full-fledged courses of study, and creative writing classes are offered at most of the 2,400 college English departments in North America. Since the ?60s, creative writing programs have helped ?democratize? the talent pool, providing ?the encouragement to women and a lot of different people of different classes and ethnicities to tell their stories and write their poems,? said David Fenza, the organization?s executive director. He disagrees with those who think an oversupply of books is pushing readers away. 
"Some have argued that all this new literary activity is displacing the Great Works and therefore estranging the great audience for literature," Fenza said. "Writing programs have their faults, but they still work as advocates for the mind that reads."

Mark McGurl, an associate professor of English at the University of California, Los Angeles, and the author of a forthcoming book on the impact of creative writing programs on postwar American literature, agrees that writing programs have helped expand the literary universe. "American literature has never been deeper and stronger and more various than it is now," McGurl said in an e-mail message. Still, he added, "one could put that more pessimistically: given the manifold distractions of modern life, we now have more great writers working in the United States than anyone has the time or inclination to read."

Self-publishing companies may produce books for less than $5, but how much does all this production cost readers? In "So Many Books," Zaid playfully writes that "if a mass-market paperback costs $10 and takes two hours to read, for a minimum-wage earner the time spent is worth as much as the book." But for someone earning around $50 to $500 an hour, "the cost of buying and reading the book is $100 to $1,000" -- not including the time it takes to find out about the book and track it down.

On the whole, Zaid is unworried about the proliferation of books, though he doesn't think everyone should set pen to paper. "About would-be writers, André Gide used to say: 'Découragez! Découragez!'" (discourage!), Zaid said in an e-mail message. "The implication was that real writers would not be discouraged, and the rest would save a lot of time. Of course, some mediocrities are never discouraged, and some potential real writers would be lost. But there is so much talent around that we can afford it."

Indeed. There's a lot of noise out there, and some of it is music.

Rachel Donadio is a writer and editor at the Book Review.
From rforno at infowarrior.org Sat Apr 26 15:52:21 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 26 Apr 2008 11:52:21 -0400
Subject: [Infowarrior] - Senators seek to stymie state secret shenanigans
Message-ID:

Senators seek to stymie state secret shenanigans
By Timothy B. Lee | Published: April 25, 2008 - 09:35AM CT
http://arstechnica.com/news.ars/post/20080425-senators-seek-to-stymie-state-secret-shenanigans.html

The Senate Judiciary Committee yesterday approved legislation that seeks to clarify the rules governing the disclosure of state secrets in the courtroom. The bill's chief sponsor, Sen. Edward Kennedy (D-MA), has touted the legislation as a response to President Bush's aggressive invocation of the state secret privilege in litigation challenging the conduct of the "war on terror." The 11-8 vote was almost entirely along party lines, with only Sen. Arlen Specter (R-PA) breaking ranks to vote in favor of the bill.

The state secrets privilege has been at the heart of the wiretapping cases that we have covered here at Ars. Back in 2006, the Bush administration intervened in the Electronic Frontier Foundation's class action lawsuit against AT&T, arguing that the litigation could not be conducted fairly because any information about the NSA's "secret room" would be classified. The administration made the same argument in its effort to stop five state regulatory agencies from probing telco participation in the NSA programs. And the government invoked the state secrets doctrine in defending itself from a lawsuit brought by an Islamic charity that claims it was the target of an illegal wiretap. The U.S. Court of Appeals for the Ninth Circuit ruled for the government on the latter case in November, holding that the pivotal document in the case was covered by the state secrets privilege.
But the decision suggested the Ninth Circuit wasn't buying the Bush administration's broader claim that the very existence of the so-called Terrorist Surveillance Program was a state secret. The Ninth Circuit has yet to rule on the EFF lawsuit. The Bush administration routinely asserts the state secret privilege in other civil liberties cases. In a rare setback for the government, a Chicago judge recently ordered the Department of Homeland Security and the FBI to reveal whether an individual who had experienced repeated detentions was on a government watchlist for terrorism suspects, despite government protestations that the information was classified. But in most cases, the invocation of the state secret privilege has been sufficient to get lawsuits thrown out. For example, last October the Supreme Court refused to review a decision that a man who claims he was tortured by the US government could not pursue his case without revealing state secrets. The legislation approved by the Judiciary Committee yesterday seeks to place limits on the assertion of the state secret privilege by clearly defining when it can be used and providing specific procedures for courts to follow in response to assertions of state secrets by the executive branch. Under the proposal, judges would not be permitted to dismiss a case based on the state secrets doctrine unless they determine that it would be impossible for the defendant to fully defend herself without classified information. That would make it more likely that lawsuits challenging government abuses of civil liberties would be allowed to go forward. The legislation gives judges relatively broad discretion to decide which evidence is a state secret and how best to balance the conflicting demands of justice, transparency, and national security. Judges are instructed to work with the government to find a way to allow the case to go forward without revealing state secrets, and are given several options for doing so. 
This may be done by releasing a redacted version of key documents, producing a summary of key documents that provides information relevant to the litigation without revealing state secrets, or having the government stipulate to facts that are proven by classified documents without releasing the documents themselves. Judges are allowed to exclude attorneys who lack security clearances, or to delay proceedings so that key personnel can obtain the necessary clearances. Alternatively, judges would be permitted to appoint a properly-cleared legal representative for parties whose other lawyers lacked the required clearances.

The legislation seems unlikely to become law this year. It still needs to be approved by the full Senate and then be taken up by the House. If Democratic leaders manage to complete that process by the fall, Attorney General Mukasey has suggested that President Bush would veto it. More likely, work completed this year will lay the foundation for Congress to consider state secrets reform in the next Congress, when someone else sits at 1600 Pennsylvania Ave.

From rforno at infowarrior.org Sat Apr 26 15:54:47 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 26 Apr 2008 11:54:47 -0400
Subject: [Infowarrior] - Who's Guarding the Blackberries During Meetings?
Message-ID:

Mexican Embassy: Official Fired After Getting Caught With White House BlackBerries
Friday, April 25, 2008
http://www.foxnews.com/story/0,2933,352378,00.html

Whether he was up to no good or simply desperate to play BrickBreaker, a Mexican press attaché was caught on camera pocketing several White House BlackBerries during a recent meeting in New Orleans and has since been fired, FOX News has learned. Sources with knowledge of the incident said the official, Rafael Quintero Curiel, served as the lead press advance person for the Mexican Delegation and was responsible for handling logistics and guiding the Mexican media around at the conference.
Mexican Embassy spokesman Ricardo Alday said Thursday he was asked to tender his resignation once he arrived back in Mexico City. "Mr. Quintero will be responsible for explaining his actions to the American authorities conducting an investigation. The Mexican government deeply regrets this incident," he said. Quintero Curiel took six or seven of the handheld devices from a table outside a special room in the hotel where the Mexican delegation was meeting with President Bush earlier this week. Everyone entering the room was required to leave his or her cell phone, BlackBerry and other such devices on the table, a common practice when high-level meetings are held. American officials discovered their missing belongings when they were leaving the session. It didn't take long before Secret Service officials reviewed videotape taken by a surveillance camera and found footage showing Quintero Curiel absconding with the BlackBerries. Sources said Quintero Curiel made it all the way to the airport before Secret Service officers caught up with him. He initially denied taking the devices, but after agents showed him the DVD, Quintero Curiel said it was purely accidental, gave them back, claimed diplomatic immunity and left New Orleans with the Mexican delegation. In a letter sent to Mexican newspapers and broadcasters, Quintero Curiel said he had picked up the phones because he thought they had been left behind. He said that as he rushed to the airport, he had given them to a driver to take back to the hotel to hand them over to management. In the letter, he said U.S. Secret Service agents had approached him at the airport, asking him to return the BlackBerries, but he said the agents thanked him for his help when he explained the incident. White House spokeswoman Dana Perino refused to discuss the incident, telling FOX News, "We are aware of the situation, but as it's under investigation by law enforcement officials, we will decline to comment." 
FOX News' James Rosen and Mike Emanuel and The Associated Press contributed to this report

