From rforno at infowarrior.org Fri Aug 1 02:11:33 2008 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 31 Jul 2008 22:11:33 -0400 Subject: [Infowarrior] - Sprint early termination fees are illegal, judge rules Message-ID: Sprint early termination fees are illegal, judge rules COURT: CALIFORNIA LAW FORBIDS EARLY TERMINATION CHARGES By Steve Johnson Mercury News Article Launched: 07/30/2008 01:31:13 AM PDT http://www.mercurynews.com/ci_10039461?source=email Californians fed up with being charged for ending their cell phone service prematurely won a major victory in a Bay Area court decision that concluded such fees violate state law. In a preliminary ruling Monday, Alameda County Superior Court Judge Bonnie Sabraw said Sprint Nextel must pay California mobile-phone consumers $18.2 million as part of a class-action lawsuit challenging early termination fees. Though the decision could be appealed, it's the first in the country to declare the fees illegal in a state and could affect other similar lawsuits, with broad implications for the nation's fast-growing legions of cell phone users. The judge - who is overseeing several other suits against telecommunications companies that involve similar fees - also told the company to stop trying to collect $54.7 million from other customers who haven't yet paid the charges they were assessed. The suit said about 2 million Californians were assessed the fee. Whether Sabraw's ruling will stand isn't clear. Experts say an appeal is likely, and the Federal Communications Commission is considering imposing a rule - backed by the wireless industry - which might decree that only federal authorities can regulate early termination fees. Sprint Nextel also argued in the lawsuit that such fees - which ranged from $150 to $200 - were outside the purview of California law. But Sabraw rejected that argument. 
"This is a terrific ruling," said Chicago attorney Jay Edelson, who was not part of the case but has filed about 50 other suits nationwide against various cell phone charges. "The phone companies have a tremendous amount of power," he added. "They lock you into long-term contracts and then they allow all these charges to be put on your bill. We have to make sure that consumers are protected." "We are disappointed," said Sprint Nextel spokesman Matthew Sullivan. But he added that Sabraw's ruling was tentative and that she has given Sprint Nextel's attorneys the opportunity to file a rebuttal before she considers making it permanent. Sullivan noted that similar suits have been filed in other states, but that Sabraw's decision was the first he knows of declaring such fees illegal. Several other industry experts agreed, including John Walls, a spokesman with the CTIA, a Washington-based organization that represents the wireless telecommunications industry. "I don't know of any state that has gone to this extent," he said, adding that his group believes it makes more sense to have such fees solely policed by the federal government. 'National framework' "A consistent, uniform, national framework of standards is the best-case scenario for consumers and for the industry to serve consumers," he said. "If you allow 50 states to regulate and legislate in 50 different ways, you can create a very confusing and obviously inefficient service." At a public hearing last month, FCC Chairman Kevin Martin sketched out a plan in which cancellation fees would be reduced over the life of the cell phone contract. Three companies - T-Mobile, AT&T and Verizon Wireless - already do that, and Sprint said it would begin prorating its fees next year. The commission also is trying to resolve whether states have any role in regulating early termination fees, which are among the biggest source of complaints among wireless consumers, said spokesman Robert Kenny. Fees or 'rates'? 
He said the agency may decide to define such fees as "rates," which are subject to federal regulation under federal law. But if that happened, it is unclear how that might affect lawsuits in California and other states, Kenny said. "That is something that will have to be addressed," he added, noting that the FCC hopes to resolve the issue by the end of the year. Chris Murray, senior legal counsel for Consumers Union, said he hoped the California court decision would "drive a stake through the heart" of the industry's desire to remove state courts and state regulators from overseeing the fees. That view was seconded by Scott Bursor, a lawyer for the victorious Sprint Nextel customers, who said the FCC likely would be persuaded by Sabraw's logic that states should have a role in policing the fees. If the FCC does limit state oversight, "it will get reversed" by the courts, he added. On June 12, a jury in the Alameda County lawsuit ruled in favor of Sprint Nextel, determining that its customers who canceled their service early had breached their contracts with the company and that early termination fees were warranted. But in overruling that decision, Sabraw said the jurors appear to have erred in assuming the fees were valid, and she took issue with the way Sprint Nextel determined that its customers owed the fees. "Sprint did no damage analysis that considered the lost revenue from contracts, the avoidable costs and Sprint's expected lost profits from contract terminations," she said. Nonetheless, Sabraw preserved a portion of the jury's verdict and used that to scale back the amount of refunds the suit initially had sought. Contact Steve Johnson at sjohnson at mercurynews.com or (408) 920-5043. 
From rforno at infowarrior.org Fri Aug 1 02:18:19 2008 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 31 Jul 2008 22:18:19 -0400 Subject: [Infowarrior] - NASA Spacecraft Confirms Martian Water, Mission Extended Message-ID: NASA Spacecraft Confirms Martian Water, Mission Extended 07.31.08 http://www.nasa.gov/mission_pages/phoenix/news/phoenix-20080731.html TUCSON, Ariz. -- Laboratory tests aboard NASA's Phoenix Mars Lander have identified water in a soil sample. The lander's robotic arm delivered the sample Wednesday to an instrument that identifies vapors produced by the heating of samples. "We have water," said William Boynton of the University of Arizona, lead scientist for the Thermal and Evolved-Gas Analyzer, or TEGA. "We've seen evidence for this water ice before in observations by the Mars Odyssey orbiter and in disappearing chunks observed by Phoenix last month, but this is the first time Martian water has been touched and tasted." With enticing results so far and the spacecraft in good shape, NASA also announced operational funding for the mission will extend through Sept. 30. The original prime mission of three months ends in late August. The mission extension adds five weeks to the 90 days of the prime mission. "Phoenix is healthy and the projections for solar power look good, so we want to take full advantage of having this resource in one of the most interesting locations on Mars," said Michael Meyer, chief scientist for the Mars Exploration Program at NASA Headquarters in Washington. The soil sample came from a trench approximately 2 inches deep. When the robotic arm first reached that depth, it hit a hard layer of frozen soil. Two attempts to deliver samples of icy soil on days when fresh material was exposed were foiled when the samples became stuck inside the scoop. 
Most of the material in Wednesday's sample had been exposed to the air for two days, letting some of the water in the sample vaporize away and making the soil easier to handle. "Mars is giving us some surprises," said Phoenix principal investigator Peter Smith of the University of Arizona. "We're excited because surprises are where discoveries come from. One surprise is how the soil is behaving. The ice-rich layers stick to the scoop when poised in the sun above the deck, different from what we expected from all the Mars simulation testing we've done. That has presented challenges for delivering samples, but we're finding ways to work with it and we're gathering lots of information to help us understand this soil." Since landing on May 25, Phoenix has been studying soil with a chemistry lab, TEGA, a microscope, a conductivity probe and cameras. Besides confirming the 2002 finding from orbit of water ice near the surface and deciphering the newly observed stickiness, the science team is trying to determine whether the water ice ever thaws enough to be available for biology and if carbon-containing chemicals and other raw materials for life are present. The mission is examining the sky as well as the ground. A Canadian instrument is using a laser beam to study dust and clouds overhead. "It's a 30-watt light bulb giving us a laser show on Mars," said Victoria Hipkin of the Canadian Space Agency. A full-circle, color panorama of Phoenix's surroundings also has been completed by the spacecraft. "The details and patterns we see in the ground show an ice-dominated terrain as far as the eye can see," said Mark Lemmon of Texas A&M University, lead scientist for Phoenix's Surface Stereo Imager camera. "They help us plan measurements we're making within reach of the robotic arm and interpret those measurements on a wider scale." 
The Phoenix mission is led by Smith at the University of Arizona with project management at NASA's Jet Propulsion Laboratory in Pasadena, Calif., and development partnership at Lockheed Martin in Denver. International contributions come from the Canadian Space Agency; the University of Neuchatel, Switzerland; the universities of Copenhagen and Aarhus in Denmark; the Max Planck Institute in Germany; and the Finnish Meteorological Institute. For more about Phoenix, visit: http://www.nasa.gov/phoenix Media contacts: Guy Webster 818-354-6278 Jet Propulsion Laboratory, Pasadena, Calif. guy.webster at jpl.nasa.gov Sara Hammond 520-626-1974 University of Arizona, Tucson shammond at lpl.arizona.edu Dwayne Brown 202-358-1726 NASA Headquarters dwayne.c.brown at nasa.gov 08-195 From rforno at infowarrior.org Fri Aug 1 14:38:38 2008 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 1 Aug 2008 10:38:38 -0400 Subject: [Infowarrior] - RD on USG laptop insecurity Message-ID: When even Readers' Digest starts to talk about the USG losing laptops......you know we have a problem! Outrageous! Government Carelessness The government keeps losing laptop computers containing its citizens' most personal information. By Michael Crowley http://tinyurl.com/5acxrk From rforno at infowarrior.org Fri Aug 1 14:43:54 2008 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 1 Aug 2008 10:43:54 -0400 Subject: [Infowarrior] - DHS: Suspicion not required for border laptop seizures Message-ID: <8C2E6208-4BE7-4379-98A6-91FEEB842FFF@infowarrior.org> (The New Normal in America post-9/11: We're all considered guilty until proven guiltier. 
I called this back in 2003........rf) Travelers' Laptops May Be Detained At Border No Suspicion Required Under DHS Policies By Ellen Nakashima Washington Post Staff Writer Friday, August 1, 2008; A01 http://www.washingtonpost.com/wp-dyn/content/article/2008/08/01/AR2008080103030_pf.html Federal agents may take a traveler's laptop computer or other electronic device to an off-site location for an unspecified period of time without any suspicion of wrongdoing, as part of border search policies the Department of Homeland Security recently disclosed. Also, officials may share copies of the laptop's contents with other agencies and private entities for language translation, data decryption or other reasons, according to the policies, dated July 16 and issued by two DHS agencies, U.S. Customs and Border Protection and U.S. Immigration and Customs Enforcement. "The policies . . . are truly alarming," said Sen. Russell Feingold (D-Wis.), who is probing the government's border search practices. He said he intends to introduce legislation soon that would require reasonable suspicion for border searches, as well as prohibit profiling on race, religion or national origin. DHS officials said the newly disclosed policies -- which apply to anyone entering the country, including U.S. citizens -- are reasonable and necessary to prevent terrorism. Officials said such procedures have long been in place but were disclosed last month because of public interest in the matter. Civil liberties and business travel groups have pressed the government to disclose its procedures as an increasing number of international travelers have reported that their laptops, cellphones and other digital devices had been taken -- for months, in at least one case -- and their contents examined. The policies state that officers may "detain" laptops "for a reasonable period of time" to "review and analyze information." This may take place "absent individualized suspicion." 
The policies cover "any device capable of storing information in digital or analog form," including hard drives, flash drives, cellphones, iPods, pagers, beepers, and video and audio tapes. They also cover "all papers and other written documentation," including books, pamphlets and "written materials commonly referred to as 'pocket trash' or 'pocket litter.' " Reasonable measures must be taken to protect business information and attorney-client privileged material, the policies say, but there is no specific mention of the handling of personal data such as medical and financial records. When a review is completed and no probable cause exists to keep the information, any copies of the data must be destroyed. Copies sent to non-federal entities must be returned to DHS. But the documents specify that there is no limitation on authorities keeping written notes or reports about the materials. "They're saying they can rifle through all the information in a traveler's laptop without having a smidgen of evidence that the traveler is breaking the law," said Greg Nojeim, senior counsel at the Center for Democracy and Technology. Notably, he said, the policies "don't establish any criteria for whose computer can be searched." Customs Deputy Commissioner Jayson P. Ahern said the efforts "do not infringe on Americans' privacy." In a statement submitted to Feingold for a June hearing on the issue, he noted that the executive branch has long had "plenary authority to conduct routine searches and seizures at the border without probable cause or a warrant" to prevent drugs and other contraband from entering the country. Homeland Security Secretary Michael Chertoff wrote in an opinion piece published last month in USA Today that "the most dangerous contraband is often contained in laptop computers or other electronic devices." Searches have uncovered "violent jihadist materials" as well as images of child pornography, he wrote. 
With about 400 million travelers entering the country each year, "as a practical matter, travelers only go to secondary [for a more thorough examination] when there is some level of suspicion," Chertoff wrote. "Yet legislation locking in a particular standard for searches would have a dangerous, chilling effect as officers' often split-second assessments are second-guessed." In April, the U.S. Court of Appeals for the 9th Circuit in San Francisco upheld the government's power to conduct searches of an international traveler's laptop without suspicion of wrongdoing. The Customs policy can be viewed at: http://www.cbp.gov/linkhandler/cgov/travel/admissability/search_authority.ctt/search_authority.pdf . From rforno at infowarrior.org Fri Aug 1 16:45:03 2008 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 1 Aug 2008 12:45:03 -0400 Subject: [Infowarrior] - Bill Would Bar Secret Changes to Executive Orders Message-ID: Senate Bill Would Bar Secret Changes to Executive Orders http://www.fas.org/blog/secrecy/2008/08/secret_changes.html http://www.fas.org/blog/secrecy/?p=1856 The President would no longer be able to secretly modify or revoke a published executive order if a new bill introduced in the Senate yesterday becomes law. The bill, sponsored by Sen. Russ Feingold and Sen. Sheldon Whitehouse, responds to a Justice Department Office of Legal Counsel opinion that was revealed last year by Senator Whitehouse on the Senate floor. According to that unreleased opinion, "There is no constitutional requirement for a President to issue a new Executive order whenever he wishes to depart from the terms of a previous Executive order. Rather than violate an Executive order, the President has instead modified or waived it." What this means is that any published executive order may or may not actually be in effect. It may or may not correspond to the legal framework that governs the executive branch. The public has no way of knowing. 
"No one disputes that a President can withdraw or revise an Executive Order at any time," said Senator Feingold yesterday. "That is every President's prerogative. But abrogating a published Executive order without any public notice works a secret change in the law." "Worse," he said, "because the published Order stays on the books, it actively misleads Congress and the public as to what the law is." To remedy that problem, the new bill requires notification of any change. "If the President revokes, modifies, waives, or suspends a published Executive Order or similar directive, notice of this change in the law must be placed in the Federal Register within 30 days. The notice must specify the Order or the provision that has been affected; whether the change is a revocation, a modification, a waiver, or a suspension; and the nature and circumstances of the change." "The bill does not require the publication of classified information about intelligence sources and methods or similar information. The basic fact that the published law is no longer in effect, however, cannot be classified," Sen. Feingold said. "On rare occasions, national security can justify elected officials keeping some information secret," he said, "but it can never justify lying to the American people about what the law is. Maintaining two different sets of laws, one public and one secret, is just that: deceiving the American people about what law applies to the government's conduct." See Sen. Feingold's July 31 introduction of the Executive Order Integrity Act of 2008 (S. 3405). At an April 30 hearing of Sen. Feingold's Senate Judiciary subcommittee, I testified on the various categories of secret law, including the problem of "reversible executive orders." That testimony is available here (pdf). 
From rforno at infowarrior.org Sat Aug 2 01:25:46 2008 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 1 Aug 2008 21:25:46 -0400 Subject: [Infowarrior] - Peter Swire: No, You Can't Search My Laptop Message-ID: <0FC45C15-1F47-4EB9-ADBB-EDF32B04D71A@infowarrior.org> http://www.americanprogress.org/issues/2008/06/laptop_testimony.html No, You Can't Search My Laptop Testimony to the Senate Judiciary Subcommittee on the Constitution By Peter Swire | June 25, 2008 Peter Swire is a Senior Fellow at the Center for American Progress Action Fund and a professor at the Moritz College of Law at the Ohio State University. In recent months I have become increasingly aware of what I consider a deeply flawed policy. The U.S. Customs and Border Patrol now takes the position that it can seize and copy the contents of a laptop or other computing device for a traveler entering the United States, based simply on its authority to do traditional border searches. The government seems to believe that, if they can open a suitcase at the border, then they can open a laptop as well. This simplistic legal theory ignores the massive factual differences between a quick glance into a suitcase and the ability to copy a lifetime of files from someone's laptop, and then examine those files at the government's leisure. This issue has come into sharp focus since the April decision of the Ninth Circuit Court of Appeals in U.S. v. Arnold. That panel clearly ruled that CPB can seize a laptop computer at the border, and examine its contents, without any reasonable suspicion of unlawful activity. Affidavits in that case and other credible reports show that agents at the border are going further: they are requiring travelers to reveal their passwords or encryption keys so that government agents can examine the full content of the laptop or other computing device. 
Other witnesses today will go into depth about crucial objections to these laptop border searches, including constitutional prohibitions under the First and Fourth Amendments, ethnic profiling, and severe impact on commercial and individual travelers who are forced to reveal confidential records to the government. My focus is different, drawing on my personal involvement in the encryption policy battles from a decade ago. My thesis is that laptop border searches bear a striking similarity to the federal encryption policy that was attempted during the 1990s but reversed in 1999. My testimony presents a brief history of these "crypto wars," as they were called. In particular, the testimony describes the so-called "Clipper Chip," where the government hoped to gain the encryption keys in advance for telecommunications devices. The testimony then examines eight precise analogies between the failed encryption policy of the 1990s and laptop border searches. For each of the eight critiques, the testimony explains how the critique applied to encryption policy and how the same argument applies to today's border searches:

1. Traditional legal arguments apply badly to new facts about computing
2. Government forces disclosure of encryption keys
3. Severe violation of computer security best practices
4. U.S. policy creates bad precedents that totalitarian and other regimes will follow
5. Severe harm to personal privacy, free speech, and business secrets
6. Disadvantaging the U.S. economy
7. Political coalition of civil liberties groups and business
8. Technical futility of U.S. policy