From rforno at infowarrior.org Sat Apr 26 15:57:34 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 26 Apr 2008 11:57:34 -0400
Subject: [Infowarrior] - Peak Water: Aquifers and Rivers Are Running Dry
Message-ID:

WIRED MAGAZINE: 16.05
Peak Water: Aquifers and Rivers Are Running Dry. How Three Regions Are Coping
By Matthew Power
04.21.08 | 6:00 PM

That the news is familiar makes it no less alarming: 1.1 billion people, about one-sixth of the world's population, lack access to safe drinking water. Aquifers under Beijing, Delhi, Bangkok, and dozens of other rapidly growing urban areas are drying up. The rivers Ganges, Jordan, Nile, and Yangtze -- all dwindle to a trickle for much of the year. In the former Soviet Union, the Aral Sea has shrunk to a quarter of its former size, leaving behind a salt-crusted waste.

Water has been a serious issue in the developing world for so long that dire reports of shortages in Cairo or Karachi barely register. But the scarcity of freshwater is no longer a problem restricted to poor countries. Shortages are reaching crisis proportions in even the most highly developed regions, and they're quickly becoming commonplace in our own backyard, from the bleached-white bathtub ring around the Southwest's half-empty Lake Mead to the parched state of Georgia, where the governor prays for rain. Crops are collapsing, groundwater is disappearing, rivers are failing to reach the sea. Call it peak water, the point at which the renewable supply is forever outstripped by unquenchable demand.

This is not to say the world is running out of water. The same amount exists on Earth today as millions of years ago -- roughly 360 quintillion gallons. It evaporates, coalesces in clouds, falls as rain, seeps into the earth, and emerges in springs to feed rivers and lakes, an endless hydrologic cycle ordained by immutable laws of chemistry.
But 97 percent of it is in the oceans, where it's useless unless the salt can be removed -- a process that consumes enormous quantities of energy. Water fit for drinking, irrigation, husbandry, and other human uses can't always be found where people need it, and it's heavy and expensive to transport. Like oil, water is not equitably distributed or respectful of political boundaries; about 50 percent of the world's freshwater lies in a half-dozen lucky countries.

Freshwater is the ultimate renewable resource, but humanity is extracting and polluting it faster than it can be replenished. Rampant economic growth -- more homes, more businesses, more water-intensive products and processes, a rising standard of living -- has simply outstripped the ready supply, especially in historically dry regions. Compounding the problem, the hydrologic cycle is growing less predictable as climate change alters established temperature patterns around the globe.

One barrier to better management of water resources is simply lack of data -- where the water is, where it's going, how much is being used and for what purposes, how much might be saved by doing things differently. In this way, the water problem is largely an information problem. The information we can assemble has a huge bearing on how we cope with a world at peak water.

That data already shows the era of easy water is ending. Even economically advanced regions face unavoidable pressures -- on their industrial output, the quality of life in their cities, their food supply. Wired visited three such areas: the American Southwest, southeastern England, and southeastern Australia. The difficulties these places face today are harbingers of the dawning era of peak water, and their struggles to find solutions offer a glimpse of the challenge ahead.
< - >
http://www.wired.com/print/science/planetearth/magazine/16-05/ff_peakwater

From rforno at infowarrior.org Sun Apr 27 03:52:02 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 26 Apr 2008 23:52:02 -0400
Subject: [Infowarrior] - Pilot's Laptop Causes Big Airport Security Scare
Message-ID:

Pilot's Missing Laptop Causes Airport Security Scare
posted 11:08 pm Thu April 24, 2008 - Washington
http://www.wjla.com/news/stories/0408/514346.html

A pilot's laptop, filled with top secret security information, was reported missing at Dulles Airport and the ripple effects were felt across the country. The Mesa Airlines employee couldn't find the personal laptop he brought with him while co-piloting a United Express flight from Birmingham, Alabama to Dulles International Airport. 17 airports were forced to make emergency changes to access codes at Dulles, Atlanta, Phoenix, Chicago's O'Hare and San Antonio.

Various officials within the airline industry admit that with these access codes, someone who went through security could, with the touch of a few buttons, get onto a plane or get outside, right below a plane. A TSA spokesperson said, "On April 17, Mesa Airlines notified TSA that an employee reported a laptop, containing confidential information, had been misplaced, lost or stolen." Federal and airline officials admitted that the classified codes on the computer provided the pilot, through a keypad, access from the gate to the plane and down to ground level right below the plane.

Passengers were appalled. "That's just a major security breach for everyone that flies within the United States." One airline insider tells ABC 7 News the laptop was probably stored in an overhead compartment used by passengers and likely stolen. Federal officials quickly contacted 17 U.S. airports used by the pilot, warning them of the security breach.
Media representatives for a number of those airports affected, including Dulles, Phoenix and Akron-Canton said the codes were promptly changed. ABC 7 News learned one security official at a midwest airport rushed to work in the middle of the night to prevent a breach. A Mesa Airlines spokesperson said, "Any breach of aviation security is of primary concern to Mesa Airlines and we are fully cooperating with the TSA." Meanwhile, a TSA official said the agency, "may look at increasing the standards for anyone who stores this type of information on their computers." Airline officials said they have very little to go on because they don't know if the pilot was targeted or if it was a crime of opportunity. A spokesperson for Dulles said airport police are investigating.

From rforno at infowarrior.org Sun Apr 27 15:59:15 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 27 Apr 2008 11:59:15 -0400
Subject: [Infowarrior] - Business Week on RIAA lawsuits
Message-ID:

In Depth April 24, 2008, 5:00PM EST
Does She Look Like a Music Pirate?
Inside Tanya Andersen's private war with the recording industry. Hint: She's winning
by Heather Green

When Tanya Andersen opens the door to her modest apartment in suburban Portland, Ore., her Maltese-terrier mix, Tazz, runs over and wags his tail in a friendly hello. The 45-year-old single mother doesn't seem like much of a fighter. She spends most of her days sitting on an overstuffed sofa with a heating pad behind her back to ease chronic pain and migraines that have kept her on disability for nearly five years. Her voice is soft and halting. Yet this woman is behind a fierce assault on the music industry and its tactics for combating music piracy on the Internet. "I've just got to keep doing what I believe is right," she says, with Tazz curled up next to her on the couch. "And that's fighting and letting people know what's happening."
After being sued by the music industry for stealing songs and winning the case's dismissal, Andersen is now taking the record industry to court. Her case is aimed at exposing investigative practices that are controversial and may be illegal, according to the lawsuit. One company hired by the record industry, she claims, snoops through people's computers, uncovering private files and photos, even though it has no legal right to do so. A different industry-backed company uses tactics similar to those of debt collectors, pressuring people to pay thousands of dollars in settlements even before any wrongdoing is proven. In Andersen's case, the industry's Settlement Support Center said that unless she paid $4,000 to $5,000 immediately, it would "ruin her financially," the suit alleges.

< - >
http://www.businessweek.com/print/magazine/content/08_18/b4082042959954.htm

From rforno at infowarrior.org Mon Apr 28 17:38:11 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 28 Apr 2008 13:38:11 -0400
Subject: [Infowarrior] - USAF Commercial musings
Message-ID:

The narration from this first one (which I saw yesterday immediately following 'Meet The Press' - an odd place for a military recruiting ad, by the way) makes me wonder if there's a new turf war being waged between USAF Space Command and the much-ballyhooed USAF Cyber Command over the 'assets', not to mention 'hearts and minds' of the glamorous gee-whiz cyber-domain the USAF is trying to assert itself in these days.

Air Force "Above All" ASAT commercial
http://youtube.com/watch?v=Uk7DVpCkgwQ

And then this one makes the USAF Space Command look like an ISP tech support center. Huh?
http://www.youtube.com/watch?v=bHdjNnUclZg

And finally --- don't get me started on the "Above All" moniker the USAF now uses everywhere as its service slogan. Clearly they didn't consider the uncomfortable historical significance when that term was last used in another language back in 1940s Europe. Very poor research, in my view.
:( -rick

From rforno at infowarrior.org Tue Apr 29 02:28:33 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 28 Apr 2008 22:28:33 -0400
Subject: [Infowarrior] - Now Boarding at BWI: Security With Hint of Calm
Message-ID:

(last two paragraphs say it all as far as I'm concerned.......rf)

http://www.washingtonpost.com/wp-dyn/content/article/2008/04/28/AR2008042802534_pf.html

Now Boarding at BWI: Security With Hint of Calm
Prototype Checkpoint Aims to Be More Efficient, Easier on Flyers
By Del Quentin Wilber and Ellen Nakashima
Washington Post Staff Writers
Tuesday, April 29, 2008; D01

Soothing blue lights. Light background noise. Brightly dressed employees who have been trained to create a "calmer environment." A hip spa, right? No. This is how top government officials imagine the airport security checkpoint of the future.

In fact, the atmosphere is so calming that Homeland Security Secretary Michael Chertoff yesterday forgot to remove his shoes -- a major no-no -- while demonstrating the prototype checkpoint's screening process for reporters at Baltimore-Washington International Marshall Airport. (His top aviation security official took his shoes off.)

The new checkpoint, which includes an automated bin-return system and machines that can see through passengers' clothing, is part of an effort by Homeland Security officials to make airport security more efficient and easier on customers. Authorities also announced yesterday an initiative that they said will reduce hassles faced by travelers with names similar to those on a terrorist watch list.

Government officials have to "be willing to always look back at what we do and not assume that what we are doing is always the best way to do it," Chertoff said yesterday in front of what he called the "next-generation" checkpoint. "We have to be willing to revisit it, break the mold and think outside the box," he added.
Chertoff said a major component of the government's effort to improve passengers' experiences was to help thousands of people with names similar to those of suspected terrorists. Those passengers often face hurdles in obtaining boarding passes and often must go through extra screening at checkpoints. Members of Congress and celebrities have been snagged by such incidents. Airlines, which check passenger names against the list, will now be allowed to accept dates of birth from passengers to more thoroughly check information against the watch lists, Chertoff said. Once passengers have proven that they are not suspected terrorists, they will be able to print boarding passes at kiosks or at home, rather than going through a check-in line, Chertoff said. Airline representatives said they were generally enthusiastic about the proposal, but some privacy advocates were skeptical the measure will work. "They've been saying for the last five years that they have a mechanism for addressing these problems, and the problems apparently persist," said David Sobel, senior counsel for the Electronic Frontier Foundation. "It almost sounds as if they are now trying to pass the problem off to the airlines." Sobel said passengers need "real assurance" that the data will not be widely disseminated or used in any other way. "We need to see some strict enforceable rules for the limited use of that information," he said. After years of lackluster progress in revamping checkpoints, officials at the Transportation Security Administration said they hoped travelers begin to notice some changes as soon as they reach the airport. Travelers have expressed frustration at having to remove shoes, take laptop computers out of bags and put liquids into small containers jammed into plastic bags. The TSA is buying more than 800 3-D X-ray machines, which on average cost about $125,000 and should make it easier for screeners to spot explosives by giving them multiple views of carry-on luggage. 
Current machines provide screeners with only one view of a bag, sometimes making it difficult to spot explosives. To improve the chances of spotting explosives hidden on a passenger, the TSA is buying and deploying 30 millimeter-wave devices known as "whole body" imagers that can see through clothing by analyzing the reflection of radio frequency energy bounced off passengers. The devices have been stationed at four airports, including BWI. The 30 devices will cost about $7 million.

Security officials also announced plans yesterday to improve screeners' ability to spot explosives and suspicious behavior while using techniques that can reduce friction with passengers. "We are aiming for an effective security checkpoint that also reduces the hassles on passengers," said Kip Hawley, the TSA's administrator.

The effort to create a calmer environment was on display at BWI yesterday at a prototype of a future checkpoint. The checkpoint had soothing blue lights, relaxing background noise and screeners in happy blue uniforms. The checkpoint had two millimeter-wave machines, as well as 3-D X-ray devices. At other airports, the TSA is experimenting with family-friendly lines for those not experienced with security requirements or for those with lots of bags.

Officials said they will evaluate the effectiveness of lighting and background music at BWI before rolling out those changes at other airports. Airports, not the TSA, would finance such features. A BWI spokesman said the airport had not decided whether to add the features to other checkpoints at the airport.

Chertoff brushed off a question about forgetting to remove his footwear, and Hawley said he only removed his because he has "become conditioned" to the rule. Passengers at the airport expressed mixed opinions about whether the new technology and environment will alter an experience that they said was as frustrating as ever.
"The ambiance won't change anything," said Gene Lindenboom, 56, an aluminum salesman heading home to Florida. "You still have to remove your shoes. You still have to put liquids in that small bag." When told that Chertoff did not remove his shoes, Lindenboom smiled: "Maybe now I won't have to remove mine anymore."

From rforno at infowarrior.org Tue Apr 29 11:12:31 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 29 Apr 2008 07:12:31 -0400
Subject: [Infowarrior] - Pentagon suspends retired military analyst program
Message-ID:

Pentagon suspends retired military analyst program
Mon Apr 28, 2008 11:19am EDT
http://www.reuters.com/article/latestCrisis/idUSN28303679

WASHINGTON, April 28 (Reuters) - The Pentagon has suspended a program that fed information about the Iraq war to retired military officers who appeared on U.S. television networks as independent analysts, the Defense Department said on Monday. The program, uncovered last week in a New York Times investigation, was criticized by Democrats for providing private briefings, trips and access to classified intelligence to influence analysts' comments about Iraq and portray the situation as positive even as violence rose in the war zone.

Pentagon spokesman Bryan Whitman called the suspension "temporary" and said the Defense Department would review the program to ensure it did not violate department policy. "It's temporarily suspended just so that we can take a look at some of the concerns," Whitman told reporters. The retired military analysts program, also known inside the Pentagon as the "surrogates" program, is run by the department's public affairs office. That office is also conducting the review, Whitman said. He said he does not think the program violated any laws.

Under the program, retired officers hired by television networks as analysts met with senior defense officials and senior commanders both in Washington and on Pentagon-sponsored trips to Iraq.
According to The New York Times, the Bush administration sought to use the analysts to shape coverage from inside the networks. Sen. Carl Levin, the Michigan Democrat who chairs the Senate Armed Services Committee, also said some of the analysts appeared to be working for defense contractors, raising a potential conflict of interest.