Since I became aware of the issue of laptop border searches I have spoken to an array of businesspeople, computer security experts, civil liberties advocates, and ordinary people who hear what the government is doing. The reaction has been uniform: "The government is doing that? They are just stopping people at the border, opening people's laptops and making copies of what's inside? 
It could happen to anyone, even if they've done nothing wrong? That is simply not right." I hope today's hearing will be an important step toward curbing the current practices. Read the full testimony (pdf) http://www.americanprogress.org/issues/2008/06/pdf/swire_laptop_testimony.pdf From rforno at infowarrior.org Sat Aug 2 01:27:07 2008 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 1 Aug 2008 21:27:07 -0400 Subject: [Infowarrior] - JPEG Patent's Single Claim Rejected Message-ID: <17D701AE-FDAC-4619-AC6F-748BC8CEB1AA@infowarrior.org> JPEG Patent's Single Claim Rejected (And Smacked Down For Good Measure) We've been covering the ongoing saga of an old patent we've referred to as the "JPEG Patent." This actually isn't the first patent we've called the JPEG Patent, because multiple people claimed to hold patents over the technology that goes into a JPEG image. But, this one was rather special. The patent had been used, repeatedly, by lawyer Ray Niro, against a wide range of opponents, including a patent system critic. The end result was a drawn out review process where all of the original claims were rejected, but a single new claim was added to the patent, which Niro insisted covered JPEGs on a website. Earlier this year, the Patent Office agreed to re-examine that claim. On top of that, a judge overseeing one of the lawsuits involving the patent decided to put the suit on hold pending the outcome of the re-exam. 
Of course, the re-exam will take some time, but the initial re-exam came out recently and it does not look good for this patent: < - > http://techdirt.com/articles/20080731/0337491852.shtml From rforno at infowarrior.org Sat Aug 2 15:54:39 2008 From: rforno at infowarrior.org (Richard Forno) Date: Sat, 2 Aug 2008 11:54:39 -0400 Subject: [Infowarrior] - EFF Releases "Switzerland" ISP Testing Tool Message-ID: <1244E627-E420-46F1-8400-2B550BB58404@infowarrior.org> http://www.eff.org/press/archives/2008/07/31 August 1st, 2008 EFF Releases "Switzerland" ISP Testing Tool Empowers Internet Users on Eve of FCC Comcast Action San Francisco - Hours before the Federal Communications Commission (FCC) is expected to take action against Comcast for violating the FCC's net neutrality principles, the Electronic Frontier Foundation (EFF) is releasing "Switzerland," a software tool for customers to test the integrity of their Internet communications. The FCC action, expected later today, is a response to formal complaints regarding efforts by Comcast to interfere with its subscribers' use of BitTorrent to share files over the Internet. These interference efforts were first documented and disclosed in October 2007 by EFF, the Associated Press, and a concerned Internet user, Robb Topolski. EFF subsequently urged the FCC to declare Comcast's efforts inconsistent with the Commission's 2005 "Internet Policy Statement," which sets a benchmark for neutral treatment of Internet traffic. "The sad truth is that the FCC is ill-equipped to detect ISPs interfering with your Internet connection," said Fred von Lohmann, EFF Senior Intellectual Property Attorney. "It's up to concerned Internet users to investigate possible network neutrality violations, and EFF's Switzerland software is designed to help with that effort. Comcast isn't the first, and certainly won't be the last, ISP to meddle surreptitiously with its subscribers' Internet communications for its own benefit." 
"Until now, there hasn't been a reliable way to tell if somebody -- a hacker, an ISP, corporate firewall, or the Great Firewall of China -- is modifying your Internet traffic en route," said Peter Eckersley, EFF Staff Technologist and designer of Switzerland. "The few tests available have been for narrow and specific kinds of interference, or have required tremendous amounts of advanced forensic labor. Switzerland is designed to make general-purpose ISP testing faster and easier." Part of EFF's "Test your ISP" project, Switzerland is an open source, command-line software tool designed to detect the modification or injection of packets of data by ISPs. Switzerland detects changes made by software tools believed to be in use by ISPs such as Sandvine and AudibleMagic, advertising systems like FairEagle, and various censorship systems. Although currently intended for use by technically sophisticated Internet users, development plans aim to make the tool increasingly easy to use. For more information and to download the Switzerland software: http://www.eff.org/testyourisp/switzerland For more about EFF's "Test Your ISP" Project: http://www.eff.org/testyourisp Contacts: Fred von Lohmann Senior Intellectual Property Attorney Electronic Frontier Foundation fred at eff.org Peter Eckersley Staff Technologist Electronic Frontier Foundation pde at eff.org From rforno at infowarrior.org Sun Aug 3 23:09:43 2008 From: rforno at infowarrior.org (Richard Forno) Date: Sun, 3 Aug 2008 19:09:43 -0400 Subject: [Infowarrior] - RIP, Alexander Solzhenitsyn Message-ID: Soviet Dissident Writer Solzhenitsyn Dies at 89 Reuters Sunday, August 3, 2008; 7:03 PM MOSCOW -- Alexander Solzhenitsyn, the Soviet dissident writer and Nobel literature prize winner who revealed the horror of Stalin's camps to the world, died late on Sunday aged 89, Russian news agencies reported. 
Itar-Tass news agency quoted Solzhenitsyn's son Stepan as saying the writer died of heart failure in his home outside Moscow at 11:45 p.m. (1945 GMT). Interfax news agency quoted literary sources as saying Solzhenitsyn died of a stroke. "President Dmitry Medvedev expressed his condolences to Solzhenitsyn's family," a Kremlin spokesman said. Members of the writer's family could not be contacted immediately. For more than 20 years, the bearded World War Two veteran, who spent eight years in Stalin's camps for criticising the Soviet dictator, became a symbol of intellectual resistance to the Communist rule. His monumental work "The Gulag Archipelago", written in secrecy in the Soviet Union and published in Paris in three volumes between 1973 and 1978, is the definitive work on Stalin's forced labour camps, where tens of millions perished. A short-lived policy of de-Stalinisation by the then Soviet leader Nikita Khrushchev made possible the publication in 1962 of Solzhenitsyn's "One Day in the Life of Ivan Denisovich", which described the horrifying routine of labour camp life. Other literary works, including a series of historical novels and political pamphlets, were banned from publication in the Soviet Union, where their distribution was made a criminal offence. Major works including "The First Circle" and "Cancer Ward" brought Solzhenitsyn world admiration and the Nobel Literature Prize in 1970. Four years later, he was stripped of his citizenship and put on a plane to West Germany for refusing to keep silent about his country's past, and became an icon of resistance to the communist system from his American home in Vermont, where he remained until his triumphant return in 1994. RETURN JOURNEY In 1989, the last Soviet leader, Mikhail Gorbachev, allowed the publication of Solzhenitsyn's works as part of his "perestroika" reforms and restored his Soviet citizenship. 
However, Solzhenitsyn refused to return to Russia until after the Soviet Union collapsed, marking his comeback in 1994 with a long train journey from Vladivostok on the Pacific coast to Moscow. Russia's post-Soviet leadership paid great respect to Solzhenitsyn, who lived in seclusion outside Moscow. Solzhenitsyn remained critical of what he saw as the decadence of post-Soviet Russia and had little time for Western-style democracy, which he felt was not a solution for his homeland. "The main achievement is that Russia has revived its influence in the world," Solzhenitsyn said in his last television interview last year. "But morally we are too far from what is needed. This cannot be achieved by the state, through parliamentarianism ... "As far as the state, the public mind and the economy is concerned, Russia is still far away from the country of which I dreamed." © 2008 Reuters From rforno at infowarrior.org Sun Aug 3 23:22:29 2008 From: rforno at infowarrior.org (Richard Forno) Date: Sun, 3 Aug 2008 19:22:29 -0400 Subject: [Infowarrior] - FBI seizes local Md. library computers Message-ID: FBI seizes local Md. library computers August 3, 2008 - 9:41am http://wtopnews.com/?nid=598&sid=1452848 The FBI removed computer records from the C. Burr Artz Library this week, a library official confirmed Saturday. Darrell Batson, director of Frederick County Public Libraries, said two FBI employees came to the downtown Frederick library either Wednesday or Thursday. The agents removed two public computers from the library's second floor. They told him they were taking the units back to their office in Washington, D.C., Batson said. Batson expected the computers would be returned early this week, he said. Debbie Weierman, spokeswoman for the FBI's Washington field office, would not comment Saturday on whether the agency had removed records from the library. This was the third time in his 10 years with FCPL that the FBI has come to the library seeking records, Batson said. 
It was the first time they came without a court order. The library's procedure for such requests usually requires a court order, however after the agent described the case and the situation, he was persuaded to give them access, Batson said. "They had an awful lot of information," he said, but he was not allowed to discuss specifics. "It was a decision I made on my experience and the information given to me," he said. C. Burr Artz Library has several dozen public computers. The agents seemed to know which ones they needed access to, he said. Anyone with a library card and a PIN number can use FCPL computers. Without a library card, a person can get a temporary pass to go online. Batson said the agents made no mention of Bruce Ivins, anthrax or Fort Detrick. "Obviously it coincided with the events everyone is talking about," he said. (Copyright 2008 The Frederick News-Post. All rights reserved.) also on wtopnews.com * Guyana Muslims: FBI pursuing alleged terror plot * 5 nominated reality hosts to preside over Emmys * Library confrontation points up privacy dilemma also on the web * FBI Withdraws Unconstitutional National Security Letter * Mobile technology connects, communicates at C. Burr Artz The FBI removed computer records from the C. Burr Artz Library this week, a library official confirmed Saturday. Darrell Batson, director of Frederick County Public Libraries, said two FBI employees came to the downtown Frederick library either Wednesday or Thursday. The agents removed two public computers from the library's second floor. They told him they were taking the units back to their office in Washington, D.C., Batson said. Batson expected the computers would be returned early this week, he said. Debbie Weierman, spokeswoman for the FBI's Washington field office, would not comment Saturday on whether the agency had removed records from the library. This was the third time in his 10 years with FCPL that the FBI has come to the library seeking records, Batson said. 
From rforno at infowarrior.org Mon Aug 4 12:44:41 2008 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 4 Aug 2008 08:44:41 -0400 Subject: [Infowarrior] - College class teaches virus-writing Message-ID: <4227E859-502D-4450-889C-EAF0A7A10EBE@infowarrior.org> This Bug Man Is a Pest George Ledin teaches students how to write viruses, and it makes computer-security software firms sick. By Adam B. Kushner | NEWSWEEK Published Aug 2, 2008 From the magazine issue dated Aug 11, 2008 http://www.newsweek.com/id/150465 In a windowless underground computer lab in California, young men are busy cooking up viruses, spam and other plagues of the computer age. Grant Joy runs a program that surreptitiously records every keystroke on his machine, including user names, passwords, and credit-card numbers. And Thomas Fynan floods a bulletin board with huge messages from fake users. Yet Joy and Fynan aren't hackers - they're students in a computer-security class at Sonoma State University.
And their professor, George Ledin, has shown them how to penetrate even the best antivirus software. The companies that make their living fighting viruses aren't happy about what's going on in Ledin's classroom. He has been likened to A.Q. Khan, the Pakistani scientist who sold nuclear technology to North Korea. Managers at some computer-security companies have even vowed not to hire Ledin's students. The computer establishment's scorn may be hyperbolic, but it's understandable. "Malware" - the all-purpose moniker for malicious computer code - is spreading at an exponential rate. A few years ago, security experts tracked about 5,000 new viruses every year. By the end of this year, they expect to see triple that number every week, with most designed for identity theft or spam, says George Kurtz, a senior vice president at antivirus software maker McAfee. "You've got a whole business model built up around malware," he says. Ledin insists that his students mean no harm, and can't cause any because they work in the computer equivalent of biohazard suits: closed networks from which viruses can't escape. Rather, he's trying to teach students to think like hackers so they can devise antidotes. "Unlike biological viruses, computer viruses are written by a programmer. We want to get into the mindset: how do people learn how to do this?" says Ledin, who was born to Russian parents in Venezuela and trained as a biologist before coming to the United States and getting into computer science. "You can't really have a defense plan if you don't know what the other guy's offense is," says Lincoln Peters, a former Ledin student who now consults for a government defense agency. That doesn't mean Ledin isn't trying to create a little mischief. His syllabus is partly a veiled attack on McAfee, Symantec and their ilk, whose $100 consumer products he sees as mostly useless.
If college students can beat these antivirus programs, he argues, what good are they for the people and businesses spending nearly $5 billion a year on them? Antivirus software makers say Ledin's critique is misleading, and that they are a step ahead of him - and the hackers. "We've changed the game, and viruses have changed in recent years because of the protection we're putting into place," says Zulfikar Ramzan, the technical director of Symantec's security team. Still, beneath Ledin's critique lies a powerful polemic. Ledin compares the companies' hold over antivirus technology (under the Digital Millennium Copyright Act of 1998, the companies' codes are kept secret) to cryptography decades ago, when the new science of scrambling data was largely controlled by the National Security Agency. Slowly, the government opened the field to universities and companies, and now there are thousands of minds producing encryption that is orders of magnitude more complex than code from just a decade ago. That's why you can safely transmit your credit-card numbers online. "Why should we shy away from learning something that is important to everyone?," Ledin asks. "Yes, you could inflict some damage on society, but you could inflict damage with chemistry and physics, too." He hopes one day to share antivirus techniques. But that would require infrastructure and financial support, which the federal government so far has declined to give. Until then, Ledin will have to live with his reputation as the guy who gave away the secrets to the Internet's bomb. ©
2008 From rforno at infowarrior.org Mon Aug 4 22:31:25 2008 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 4 Aug 2008 18:31:25 -0400 Subject: [Infowarrior] - New Details on the National Cyber Security Initiative Message-ID: <1C989D4D-FCEB-4EB3-8410-12A0DEC06F31@infowarrior.org> Almost everything about the Comprehensive National Cyber Security Initiative (CNCI), established by National Security Presidential Directive 54 and Homeland Security Presidential Directive 23, is classified. But following a classified March 2008 hearing on the subject, Senators Joe Lieberman and Susan Collins of the Senate Homeland Security and Governmental Affairs Committee teased out a few unclassified details about the effort. "The response (pdf) includes information on the National Cyber Security Center, how privacy will be protected under the CNCI, how success of the initiative will be measured, and how the Department views the private sector's role in the initiative," the Senators noted in a news release. "The Department chose to redact information relating to contracting at the National Cyber Security Division (NCSD). The senators have asked DHS to explain their reasons for the redactions." < - > http://www.fas.org/blog/secrecy/2008/08/cyber-sec_init.html From rforno at infowarrior.org Tue Aug 5 01:09:46 2008 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 4 Aug 2008 21:09:46 -0400 Subject: [Infowarrior] - Hacker Court @ Blackhat Message-ID: <2037B0F6-7157-42C1-A80A-4F21DF6F6A25@infowarrior.org> (Disclosure: I know the HC folks quite well, have participated in HC at BH Federal, and consider these folks good securitygeek friends.....but having said that, it's still a fun and quite informative event!! -rf) http://blog.tenablesecurity.com/2008/08/hacker-court-at.html Hacker Court at Black Hat! Hacker Court is once again returning to the Black Hat Briefings!
For our seventh Black Hat presentation, we will be conducting a mock court trial focused on the issues of entrapment, journalist privilege and wiretapping, titled "Hack MyFace." What is "Hacker Court?" Hacker Court is a loose organization of attorneys, security professionals and hackers with the goal of demonstrating the dynamics, frustrations and complexity of computer crime trials. Teaching Points The Hacker Court mock trials endeavor to teach a technical audience the reality of computer crime trials. Before joining Tenable, I was a free-lance security consultant and developed a particular interest in computer crime cases after personal experience in dealing with an intrusion. I thought I knew a lot about the process, but it wasn't until I actually worked on a case with the Federal Defender's Office in NY that I realized just how naïve I was on how the legal system really worked. The defendant was even more naïve and honestly thought that a "jury of his peers" meant that people like Simple Nomad, Jericho and Rain Forest Puppy would serve on the jury. After all - his "peers" were hackers! Since then, I've been involved in other cases and these are a few of the major lessons I've learned:

1. Defendants lie, even to their own defense team
2. Admissibility of evidence is up to the judge, not the technology or its merit
3. A jurist with an infosec background would be disqualified from serving on a computer crime case
4. Defense experts cannot talk about the case no matter how much the defendant smears them to his friends
5. There are no "Matlock" moments
6. The trial is all about the attorneys' performances
7. Technical evidence is boring, especially to the jury
8. A case will most likely not be prosecuted unless there is a 95% chance of a conviction. Corollary: if you go to trial, you're probably going down.
9. Cross examination of witnesses is brutal
10. The trial may take place years after the crime