(Reporting by Kristin Roberts, Editing by David Wiessler)

From rforno at infowarrior.org Tue Apr 29 11:18:43 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 29 Apr 2008 07:18:43 -0400
Subject: [Infowarrior] - U.S. reveals way to get off terror list
Message-ID:

U.S. reveals way to get off terror list
Published: April 28, 2008 at 10:46 AM
http://www.upi.com/NewsTrack/Top_News/2008/04/28/us_reveals_way_to_get_off_terror_list/8244/

WASHINGTON, April 28 (UPI) -- The U.S. Department of Homeland Security announced a way for people who don't belong on terrorist watch lists to be spared extra scrutiny at the airport. Under the new program, tens of thousands of travelers who are stopped repeatedly because their names match those of suspected terrorists will be permitted to register with the airlines, USA Today reported Monday. Homeland Security chief Michael Chertoff said once their names and date of birth have been added to company records, they will be treated like the rest of the flying public. "After that, they will get their boarding pass just like everyone else does," Chertoff said.

The downside is that travelers will have to provide their personal information to each airline they use and it is up to the airline to decide whether it wants to participate in the program. "The airlines need to learn more about the program to determine to what extent they can use it," said David Castelveter, a spokesman for the Air Transport Association.

© 2008 United Press International.
From rforno at infowarrior.org Tue Apr 29 11:30:22 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 29 Apr 2008 07:30:22 -0400
Subject: [Infowarrior] - Pentagon Pundit Scandal Broke the Law
Message-ID:

Pentagon Pundit Scandal Broke the Law
Submitted by Sheldon Rampton on Mon, 04/28/2008 - 19:04.

The Pentagon military analyst program unveiled in last week's exposé by David Barstow in the New York Times was not just unethical but illegal. It violates, for starters, specific restrictions that Congress has been placing in its annual appropriation bills every year since 1951. According to those restrictions, "No part of any appropriation contained in this or any other Act shall be used for publicity or propaganda purposes within the United States not heretofore authorized by the Congress."

As explained in a March 21, 2005 report by the Congressional Research Service, "publicity or propaganda" is defined by the U.S. Government Accountability Office (GAO) to mean either (1) self-aggrandizement by public officials, (2) purely partisan activity, or (3) "covert propaganda." By covert propaganda, GAO means information which originates from the government but is unattributed and made to appear as though it came from a third party. These concerns about "covert propaganda" were also the basis for the GAO's strong standard for determining when government-funded video news releases are illegal:

< - >
http://www.prwatch.org/node/7261

From rforno at infowarrior.org Tue Apr 29 17:25:19 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 29 Apr 2008 13:25:19 -0400
Subject: [Infowarrior] - MS helps pluck evidence from cyberscene of crime
Message-ID:

(c/o DS)

http://seattletimes.nwsource.com/cgi-bin/PrintStory.pl?document_id=2004379751&zsection_id=2003750725&slug=msftlaw29&date=20080429

Microsoft device helps police pluck evidence from cyberscene of crime
By Benjamin J. Romano
Seattle Times technology reporter

Microsoft has developed a small plug-in device that investigators can use to quickly extract forensic data from computers that may have been used in crimes. The COFEE, which stands for Computer Online Forensic Evidence Extractor, is a USB "thumb drive" that was quietly distributed to a handful of law-enforcement agencies last June. Microsoft General Counsel Brad Smith described its use to the 350 law-enforcement experts attending a company conference Monday.

The device contains 150 commands that can dramatically cut the time it takes to gather digital evidence, which is becoming more important in real-world crime, as well as cybercrime. It can decrypt passwords and analyze a computer's Internet activity, as well as data stored in the computer. It also eliminates the need to seize a computer itself, which typically involves disconnecting from a network, turning off the power and potentially losing data. Instead, the investigator can scan for evidence on site.

More than 2,000 officers in 15 countries, including Poland, the Philippines, Germany, New Zealand and the United States, are using the device, which Microsoft provides free. "These are things that we invest substantial resources in, but not from the perspective of selling to make money," Smith said in an interview. "We're doing this to help ensure that the Internet stays safe."

Law-enforcement officials from agencies in 35 countries are in Redmond this week to talk about how technology can help fight crime. Microsoft held a similar event in 2006. Discussions there led to the creation of COFEE.

Smith compared the Internet of today to London and other Industrial Revolution cities in the early 1800s. As people flocked from small communities where everyone knew each other, an anonymity emerged in the cities and a rise in crime followed. The social aspects of Web 2.0 are like "new digital cities," Smith said.
Publishers, interested in creating huge audiences to sell advertising, let people participate anonymously. That's allowing "criminals to infiltrate the community, become part of the conversation and persuade people to part with personal information," Smith said.

Children are particularly at risk to anonymous predators or those with false identities. "Criminals seek to win a child's confidence in cyberspace and meet in real space," Smith cautioned.

Expertise and technology like COFEE are needed to investigate cybercrime, and, increasingly, real-world crimes.

"So many of our crimes today, just as our lives, involve the Internet and other digital evidence," said Lisa Johnson, who heads the Special Assault Unit in the King County Prosecuting Attorney's Office. A suspect's online activities can corroborate a crime or dispel an alibi, she said.

The 35 individual law-enforcement agencies in King County, for example, don't have the resources to investigate the explosion of digital evidence they seize, said Johnson, who attended the conference.

"They might even choose not to seize it because they don't know what to do with it," she said. "... We've kind of equated it to asking specific law-enforcement agencies to do their own DNA analysis. You can't possibly do that."

Johnson said the prosecutor's office, the Washington Attorney General's Office and Microsoft are working on a proposal to the Legislature to fund computer forensic crime labs.

Microsoft also got credit for other public-private partnerships around law enforcement.

Jean-Michel Louboutin, Interpol's executive director of police services, said only 10 of 50 African countries have dedicated cybercrime investigative units.

"The digital divide is no exaggeration," he told the conference. "Even in countries with dedicated cybercrime units, expertise is often too scarce."

He credited Microsoft for helping Interpol develop training materials and international databases used to prevent child abuse.
Smith acknowledged Microsoft's efforts are not purely altruistic. It benefits from selling collaboration software and other technology to law-enforcement agencies, just like everybody else, he said.

Benjamin J. Romano: 206-464-2149 or bromano at seattletimes.com

Copyright © 2008 The Seattle Times Company

From rforno at infowarrior.org Tue Apr 29 17:53:07 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 29 Apr 2008 13:53:07 -0400
Subject: [Infowarrior] - Is copyright killing documentaries?
Message-ID:

Doc makers say unique voices being silenced by rights battles
Last Updated: Sunday, April 27, 2008 | 2:36 PM ET
CBC News
http://www.cbc.ca/arts/film/story/2008/04/27/creative-commons.html

Documentary filmmakers say it's getting tougher to make independent productions because of growing restrictions on what images and sounds they can use.

The battle over rights issues was a hot topic of discussion at Toronto's Hot Docs Film Festival, where a session last week about fair use was packed with filmmakers from around the world.

Many filmmakers fear they'll soon no longer be able to fully document our pop culture and mixed media age because of the high cost of using footage and sound, and the consolidation of rights to this material in a few hands.

Toronto filmmaker Stuart Samuels has been working on a documentary called 27, which mixes archival footage of the lives of Janis Joplin, Jimi Hendrix and Jim Morrison. It hasn't been easy, he told CBC News.

"What's changing now is everyone is much more understanding that copyright or the products they own mean money," he said. "The prices right now are all relevant. Half of my budget is rights clearances, if you can get them."