The most important (and scary) lesson I learned is that the case will be won or lost by the side that makes their story compelling and interesting. Technical details are neither. How it's Done The Hacker Court mock trials demonstrate these points by enacting a courtroom environment where the audience is the jury. There is no pre-set outcome and we take great pains to make sure the deck is pretty evenly stacked (which differs from most trials where the prosecution usually wins). Although we work out the facts of the case ahead of time, much of the testimony from witnesses is ad-libbed, often with amusing results. Hacker Court differs from an actual trial in that we streamline the process and have some fun with it. An actual trial can take weeks - we have 2 hours, which normally wouldn't cover the opening remarks. Most trials are also extremely boring, despite what you may see on TV. We take many liberties to make it fun, which no judge in his right mind would tolerate in an actual trial. For example, our 2004 presentation "Pirates of the Potomac: The Curse of the Bl4ck Perl" featured Simple Nomad as "Captain Jack Hack" (aka "Cracker Jack"), a hacker accused of "war-sailing" up the Potomac. This Year's Case This year's presentation will once again feature Simple Nomad as the defendant, a "l33t" hacker who frequently posts to a blog run by a journalist who investigates cases of identity theft and exposure of personal information. Nomad claims to have a zero-day exploit that will work on any social networking site and is goaded by another blog poster to prove it by exploiting a social networking site called "MyFace." A more complete case summary, along with Speaker bios, may be found at the Black Hat site.
From rforno at infowarrior.org Tue Aug 5 17:59:29 2008 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 5 Aug 2008 13:59:29 -0400 Subject: [Infowarrior] - "Clear" Air-Travel Pass Data Stolen From SFO Message-ID: <7A06AEBF-AAA7-4944-B4DB-06CA5AC2099F@infowarrior.org> Brilliant. --rf Aug 5, 2008 10:40 am US/Pacific http://cbs5.com/local/tsa.security.clear.2.788083.html Security Breached At SFO Due To Stolen Laptop SAN FRANCISCO (CBS 5 / KCBS) - The Transportation Security Administration says a laptop containing the sensitive personal information of 33,000 applicants to an airport security prescreening program has gone missing. T.S.A. spokesperson Ann Davis told CBS an unencrypted computer storing the personal information on the cards went missing from SFO on July 26th, but the agency was not notified until Sunday. The TSA has suspended new enrollments in the program, known as Clear, which allows passengers to pay to use special "fast lanes" at airport security checkpoints. The laptop belonged to a privately run company known as Verified Identity Pass Inc., which operates the program at 17 airports nationwide. An agency spokesman says the company must notify all affected applicants and show it has installed encryption on all its computers before it can restart enrollments. Current Clear customers will still be able to use their cards while the breach is sorted out. (© MMVIII, CBS Broadcasting Inc. All Rights Reserved.)
From rforno at infowarrior.org Tue Aug 5 18:00:30 2008 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 5 Aug 2008 14:00:30 -0400 Subject: [Infowarrior] - MS giving partners heads-up on security vulnerabilities Message-ID: Microsoft to give partners heads-up on security vulnerabilities Posted by Elinor Mills http://news.cnet.com/8301-1009_3-10006325-83.html?hhTest=1&part=rss&subj=news&tag=2547-1_3-0-20 Microsoft will be giving companies that sell security software and services to its customers a sneak peek at the technical details of the vulnerabilities in Microsoft software before the company releases its monthly "Patch Tuesday" updates. The new Microsoft Active Protections Program, set to be announced at the Black Hat security conference on Tuesday, is designed to give software vendors a chance to prepare updates to their software before attackers have a chance to reverse engineer Microsoft's security patch and create an exploit. "It's essentially a race between the attackers and the protectors," said Andrew Cushman, who runs the Microsoft Security Response Center. The program will "give a head start to software providers delivering security features to our mutual customers." "It will save (vendors) the work of reverse engineering the patch and identifying where the vulnerability is and what triggers the exploitability," he said. Cushman did not say how vendors would be notified or how much lead time they would get. Software companies that provide protection against host-based or network-based attacks will have to apply for membership to the program and be accepted. They and Microsoft will then be under mutual non-disclosure agreements, he said. "The goal is to give it to them so they can have updates available as close to 10 a.m. as possible" on the second Tuesday of every month, Cushman said. The program will begin in October. Microsoft has already floated the idea by IBM/ISS, TippingPoint and Juniper, he said.
Microsoft also will be providing an Exploitability Index in its monthly security bulletins beginning in October that will help organizations prioritize vulnerabilities by assigning one of three ratings to each one based on the likelihood of exploits being developed. The ratings from most severe to least severe are: "exploitation is likely to occur and to be reliable," "exploitation is likely to occur but with inconsistent reliability" and "exploitation is unlikely to occur," according to Cushman. From rforno at infowarrior.org Tue Aug 5 18:03:00 2008 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 5 Aug 2008 14:03:00 -0400 Subject: [Infowarrior] - Gartner warns on iPhone security, battery issues Message-ID: <76458718-C188-4715-9909-4242CC19D62C@infowarrior.org> Gartner: 'Caveats apply' for enterprise iPhone use Battery life, security issues could affect custom business apps By Matt Hamblen http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9111526&pageNumber=1 August 4, 2008 (Computerworld) After three weeks of testing and reviewing Apple Inc.'s new iPhone 2.0 firmware and an iPhone 3G for use in large businesses, analyst firm Gartner Inc. said the device can be supported by IT shops - but only for a narrow set of uses such as voice, e-mail, Web browsing and the storage of personal information. The reason for the restrictions? Security concerns. The newest iPhone "does not deliver sufficient security for [running] custom applications" commonly used on handhelds in enterprise settings, Gartner analyst Ken Dulaney wrote in a nine-page research note. The report, "iPhone 2.0 Is Ready for the Enterprise, but Caveats Apply," concludes: "Enterprises should approach expanded use of the iPhone slowly and with close examination." Users considering adoption of the device should also be aware that iPhone data usage can incur high international roaming charges, Dulaney said.
Also, the iPhone 3G's battery might not even last through a full day of e-mail use, he added. Dulaney made the security warning despite Apple's inclusion of password controls and a "remote wipe" capability. Remote wipe enables an IT administrator to wipe data on the device from a remote location should an iPhone carrying sensitive data be lost or stolen. Dulaney noted a concern other analysts have raised: Data apparently cannot be encrypted on the device itself, even though he said Apple officials assured him that there is an API in the firmware to provide encryption. The problem seems to be that third-party software vendors need to write such an encryption application; the vendors have complained about blocked access to the iPhone API needed to build such a product, Dulaney said. If such an encryption application is available, Dulaney said he has not been able to judge whether it is viable or how much it uses the iPhone's processor or drains the battery. Apple officials have touted the iPhone 2.0 firmware update and the iPhone 3G, launched July 11, as offering business-ready features, including access to Exchange e-mail. But Gartner's analysis seems to indicate that the device could be business-ready under the right circumstances. In general, the new Gartner analysis is not aimed at small-business users of the iPhone or prosumers who might need both personal and business functions on one device. Gartner's advice is primarily targeted at IT managers of larger organizations who may be asked to distribute and support hundreds or even thousands of iPhones to workers while following corporate security policies and government regulations designed to keep data out of the wrong hands. Dulaney also noted that iTunes must be installed on end-user desktops to receive firmware updates for the iPhone. But automatically allowing firmware updates to be installed that way means an IT manager would not be able to verify what Apple has delivered. 
While Apple offers an iTunes registry update to control the functions the application can perform, Dulaney "strongly" suggested that enterprises instead use existing management tools to lock down the registry and disable firmware updates and file transfers that "could inject unwanted content into the enterprise." Dulaney suggested that in the future, Apple should create processes for managing the iPhone as Microsoft Corp. and Research in Motion Ltd. did for Windows Mobile and BlackBerry devices, respectively. Dulaney also urged IT managers to warn users who might sign up for a two-year commitment to the product to assess several factors - including how much they travel internationally, since international roaming rates for data usage could be high. Data-roaming costs have become an issue for at least one major global manufacturer who found that because the iPhone makes browsing and data usage so easy, travelers can incur thousands of dollars in data costs on a single trip. Another concern is battery life, Dulaney said. In Gartner's testing using default settings on the iPhone 3G, the battery "seldom experienced a full day of use," he said. That happened while using Exchange ActiveSync, some limited browsing and no telephone calls, he said. The drain on the battery may be caused by using the iPhone in a Wi-Fi network, or it might be Apple's implementation of ActiveSync that requires more power to stay constantly connected to the network to deliver new mail. Also, users might like to know that the iPhone does not support the ability to edit attachments in email and that attachments take time to download, he said. And he noted that e-mail users can't cut and paste details from an e-mail into an appointment application. "The quickest way to do this on the iPhone today is to write the details down on a piece of paper and re-enter them," Dulaney wrote.
From rforno at infowarrior.org Wed Aug 6 13:05:58 2008 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 6 Aug 2008 09:05:58 -0400 Subject: [Infowarrior] - 41 million credit/debit card numbers compromised Message-ID: <70F7013F-F688-483E-81C2-6EF2E10A4F7B@infowarrior.org> 11 charged in connection with credit card fraud By ANNE D'INNOCENZIO http://ap.google.com/article/ALeqM5iL9Fn3VNKRc00RHOLhI-cC-qEVwwD92CBBI80 NEW YORK (AP) - The Department of Justice announced Tuesday that it had charged 11 people in connection with the hacking of nine major U.S. retailers and the theft and sale of more than 41 million credit and debit card numbers. It is believed to be the largest hacking and identity theft case ever prosecuted by the Department of Justice. The charges include conspiracy, computer intrusion, fraud and identity theft. The indictment returned Tuesday by a federal grand jury in Boston alleges that the people charged hacked into the wireless computer networks of retailers including TJX Cos., BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW. "While technology has made our lives much easier it has also created new vulnerabilities," U.S. Attorney Michael J. Sullivan said in a statement. "This case clearly shows how strokes on a keyboard with a criminal purpose can have costly results." The indictment alleges that the hackers installed programs to capture card numbers, passwords and account information, and then concealed the data in computer servers that they controlled in the U.S. and Eastern Europe. "They used sophisticated computer hacking techniques, that would allow them to breach security systems and install programs that gathered enormous quantities of personal financial data, which they then allegedly either sold to others or used themselves," said Attorney General Michael Mukasey in a press conference. "And in total, they caused widespread losses by banks, retailers, and consumers."
Mukasey said the total dollar amount of the alleged theft is "impossible to quantify at this point." Sullivan said officials still haven't identified all the victims who had a credit or debit card number stolen. "I suspect that a lot of people are unaware that their identifying information has been compromised," he said. Sullivan said the alleged thieves weren't computer geniuses, just opportunists who used a technique called "wardriving," which involved cruising through different areas with a laptop computer and looking for accessible wireless Internet signals. Once they located a vulnerable network, they installed so-called "sniffer programs" that captured credit and debit card numbers as they moved through a retailer's processing networks. The information was stored on two servers in Ukraine and Latvia - one with more than 25 million credit and debit card numbers and another with more than 16 million numbers, Sullivan said. The heist was a black eye for retailers like TJX. The company, which initially disclosed the data breach in January 2007, said a few months later that at least 45.7 million cards were exposed to possible fraud in a breach of its computer systems that began in July 2005. Court filings by some banks that sued TJX put the number of cards affected at more than 100 million, based on estimates by officials with Visa and MasterCard, who were deposed in the suit. In May, TJX said it won support from Mastercard-issuing banks for a settlement that will pay them as much as $24 million to cover costs from the data breach. A similar agreement reached last November with Visa-card issuing banks also was overwhelmingly approved. That agreement set aside as much as $40.9 million to help banks cover costs including replacing customers' payment cards and covering fraudulent charges. Under the indictments unsealed Tuesday, three of the defendants are U.S. citizens, one is from Estonia, three are from Ukraine, two are from China and one is from Belarus.
One individual is only known by an alias online, and his place of origin is unknown. In the Boston indictment, Albert "Segvec" Gonzalez of Miami, who is accused of leading the scheme, was charged with computer fraud, wire fraud, access device fraud, aggravated identity theft and conspiracy. Gonzalez, who is in custody in New York, faces a maximum penalty of life in prison if he is convicted of all the charges. Indictments were unsealed Tuesday in San Diego against Maksym "Maksik" Yastremskiy of Kharkov, Ukraine, and Aleksandr "Jonny Hell" Suvorov of Sillamae, Estonia. The indictments charge them with crimes related to the sale of the stolen credit card data. Furthermore, indictments against Hung-Ming Chiu and Zhi Zhi Wang, both of China, and a person known only by the online nickname "Delpiero" were also unsealed in San Diego. Officials did not say whether any other suspects were in custody, or give an arraignment date for Gonzalez. Associated Press writer Rodrique Ngowi contributed to this story from Boston. From rforno at infowarrior.org Wed Aug 6 13:08:59 2008 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 6 Aug 2008 09:08:59 -0400 Subject: [Infowarrior] - E-Mail Hacking Case Could Redefine Online Privacy Message-ID: <59E5AFF4-6CC1-48E0-89AC-DD0F9D688AE2@infowarrior.org> E-Mail Hacking Case Could Redefine Online Privacy By Ellen Nakashima Washington Post Staff Writer Wednesday, August 6, 2008; D01 http://www.washingtonpost.com/wp-dyn/content/article/2008/08/05/AR2008080503421_pf.html A federal appeals court in California is reviewing a lower court's definition of "interception" in the digital age, in a case that some legal experts say could weaken consumer privacy protections online. The case, Bunnell v. Motion Picture Association of America, involves a hacker who in 2005 broke into a file-sharing company's server and obtained copies of company e-mails as they were being transmitted. 
He then e-mailed 34 pages of the documents to an MPAA executive, who paid the hacker $15,000 for the job, according to court documents. The issue boils down to the judicial definition of an intercept in the electronic age, in which packets of data move from server to server, alighting for milliseconds before speeding onward. The ruling applies only to the 9th District, which includes California and other Western states, but could influence other courts around the country. In August 2007, Judge Florence-Marie Cooper, in the Central District of California, ruled that the alleged hacker, Rob Anderson, had not intercepted the e-mails in violation of the 1968 Wiretap Act because they were technically in storage, if only for a few instants, instead of in transmission. "Anderson did not stop or seize any of the messages that were forwarded to him," Cooper said in her decision, which was appealed by Valence Media, a company incorporated in the Caribbean island of Nevis but whose officers live in California. "Anderson's actions did not halt the transmission of the messages to their intended recipients. As such, under well-settled case law, as well as a reading of the statute and the ordinary meaning of the word 'intercept,' Anderson's acquisitions of the e-mails did not violate the Wiretap Act." Anderson was a former business associate of an officer for Valence Media, which developed TorrentSpy, a search engine that helped users find "torrents," or special data files on the Internet that can be used to help download free audio, software, video and text. According to court documents, Anderson configured the "copy and forward" function of Valence Media's server so that he could receive copies of company e-mail in his Google mail account. He then forwarded a subset to an MPAA executive. The documents sent to the MPAA included financial statements and spreadsheets, according to court papers. 
"The information was obtained in a legal manner from a confidential informant who we believe obtained the information legally," MPAA spokeswoman Elizabeth Kaltman said. Valence Media alleged that the MPAA wanted those documents to gain an advantage in a copyright infringement lawsuit against the company and its officers. "The case is alarming because its implications will reach far beyond a single civil case," wrote Kevin Bankston, a senior attorney for the Electronic Frontier Foundation in a friend-of-the-court brief filed Friday. If upheld, the foundation argued, "law enforcement officers could engage in the contemporaneous acquisition of e-mails just as Anderson did, without having to comply with the Wiretap Act's requirements." Those requirements are strict, including a warrant based on probable cause as well as high-level government approvals and proof alternatives would not work. Cooper's ruling also has implications for non-government access to e-mail, wrote Bankston and University of Colorado law professor Paul Ohm in EFF's brief. "Without the threat of liability under the Wiretap Act," they wrote, "Internet service providers could intercept and use the private communications of their customers, with no concern about liability" under the Stored Communications Act, which grants blanket immunity to communications service providers where they authorize the access. Individuals could monitor others' e-mail for criminal or corporate espionage "without running afoul of the Wiretap Act," they wrote. "It could really gut the wiretapping laws," said Orin S. Kerr, a George Washington University law professor and expert on surveillance law. "The government could go to your Internet service provider and say, 'Copy all of your e-mail, but make the copy a millisecond after the email arrives,' and it would not be a wiretap." In August, 2007, Valence Media shut down TorrentSpy access to the United States due in part to concern that U.S.
law was not sufficiently protective of people's privacy, according to its attorney, Ira Rothken. The Electronic Privacy Information Center also filed a friend-of-the-court brief Friday, arguing that Congress intended to cover the sort of e-mail acquisition Anderson engaged in. From rforno at infowarrior.org Wed Aug 6 13:14:37 2008 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 6 Aug 2008 09:14:37 -0400 Subject: [Infowarrior] - 'Clear' traveller laptop found .. in the same office Message-ID: <329725B3-BBB5-49D0-ABC0-DB0DA0B1B7F4@infowarrior.org> Lost laptop found in SFO office Deborah Gage, Chronicle Staff Writer Wednesday, August 6, 2008 http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2008/08/05/BU2V125HTF.DTL&tsp=1 (08-05) 15:37 PDT SAN FRANCISCO INTERNATIONAL AIRPORT -- A laptop containing personal information on 33,000 travelers enrolled in a fast pass program at San Francisco International Airport turned up Tuesday in the same airport office from which it had been reported missing more than a week ago. Still, the Transportation Security Administration has halted signups for the program, called Clear, while the incident is investigated. Travelers already enrolled in the program are not affected by the suspension. The machine belongs to Verified Identity Pass, which has a contract with the TSA to run Clear, a service that speeds registered travelers through airport security lines. Verified Identity operates the program at about 20 airports nationwide. The laptop was reported missing to airport police and the San Mateo County Sheriff's Office on July 26 and to the TSA on July 28, according to Allison Beer, senior vice president for corporate development of Clear. A preliminary investigation shows that the information was not compromised, she said. The computer held names, addresses and birthdates for people applying to the program, as well as driver's license, passport and green card information.
But, she said, the computer contained no Social Security numbers, credit card numbers, fingerprints, facial images or other biometric information. "Yes, it was sensitive privacy information, but not the stuff that was most sensitive," she said. According to Beer, someone downloaded the information from a company server onto the laptop, which was part of a kiosk that was taken to companies and downtown locations and used to enroll travelers in the Clear program. The information was encrypted on the server, but not on the laptop, although it should have been, Beer said. However, it was protected by two levels of passwords. The laptop was found Tuesday in the same airport office, but not in the same location from which it had been discovered missing, according to the sheriff's office, which is helping with the investigation. Beer said the airport office is always locked, so if the laptop was removed, someone would have needed a key to return it. Travelers in the Clear program pay to have the TSA verify their identities. In return, they receive a card that gives them access to special security lanes in airports so they can avoid standing in line to go through security. Verified Identity was approved by the TSA in January 2007 as a Registered Traveler service provider and charges $128 a year for Clear. The TSA said in a statement that Verified Identity was out of compliance with the administration's procedures because the information on the laptop was not properly encrypted. Now the company must undergo a third-party audit before Clear can resume, the TSA said. Beer said Clear expected to resume "in a matter of days." She said software on all laptops at all airports associated with the program is being encrypted and that affected travelers are being notified. "We take this very seriously," she said. E-mail Deborah Gage at dgage at sfchronicle.com. 
From rforno at infowarrior.org Wed Aug 6 18:02:49 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 6 Aug 2008 14:02:49 -0400
Subject: [Infowarrior] - IBM patents "paper or plastic?"
Message-ID:

Words fail me...... (c/o KP)

http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO1&Sect2=HITOFF&d=PALL&p=1&u=%2Fnetahtml%2FPTO%2Fsrchnum.htm&r=1&f=G&l=50&s1=7,407,089.PN.&OS=PN/7,407,089&RS=PN/7,407,089

United States Patent 7,407,089
Patrick
August 5, 2008

System and method for determining packaging preference

Abstract

There is disclosed a method and system for determining packaging preference of a customer by identifying the customer using a customer identifier, and retrieving available packaging preference information using the customer identifier. In an embodiment, the customer's packaging preference information for a particular identified item is retrieved and graphically communicated. In another embodiment, customer packaging preference information based on a quantity of items is retrieved and graphically communicated. Customer packaging preference information based on both the identified items and the quantity of items may also be retrieved and graphically communicated.