Image archives and sound libraries are getting snapped up by larger companies and consolidated in a few hands. It's both more difficult and more expensive to get rights, Samuels said.
Yet without the keen eye of documentarians to parse pop culture, the age of media could become a monoculture, he said.

"Because of the consolidation, what you're having are intellectual ghettos in a sense," he said. "So the Murdoch group has this stuff, and these studios are going here. So what they do is make in-house documentaries that have the pretense of objectivity but are basically restricted by 'what you own is what you see.'"

Even more difficult in EU

Italian filmmaker Marco Visalberghi says overlapping laws and sky-high costs have made documentary creation difficult in the European Union. Anything covered with copyright "belongs to the big libraries that cost a fortune," he said. "Freedom of speech is basically impossible in this world that is made up of pictures."

As a result, directors are abandoning anything with a hint of pop culture content, Visalberghi told fellow filmmakers in Toronto.

Filmmaker Brett Gaylor ran into the clearance quicksand working on a film about copyright.

"We tried to get a clip of Arnold Schwarzenegger dropping a puck on a NHL game, because Schwarzenegger came up to Canada to lobby the government about outlawing camcorders in movie theatres," he said. "But CBC wouldn't release it unless the NHL agreed. And the NHL wouldn't release it unless Arnold Schwarzenegger agreed."

Schwarzenegger didn't agree and the clip was never used.

Creative Commons one way to share

Gaylor is backing a Creative Commons for documentary makers - a source of footage and sounds that is not controlled by a major corporation. His website opensourcecinema.org promotes sharing among filmmakers.

Many Canadian documentary makers are getting on board the Creative Commons movement, which involves filmmakers making their work available to others and setting the terms for reuse of their own work.

Samuels says it's necessary for filmmakers to have the freedom to put archival images and material together in new ways.
"If we don't dissect and deconstruct our pop culture about how it is and how it influences us and changes us, then basically we're one big channel. We're one global village, but we're all singing the same note."

With files from Eli Glasner

From rforno at infowarrior.org Tue Apr 29 19:08:44 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 29 Apr 2008 15:08:44 -0400
Subject: [Infowarrior] - Senators, states beat up on Real ID plans
Message-ID:

April 29, 2008 10:30 AM PDT
Senators, states beat up on Real ID plans
Posted by Anne Broache
http://www.news.com/8301-10784_3-9931323-7.html?part=rss&subj=news&tag=2547-1_3-0-20

WASHINGTON--Democratic and Republican senators alike on Tuesday once again piled criticism upon forthcoming Real ID requirements, with some renewing calls to repeal the law for which many of them voted years ago.

It's a familiar refrain for the Senate's Homeland Security and Governmental Affairs Committee, whose members made similar remarks at a hearing around this time last year.

Senators Daniel Akaka (D-Hawaii) and George Voinovich (R-Ohio), who presided over a Tuesday subcommittee hearing revisiting the topic, said they remain particularly troubled by Real ID's multibillion-dollar price tag for state governments. Akaka and others also voiced worries about the mandate's privacy and civil liberties implications.

"The massive amounts of personal information that would be stored in state databases that are to be shared electronically with all other states, as well as the unencrypted data on the Real ID card itself, could provide one-stop shopping for identity thieves," Akaka said at the hearing, where senators heard from Homeland Security assistant policy secretary Stewart Baker, state government representatives, and civil liberties activists.

[Photo caption: Sen. Daniel Akaka (D-Hawaii) (Credit: U.S. Senate)]

Akaka, for his part, said he will continue to push for passage of the Identification Security Enhancement Act, which he introduced last February. That bill would yank Real ID and replace it with a "negotiated" rulemaking process that was proposed before Real ID was glued onto an emergency Iraq war spending bill that passed unanimously in 2005.

Republicans John Sununu and Lamar Alexander and Democrats Patrick Leahy, Jon Tester, and Max Baucus also support the bill, as do influential state officials and civil liberties groups, but it's unclear whether it has the momentum to go anywhere this year.

Meanwhile, the Department of Homeland Security has pushed ahead in its defense of Real ID, as necessary to prevent terrorists, criminals, and illegal immigrants from successfully obtaining and using fraudulent driver's licenses.

But the department effectively delayed obligations to begin complying with its rules until at least the end of 2009, granting all 50 states--even those that had passed legislation rejecting the federal mandate--and the District of Columbia initial deadline extensions. Without those extensions, residents of states without Real ID compliant licenses would have encountered difficulties boarding airplanes and entering federal buildings come May 11.

"While these extensions have averted a near-term crisis, they do not resolve other problems with Real ID," said Sen. Susan Collins, the Republican ranking member of the Senate Homeland Security Committee.

Who protects the data, and who pays?

Baker endured repeated questions about the cost of the program, particularly from committee Republicans. He said "hundreds of millions of dollars have been made available" already for Real ID conversion projects, which, under Homeland Security's revised estimates, are expected to cost about $4 billion over the next decade. But a number of senators said they didn't think that funding was sufficient.
Donna Stone, a Delaware state representative and president of the National Conference of State Legislatures, and David Quam, a lobbyist for the National Governors Association, cast doubt on Homeland Security's cost estimates. They said that because of lingering uncertainties surrounding Real ID's requirements, the true costs are difficult to project but likely exceed Homeland Security's estimates.

Homeland Security put states in a tough spot by dangling the prospect of a May deadline that might inconvenience their residents, Quam said. The position of state governors is that "Real ID has to be fixed, it has to be workable, it has to be cost-effective, it actually has to increase the security of driver's license systems, and it has to be funded" by the federal government, he said.

Perhaps the most blistering critique of Real ID on Tuesday came from Tester, who called the program "the worst kind of Washington, D.C., boondoggle." He suggested it was curious that his home state had been granted a deadline extension, even though its attorney general had told Homeland Security that state law did not authorize Montana to implement Real ID, and the state legislature won't even meet again until next January.

"I am pleased that Montanans were not arbitrarily penalized under the law, truthfully," he told Baker, "but I really fail to see what this exercise actually accomplished other than to leave the details of Real ID to the next administration."

Baker said Homeland Security has tried to be flexible by giving extensions to states like Maine and Montana that said they're implementing certain security features in their driver's licenses "without insisting on some kind of pledge of allegiance to Real ID."

Baker also encountered questions, mainly from Democrats, about the lack of detailed security rules under Real ID. Akaka asked why Homeland Security didn't set out specific security requirements for the databases that states will share.
Baker said the agency is requiring states to have "security plans" for their data but wanted to "leave room for states to make choices (about) what works for them."

Tester inquired about why the administration isn't requiring the information encoded on the Real ID cards' bar codes to be encrypted. Baker said Homeland Security decided on that approach because police were concerned about an inability to read the information off cards rapidly during traffic stops.

Baker also noted that the machine-readable zone will contain little more than a person's name, address, and date of birth. "That's information that's very hard to hide in an Internet age," he told the committee. "The notion that somehow because it's on a machine readable zone it'll become more available to identity thieves, I think, is pretty speculative."

From rforno at infowarrior.org Tue Apr 29 20:07:47 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 29 Apr 2008 16:07:47 -0400
Subject: [Infowarrior] - Rogue SG trader becomes infosec consultant
Message-ID:

April 29, 2008 11:02 AM PDT
Rogue trader lands job in computer security
Posted by Robert Vamosi
http://www.news.com/8301-10789_3-9931402-57.html

Jerome Kerviel, a former high-risk trader at France's Societe Generale, last week started a new job at Lemaire Consultants & Associates, a computer security and system development company. Kerviel remains under investigation for one of the largest bank frauds in history.