Inventors: Patrick; Kyle N. (British Columbia, CA)
Assignee: International Business Machines Corporation (Armonk, NY)
Appl. No.: 11/490,412
Filed: July 20, 2006

Foreign Application Priority Data
Aug 24, 2005 [CA] 2517060

From rforno at infowarrior.org Wed Aug 6 18:03:56 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 6 Aug 2008 14:03:56 -0400
Subject: [Infowarrior] - TSA to Allow Laptops in Approved Bags
Message-ID: <3D032763-6E1F-4A8C-893E-C0A241E7880E@infowarrior.org>

TSA to Allow Laptops in Approved Bags
By AP

(WASHINGTON) - There's a new option for people annoyed at having to take their laptops out of their bags at airport security. The Transportation Security Administration will now allow travelers to leave their computers inside "checkpoint friendly" cases.
The new rules, announced Tuesday and set to take effect Aug. 16, are intended to help streamline the X-ray inspection lines. TSA said it reached out to bag manufacturers this year to design laptop cases that would provide a clear, unobstructed image of the computer as it passed through an X-ray machine. The agency said the new bags will be available for purchase this month.

To qualify as "checkpoint friendly," a bag must have a designated laptop-only section that unfolds to lie flat on the X-ray machine belt and contains no metal snaps, zippers or buckles and no pockets.

Among the manufacturers selling TSA-approved laptop bags are Mobile Edge, Skooba Design and Targus Inc.

Find this article at:
http://www.time.com/time/business/article/0,8599,1829687,00.html

From rforno at infowarrior.org Wed Aug 6 19:59:30 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 6 Aug 2008 15:59:30 -0400
Subject: [Infowarrior] - Lessig and the rumored "i-PATRIOT Act"
Message-ID:

(True or not, I wouldn't put anything past anyone these days..........and perhaps some informed paranoia is warranted here given the INSANE levels of security associated with the National Cybersecurity Initiative. These days you really have to wonder what evil is being cooked up and/or being implemented in the name of "homeland security" -- sounds like "please trust us" is being used again to quickly get controversial things enacted w/o public scrutiny. Now, I can understand secrecy to protect sources and methods, but my gut-check tells me the INSANE levels of hush-hush over this "sweeping cybersecurity initiative" likely is to cover up another suspect and potentially-illegal public-private power grab in the name of 'security' as done so frequently by this Administration. -- but is there a connection between what I suggest here and Lessig's comments? You be the judge. -rf)

Law Professor: Counter Terrorism Czar Told Me There Is Going To Be An i-9/11 And An i-Patriot Act
Stanford Law professor Lawrence Lessig details government plans to overhaul and restrict the Internet
Steve Watson
Infowars.net
Tuesday, August 5, 2008
http://www.infowars.net/articles/august2008/050808i911.htm

Amazing revelations have emerged concerning already existing government plans to overhaul the way the internet functions in order to apply much greater restrictions and control over the web.

Lawrence Lessig, a respected Law Professor from Stanford University, told an audience at this year's Fortune Brainstorm Tech conference in Half Moon Bay, California, that "There's going to be an i-9/11 event" which will act as a catalyst for a radical reworking of the law pertaining to the internet.

Lessig also revealed that he had learned, during a dinner with former government Counter Terrorism Czar Richard Clarke, that there is already in existence a cyber equivalent of the Patriot Act, an "i-Patriot Act" if you will, and that the Justice Department is waiting for a cyber terrorism event in order to implement its provisions.

During a group panel segment titled "2018: Life on the Net", Lessig stated:

There's going to be an i-9/11 event. Which doesn't necessarily mean an Al Qaeda attack, it means an event where the instability or the insecurity of the internet becomes manifest during a malicious event which then inspires the government into a response. You've got to remember that after 9/11 the government drew up the Patriot Act within 20 days and it was passed. The Patriot Act is huge and I remember someone asking a Justice Department official how did they write such a large statute so quickly, and of course the answer was that it has been sitting in the drawers of the Justice Department for the last 20 years waiting for the event where they would pull it out.
Of course, the Patriot Act is filled with all sorts of insanity about changing the way civil rights are protected, or not protected in this instance. So I was having dinner with Richard Clarke and I asked him if there is an equivalent, is there an i-Patriot Act just sitting waiting for some substantial event as an excuse to radically change the way the internet works. He said "of course there is".

Watch Lessig reveal the details at 4.30 into the following video:

Lessig is the founder of Stanford Law School's Center for Internet and Society. He is founding board member of Creative Commons and is a board member of the Electronic Frontier Foundation and of the Software Freedom Law Center. He is best known as a proponent of reduced legal restrictions on copyright, trademark and radio frequency spectrum, particularly in technology applications. These are clearly not the ravings of some paranoid cyber geek.

The Patriot Act, as well as its lesser known follow-up the Domestic Security Enhancement Act 2003, also known as USA Patriot Act II, have been universally decried by civil libertarians and Constitutional scholars from across the political spectrum. They have stripped back basic rights and handed what have been described by even the most moderate critics as "dictatorial control" over to the president and the federal government.

Many believed that the legislation was a response to the attacks of 9/11, but the reality was that the Patriot Act was prepared way in advance of 9/11 and it sat dormant, awaiting an event to justify its implementation. In the days after the attacks it was passed in the House by a majority of 357 to 66. It passed the Senate by 98 to 1. Congressman Ron Paul (R-Tex) told the Washington Times that no member of Congress was even allowed to read the legislation.

Now we discover that exactly the same freedom restricting legislation has already been prepared for the cyber world.

An i-9/11, as described by Lawrence Lessig, would provide the perfect pretext to implement such restrictions in one swift motion, as well as provide the justification for relegating and eliminating specific content and information on the web.

Such an event could come in the form of a major viral attack, the hacking of a major city's security or transport systems, or some other vital systems, or a combination of all of these things. Considering the amount of unanswered questions regarding 9/11 and all the indications that it was a covert false flag operation, it isn't hard to imagine such an event being played out in the cyber world.

However, regardless of any i-9/11 or i-Patriot Act, there is already a coordinated effort to stem the reach and influence of the internet. We have tirelessly warned of this general movement to restrict, censor, control and eventually completely shut down the internet as we know it, thereby killing the last real vestige of free speech in the world today and eliminating the greatest communication and information tool ever conceived.

Our governments have reams of legislation penned to put clamps on the web as we know it. Legislation such as the PRO-IP Act of 2007: H.R. 4279, that would create an IP czar at the Department of Justice and the Intellectual Property Enforcement Act of 2007: S. 522, which would create an entire "Intellectual Property Enforcement Network". These are just two examples.

In addition, we have already seen how the major corporate websites and social networks are decentralizing and coming together to implement overarching identification, verification and access systems that have been described by Facebook founder Mark Zuckerberg as "the beginning of a movement and the beginning of an industry."

Some of these major tech companies have already joined efforts in projects such as the Information Card Foundation, which has proposed the creation of a system of internet ID cards that will be required for internet access. Of course, such a system would give those involved the ability to track and control user activity much more effectively. This is just one example.

In addition, as we reported yesterday, major transportation hubs like St. Pancras International, as well as libraries, big businesses, hospitals and other public outlets that offer wi-fi Internet, are blacklisting alternative news websites and making them completely inaccessible to their users.

These precedents are merely the first indication of what is planned for the Internet over the next 5-10 years, with the traditional web becoming little more than a vast spy database that catalogues people's every activity and bombards them with commercials, while those who comply with centralized control and regulation of content will be free to enjoy the new super-fast Internet 2.

We must speak out about this rampant move to implement strict control mechanisms on the web NOW before it is too late, before the spine of the free internet is broken and its body essentially becomes paralyzed beyond repair.

From rforno at infowarrior.org Wed Aug 6 20:01:44 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 6 Aug 2008 16:01:44 -0400
Subject: [Infowarrior] - Expert clones 'secure' passports
Message-ID: <0EA05B4E-A506-4B82-A215-0537C5609D0B@infowarrior.org>

Expert clones 'secure' passports
06.08.08
http://www.thisislondon.co.uk/standard/article-23527207-details/Expert+clones+%27secure%27+passports/article.do

Microchipped passports were cloned in tests exposing "a serious safety flaw", it was reported.

A computer researcher cloned the chips on two passports and implanted digital images of Osama bin Laden and a suicide bomber, according to The Times. The chips were then recognised as genuine by the passport reader software used at airports.

Britain introduced e-passports in March 2006 to combat terrorism and organised crime. Tens of millions of microchipped passports have been issued worldwide.
Jeroen van Beek, from the University of Amsterdam, conducted the tests for the newspaper. He said: "We're not claiming that terrorists are able to do this to all passports today or that they will be able to do it tomorrow. But it does raise concerns over security that need to be addressed in a more public and open way."

The tests could have implications for the Government's £4 billion identity card scheme, which relies on the same biometric technology. The Times claims they could also undermine claims that 3,000 blank passports stolen last week were worthless because they could not be forged.

A Home Office spokesman said: "We take security and privacy very seriously, which is why the British biometric passport meets international standards as set out by the International Civil Aviation Organisation and we remain confident that it is one of the most secure passports available.

"Continuing investment in biometric technology and enhanced security measures will help ensure that passport security is maintained now and in the future."

From rforno at infowarrior.org Wed Aug 6 20:05:10 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 6 Aug 2008 16:05:10 -0400
Subject: [Infowarrior] - DHS Exec Responds to Laptop Search Outcry
Message-ID: <3EC60CDC-278C-4885-8619-44743FDAE05B@infowarrior.org>

Answering Questions on Border Laptop Searches
Jayson Ahern
Deputy Commissioner, U.S. Customs and Border Protection
Blog post: http://www.dhs.gov/journal/leadership/

From rforno at infowarrior.org Thu Aug 7 11:53:14 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 7 Aug 2008 07:53:14 -0400
Subject: [Infowarrior] - Wired interview with DHS Secy Chertoff
Message-ID: <20339978-2FF3-4E62-8504-FFAB889990A4@infowarrior.org>

Chertoff: I'm Listening to the Internet (Not in a Bad Way)
http://blog.wired.com/27bstroke6/2008/08/chertoff.html

Homeland Security chief Michael Chertoff sat down with Threat Level on Monday in Silicon Valley to talk about laptop searches at the border, the government's new-found interest in computer security, and the continuing saga of overeager terrorist watch lists.

Among the revelations: It seems blog comments inspired him to propose a laptop-tracking application for those who had their computers seized at the border. He also explained why watch-list mismatches are the airlines' fault, and why the government is too secret.

< - >

From rforno at infowarrior.org Thu Aug 7 12:18:20 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 7 Aug 2008 08:18:20 -0400
Subject: [Infowarrior] - Superbugs
Message-ID:

Superbugs
The new generation of resistant infections is almost impossible to treat.
by Jerome Groopman
August 11, 2008

In August, 2000, Dr. Roger Wetherbee, an infectious-disease expert at New York University's Tisch Hospital, received a disturbing call from the hospital's microbiology laboratory. At the time, Wetherbee was in charge of handling outbreaks of dangerous microbes in the hospital, and the laboratory had isolated a bacterium called Klebsiella pneumoniae from a patient in an intensive-care unit. "It was literally resistant to every meaningful antibiotic that we had," Wetherbee recalled recently. The microbe was sensitive only to a drug called colistin, which had been developed decades earlier and largely abandoned as a systemic treatment, because it can severely damage the kidneys.
"So we had this report, and I looked at it and said to myself, 'My God, this is an organism that basically we can't treat.'"

< - >

http://www.newyorker.com/reporting/2008/08/11/080811fa_fact_groopman?printable=true

From rforno at infowarrior.org Thu Aug 7 12:26:47 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 7 Aug 2008 08:26:47 -0400
Subject: [Infowarrior] - iPhone can phone home and kill apps?
Message-ID: <80100A44-2B6C-432F-84CE-E4FE1B1E7EDF@infowarrior.org>

(yet another reason why I won't ever own one of these things....how can you trust your device? will Apple reimburse you for apps you paid for that they decided to nix? I doubt it.......again, this is Apple dictating how they think you should use their devices and do things online........--rf)

http://www.iphoneatlas.com/

iPhone can phone home and kill apps?
Posted 6 August 2008 @ 11am in News

Apple has apparently included a blacklisting mechanism in iPhone OS 2.x via which the device can phone home, check for unauthorized applications, and disable them. The OS includes a URL that points to a page containing a list of unauthorized applications, specifically:

https://iphone-services.apple.com/clbl/unauthorizedApps

Per Jonathan Zdziarski, author of the book iPhone Open Application Development and an iPhone Forensics manual:

"This suggests that the iPhone calls home once in a while to find out what applications it should turn off. At the moment, no apps have been blacklisted, but by all appearances, this has been added to disable applications that the user has already downloaded and paid for, if Apple so chooses to shut them down.

"I discovered this doing a forensic examination of an iPhone 3G. It appears to be tucked away in a configuration file deep inside CoreLocation."
From rforno at infowarrior.org Thu Aug 7 15:55:31 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 7 Aug 2008 11:55:31 -0400
Subject: [Infowarrior] - Kaminsky: DNS bug worse than feared
Message-ID: <3AED5579-93F2-4E04-875F-F6C7E1BFF2C0@infowarrior.org>

Net address bug worse than feared
By Maggie Shiels
Technology reporter, BBC News, Silicon Valley
http://newsvote.bbc.co.uk/mpapps/pagetools/print/news.bbc.co.uk/2/hi/technology/7546557.stm

A recently found flaw in the internet's addressing system is worse than first feared, says the man who found it.

Dan Kaminsky made his comments when speaking publicly for the first time about his discovery at the Black Hat conference in Las Vegas.

He said fixes for the flaw in the net's Domain Name System (DNS) had focused on web browsers but it could be abused by hackers in many other ways.

"Every network is at risk," he said. "That's what this flaw has shown."

The DNS acts as the internet's address books and helps computers translate the website names people prefer (such as bbc.co.uk) into the numbers computers use (212.58.224.131).

Mr Kaminsky discovered a way for malicious hackers to hijack DNS and re-direct people to fake pages even if they typed in the correct address for a website.

In his talk Mr Kaminsky detailed 15 other ways for the flaw to be exploited. Via the flaw hi-tech criminals or pranksters could target FTP services, mail servers, spam filters, Telnet and the Secure Socket Layer (SSL) that helps to make web-based transactions more secure.

"There are a ton of different paths that lead to doom," he said.

'Hype'

But the DNS threat was played down by net giant VeriSign which issues many of the security certificates used in SSL. It told BBC News its system was "not vulnerable".

The Silicon Valley company looks after two of the net's 13 DNS root servers. It also controls the computers that contain the master list of domain name suffixes such as .com and .net

Ken Silva, chief technology officer at Verisign, said: "We have anticipated these flaws in DNS for many years and we have basically engineered around them."

He believed there had been "some hype" around how the DNS flaw will affect consumers. He added that while it was an interesting way to exploit DNS on weak servers, there were other ways to misdirect people that remained.

Mr Silva said he was concerned that people would read too much into the doom and gloom headlines that have surrounded the discovery of the DNS flaw.

"It's been overplayed in a sense. I think it has served to confuse the consumer into believing there is somehow now a way to misdirect them to a wrong site.

"The fact of the matter is that there have been many ways like phishing attacks to misdirect them for a long time and this is just yet another of those ways that will be surgically exploited."

Security gap

Mr Kaminsky kept news of the flaw out of the public domain for months after its discovery to give companies time to patch servers.

Mr Kaminsky said that 75% of Fortune 500 companies have fixed the problem while around 15% have done nothing.

Major vendors like Microsoft, Cisco, Sun Microsystems and others have issued patches to close the security hole.

"The industry has rallied like we've never seen the industry rally before," said Mr Kaminsky.

DNS attacks are not new but Mr Kaminsky is credited with discovering a way to link some widely known weaknesses in the system so that the attack now takes seconds instead of days or hours.

"Quite frankly, all the pieces of this have been staring us in the face for decades," said Paul Vixie, president of the Internet Systems Consortium, a non-profit that makes the software run by many of the world's DNS servers.

Mr Silva at VeriSign said even though patches have been put in place, this doesn't mean users can sit back and relax.

"The biggest gap in security rests between the keyboard and the back of the chair," he said.

"The look and feel of a website is not what a consumer should trust. They should trust the security behind that website and do simple things like use more secure passwords and change their password regularly."

Mr Silva said education is fundamental in making the net a safer place.

"We have been trained since we were young to lock the door to our house, our car. We take these sensible security measures in the environment we are functioning in.

"Yet when it comes to computer safety we forget to look both ways before crossing the internet highway."

Story from BBC NEWS:
http://news.bbc.co.uk/go/pr/fr/-/2/hi/technology/7546557.stm

Published: 2008/08/07 09:00:54 GMT
© BBC MMVIII

From rforno at infowarrior.org Fri Aug 8 16:09:27 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 8 Aug 2008 12:09:27 -0400
Subject: [Infowarrior] - Web delivers new worry for parents: Digital drugs
Message-ID:

Some Friday fear-mongering....after all, won't someone PLEASE think of the children?? -rf

Web delivers new worry for parents: Digital drugs

We all know that music can alter your mood. Sad songs can make you cry. Upbeat songs may give you an energy boost. But can music create the same effects as illegal drugs?

This seems like a ridiculous question. But websites are targeting your children with so-called digital drugs. These are audio files designed to induce drug-like effects. All your child needs is a music player and headphones.
< - >

Find this article at:
http://www.usatoday.com/tech/columnist/kimkomando/2008-08-07-digital-drugs_N.htm?csp=34

From rforno at infowarrior.org Fri Aug 8 16:15:46 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 8 Aug 2008 12:15:46 -0400
Subject: [Infowarrior] - CCC's USB Dongle Breaches Great Firewall of China
Message-ID: <2C9298A9-D458-48D6-B5A1-D0E847323CA0@infowarrior.org>

USB Dongle Breaches Great Firewall of China
By Charlie Sorrel
August 08, 2008 | 6:36:13 AM | Categories: Security
http://blog.wired.com/gadgets/2008/08/usb-dongle-brea.html

There's no doubt that the Chinese Olympics are high-tech. From the underwater, HD torpedo cam to the China Police Segway Division, the amount of gadgetry involved makes the Tour de France look like a kids' bike race. But what of that notorious anti-freedom surveillance system, the so-called Great Firewall of China? Journalists inside the country will have their access to certain websites blocked and, depending on your level of paranoia, they might even have their internet usage tracked.

The Freedom Stick gets around this problem. This €20 ($30) USB dongle is pre-loaded with software which will secure the communications of any computer it is slotted into. Made available by Germany's Chaos Computer Club, the stick uses the TOR (The Onion Router) network to cloak your connections, routing traffic around the world through anonymous computers, thus avoiding detection.