In January 2008, Societe Generale accused 31-year-old Kerviel of being a computer genius who took on trades far beyond what he was authorized to do. As a result, the company has declared a loss of $7.6 billion. In his defense, Kerviel told investigators he did nothing more than what others were doing.

On March 18, he was released from jail, and last week started work at Lemaire Consultants & Associates, a computer security and system development company.
Jean-Raymond Lemaire, the company's founder, reportedly made the job offer before Kerviel served his sentence. The New York Times reported that until last week Lemaire was on a list of those Kerviel was barred from contacting. The Times also reports that in his new job, Kerviel is forbidden to set foot inside a trading room or an exchange and may not engage in any activities related to financial markets.

From rforno at infowarrior.org Tue Apr 29 23:15:05 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 29 Apr 2008 19:15:05 -0400
Subject: [Infowarrior] - Court Rejects RIAA "Making Available" Theory
Message-ID:

April 29th, 2008
Big Victory in Atlantic v. Howell: Court Rejects RIAA "Making Available" Theory
Posted by Fred von Lohmann
http://www.eff.org/deeplinks/2008/04/big-victory-atlantic-v-howell-court-rejects-making

The district court in Atlantic v. Howell today denied the recording industry's motion for summary judgment against Mr. and Mrs. Howell, two lawyer-less defendants caught up in RIAA's litigation campaign against file-sharers. EFF filed an amicus brief on their behalf in the case and participated in oral argument.

In its order, the court delivers the most decisive rejection yet of the recording industry's "making available" theory of infringement (i.e., if someone could have downloaded it from you, you've violated copyright, even if no one ever did). Citing to the recent ruling in London-Sire v. Doe 1, the court concludes that "[t]he general rule, supported by the great weight of authority, is that infringement of the distribution right requires an actual dissemination of either copies or phonorecords."

The court goes on to conclude that downloads by the recording industry's own investigator, MediaSentry, are not enough to establish distribution, at least based on the facts of this case (Mr. Howell maintains that, unbeknownst to him, the Kazaa software was sharing his entire hard drive).
Finally, the court also suggests that P2P file-sharing may not implicate the distribution right at all, reasoning that what is really going on is a series of reproductions.

The likely next stop for Mr. and Mrs. Howell is a bench trial (neither party asked for a jury trial) in Phoenix, probably in September. EFF will continue to try to find them counsel.

From rforno at infowarrior.org Tue Apr 29 23:16:42 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 29 Apr 2008 19:16:42 -0400
Subject: [Infowarrior] - DOJ banned from Wikipedia
Message-ID:

US Department of Justice banned from Wikipedia
CAMERA and The Electronic Intifada
By Cade Metz in San Francisco
Published Tuesday 29th April 2008 20:42 GMT
http://www.theregister.co.uk/2008/04/29/wikipedia_blocked_doj_ip/

Wikipedia has temporarily blocked edits from the US Department of Justice after someone inside the government agency tried to erase references to a particularly-controversial Wiki-scandal.

Early last week, the Boston-based Committee for Accuracy in Middle East Reporting in America (CAMERA) was accused of organizing a secret campaign to influence certain articles on the "free encyclopedia anyone can edit". Just days later, the DoJ's IP range was used to edit the site's entry on the Pro-Israel "media-monitoring group," lifting a new section that detailed the controversy.

The DoJ did not respond to our requests for comment. But odds are, the edits were made by a single individual acting independently. Wikipedia's ban on the department's IP is due to be lifted today.

On April 21, the Pro-Palestine site Electronic Intifada published a series of emails in which CAMERA Senior Research Analyst Gilead Ini seems to enlist volunteers to help "keep Israel-related entries on Wikipedia from becoming tainted by anti-Israel editors". Ini asks these volunteers to avoid forwarding his emails to the news media and invites them onto a Google Group called "Isra-pedia."
In an email to The Reg, Ini declined to say if the messages published by Electronic Intifada were genuine, but he acknowledged that CAMERA recently ran an email campaign meant to promote edits that "ensure accuracy" on certain Wikipedia articles.

[Image credit: Electronic Intifada]

On the alleged Isra-pedia thread - also published by Electronic Intifada - one longtime Wikipedia editor gives volunteers a primer on how to become a site administrator. "There is in Wikipedia the ability by an administrator to set significant limits on other editor [sic]," he writes. "One or more of you who want to take this route should stay away from any Israel realted [sic] articles for month [sic] until they [sic] interact in a positive way with 100 Wikipedia editors who would be used later to vote you as an administrator."

This Wikipedia editor, known as "Zeq," and several others involved with the CAMERA emails were subsequently sanctioned. Some were barred from editing topics involving the Arab-Israeli conflict, and at least one - "Gni," believed to be Ini - was banned from the site entirely.

In the wake of these sanctions, a paragraph on the scandal was added to Wikipedia's CAMERA article, and on two separate occasions, someone inside the DoJ tried to remove it. The user also made a few questionable edits to other articles, and the DoJ's entire IP was banned for four days.

This ongoing affair brings up all the old questions about the social experiment that is Wikipedia. On one level, the site is working hard to police its own content. But on another, you have to wonder if all this back and forth is really necessary.

Longtime contributor Christiano Moreschi sees the CAMERA crackdown as Wikipedia at its best. "This was an amateur and quite pathetic attempt to subvert the purpose of Wikipedia," he told The Reg. "I have no doubt these chaps were genuine - they were genuinely trying to slant articles towards a pro-Israel point of view, but were massively incompetent at doing so.
"Even if their emails had not been leaked to Electronic Intifada I don't think we would have had much trouble dealing with them as individuals...Once EI had published the emails, the response of the Wikipedia administrative corps was swift, competent, and professional."

'Capricious'

But Gilead Ini sees things differently. Declining to say whether he's behind the Gni account, he argues that Wikipedia is banning contributors without sufficient evidence.

"Wikipedia notes that 'Revealing the names of pseudonymous editors is in all cases against basic policy,'" he told us. "Some Wikipedia administrators - editors elected to a position of power in Wikipedia - are capriciously banning Wikipedia accounts based on nothing more than speculation about who owns that account."

Ini insists that his email campaign adhered to Wikipedia's rules - which he sees as vague and only intermittently enforced. Some have accused him of creating "sockpuppets" and "meatpuppets" - extra accounts used to push his own point of view - but he's adamant this is not the case.

"A meat puppet is described as 'one who edits on behalf of or as proxy for another editor,'" he said. "Nobody who participated in [his email group] was expected to be a 'proxy' for me or anybody else. They were encouraged to learn about, and if they are moved to do so, participate in, Wikipedia."

You may think Ini is talking rubbish. But as we've said before, Wikipedia invites such controversy in giving editors the right to anonymity. If users were required to identify themselves, puppetry wouldn't be the problem it is - and the site could suppress a single voice without blocking the DoJ's entire IP range.

But there's another question worth asking: If Wikipedia is right to ban someone who merely attempted to game the site, why hasn't it banned others who've actually succeeded?
From rforno at infowarrior.org Wed Apr 30 02:41:22 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 29 Apr 2008 22:41:22 -0400
Subject: [Infowarrior] - McAfee 'Hacker Safe' cert sheds more cred
Message-ID:

McAfee 'Hacker Safe' cert sheds more cred
Rubber stamp factory exposed
By Dan Goodin in San Francisco
Published Tuesday 29th April 2008 23:50 GMT
http://www.theregister.co.uk/2008/04/29/mcafee_hacker_safe_sites_vulnerable/

Comment

More than three months after security bugs were documented in more than 60 ecommerce sites certified by McAfee as "Hacker Safe," a security researcher has unveiled a fresh batch of vulnerable websites.

Russ McRee, a security consultant for HolisticInfoSec.org, documented cross-site scripting (XSS) errors in five sites that prominently carry a logo declaring them to be Hacker Safe. As McRee documented in a blog post and accompanying video, the bugs make it possible for attackers to steal authentication credentials and redirect visitors to malicious websites.

All five of the sites subscribe to McAfee's HackerSafe certification service, which audits the security of websites on a daily basis to give visitors confidence they'll be safe when doing business there. Yet McRee was able to find the bugs by using advanced Google searches to pinpoint vulnerable web applications, and in at least one case, the XSS vulnerability has been on the customer's site since January.

"There's a responsibility to the consumer that really seems to be missing in that service," McRee told us. "The average consumer assumes that because I see that label I must be safe."

The five vulnerable sites include Alsto.com, Delaware Express, BlueFly, Improvements Catalog and Delightful Deliveries. We asked all five for comment but only one of them, Delightful Deliveries, responded.
"As the #1 leading seller of Gift Baskets, security is a top priority to us and our customers, we will work with HackerSafe and our development team to resolve this issue," a representative said. He is unaware of any breaches affecting the site, he added.

A McAfee spokeswoman said the company rates XSS vulnerabilities less severe than SQL injections and other types of security bugs.

"Currently, the presence of an XSS vulnerability does not cause a web site to fail HackerSafe certification," she said. "When McAfee identifies XSS, it notifies its customers and educates them about XSS vulnerabilities."

These are only the latest Hacker Safe sites to be outed. In January, researchers from XSSed.com documented 62 websites subscribing to the service that were vulnerable to XSS vulnerabilities. A Hacker Safe spokesman told InformationWeek at the time the bugs couldn't be used to hack a server.

The vulnerabilities also raise the question of so-called payment card industry (PCI) requirements for businesses that process credit card payments. Websites that contain XSS vulnerabilities almost certainly don't comply, McRee says, and yet most of the sites continue to accept credit cards. But we'll leave deficiencies in that set of requirements for another day.

McAfee has had three months to fix the deficiencies of this program, but so far we see no evidence it's done so. We're all for services that help websites stay on top of rapidly moving security threats. But there's a term for programs that declare their customers Hacker Safe while failing to catch easily spotted XSS flaws. It's called a rubber stamping, and it's time it stopped.
From rforno at infowarrior.org Wed Apr 30 11:55:26 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 30 Apr 2008 07:55:26 -0400
Subject: [Infowarrior] - Air marshals' names tagged on 'no-fly' list
In-Reply-To:
Message-ID:

(c/o WK)

http://www.washingtontimes.com/apps/pbcs.dll/article?AID=/20080429/NATION/782525487/1001

By Audrey Hudson
The Washington Times
April 29, 2008

Some federal air marshals have been denied entry to flights they are assigned to protect when their names matched those on the terrorist no-fly list, and the agency says it's now taking steps to make sure their agents are allowed to board in the future.

The problem with federal air marshals (FAM) names matching those of suspected terrorists on the no-fly list has persisted for years, say air marshals familiar with the situation.

One air marshal said it has been "a major problem, where guys are denied boarding by the airline."

"In some cases, planes have departed without any coverage because the airline employees were adamant they would not fly," the air marshal said. "I've seen guys actually being denied boarding."

A second air marshal says one agent "has been getting harassed for six years because his exact name is on the no-fly list."

Earlier this month the agency issued a new security directive (SD) "to address those situations where air carriers deny FAMs boarding based on 'no-fly list' names matches." The memo was issued April 23 from the assistant director of the office of flight operations.

Gregory Alter, spokesman for the Federal Air Marshal Service, said the new directive "mitigates any misidentification concerns by empowering airlines to quickly clear an air marshal's status after positively identifying their law enforcement status."

"In rare instances air marshals, like all travelers, are occasionally misidentified as being on a watch because of name or personal identifier similarities to individuals actually on the lists," Mr. Alter said.
The air marshal service does not release how many agents are employed, and declined to specify the number of agents whose names are similar to those of wanted or suspected terrorists.

The new procedures are classified as "sensitive security information" and address both domestic and international check-in procedures.

"FAMs may encounter situations where this SD has not yet reached every air carrier customer service representative (CSR)," the memo said.

"If a FAM is denied boarding based on 'no fly list' issues, FAMS should request to speak to an air carrier supervisory CSR. If the air carrier continues to deny the FAM a boarding pass, FAMS should contact (their supervisor) as soon as possible for assistance," the memo said.

From rforno at infowarrior.org Wed Apr 30 12:04:54 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 30 Apr 2008 08:04:54 -0400
Subject: [Infowarrior] - 'Manufacturing' added to DHS NIPP Critical Infra Sector List
Message-ID:

30 April 2008

Related: Critical Infrastructure Partnership Advisory Council:
http://www.dhs.gov/xprevprot/committees/editorial_0843.shtm

[Federal Register: April 30, 2008 (Volume 73, Number 84)]
[Notices]
[Page 23476-23478]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr30ap08-106]

-----------------------------------------------------------------------

DEPARTMENT OF HOMELAND SECURITY

[Docket No. DHS-2008-0038]

Designation of the National Infrastructure Protection Plan Critical Manufacturing Sector

AGENCY: National Protection and Programs Directorate, DHS.

ACTION: Notice and request for comments.
-----------------------------------------------------------------------

SUMMARY: This notice informs the public that the Department of Homeland Security (DHS) has designated Critical Manufacturing as an additional critical infrastructure sector under the National Infrastructure Protection Plan (NIPP) and, as part of a comprehensive national review process, solicits public comment on the actions necessary to incorporate this sector into the NIPP framework.

< - >

http://cryptome.org/dhs043008.htm

From rforno at infowarrior.org Wed Apr 30 12:16:05 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 30 Apr 2008 08:16:05 -0400
Subject: [Infowarrior] - San Diego GOP chairman co-founded international piracy ring
In-Reply-To: <2B4702EB-5319-4906-A3A1-F57628AC0A6C@fminc.co.uk>
Message-ID:

(I know I'll take some flack for posting this, but it's too amusing to pass up this morning........rf)

San Diego GOP chairman co-founded international piracy ring
04/29/2008 @ 10:55 am
Filed by Miriam Raftery

Any job applicant knows that background checks are routine - especially for jobs involving authority or oversight of money. So why didn't the San Diego Republican Party do a simple Google search before naming Tony Krvaric as its chairman?

Online research reveals that Krvaric is the co-founder of Fairlight, a band of software crackers which later evolved into an international video and software piracy group that law enforcement authorities say is among the world's largest such crime rings. After co-founding Fairlight in Sweden, Krvaric established U.S. operations for the organization, including an arm headquartered in Southern California, a major center for the computer and video game industry.