The stick will only be available throughout the duration of the games, so this is probably more of a propaganda exercise than anything else. You don't necessarily need to use a hardware solution -- TOR can be accessed with software only -- but sticking a thumbdrive into a public PC is a lot less suspicious than reconfiguring network settings and installing browser extensions.
From rforno at infowarrior.org Fri Aug 8 17:50:17 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 8 Aug 2008 13:50:17 -0400
Subject: [Infowarrior] - Court: DMCA doesn't apply to USG
Message-ID:

http://www.schneier.com/blog/archives/2008/08/dmca_does_not_a.html

According to a recent court ruling, we are all subject to the provisions of the DMCA, but the government is not:

The Court of Federal Claims that first heard the case threw it out, and the new Appellate ruling upholds that decision. The reasoning behind the decisions focuses on the US government's sovereign immunity, which the court describes thusly: "The United States, as [a] sovereign, 'is immune from suit save as it consents to be sued . . . and the terms of its consent to be sued in any court define that court's jurisdiction to entertain the suit.'" In the case of copyright law, the US has given up much of its immunity, but the government retains a few noteworthy exceptions. The one most relevant to this case says that when a government employee is in a position to induce the use of the copyrighted material, "[the provision] does not provide a Government employee a right of action 'where he was in a position to order, influence, or induce use of the copyrighted work by the Government.'" Given that Davenport used his position as part of the relevant Air Force office to get his peers to use his software, the case fails this test.

But the court also addressed the DMCA claims made by Blueport, and its decision here is quite striking. "The DMCA itself contains no express waiver of sovereign immunity," the judge wrote, "Indeed, the substantive prohibitions of the DMCA refer to individual persons, not the Government." Thus, because sovereign immunity is not explicitly eliminated, and the phrasing of the statute does not mention organizations, the DMCA cannot be applied to the US government, even in cases where the more general immunity to copyright claims does not apply.

It appears that Congress took a "do as we say, not as we need to do" approach to strengthening digital copyrights.

From rforno at infowarrior.org Sat Aug 9 02:43:54 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 8 Aug 2008 22:43:54 -0400
Subject: [Infowarrior] - Pilots: Airlines Forcing Us To Fly Low On Fuel
Message-ID:

Pilots: To Cut Costs, Airlines Forcing Us To Fly Low On Fuel
JOAN LOWY | August 8, 2008 12:23 PM EST | AP
http://www.huffingtonpost.com/2008/08/08/pilots-to-cut-costs-airli_n_117872.html

WASHINGTON - Pilots are complaining that their airline bosses, desperate to cut costs, are forcing them to fly uncomfortably low on fuel. Safety for passengers and crews could be compromised, they say.

The situation got bad enough three years ago, even before the latest surge in fuel prices, that NASA sent a safety alert to federal aviation officials. No action.

Since then, pilots, flight dispatchers and others have continued to sound off with their own warnings, yet the Federal Aviation Administration says there is no reason to order airlines to back off their effort to keep fuel loads to a minimum.

"We can't dabble in the business policies or the personnel policies of an airline," said FAA spokesman Les Dorr. He said there was no indication safety regulations were being violated.

The September 2005 safety alert was issued by NASA's confidential Aviation Safety Reporting System, which allows air crews to report safety problems without fear their names will be disclosed.

"What we found was that because they carried less fuel on the airplane, they were getting into situations where they had to tell air traffic control, 'I need to get on the ground,'" said Linda Connell, director of the NASA reporting system.

With fuel prices now their biggest cost, airlines are aggressively enforcing new policies designed to reduce consumption.
In March, for example, an airline pilot told NASA he landed his regional jet with less fuel than required by FAA regulations. "Looking back," he said, "I would have liked more gas yesterday." He also complained that his airline was "ranking" captains according to who landed with the least amount.

A month earlier, a Boeing 747 captain reported running low on fuel after meeting strong headwinds crossing the Atlantic en route to John F. Kennedy International Airport in New York. He said he wanted to stop to add fuel but continued on to Kennedy after consulting his airline's operations manager, who told him there was adequate fuel aboard the jet.

When the plane arrived at Kennedy, the captain said it had so little fuel that had there been any delay in landing, "I would have had to declare a fuel emergency" - a term that tells air traffic controllers a plane needs immediate priority to land.

The last major U.S. air crash attributed to low fuel was on Jan. 25, 1990, when an Avianca Boeing 707 ran out while waiting to land at Kennedy. Seventy-three of 158 aboard were killed.

FAA regulations require airliners to take off with enough fuel to reach their destination or an alternate airport, plus another 45 minutes of flight. The regulations also say it's up to dispatchers and pilots to decide the size of fuel loads, with pilots making the final call.

Spare fuel beyond the minimum required by FAA is often added to airliners to allow for weather or airport delays. That adds weight, which burns more fuel and increases a plane's operating cost.

A Washington-to-Los Angeles flight by an Airbus 320 with 150 passengers burns about 29,500 pounds, or 4,300 gallons, of fuel. That costs about $14,600. Adding an additional 1,500 pounds, about 219 gallons, would cost about $750 more.

Complaints about airlines scrimping on fuel aren't limited to those submitted to the NASA system.

Labor unions at two major airlines - American Airlines and US Airways - have filed complaints with FAA, saying the airlines are pressuring members not to request spare fuel for flights.

American notified dispatchers on July 7 that their records on fuel approved for flights would be monitored, and dispatchers not abiding by company guidelines could ultimately be fired. American said its fuel costs this year were expected to increase to $10 billion, a 52 percent increase over 2007.

"The additional cost of carrying unnecessary fuel adversely affects American's financial success," the airline told dispatchers in a letter.

Union officials responded that "it appears safety has become a second thought" for the company.

At US Airways, the pilots' union took out an ad in USA Today on July 16 charging that eight senior captains had been singled out by the company for requesting extra fuel and had been required to attend training sessions. The union said the training order was a message to other pilots not to request extra fuel.

American and US Airways blame the complaints on heated labor negotiations - both are in contract talks with the complaining unions.

"It's not a safety issue; it's a contract issue," said John Hotard, a spokesman for American.

US Airways said in a statement to its employees that the eight captains had been adding fuel "well in excess of the norm."

FAA spokeswoman Laura Brown said the agency has conducted several analyses of airline fuel practices but found no instances of the minimum being violated or pilots' fuel requests being denied.

"We didn't see any proposed changes we thought needed to be made," Brown said.

Department of Transportation Inspector General Calvin Scovel recommended in April that the FAA take a nationwide look at airline fuel practices. Five months later, the agency is still developing a survey to send to its inspectors at each airline and has no schedule for sending it out.

Scovel also said the number of pilots reporting low fuel on approach to Newark Liberty International Airport tripled from 2005 to 2007. More than half were Continental Airlines flights, the dominant carrier at Newark. He suggested the airline was pressuring pilots "to either not stop for fuel when needed or to carry insufficient amounts of fuel."

His letter cited two bulletins from Continental's management urging pilots and flight crews to cut back on fuel, including one that noted "adding fuel indiscriminately reduces profit sharing and possibly pension funding."

But Scovel's review of 20 Newark-bound flights - out of 151 reporting low fuel on approach in 2007 - found none with less than 45 minutes' worth of spare fuel.

Former National Transportation Safety Board Chairman Jim Hall said the situation merits an industrywide investigation by Scovel.

"It's a safety-of-flight issue and it needs to be treated as such," said Hall, now a transportation safety consultant. "If dispatchers and pilots are saying the airlines are pressuring them, and it's having a chilling effect on the decisions they make every day in regard to the fuel loads, and it looks like it's eroding the authority of the pilot in command, then that issue needs the attention of the government regulators who are there to oversee the system."

___

Associated Press Writer David Koenig in Dallas contributed to this report.
From rforno at infowarrior.org Sat Aug 9 02:56:53 2008 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 8 Aug 2008 22:56:53 -0400 Subject: [Infowarrior] - Vista security 'rendered useless' by researchers Message-ID: <9DE52E91-36F4-4F7E-B817-A81DF614D96E@infowarrior.org>

Windows Vista security 'rendered useless' by researchers
By Dennis Fisher, Executive Editor
07 Aug 2008 | SearchSecurity.com
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1324395,00.html

LAS VEGAS -- Two security researchers have developed a new technique that essentially bypasses all of the memory protection safeguards in the Windows Vista operating system, an advance that many in the security community say will have far-reaching implications not only for Microsoft, but also on how the entire technology industry thinks about attacks.

In a presentation at the Black Hat briefings, Mark Dowd of IBM Internet Security Systems (ISS) and Alexander Sotirov of VMware Inc. will discuss the new methods they've found to get around Vista protections such as Address Space Layout Randomization (ASLR), Data Execution Prevention (DEP) and others by using Java, ActiveX controls and .NET objects to load arbitrary content into Web browsers.

By taking advantage of the way that browsers, specifically Internet Explorer, handle active scripting and .NET objects, the pair have been able to load essentially whatever content they want into a location of their choice on a user's machine. Researchers who have read the paper that Dowd and Sotirov wrote on the techniques say their work is a major breakthrough and there is little that Microsoft can do to address the problems. The attacks themselves are not based on any new vulnerabilities in IE or Vista, but instead take advantage of Vista's fundamental architecture and the ways in which Microsoft chose to protect it.

"The genius of this is that it's completely reusable," said Dino Dai Zovi, a well-known security researcher and author.
"They have attacks that let them load chosen content to a chosen location with chosen permissions. That's completely game over.

"What this means is that almost any vulnerability in the browser is trivially exploitable," Dai Zovi added. "A lot of exploit defenses are rendered useless by browsers. ASLR and hardware DEP are completely useless against these attacks."

Many of the defenses that Microsoft added to Vista and Windows Server 2008 are designed to stop host-based attacks. ASLR, for example, is meant to prevent attackers from predicting target memory addresses by randomly moving things such as a process's stack, heap and libraries. That technique is useful against memory-corruption attacks, but Dai Zovi said that against Dowd's and Sotirov's methods, it would be of no use.

"This stuff just takes a knife to a large part of the security mesh Microsoft built into Vista," Dai Zovi said. "If you think about the fact that .NET loads DLLs into the browser itself and then Microsoft assumes they're safe because they're .NET objects, you see that Microsoft didn't think about the idea that these could be used as stepping stones for other attacks. This is a real tour de force."

Microsoft officials have not responded to Dowd's and Sotirov's findings, but Mike Reavey, group manager of the Microsoft Security Response Center, said Wednesday that the company is aware of the research and is interested to see it once it becomes public.
Dai Zovi stressed that the techniques Dowd and Sotirov use do not rely on specific vulnerabilities. As a result, he said, there may soon be similar techniques applied to other platforms or environments.

"This is not insanely technical. These two guys are capable of the really low-level technical attacks, but this is simple and reusable," Dai Zovi said. "I definitely think this will get reused soon, sort of like heap spraying was."

From rforno at infowarrior.org Sat Aug 9 14:55:10 2008 From: rforno at infowarrior.org (Richard Forno) Date: Sat, 9 Aug 2008 10:55:10 -0400 Subject: [Infowarrior] - Massachusetts Agency Sues To Stop Presentation Message-ID:

Paul's hit the nail on the head here -- suing won't stop the knowledge from getting out, it'll only draw more attention to your "problem" and motivate others to try and exploit it. And the requested TRO? What a joke. --rf

From: Paul Ferguson

Via El Reg.

[snip]

A transit agency in New England has filed a federal lawsuit to stop three Massachusetts Institute of Technology grad students from publicly presenting research at Defcon demonstrating gaping security holes in two of the agency's electronic payment systems. The Massachusetts Bay Transit Authority (MBTA) also named MIT in the 17-page complaint, which seeks unspecified monetary damages for violation of the computer fraud and abuse act, negligent supervision and other causes of action. It also requests a temporary order preventing the students from "publicly stating or indicating that the security or integrity" of the MBTA's systems has been compromised.

[snip]

More: http://www.theregister.co.uk/2008/08/09/defcon_speakers_sued/

Anyone ever heard of "The Streisand Effect"?
http://en.wikipedia.org/wiki/Streisand_effect

From rforno at infowarrior.org Sat Aug 9 14:57:03 2008 From: rforno at infowarrior.org (Richard Forno) Date: Sat, 9 Aug 2008 10:57:03 -0400 Subject: [Infowarrior] - Court Order Sought to Halt DefCon Talk about Transit Card Vulnerability Message-ID:

(Here we go again....cluelessness + Streisand effect, indeed. --rf)

Court Order Sought to Halt DefCon Talk about Transit Card Vulnerability
By Kim Zetter
August 08, 2008 | 2:45:00 AM
http://blog.wired.com/27bstroke6/2008/08/injunction-requ.html

LAS VEGAS -- The Massachusetts Bay Transportation Authority filed a suit in federal court on Friday seeking a temporary restraining order to prevent three undergraduate students from the Massachusetts Institute of Technology from presenting a talk at the DefCon hacker conference this weekend about security vulnerabilities in payment systems used in the Massachusetts mass transit system.

The transit authority, known as the MBTA, is seeking to prevent the students from "publicly stating or indicating" that electronic passenger tickets used on the transit system have been compromised until the MBTA can fix security flaws in the system. It further seeks to bar the students from releasing any tools or providing any information that would allow someone to hack the transit system and obtain free rides. The MBTA says disclosure of the flaws, before it has a chance to fix them, will cause irreparable harm to the transit system.

The three student researchers, Zack Anderson, R.J. Ryan and Alessandro Chiesa, are scheduled to give a talk Sunday afternoon entitled "The Anatomy of a Subway Hack: Breaking Crypto RFIDs & Magstripes of Ticketing Systems."
According to a description of the talk posted on the conference web site, the students plan to discuss vulnerabilities in the fare collection system of Boston's T subway system and to demonstrate how they reverse engineered the mag stripe on paper passenger tickets known as the CharlieTicket as well as how they cracked the smartcard tickets known as the CharlieCard. They also plan to release several open source tools that they created in the course of their transit card research.

The MBTA, which oversees the T subway, operates the fifth largest transit system in the United States, servicing 175 towns and cities. It uses both the CharlieTicket and the CharlieCard in its passenger payment system. The CharlieCard, which was first used in January 2007, provides the MBTA with nearly $500,000 in revenue per weekday, according to the court documents. More than 68 percent of passengers use it to pay their fare.

The CharlieCard is a MiFare Classic card, which was the subject of much controversy earlier this year after Dutch researchers showed how they were able to hack the cards. But the MBTA says in the court papers that it has substantially enhanced the security of its MiFare cards with proprietary encryption, making previously reported flaws with the MiFare Classic card irrelevant to the CharlieCard.

The MBTA filed its suit in the U.S. District Court in Massachusetts against the three students and their university, stating that the students violated the Computer Crime and Fraud Act in accessing protected MBTA computers without authorization to conduct their research. The MBTA also asserts that MIT and the students' supervisor, computer science professor Ron Rivest, failed to properly supervise the students to prevent them from attacking and harming the transit system.

The MBTA first became aware of the researchers' talk on July 30 when one of its vendors pointed it to the DefCon web site where the talk was listed on the conference schedule.
A description of the talk began with the provocative line, "Want free subway rides for life?" and discussed how the researchers socially engineered transit employees to accomplish their hack of the transit cards.

On August 5th, the court documents reveal, a detective with the transit police and an FBI agent met with the MIT students, Rivest, and an MIT lawyer to discuss their concerns and inquire about what the students would disclose in their talk. But the students would not provide the MBTA with a copy of the materials they planned to present in their talk or information about the security flaws they found in the transit system.

After that meeting, however, the MBTA says the description of the talk on the conference web site was altered to delete the reference to "free subway rides for life" and alter the comment about social engineering transit employees. (The image below right, taken from the court document, shows changes made to the description of the talk. Text with a line through it indicates deletions; underlined words indicate additions. The original description still appears in the printed version of the schedule that is being handed out to conference attendees.)

The MBTA asserted in the court filing that it sought the restraining order on Friday after again requesting, and failing to receive from the students, a copy of their presentation materials.

Efforts to reach the three students and the MBTA for comment were unsuccessful. A spokeswoman for the DefCon conference said she was aware that the MBTA had met with the students to discuss the talk but thought the meeting had satisfied the MBTA's concerns. She was not aware that the MBTA had gone to court to halt the talk.
From rforno at infowarrior.org Sat Aug 9 15:04:23 2008 From: rforno at infowarrior.org (Richard Forno) Date: Sat, 9 Aug 2008 11:04:23 -0400 Subject: [Infowarrior] - Surfing Google may be harmful to your security Message-ID: <3B5199A2-4AC3-4FD8-9B0F-825747AA3155@infowarrior.org>

Surfing Google may be harmful to your security
When gadgets attack
By Dan Goodin in Las Vegas
Published Saturday 9th August 2008 13:02 GMT
http://www.theregister.co.uk/2008/08/09/google_gadget_threats/

A well-known researcher specializing in website security has strongly criticized safety on Google, arguing the world's biggest search engine needlessly puts its millions of users at risk.

"Google is and will be and always has been vulnerable," Robert Hansen, CEO of secTheory, told a standing-room-only audience at the Defcon security conference in Las Vegas. "They haven't been open with consumers. Ultimately, this all comes down to the fact that they just want to track you guys."

At issue is Google's policy of hosting untested third-party applications that users can automatically embed into personalized Google home pages. During a talk titled "Xploiting Google Gadgets: Gmalware & Beyond," Hansen and fellow researcher Tom Stracener laid out a variety of attacks that can be unleashed using the programs.

The most devastating is the ability of Google gadgets to immediately redirect victims who log into iGoogle.com to a page under the control of an attacker. This creates a phishing hazard, particularly for less tech-savvy users who don't know to check the browser bar. Even if they do, the bar shows up at gmodules.com, an address many mistakenly believe is safe because it is maintained by Google.

Hansen, who frequently goes by the moniker Rsnake, said he discussed the vulnerability with Google security engineers, and they told him the redirection was a feature rather than a flaw.
Google gadgets make other attacks possible, including the ability to:

* carry out port scanning on a victim's internal network to conduct surveillance
* use cross-site request forgery techniques to force victim PCs to follow links to malicious sites (for instance, those that host child pornography), and
* cause a victim's browser to access a home router and change domain name system server addresses or other sensitive settings.

Hansen and Stracener acknowledged that in-the-wild attacks that use Google gadgets are rare, but they said that's likely to change. "Once money actually starts flowing through, once the financial incentive for malware exists, then you're going to start seeing more of this type of thing pop up," Stracener said.

Google representatives didn't respond to an email requesting comment for this story. They told the Associated Press that the company regularly scans gadgets for malicious code, and in the "very rare" occasions bad applications are found, they are immediately quarantined. The speakers took strong exception to Google's claim. They've had several proof-of-concept gadgets hosted for months on Google, and so far they've never been removed, they said.

From rforno at infowarrior.org Sat Aug 9 15:06:48 2008 From: rforno at infowarrior.org (Richard Forno) Date: Sat, 9 Aug 2008 11:06:48 -0400 Subject: [Infowarrior] - Email and Cell Phone Privacy Threatened in Two Separate Court Cases Message-ID:

EFF Battles Dangerous Attempts to Circumvent Electronic Privacy Law
Email and Cell Phone Privacy Threatened in Two Separate Court Cases

San Francisco - The Electronic Frontier Foundation (EFF) has filed friend-of-the-court briefs in two key electronic privacy cases that threaten to expand the government's spying authority.

In the first case, Bunnell v. Motion Picture Association of America (MPAA), EFF filed a brief with the 9th U.S.
Circuit Court of Appeals arguing that federal wiretapping law protects emails from unauthorized interception while they are temporarily stored on the email servers that transmit them. This case was brought against the MPAA by the owners and operators of TorrentSpy, a search engine that let Internet users locate files on the BitTorrent peer-to-peer network. After a business dispute, one of TorrentSpy's independent contractors hacked into the company email server and configured it to copy and forward all incoming and outgoing email to his personal account and then sold the information to the MPAA. However, the federal district court ruled that because the emails were stored on the mail server for several milliseconds during transmission, they were not technically "intercepted" under the federal Wiretap Act.

In its amicus brief filed Friday, EFF argues that this dangerous ruling is incorrect as a matter of law and must be overturned in order to prevent the government from engaging in similar surveillance without a court order.

"The district court's decision, if upheld, would have dangerous repercussions far beyond this single case," said EFF Senior Staff Attorney Kevin Bankston. "That court opinion -- holding that the secret and unauthorized copying and forwarding of emails while they pass through an email server is not an illegal interception of those emails -- threatens to wholly eviscerate federal privacy protections against Internet wiretapping and to authorize the government to conduct similar email surveillance without getting a wiretapping order from a judge."

The second case concerns a request by the Department of Justice (DOJ) to a federal magistrate judge in Pennsylvania for authorization to obtain cell phone location tracking information from a mobile phone provider without probable cause.
The magistrate instead demanded that the DOJ obtain a search warrant based on probable cause, and the DOJ appealed that decision to the federal district court in the Western District of Pennsylvania. In an amicus brief filed Thursday, EFF urged the district court to uphold the magistrate's ruling and protect cell phone users' location privacy.

"Location information collected by cell phone companies can provide an extraordinarily invasive glimpse into the private lives of cell phone users. Courts have the right under statute -- and the duty under the Fourth Amendment -- to demand that the government obtain a search warrant based on probable cause before seizing such sensitive information," said Bankston. "This is only the latest of many cases where EFF has been invited to brief judges considering secret surveillance requests that aren't supported by probable cause. We hope this court recognizes the serious Fourth Amendment questions that are raised by warrantless access to cell phone location information and affirms the magistrate's denial of the government's surveillance request."

The American Civil Liberties Union (ACLU), the ACLU-Foundation of Pennsylvania, and the Center for Democracy and Technology (CDT) also joined EFF's brief.

For the full amicus brief in Bunnell v. MPAA:
http://www.eff.org/files/filenode/Bunnell_v_MPAA/BunnellAmicus.pdf

For the full amicus brief in the cell phone records case:
http://www.eff.org/files/filenode/celltracking/LenihanAmicus.pdf

For more on cell phone tracking:
http://www.eff.org/issues/cell-tracking

Contacts:
Kevin Bankston, Senior Staff Attorney, Electronic Frontier Foundation, bankston at eff.org
Marcia Hofmann, Staff Attorney, Electronic Frontier Foundation, marcia at eff.org
Matt Zimmerman, Senior Staff Attorney, Electronic Frontier Foundation, mattz at eff.org

From rforno at infowarrior.org Sat Aug 9 15:07:36 2008 From: rforno at infowarrior.org (Richard Forno) Date: Sat, 9 Aug 2008 11:07:36 -0400 Subject: [Infowarrior] - New US security head advocates partnership at Black Hat Message-ID:

New US security head advocates partnership at Black Hat
By Joel Hruska | Published: August 08, 2008 - 12:44PM CT
http://arstechnica.com/news.ars/post/20080808-new-security-head-keynotes-black-hat-advocates-partnership.html

The head of the newly formed National Cyber Security Center, Rod Beckstrom, was one of Black Hat's keynote speakers this year, even though he's not actually a cyber security expert. Beckstrom is the co-author of a book entitled The Starfish and the Spider: The Unstoppable Power of Leaderless Organizations, and was presumably tapped to lead the NCSC based on his book's insights into the function of centralized organizations vs. decentralized organizations. Organizational principles might not seem to have very much to do with cyber security, but the two issues align more readily than may be immediately apparent. The rise of the Internet over the past decade has fueled the growth of a number of decentralized organizations and structures, many of which now challenge older, centralized systems. Wikipedia has tussled with Encyclopedia Britannica, and the RIAA has fought the dispersal of digital content distribution tooth and nail, to name just two examples.
Beckstrom's ideas map quite well to both real-world and online security concerns. In the 20th century, nation-states were seen as the primary security threat against which other nation states defended themselves. In the post Cold War era, this has changed; terrorist cells and paramilitary forces are now the primary threats against which nations defend themselves. Conventional, centralized military tactics are of limited effectiveness against such decentralized groups, as has been demonstrated by America's struggle to gain control of Iraq and Afghanistan.

Cyber security threats have evolved in a similar manner. When Clifford Stoll began his investigation into a 75 cent billing error while working at the Lawrence Berkeley National Laboratory in the mid-1980s, he uncovered the trail of hacker Markus Hess, a West German citizen who ultimately proved to be in the employ of the KGB. Twenty years later, governments may still employ their own black hat teams for various covert operations, but the vast, vast majority of the Trojans shoveled out into the Internet every day are deployed for profit, not espionage. What was once a nation-to-nation attack vector has now decentralized, diffused. Chinese gold farmers are far more interested in the contents of my World of Warcraft account than the Chinese government is interested in the contents of my hard drive.

Because of the diffuse threat, securing United States interests against potential cyber security risks will require cooperation across the entire security industry. Beckstrom's role, and the NCSC's mandate, is to foster this type of decentralized approach. In his speech at Black Hat, Beckstrom praised the work of security companies and organizations that have coordinated the industry-wide effort to repair the DNS problem, and implied that such efforts are an absolute necessity for tackling future security issues.
Beckstrom called for investment in protocol security, saying it "may be the cheapest security dollars we can invest," and referred to the recent DNS vulnerability as an example of how an insecure protocol can continue to cause problems even after repeated attempts to repair the damage.

The NCSC is just four months old, and Beckstrom's lack of technical knowledge could prove to be a problem down the road, but his perception of modern security as a struggle between centralized and decentralized forces seems spot-on. These conflicts may be inevitable as society evolves to make use of modern technology, but there seems little question that cyber security would benefit from cooperation between the government and the various facets of the white (or even gray) hat security industry.

From rforno at infowarrior.org Sat Aug 9 15:15:47 2008 From: rforno at infowarrior.org (Richard Forno) Date: Sat, 9 Aug 2008 11:15:47 -0400 Subject: [Infowarrior] - 'Cybersecurity commission' to proffer advice to next president Message-ID: <4D983E5C-A92D-4326-8A37-0526BAC94509@infowarrior.org>

'Cybersecurity commission' to proffer advice to next president
Posted by Declan McCullagh
http://news.cnet.com/8301-13578_3-10009603-38.html

LAS VEGAS--Transitions between presidential administrations are typically influence-peddling, power-consolidating, appointee-vetting exercises run by Washington insiders. Perhaps that's why the quintessential Washington think tank, the Center for Strategic and International Studies, is trying to insert itself into the process.

The private organization, which has close ties to the U.S. military and counts Henry Kissinger on its payroll, has gathered about 35 people and awarded them the official-sounding title of "Commission on Cyber Security for the 44th Presidency." Adding to the formality are some closed-to-the-public meetings and ex-officio members from federal agencies, congressional offices, and the nebulous "intelligence community."
The group's mandate is unusually broad: developing a "forward-looking framework for organizing and prioritizing government efforts to secure cyberspace." But four of its members indicated on Wednesday that the commission is focused on compiling no more than five recommendations and will not be proposing legislation or suggesting dramatic changes.

Marcus Sachs, Verizon's director of national security policy, a former government official, and a commission member, said that stealthy cyberintrusions were a real threat to the security of today's networks. "In the transition between the Clinton and Bush presidencies in late 2000, there was no group doing what we're doing now...trying to tee up cybersecurity as an agenda item," Sachs said during a panel discussion at the Black Hat security conference here.

"What we're really trying to figure out is how to collaborate" between government and industry, said Peter Allor, an IBM security program manager and a commission member. "Information sharing is broken. It's a one-way send."

[Video caption: Marcus Sachs, who helped create the National Strategy to Secure Cyberspace and now an executive director for government affairs at Verizon, talks at Black Hat 2008 about the origin of the Commission on Cyber Security and the challenges it will face with a new presidential administration. (Credit: Elinor Mills/CNET News)]

Of course, calling for better information-sharing is like promising to clean up Washington: everyone says it's a good idea, but nothing ever seems to happen. (CNET News, for example, published an interview in 2002 in which the head of the Partnership for Critical Infrastructure Security said better "information sharing" was a "strategic area." In a 2004 follow-up, a senator said "we need a complete system of information sharing" between the private sector and the government.)

One panelist said that the FBI's "InfraGard" information-sharing relationships with the private sector shouldn't change.
"We're not recommending to do away with InfraGard," said Jerry Dixon, director of analysis at the Team Cymru research firm, a former Homeland Security official, and a commission member. "That's something that the executive departments have set up... We're certainly not recommending to do away with those different partnerships because they belong to the different departments."

The CSIS panel is composed mostly of industry, government, and ex-government types. Among the other members: Mary Ann Davidson, Oracle's chief security officer; Doug Maughan, a Homeland Security program manager; Will Pelgrin of New York's cybersecurity office; Phil Reitinger, a Microsoft security strategist; and Amit Yoran, chairman of NetWitness and a former Homeland Security official. The commission plans to publish the final report in "early November" and, perhaps, an earlier draft for public comment.

"It has to be elevated to the highest echelons of this government and internationally," Tom Kellermann, a vice president at Core Security Technologies, a former World Bank security official, and a commission member, said, referring to cybersecurity topics. "We're losing the war. It's essential. That's the key theme of the recommendations that will come out."

The difficulty is making sure a President McCain or President Obama pays attention to them. The ACLU, for example, presented the incoming President Clinton with a briefing book called "Restoring Civil Liberties: A Blueprint for Action." As it turned out, Clinton embraced the notorious Clipper chip, mandatory wiretapping rules, and attempts to ban encryption products without backdoors for government surveillance.

Then again, even if the CSIS commission finds its recommendations ignored, the identities of its members may not be. In Washington, joining commissions like this one serves a convenient secondary purpose: it just happens to circulate your biography to the people who are doing the hiring for the new president.
From rforno at infowarrior.org Sat Aug 9 15:24:46 2008 From: rforno at infowarrior.org (Richard Forno) Date: Sat, 9 Aug 2008 11:24:46 -0400 Subject: [Infowarrior] - F.B.I. Says It Obtained Reporters' Phone Records Message-ID:

F.B.I. Says It Obtained Reporters' Phone Records
By THE NEW YORK TIMES
Published: August 8, 2008
http://www.nytimes.com/2008/08/09/washington/09inquire.html

WASHINGTON - The Federal Bureau of Investigation said Friday that it had improperly obtained the phone records of reporters for The New York Times and The Washington Post in the newspapers' Indonesia bureaus in 2004.

Robert S. Mueller III, director of the F.B.I., disclosed the episode in a phone call to Bill Keller, the executive editor of The Times, and apologized for it. He also spoke with Leonard Downie Jr., the executive editor of The Washington Post, to apologize.

F.B.I. officials said the incident came to light as part of the continuing review by the Justice Department inspector general's office into the bureau's improper collection of telephone records through "emergency" records demands issued to phone providers. The records were apparently sought as part of a terrorism investigation, but the F.B.I. did not explain what was being investigated or why the reporters' phone records were considered relevant.

The Justice Department places a high bar on the collection of reporters' records in investigations because of First Amendment concerns, and obtaining such records requires the approval of the deputy attorney general. That requirement was not followed when the F.B.I. obtained the records of two reporters for The Times in Indonesia, Raymond Bonner and Jane Perlez, as well as two reporters there for The Post, Ellen Nakashima and Natasha Tampubolon, officials said.

"The F.B.I.
is committed to protecting the news media consistent with the First Amendment and Department of Justice policies, and we very much regret that this situation occurred," Valerie Caproni, general counsel for the bureau, wrote in a letter to Mr. Keller faxed Friday.

Ms. Caproni said the telephone records, which list the numbers that were called but do not show the calls' content, had been purged from the F.B.I.'s databases. She also said the records were not used as part of any investigation.

But Mr. Downie said it was not clear to him why the F.B.I. was interested in his reporters' records in the first place. "I want to find more about what this is about," he said. "We will be asking our general counsel to advise us on what more we should be doing about this."

Mr. Keller said: "I told the director that it was gracious of him to apologize. Of course, we'd still like to know more about how this happened and how the bureau is securing against similar violations in the future."

An initial report by the inspector general last year found that the F.B.I. had violated its own policies in tens of thousands of cases by obtaining phone records in terrorism investigations through what are known as national security letters, without first getting needed approval or meeting other standards. In some cases, the F.B.I. used a whole new class of demands - emergency or "exigent" letters - that are not authorized by law. The emergency records were used in the Indonesian episode.

The inspector general's findings have prompted outrage in Congress, with leading lawmakers calling for greater checks on the F.B.I.'s ability to gather private information in terrorism investigations. But bureau officials say they have instituted internal reforms to solve the problem.
http://www.nytimes.com/2008/08/09/washington/09inquire.html

From rforno at infowarrior.org Sat Aug 9 15:40:21 2008 From: rforno at infowarrior.org (Richard Forno) Date: Sat, 9 Aug 2008 11:40:21 -0400 Subject: [Infowarrior] - How Commercialism is Over-Running the Olympics Message-ID: <7B84C52C-AF5D-4B6D-BE91-45D06F3F4F1C@infowarrior.org>

Interesting commentary on the biggest media hype of the year short of the US presidential elections. -rf

Summary: How Commercialism is Over-Running the Olympics
The Commercial Games
http://www.counterpunch.org/weissman08062008.html

Full Report: "The Commercial Games" is available at:
http://www.multinationalmonitor.org/2008olympics/TheCommercialGames.pdf

From rforno at infowarrior.org Sat Aug 9 16:52:44 2008 From: rforno at infowarrior.org (Richard Forno) Date: Sat, 9 Aug 2008 12:52:44 -0400 Subject: [Infowarrior] - Army creates team to review security at biolab Message-ID: <1CDF502F-B6CC-4570-A18F-00EC2B1D4FD8@infowarrior.org>

Army creates team to review security at biolab
Associated Press
Published: Friday August 8, 2008
http://rawstory.com/news/2008/Army_creates_team_to_review_security_0808.html

WASHINGTON -- The Army has created a team of medical and other military experts to review security measures at the research laboratory where the scientist linked to the anthrax mailings worked.

Army Secretary Pete Geren has asked at least a dozen military and civilian officials to scrutinize safety procedures, quality controls and other policies and practices at the biodefense lab at Fort Detrick, Md., Army spokesman Paul Boyce said Friday.

To date, the Army has offered no explanation for how its biosecurity system, which is set up to catch mentally troubled workers, failed to flag scientist Bruce Ivins for years. Ivins, the microbiologist accused of sending anthrax-laced letters in 2001 that killed five people, committed suicide last week as the FBI began closing in on him.
Boyce said Friday that Geren met with military officials on Thursday night, then traveled to the high-security Army Medical Research Institute of Infectious Diseases, known as USAMRIID, at Fort Detrick on Friday morning to talk with leaders there.

Boyce said the team, which is only now being formed, is not targeting individuals but instead will be reviewing documents, procedures and other safety measures to ensure security at the military biodefense lab.

The facility has come under intense public scrutiny as more details have spilled out about therapists' concerns that in recent years Ivins had become paranoid, delusional and bent on violence. Investigators said that between 2000 and 2006, Ivins had been prescribed antidepressants, antipsychotics and anti-anxiety drugs. By 2005 the government had matched anthrax in his lab to the strain that killed five people. It wasn't until November 2007, after the FBI raided his home, that Fort Detrick revoked Ivins' laboratory access.

Army officials have declined to discuss any other efforts to either watch Ivins more closely or put other restrictions on him prior to the November action. Instead, they have stressed that safety procedures at the lab have included ongoing personnel evaluations, which rely largely on employees self-reporting medical or criminal problems and on observations by other workers and supervisors.

Boyce said the impending review will be headed by a two-star general, and will include representatives from the medical research command, the Army's surgeon general, and Army operations.

From rforno at infowarrior.org Sun Aug 10 00:01:41 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 9 Aug 2008 20:01:41 -0400
Subject: [Infowarrior] - More on ... Defcon talk cancellation shenanigans
Message-ID: <2AD393E3-151A-45FA-994A-BB0910FEB193@infowarrior.org>

Wired's Kim Zetter updates us...
http://blog.wired.com/27bstroke6/2008/08/injunction-requ.html

UPDATE: The Electronic Frontier Foundation is representing the students. A hearing in the case occurred this morning in Massachusetts and a judge issued the restraining order. Jennifer Granick, an attorney with the Electronic Frontier Foundation, said through a DefCon spokeswoman that EFF advised the students to pull their talk.

UPDATE II: Among the documents the MBTA filed with its declaration to the court today is a vulnerability assessment report (.pdf) that the three students gave the MBTA about the flaws in its system. The document is dated August 8, the day the MBTA filed its lawsuit against the students, and is essentially the information the students declined to give the MBTA before it filed its lawsuit. Ironically, the document reveals more about the vulnerability in the MBTA system than the slides that the restraining order sought to suppress contain. The vulnerability assessment report is now available for anyone to download from the Massachusetts court's electronic records system.