Krvaric has also been appointed by California Republican Party Chairman Ron Nehring to head up the state party's budget committee. RAW STORY's investigation reveals the California GOP has put an alleged pirate in charge of its treasure trove.
An e-mail sent anonymously this week to a conservative listserv operator in San Diego County revealed an attached document titled "The Secret Life of Tony Krvaric." The attachment alleged that Krvaric, using the alias "Strider," founded Fairlight "to illegally crack and distribute copyrighted software." Fairlight evolved from "an adolescent obsession into a full fledged multinational criminal enterprise," the e-mail claimed. < - > http://rawstory.com/news/2008/San_Diego_GOP_chairman_cofounded_international_0425.html

From rforno at infowarrior.org Wed Apr 30 12:43:34 2008 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 30 Apr 2008 08:43:34 -0400 Subject: [Infowarrior] - Albert Hofmann, LSD's 'dad' dies at a mind-blowing 102 Message-ID: Albert Hofmann, LSD's 'dad' dies at a mind-blowing 102 The Associated Press Wednesday, April 30th 2008, 4:00 AM Albert Hofmann, the father of the mind-altering drug LSD whose medical discovery grew into a notorious "problem child," died Tuesday. He was 102. Hofmann died of a heart attack at his home in Basel, Switzerland, according to Rick Doblin, president of the Multidisciplinary Association for Psychedelic Studies, in a statement posted on the association's Web site. Hofmann's hallucinogen inspired - and arguably corrupted - millions in the 1960s hippie generation. For decades after LSD was banned in the late 1960s, Hofmann defended his invention. "I produced the substance as a medicine. ... It's not my fault if people abused it," he once said. http://www.nydailynews.com/news/us_world/2008/04/30/2008-04-30_albert_hoffman_lsds_dad_dies_at_a_mindbl.html

From rforno at infowarrior.org Wed Apr 30 13:12:46 2008 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 30 Apr 2008 09:12:46 -0400 Subject: [Infowarrior] - Kudos to Fox News! Message-ID: (Yes, you read that correctly. And, no -- I am not under the influence of any strange vegetation at the moment) Kudos to Fox News!!!!
Fox News is Responsive to the Linux Community. http://tinyurl.com/5f5eva This is in stark contrast to CNBC's treatment of its Web viewers: despite its much-ballyhooed "interactive" and "useful" site makeover in 2006, CNBC still precludes folks from viewing its website videos using non-Microsoft browsers, thus making its website LESS interactive and LESS useful to a growing segment of the community. Folks have complained about it for two years, with no success.

From the CNBC FAQ:
> http://www.cnbc.com/id/15839052/site/14081545/#supportfirefox
>
> Does CNBC.com support the use of Firefox browsers?
>
> Yes. A plugin is currently required to view video on CNBC.com using
> Firefox version 1.5. Click here to access the plugin.

It's quite clear CNBC could care less about this matter: the so-called Firefox plug-in is a few years out of date, designed for an old version of Firefox, and there is none available for Firefox 2.0. How's that for showing how much CNBC cares? Granted, I don't watch CNBC-TV now that I have Bloomberg. CNBC got too sensational, political, and cheerlead-y as it began to compete with the upstart Fox Biz Channel. As a result, I really think CNBC's more about providing 'investotainment' to the amateurs than useful 'business news' for serious investors. Even though I don't watch their network or visit their website very often, bravo to Fox News for listening to their viewers' tech concern -- and, boo to CNBC for doing the exact opposite. -rick Infowarrior.org Disclosure: there's one CNBC analyst in Chicago (Rick Santelli) whose views, opinions, and analysis I do respect, and would love to be able to keep receiving via the Web. But as for the rest of the network.....bleh.
From rforno at infowarrior.org Wed Apr 30 17:35:32 2008 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 30 Apr 2008 13:35:32 -0400 Subject: [Infowarrior] - Google diving into 3D mapping of oceans Message-ID: April 30, 2008 4:00 AM PDT Google diving into 3D mapping of oceans Posted by Elinor Mills http://www.news.com/8301-10784_3-9931412-7.html We've got Google Earth and Google Sky. Next up will be a map of the world below sea level--Google Ocean. The company has assembled an advisory group of oceanography experts, and in December invited researchers from institutions around the world to the Mountain View, Calif., Googleplex. There, they discussed plans for creating a 3D oceanographic map, according to sources familiar with the matter. The tool--for now called Google Ocean, the sources say, though that name could change--is expected to be similar to other 3D online mapping applications. People will be able to see the underwater topography, called bathymetry; search for particular spots or attractions; and navigate through the digital environment by zooming and panning. (The tool, however, is not to be confused with the "Google Ocean" project by France-based Magic Instinct Software that uses Google Earth as a visualization tool for marine data.) Asked to comment on Google Ocean, a Google spokeswoman said the company had "nothing to announce right now." Oceanography researchers, however, say such a tool would be incredibly useful. "There is no real terrain or depth model for the ocean in Google Earth," said Tim Haverland, a geospatial application developer at the Fisheries Service of the National Oceanic and Atmospheric Administration (NOAA). "You can't get in a submarine and in essence fly through the water and explore ocean canyons yet."
Google Ocean will feature a basic layer that shows the depth of the sea floor and will serve as a spatial framework for additional data, sources said, adding that Google plans to try to fill in some areas of the map with high-resolution images for more detail. Additional data will be displayed as overlying layers that depict phenomena like weather patterns, currents, temperatures, shipwrecks, coral reefs, and algae blooms, much like the National Park Service and NASA provide additional data for Google Earth and Google Sky. "Google will basically just provide the field and then everyone will come flocking to it," predicted Stephen P. Miller, head of the Geological Data Center at the Scripps Institution of Oceanography. "There will be peer pressure to encourage people to get their data out there." This is an image of a bathymetry map that shows the depth of the sea floor. It is based on sparse ship soundings and satellite altimeter measurements of subtle bumps and dips in the ocean surface which are produced by tiny variations in the pull of gravity. (Credit: David Sandwell and Walter Smith/Scripps Institution of Oceanography) While satellite imagery has the entire globe covered, as well as a good amount of known outer space, much less is known about the bodies of water that cover about 70 percent of the planet. Only a small percentage of the sea floor has been mapped in detail by sonar. "It would take about 100 ship years to map the oceans at high resolution," said Dave Sandwell, a professor of geophysics at the Scripps Institution of Oceanography. Sandwell speculated that Google will get at least some of the basic sea floor data from Scripps' Predicted Depth Map. Created from ship sonar soundings and satellites, it infers the depth of the sea floor based on the tiny bumps and dips in the ocean's surface.
To bring more clarity to the sea floor, Sandwell and others said, Google will likely use high-resolution grids from oceanographic institutions showing the depths of select areas of the seas and paste them in. Data for those grids, which cover a very small portion of the sea floor, are created by ships using multibeam sonar. One possible source for Google Ocean data is detailed "tiles" from multibeam and predicted topography compiled by the Lamont-Doherty Earth Observatory (LDEO) of Columbia University. Tiles are high-resolution sun-shaded images as well as digital elevation models covering the entire global ocean that allow for interactivity similar to Google Earth, where you can get different views by zooming in and out and by tilting the planet's surface. "Our application gets data from databases over the Internet without the user having to know the name of the database or how to connect to it. Google could talk to our databases," said William B. F. Ryan, an earth and environmental studies professor at Columbia's LDEO. Ryan cautioned that "Google would have to put the tiles on their servers because their public of millions would bring the servers at Columbia University to their knees." On top of the depth map, and in addition to the select high-resolution tiled areas, there will likely be various layers of specialized data from different sources. For example, NOAA already has made public visual information for Google Earth related to sea hotspots around coral reefs, Gulf of Mexico marine debris, surface temperatures and wave heights in the Great Lakes, and shipwrecks. In addition to the "wow factor" Google Ocean will no doubt have for amateur oceanographers, marine enthusiasts, and anyone fascinated by the movie 20,000 Leagues Under the Sea, the project has the potential to promote more collaboration and advance research. "We hope that one of the outcomes of Google Ocean will be an understanding of how much remains to be explored," said Miller of Scripps.
"We know far more about the surface of Mars from a few weeks of radar surveying in orbit than we know of the bottom of the ocean after two centuries."