The EFF will be holding a press conference at DefCon this afternoon to discuss the case.

From rforno at infowarrior.org Sun Aug 10 04:43:42 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 10 Aug 2008 00:43:42 -0400
Subject: [Infowarrior] - Defcon MBTA Presentation Mirror
Message-ID: <580090F8-96B2-46F0-9DB9-F5C35DDB9879@infowarrior.org>

For those interested, here is the "controversial" MBTA presentation from DefCon this weekend (PDF), along with the MBTA's *public* court filings related to the TRO, and a copy of a confidential report made to the MBTA by the same presenters that apparently is dated 8 August as shown on Wired's website late this afternoon.
http://infowarrior.org/users/rforno/mirror/

More info:

Wired's coverage:
http://feeds.feedburner.com/~r/wired27b/~3/360219474/injunction-requ.html

Chris Wysopal's Veracode Blog
http://www.veracode.com/blog/?p=189

Alternate Mirror: http://www.cryptome.org/

The Streisand Effect strikes again -- same stuff, different year.

-rick
infowarrior.org

From rforno at infowarrior.org Sun Aug 10 14:21:59 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 10 Aug 2008 10:21:59 -0400
Subject: [Infowarrior] - Federal Judge in DefCon Case Equates Speech with Hacking
Message-ID:

Federal Judge in DefCon Case Equates Speech with Hacking
By Kim Zetter
August 10, 2008 | 6:55:40 AM
http://blog.wired.com/27bstroke6/2008/08/eff-to-appeal-r.html

LAS VEGAS -- Lawyers with the Electronic Frontier Foundation said a federal judge who granted a temporary restraining order on Saturday to halt a scheduled conference talk about security vulnerabilities came to "a very, very wrong conclusion." They said the judge's order constituted illegal prior restraint, which violated the speakers' First Amendment right to discuss important and legitimate academic research.

"When you discuss security issues, if you are telling the truth, that should be something protected at the core of the First Amendment," said Kurt Opsahl, senior staff attorney for the non-profit EFF. "If you are truthfully telling the world about a dangerous situation, and (it is) a situation which is dangerous not because the security researcher exposes the vulnerability (but) because the person who made the product . . . made the vulnerability, (then) this should be core speech."

Opsahl was speaking at a press conference at the DefCon hacker conference in Las Vegas on Saturday after District Judge Douglas Woodlock of the U.S. District Court in Massachusetts granted a temporary restraining order requested by the Massachusetts Bay Transit Authority.
The MBTA sought to bar three students enrolled at the Massachusetts Institute of Technology -- Zack Anderson, R.J. Ryan and Alessandro Chiesa -- from presenting a talk at DefCon about vulnerabilities in magnetic stripe tickets and RFID cards that are used in the MBTA's payment system. The MBTA feared that the students planned to teach the audience how to fraudulently add credit to a payment ticket or card in order to ride the transit system for free.

Opsahl said the judge, in making his decision, misinterpreted a part of the federal Computer Fraud and Abuse Act that refers to computer intruders or hackers. Such a person is described in part in the statute as someone who "knowingly causes the transmission of a program, information, code, or command to a computer or computer system." Opsahl says the judge, during the hearing, likened the students' conference presentation to transmitting code to a computer.

"The statute on its face appears to be discussing sending code or similar types of information to a computer," Opsahl said. "It does not appear to contemplate somebody who is giving a talk to humans. Nevertheless, the court . . . believed that the act of giving a presentation to a group of humans was covered by the computer fraud, computer intrusion statute. We believe this is wrong."

EFF staff attorney Marcia Hofmann told reporters that the decision set a very dangerous precedent.

"Basically, what the court is suggesting here is that giving a presentation involving security to other security researchers is a violation of federal law," she said. "As far as I know, this is completely unprecedented, and it has a tremendous chilling effect on sharing this sort of research. . . . And we intend to fight it with everything we've got."

The students were scheduled to present their talk on Sunday about vulnerabilities in the subway's fare collection system.
According to a description of the talk in a printed program given to conference attendees, the students planned to demonstrate how they reverse-engineered the mag stripe on CharlieTickets and cracked the encryption on RFID-enabled CharlieCards that are used in the Boston system. They also planned to release several open source tools that they created in the course of their research.

But the MBTA contended that disclosure of the flaws, before the MBTA had a chance to fix them, would cause irreparable harm to the transit system, particularly if it allowed someone to increase the amount of funds stored on a card or ticket and ride the transit system for free.

The MBTA filed its motion for a restraining order on Friday, August 9th, but Opsahl and Hofmann said that rather than make an immediate decision, District Judge Woodlock ordered a hearing for Saturday morning and allowed the EFF, which represented the students, to participate by telephone from San Francisco, even though none of the non-profit's lawyers is licensed to practice in Massachusetts.

The court's restraining order bars the students from disclosing any information for ten days that could allow someone to defraud the transit system and ride the subway for free.

EFF lawyers and the students refused to discuss details of the now-cancelled presentation but did provide a timeline of events leading up to the MBTA's suit and also shed light on how the matter unfolded, disputing claims in the MBTA's court filings that the students had refused to give the MBTA information about the vulnerabilities they discovered.

According to MBTA's court filings, the agency first learned about the planned presentation on July 30th. The next day the agency contacted MIT computer science professor Ron Rivest, the students' instructor, and told him that the FBI was investigating the issue.

"We didn't find that to be a very pleasing way to start a nice dialogue with them," Anderson said.
"We got a little concerned about what was happening."

A few days later on Monday, August 4, a detective with the transit police and an FBI agent met with the MIT students, Rivest, and an MIT lawyer to discuss their concerns and inquire about the nature of the students' talk. The students say when they left that meeting they believed, due to verbal comments made to them during the meeting, that the issue had been resolved, and that the MBTA no longer had a problem with their talk.

[Note: A previous story said the parties had met on August 5th, a date listed in MBTA's court filings. The students said that date was a misprint.]

The FBI's Boston office did not respond to a call asking to confirm if there is an ongoing investigation of the students, but Opsahl said as far as he knows, there is no FBI investigation.

Efforts to reach the MBTA for comment were not successful, but according to the MBTA's court filings, the students failed to respond to a request to provide the transit authority with copies of the conference presentation or with details about the vulnerabilities they found in the payment card system, and this was the reason for taking the students to court.

But the students say this isn't true. They say the MBTA did ask for some material -- not a copy of their conference presentation -- which they provided on Friday, around the same time the MBTA was heading to the courthouse to request the restraining order. The material, it turns out, was a confidential vulnerability assessment report (.pdf) describing, in a more substantial way than the conference presentation slides do, the flaws in the MBTA payment system. The report became a public document on Saturday when the MBTA included it among other papers it submitted to the court.

The students maintain they didn't understand that the MBTA was expecting a copy of their presentation until Friday, when they learned the MBTA was filing for a restraining order.
"And at that point we declined to provide the slides until we had an opportunity to see what the complaint said," Hofmann said.

Even though the MBTA received the vulnerability assessment report at that point, the students point out, it did not withdraw the lawsuit.

The students say they had intended to contact the MBTA a week prior to July 30th, when the transit authority was still apparently unaware of the presentation. They refused to say what occurred at that time to prompt them to want to make contact with the MBTA, but said their intent was to provide the MBTA with details that they wouldn't be discussing in their public talk. Ultimately, however, they didn't act on the impulse because Rivest, who agreed to facilitate the contact, was out of town at a conference. Shortly thereafter, the MBTA discovered the talk and contacted Rivest.

The students maintain that they never intended to teach audience members how to defraud the transit system, despite provocative comments they wrote in the published description of their talk. A description of their talk that is printed in the conference program schedule begins with the sentence "Want free subway rides for life?" The line was removed from an online version of the description after the MBTA met with the students on August 4th, but the students wouldn't comment about why the change was made.

Opsahl called the provocative language "rhetoric" and said it was always the students' intention to hold back key details from their talk that would help someone attack the MBTA system.

"Please understand that, rhetoric aside, the intention was to provide an interesting and useful talk, but not one that would enable people to defraud the Massachusetts Bay Transit System," he said.

As it stands now, the next step, before the temporary restraining order expires, will be to determine whether or not it should become a preliminary injunction to extend the gag for longer, Opsahl said.
Hofmann said it's unclear right now whether the EFF will continue to represent the students if further litigation is pursued, given that they have no one on staff who can practice in Massachusetts. They will have to evaluate the situation when and if it comes up.

As for the students' 1 pm speakers' slot on Sunday, DefCon has apparently already found a replacement. Brenno de Winter, a Dutch journalist and security consultant, told reporters on Saturday that he has offered to fill in -- essentially to give the same or a similar talk about vulnerabilities with transit fare cards, though without the focus on the Boston transit system.

From rforno at infowarrior.org Sun Aug 10 21:12:23 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 10 Aug 2008 17:12:23 -0400
Subject: [Infowarrior] - RIP, Isaac "Chef" Hayes
Message-ID: <1B7B39E1-D79E-4676-93AF-7D88AD11A188@infowarrior.org>

Isaac Hayes, Deep-Voiced Soul Icon, Is Dead at 65
By THE ASSOCIATED PRESS
Filed at 4:28 p.m. ET

MEMPHIS, Tenn. (AP) -- Isaac Hayes, the pioneering singer, songwriter and musician whose relentless ''Theme From Shaft'' won Academy and Grammy awards, has been found dead at home. He was 65.

The Shelby County Sheriff's Office says a family member found Hayes unresponsive near a treadmill on Sunday. He was pronounced dead about an hour later at Baptist East Hospital in Memphis. The cause of death was not immediately known.

In the early 1970s, Hayes laid the groundwork for disco, for what became known as urban-contemporary music and for romantic crooners like Barry White. And he was rapping before there was rap.
His career hit another high in 1997 when he became the voice of Chef, the sensible school cook and devoted ladies' man on the animated TV show ''South Park.''

http://www.nytimes.com/aponline/us/AP-Obit-Isaac-Hayes.html?hp=&pagewanted=print

From rforno at infowarrior.org Mon Aug 11 02:47:18 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 10 Aug 2008 22:47:18 -0400
Subject: [Infowarrior] - Poof! Scientists closer to invisibility cloak
Message-ID: <36C01E45-370A-4B76-B98B-48084E05E32D@infowarrior.org>

(Paging Harry Potter..... --rf)

Poof! Scientists closer to invisibility cloak
http://ap.google.com/article/ALeqM5gnrH1I5OMi2psDdZ2cWrmQlVfyXgD92FPIOG0

WASHINGTON (AP) - Scientists say they are a step closer to developing materials that could render people and objects invisible.

Researchers have demonstrated for the first time they were able to cloak three-dimensional objects using artificially engineered materials that redirect light around the objects. Previously, they only have been able to cloak very thin two-dimensional objects.

The findings, by scientists at the University of California, Berkeley, led by Xiang Zhang, are to be released later this week in the journals Nature and Science.

The new work moves scientists a step closer to hiding people and objects from visible light, which could have broad applications, including military ones.

People can see objects because they scatter the light that strikes them, reflecting some of it back to the eye. Cloaking uses materials, known as metamaterials, to deflect radar, light or other waves around an object, like water flowing around a smooth rock in a stream.

Metamaterials are mixtures of metal and circuit board materials such as ceramic, Teflon or fiber composite. They are designed to bend visible light in a way that ordinary materials don't. Scientists are trying to use them to bend light around objects so they don't create reflections or shadows.
It differs from stealth technology, which does not make an aircraft invisible but reduces the cross-section available to radar, making it hard to track.

The research was funded in part by the U.S. Army Research Office and the National Science Foundation's Nano-Scale Science and Engineering Center.

From rforno at infowarrior.org Mon Aug 11 02:53:03 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 10 Aug 2008 22:53:03 -0400
Subject: [Infowarrior] - Understanding the IT Lobby: An Insider's Guide
Message-ID: <5F5BE774-EC3C-4A44-AF39-8A1628811841@infowarrior.org>

Understanding the IT Lobby: An Insider's Guide
http://www.actonline.org/library/rcpg61911proof.pdf

From rforno at infowarrior.org Mon Aug 11 03:01:35 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 10 Aug 2008 23:01:35 -0400
Subject: [Infowarrior] - International Journal of Cyber Criminology
Message-ID:

International Journal of Cyber Criminology (IJCC) is a peer-reviewed online (open access) interdisciplinary journal published biannually and devoted to the study of cyber crime, cyber criminal behavior, cyber victims, cyber laws and cyber investigations. IJCC will focus on all aspects of cyber/computer crime: Forms of Cyber Crime, Impact of Cyber crimes in the real world, Policing Cyber space, Cyber-terrorism, International Perspectives of Cyber Crime, developing cyber safety policy, intrusion investigations, information security, Cyber Victims, Cyber Psychopathology, Geographical aspects of Cybercrime, Cyber offender behavior, cyber crime law, Cyber Pornography, Physical Computer Security, Privacy & Anonymity on the Net, Internet Fraud & Identity Theft, Mobile Phone Safety, Online Gambling, Copyright and Intellectual property Law, and Detection of Distributed Denial of Service Attacks.
As the discipline of Cyber Criminology approaches the future, facing the dire need to document the literature in this rapidly changing area has become more important than ever before. The IJCC will be a nodal centre to develop and disseminate the knowledge of cyber crimes to the academic and lay world. The journal publishes theoretical, methodological, and applied papers, as well as book reviews.

The journal is available at http://www.cybercrimejournal.co.nr/

From rforno at infowarrior.org Mon Aug 11 12:22:56 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 11 Aug 2008 08:22:56 -0400
Subject: [Infowarrior] - Leaks in Patch for Web Security Hole
References:
Message-ID:

Begin forwarded message:

> From: Monty Solomon
>
> Leaks in Patch for Web Security Hole
>
> By JOHN MARKOFF
> The New York Times
> August 9, 2008
>
> SAN FRANCISCO - Faced with the discovery of a serious flaw in the Internet's workings, computer network administrators around the world have been rushing to fix their systems with a cobbled-together patch. Now it appears that the patch has some gaping holes.
>
> On Friday, a Russian physicist demonstrated that the emergency fix to the basic Internet address system, known as the Domain Name System, is vulnerable and will almost certainly be exploited by criminals.
>
> The flaw could allow Internet traffic to be secretly redirected so thieves could, for example, hijack a bank's Web address and collect customer passwords.
>
> In a posting on his blog, the physicist, Evgeniy Polyakov, wrote that he had fooled the software that serves as the Internet's telephone book into returning an incorrect address in just 10 hours, using two standard desktop computers and a high-speed network link. Internet experts who reviewed the posting said the approach appeared to be effective.
>
> ...
>
> http://www.nytimes.com/2008/08/09/technology/09flaw.html?partner=rssuserland&emc=rss&pagewanted=all

From rforno at infowarrior.org Tue Aug 12 12:44:11 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 12 Aug 2008 08:44:11 -0400
Subject: [Infowarrior] - NYPD's 'Operation Sentinel' To Track EVERYTHING
Message-ID:

NYPD's 'Operation Sentinel' To Track EVERYTHING
Radiation Sensors, Surveillance Cameras Used To Screen & Follow Every Vehicle Entering Lower Manhattan
Plan Aims To Provide Security Blanket Against Terrorist Attack
http://wcbstv.com/cbs2crew/operation.sentinel.nypd.2.793133.html
Reporting Deborah Garcia

NEW YORK (CBS) - The NYPD is working on a plan to track every single vehicle that enters Manhattan.

The initiative, called "Operation Sentinel," is aimed at preventing terror attacks. With the use of cameras and radiation sensors, police plan to track anything and everything that enters the Big Apple.

The New York Police Department wants to photograph the license plates of every vehicle coming into Manhattan and keep the image and information in a database.

The proposal is part of a multimillion dollar plan to secure lower Manhattan. It includes cameras, license plate readers and radiation detectors. They would be set up at 7 vehicle crossings, which include 4 tunnels and 3 bridges:

-The Brooklyn-Battery Tunnel
-Holland Tunnel
-Lincoln Tunnel
-Queens-Midtown Tunnel
-George Washington Bridge
-Henry Hudson Bridge
-Triborough Bridge

Smaller bridges like the Willis Avenue and Macombs Dam will also be included in the proposal.

It is unclear exactly when "Operation Sentinel" would be complete, but the lower Manhattan initiative, part of the plan to secure the city's financial area, is expected to be in place by 2010.

If after a month a registered license plate number is of no use to the police, it will be erased from the system.
From rforno at infowarrior.org Tue Aug 12 16:09:54 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 12 Aug 2008 12:09:54 -0400
Subject: [Infowarrior] - Alert: Some VMWare machines going "boom!" tomorrow
Message-ID: <0A782D99-1397-45C3-B4BD-2E09DFA6456A@infowarrior.org>

(Reposted from the blog in its entirety since it may be Slashdotted) - rf

http://www.deploylinux.net/matt/2008/08/all-your-vms-belong-to-us.html

All your VM's belong to us
By Matthew Marlowe on August 11, 2008 9:48 PM | Permalink | Comments (4) | TrackBacks (0)

As of tomorrow morning, VM's running on all hosts with ESX 3.5U2 in enterprise configurations will not power on. Boom. Apparently, there is some bug in the vmware license management code. VMware is scrambling to figure out what happened and put out a patch. There is a major discussion going on in the vmware communities about it: http://communities.vmware.com/thread/162377?tstart=0

OK, while we're all remaining calm....just imagine the implications that bugs like this can occur and get past QA testing....5 years down the road, nearly all server apps worldwide pretty much running in VM's (pretty easy prediction)......some country decides to initiate cyberwarfare and manages to get a backdoor into whatever is the prevailing hypervisor of the day.....boom. All your VM's belong to us. I honestly think a lot of the new hype about products dedicated to the new industry of vm security is crap, but honestly -- god protect us if the baseline code for critical hypervisors like ESX isn't kept secure and regularly audited.

I'd love to find out what happened here. Don't they do any regression testing on new releases to check for date based bugs? I thought that would be pretty obvious.

UPDATE: Frank Wegner has posted the following suggestions:

You can see the latest status here: http://kb.vmware.com/kb/1006716 Please check back often, because it will notify you when this issue has been fixed.
Until then the best workaround I can think of is:

* Do nothing
* Turn DRS off
* Avoid VMotion
* Avoid powering off VM's

I'd counsel against turning DRS off as that actually deletes resource pool settings....instead, set sensitivity to 5 which should effectively disable it w/ minimal impact.

UPDATE 2: VMware Website appears to be having trouble keeping up with people requesting updates.

UPDATE 3: VMware has stated they will have fixes available in 36hrs at the earliest.

UPDATE 4: Anand Mewalal comments:

We used the following workaround to power on the VM's. Find the host where a VM is located, run 'vmware-cmd -l' to list the VMs, then issue the commands:

service ntpd stop
date -s 08/01/2008
vmware-cmd /vmfs/volumes/
service ntpd start

UPDATE 5: Apparently, there are no easily seen warnings in logs/etc or VC prior to hitting the bug. VC will continue to show the hosts as licensed and no errors will appear in the vmkernel log file until you try to start up a new vm, reboot a vm, or reboot the host.

UPDATE 6: Welcome Slashdot readers! I've temporarily disabled comments to allow the server vm to handle the load. Apparently Movable Type 4.1 executes a separate perl cgi script to handle comments on each page load. Load times might have been slow for the last 45 minutes, but should be OK now.

From rforno at infowarrior.org Tue Aug 12 18:28:48 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 12 Aug 2008 14:28:48 -0400
Subject: [Infowarrior] - Senate Report Scrutinizes the State Secrets Privilege
Message-ID: <39008A1B-87DB-409C-A230-1D26CBD669E0@infowarrior.org>

Senate Report Scrutinizes the State Secrets Privilege
http://www.fas.org/blog/secrecy/2008/08/state_secrets.html
http://www.fas.org/blog/secrecy/?p=1871

A new report from the Senate Judiciary Committee examines the use of the state secrets privilege by the executive branch and describes the intent of new legislation to strengthen judicial review of its use in civil litigation.
The 53 page report summarizes the latest legal scholarship on the state secrets privilege, as well as the controversy that has surrounded it.

"In recent years, the executive branch has asserted the privilege more frequently and broadly than before, typically to seek dismissal of lawsuits at the pleadings stage. Facing allegations of unlawful Government conduct ranging from domestic warrantless surveillance, to employment discrimination, to retaliation against whistleblowers, to torture and 'extraordinary rendition,' the Bush-Cheney administration has invoked the privilege in an effort to shut down civil suits against both Government officials and private parties. Courts have largely acquiesced," the report states.

"While there is some debate over the extent to which this represents a quantitative or qualitative break from past practice, '[w]hat is undebatable ... is that the privilege is currently being invoked as grounds for dismissal of entire categories of cases challenging the constitutionality of Government action,' and that a strong public perception has emerged that sees the privilege as a tool for Executive abuse."

"In response to the growing concerns about the state secrets privilege, Senator Kennedy, Senator Specter, and Senator Leahy introduced the State Secrets Protection Act to provide a systematic approach to the privilege and thereby bring stability, predictability, and clarity to this area of the law and restore the public trust in Government and the courts."

The new report includes dissenting views from several Republican members of the Judiciary Committee, who argue that the existing arrangements already strike the "right balance between openness, justice and national security."

See "State Secrets Protection Act," Senate Judiciary Committee Report 110-442, August 1.

Another new report from the Senate Judiciary Committee addresses court-ordered secrecy, and would limit judicial authority to seal court records pertaining to public health and safety.
The report describes pending legislation that "requires judges to consider the public's interest in disclosure of health and safety information before issuing a protective order or an order to seal court records or a settlement agreement."

See "Sunshine in Litigation Act," Senate Judiciary Committee Report 110-439, August 1.

From rforno at infowarrior.org Tue Aug 12 18:39:08 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 12 Aug 2008 14:39:08 -0400
Subject: [Infowarrior] - RIAA and the Universities Clash
Message-ID:

(via IP)

Antipiracy Campaign Exasperates Colleges
But attempts to break with recording industry run into legal hurdles

< - >

http://chronicle.com/free/v54/i49/49a00104.htm

From rforno at infowarrior.org Tue Aug 12 22:14:28 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 12 Aug 2008 18:14:28 -0400
Subject: [Infowarrior] - Some Web Firms Say They Track Behavior Without Explicit Consent
Message-ID:

Some Web Firms Say They Track Behavior Without Explicit Consent
By Ellen Nakashima
Washington Post Staff Writer
Tuesday, August 12, 2008; D01
http://www.washingtonpost.com/wp-dyn/content/article/2008/08/11/AR2008081102270_pf.html

Several Internet and broadband companies have acknowledged using targeted-advertising technology without explicitly informing customers, according to letters released yesterday by the House Energy and Commerce Committee.

And Google, the leading online advertiser, stated that it has begun using Internet tracking technology that enables it to more precisely follow Web-surfing behavior across affiliated sites.

The revelations came in response to a bipartisan inquiry of how more than 30 Internet companies might have gathered data to target customers. Some privacy advocates and lawmakers said the disclosures help build a case for an overarching online-privacy law.

"Increasingly, there are no limits technologically as to what a company can do in terms of collecting information . . .
and then selling it as a commodity to other providers," said committee member Edward J. Markey (D-Mass.), who created the Privacy Caucus 12 years ago. "Our responsibility is to make sure that we create a law that, regardless of the technology, includes a set of legal guarantees that consumers have with respect to their information."

Markey said he and his colleagues plan to introduce legislation next year, a sort of online-privacy Bill of Rights, that would require that consumers must opt in to the tracking of their online behavior and the collection and sharing of their personal data.

But some committee leaders cautioned that such legislation could damage the economy by preventing small companies from reaching customers. Rep. Cliff Stearns (R-Fla.) said self-regulation that focuses on transparency and choice might be the best approach.

Google, in its letter to committee Chairman John Dingell (D-Mich.), Markey, Stearns and Rep. Joe L. Barton (R-Tex.), stressed that it did not engage in potentially the most invasive of technologies -- deep-packet inspection, which companies such as NebuAd have tested with some broadband providers. But Google did note that it had begun to use across its network the "DoubleClick ad-serving cookie," a computer code that allows the tracking of Web surfing.

Alan Davidson, Google's director of public policy and government affairs, stated in the letter that users could opt out of a single cookie for both DoubleClick and the Google content network. He also said that Google was not yet focusing on "behavioral" advertising, which depends on Web site tracking.

But on its official blog last week, Google touted how its recent $3.1 billion merger with DoubleClick provides advertisers "insight into the number of people who have seen an ad campaign," as well as "how many users visited their sites after seeing an ad."
"Google is slowly embracing a full-blown behavioral targeting over its vast network of services and sites," said Jeffrey Chester, executive director of the Center for Digital Democracy. He said that Google, through its vast data collection and sophisticated data analysis tools, "knows more about consumers than practically anyone." Microsoft and Yahoo have disclosed that they engage in some form of behavioral targeting. Yahoo has said it will allow users to turn off targeted advertising on its Web sites; Microsoft has yet to respond to the committee. More than a dozen of the 33 companies queried said they do not conduct targeted advertising based on consumers' Internet activities. But, Chester said, a number of them engage in sophisticated interactive marketing. Advertisers on Comcast.net's site, for instance, are able to target advertising based on "over 3 billion page views" from "15 million unique users." Comcast spokeswoman Sena Fitzmaurice stressed that the data are gathered exclusively for advertising on that site. In their letters, broadband providers Knology and Cable One acknowledged that they recently ran tests using deep-packet-inspection technology provided by NebuAd to see whether it could help them serve up more relevant ads, but their customers were not explicitly alerted to the test. Cable One is owned by The Washington Post Co. Both companies said that no personally identifiable information was used and that they have ended the trials. Cable One has no plans to adopt the technology, spokeswoman Melany Stroupe said. "However, if we do," she said, "we want people to be able to opt in." Ari Schwartz, vice president of the Center for Democracy and Technology, said lawmakers are beginning to understand the convergence across platforms. "People are starting to see: 'Oh, we have these different industries that are collecting the same types of information to profile individuals and the devices they use on the network,'" he said. "Internet. Cellphones. Cable. 
Any way you tap into the network, concerns are raised." Markey said yesterday that any legislation should generally require explicitly informing the consumer of the type of information that is being gathered and any intent to use it for a different purpose, and a right to say 'no' to the collection or use. The push for overarching legislation is bipartisan. "A broad approach to protecting people's online privacy seems both desirable and inevitable," Barton said. "Advertisers and data collectors who record where customers go and what they do want profit at the expense of privacy." As of yesterday evening, the committee had posted letters from 25 companies on its Web site.

From rforno at infowarrior.org Wed Aug 13 13:02:20 2008 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 13 Aug 2008 09:02:20 -0400 Subject: [Infowarrior] - WaPo OpEd: Search and Replace (Laptops) Message-ID: <214B002D-0B91-4E21-AC38-C730C34DD521@infowarrior.org> Search and Replace Congress needs to set the rules for how border agents can delve into travelers' laptops. http://www.washingtonpost.com/wp-dyn/content/article/2008/08/12/AR2008081202744_pf.html Wednesday, August 13, 2008; A14 WHEN ATTEMPTING to enter or reenter the United States, noncitizens and citizens alike have become accustomed to all manner of searches. Luggage is examined at international airports by agents looking for illegal drugs, smuggled fruit, explosive devices and other forms of contraband. At the border, agents routinely search vehicles even when they don't have reasonable suspicion of wrongdoing. The Supreme Court has upheld such searches and unanimously concluded that the government's "interest in preventing the entry of unwanted persons and effects is at its zenith at the international border." Border searches, the justices have said, "are reasonable simply by virtue of the fact that they occur at the border." 
Recently, the Department of Homeland Security disclosed that it is using the same broad authority to search travelers' laptop computers and other electronic devices. This may very well be legal under existing laws; two federal appeals courts have concluded as much. But it should not remain U.S. policy. Laptops have become the repository of people's most private thoughts, their most sensitive financial, medical and professional documents. Unlike a hard-copy book or notebook, the entire contents of a laptop -- including a history of Web sites visited -- can be copied with a push of a button. These copies can then be disseminated to various government agencies. This capacity to store a vast array of information opens up possibilities for mischief that do not exist with more traditional receptacles of information; it also makes laptops potentially invaluable tools for law enforcement. The Department of Homeland Security argues that it has the right to search and seize a laptop without a warrant or even suspicion. Yet it concedes that it is impossible for it to conduct searches on every laptop that enters the country. As a result, the department says it already applies a "reasonable suspicion" standard to determine which laptops to search. For security reasons, the department declines to say what triggers such "reasonable suspicion." But the standard is generally so low that it can be triggered by a traveler's appearing nervous or giving inconsistent answers to routine questions, such as how long and where he or she will be staying while in the country. The reasonable-suspicion standard should be written into law. Legislation should also specify that owners of laptops must be present while an agent conducts a preliminary search. Line agents should be required to get approval from a supervisor before copying files from or seizing a laptop and must be able to articulate, at that point, that there is probable cause to believe the laptop owner may have violated U.S. law. 
These reasonable compromises should in no way impede the government's ability to search laptops for such things as child pornography or terrorist plans. But they would go a long way toward giving the average, innocent traveler some protection against frivolous or mischievous intrusions.

From rforno at infowarrior.org Wed Aug 13 13:16:41 2008 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 13 Aug 2008 09:16:41 -0400 Subject: [Infowarrior] - MIT students: Mass. agency 'misrepresents' what led to lawsuit Message-ID: <4344C998-C299-42EE-9D81-784AE4F496D5@infowarrior.org> MIT students: Mass. agency 'misrepresents' what led to lawsuit Posted by Declan McCullagh http://news.cnet.com/8301-1009_3-10016113-83.html?hhTest=1&part=rss&subj=news&tag=2547-1_3-0-20 Three MIT students are disputing the Massachusetts transit agency's version of the events that led to the state filing a lawsuit last week--and obtaining a restraining order against their talk on subway card security scheduled for Sunday. The latest dispute originates in comments made to CNET News by Massachusetts Bay Transportation Authority spokesman Joe Pesaturo in a report published Monday. In his e-mail to us, he said the students "agreed to provide the MBTA with a copy of the presentation" scheduled for the Defcon hacker conference on Sunday but never did. A response posted Tuesday by the Electronic Frontier Foundation, which is representing the students, said MBTA "misrepresents" the situation: After the Monday meeting, the students understood that the MBTA's concerns were resolved, and that the students were to provide a confidential vulnerability assessment by the end of the week. Contrary to the MBTA statement, the students did not believe that the MBTA wanted to see a copy of the presentation slides, and they did not agree to provide them to the MBTA. (It is undisputed that the students--Zack Anderson, R.J. 
Ryan, and Alessandro Chiesa--wrote a separate analysis (PDF) for the MBTA marked "confidential" and presented it to the agency.) Opposing parties in lawsuits often tell different stories. Human memories are imperfect. People may honestly remember the same sequence of events differently. So why is this particular dispute important? One reason is that the judge in this lawsuit has until August 19 to renew the restraining order (by turning it into a preliminary injunction) or let it expire. Whoever can reasonably claim to have acted in good faith will have a better chance of prevailing. It's unclear who's telling the truth; if the lawsuit continues, e-mails and spoken testimony will probably answer these questions. But it does seem likely that the MBTA requested a copy of the Defcon presentation--they knew it was scheduled; why would they not want to see it?--and never received it. The defendants would have had a very good reason for this; the slides are prepared with a hacker audience in mind and include warnings like "AND THIS IS VERY ILLEGAL!" Oops. This is what lawyers call an "admission against interest." Another bit of unresolved intrigue is that the MBTA told us on Monday that it wanted to meet with the students again. EFF has steadfastly refused to say whether it would consider such a meeting--making it, uncharacteristically, even less forthcoming than a bunch of government bureaucrats.

From rforno at infowarrior.org Wed Aug 13 15:23:23 2008 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 13 Aug 2008 11:23:23 -0400 Subject: [Infowarrior] - 'Gitmo On The Platte' - Holding Cell For DNC Message-ID: <39FAEA07-72D2-4EB9-BA23-AF211D0019BF@infowarrior.org> 'Gitmo On The Platte' Set As Holding Cell For DNC Written By Rick Sallinger http://cbs4denver.com/denver2008/denver.protesters.arrested.2.793930.html DENVER (CBS4) - 
CBS4 News has learned if mass arrests happen at the Democratic Convention, those taken into custody will be jailed in a warehouse owned by the City of Denver. Investigator Rick Sallinger discovered the location and managed to get inside for a look. The newly created lockup is on the northeast side of Denver. Inside are dozens of metal cages. They are made out of chain link fence material and topped by rolls of barbed wire. "This is a secured environment," Capt. Frank Gale of the Denver Sheriff's Department told CBS4. "We're concerned about how that's going to be utilized by people who will be potentially disruptive." In past conventions, mass arrests have taken place. With Denver's jails already overflowing, new space had to be created and officers trained. Each of the fenced areas is about 5 yards by 5 yards and there is a lock on the door. A sign on the wall reads "Warning! Electric stun devices used in this facility." CBS4 showed its video to leaders of groups that plan to demonstrate during the convention. "Very bare bones and very reminiscent of a political prisoner camp or a concentration camp," said Zoe Williams of Code Pink. Williams was one of those arrested at the Republican Convention in New York in 2004. "That's how you treat cattle," said Adam Jung of the group Tent State University. "You showed the sign where it said stun gun in use and you just change the word gun for bolt and it's a meat processing plant." Gale would not discuss the facility at this time. "We want to make sure we got our game plan set," he said. "We want to make sure the entire procedure is laid out, all the personnel know what they are supposed to do." The plans were to keep this lockup a secret, at least for now. The American Civil Liberties Union says it will ask the City of Denver how prisoners will get access to food and water, bathrooms, telephones, plus medical care, and if there will be a place to meet with attorneys. 
The protesters have already given this place a name: "Gitmo on the Platte."

From rforno at infowarrior.org Wed Aug 13 16:03:11 2008 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 13 Aug 2008 12:03:11 -0400 Subject: [Infowarrior] - RFI: Flip4Mac audio problem Message-ID: <273FB70D-33CF-401B-8E77-E191FBA93B65@infowarrior.org> Any Mac users here with Flip4Mac installed on a current version of Leopard? I have video but no audio on web videos played through the plugin....mostly WMV stuff, I think. (Other vids, including stand-alone WMV files, show up fine in Flash or Quicktime, though.) Tried a few Google-inspired workarounds but nothing seems to work, and VLC is a bit too unstable at times for me to switch to it as a primary video plugin. I'm running Firefox 3 and Safari for browsers. Any workarounds/solutions/ideas to the "no audio" problem in Flip4Mac? TIA -rick

From rforno at infowarrior.org Wed Aug 13 16:40:44 2008 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 13 Aug 2008 12:40:44 -0400 Subject: [Infowarrior] - OT: Just for George Lucas.... Message-ID: <2D154C98-EBDB-4E04-9EA2-71734FF096BB@infowarrior.org> Apparently LucasArts is angry that folks might be giving 'Clone Wars' less-than-stellar reviews before it opens and going after websites hosting such reviews that likely don't have deep pockets or might cave easily to legal pressures. So here's one such review from MSNBC. Dear George: Deal with it. -rick http://www.msnbc.msn.com/id/26159685/ The force is not with "Clone Wars" Ugly animation and an uninspired storyline drag down the film REVIEW By Alonso Duralde Film critic updated 1:25 p.m. ET, Tues., Aug. 12, 2008 Legend has it that, on his deathbed, Orson Welles exhorted his loved ones to make sure that Ted Turner - who, at the time, was determined to colorize every black-and-white movie in his library - kept his "goddamn crayons" off of "Citizen Kane." But who will stop George Lucas from destroying the legacy of George Lucas? 
"Star Wars" lovers have had to deal with lots of heartbreak in the past few decades, from Jar Jar Binks to dozens of different video versions to Greedo shooting first. And now there's "Star Wars: The Clone Wars," an uninspiring animated addition to the series that takes us back to a time long, long ago that many of us never wanted to revisit - namely, Episodes I-III. If you love a "Star Wars" movie that begins with narration about trade routes, you're in luck. As "Clone Wars" begins, the nefarious Count Dooku (voiced by Christopher Lee, one of the few actors from the live-action movies to reprise his character here) and his rebel droid army are making things difficult for the Republic. The Jedi decide that it's a priority to form an alliance with Jabba the Hutt, so they pull Obi-Wan Kenobi (James Arnold Taylor) and Anakin Skywalker (Matt Lanter) out of battle to go and rescue Jabba's son, who has been kidnapped. (The kid apparently has no name; he's referred to as "Jabba the Hutt's son" throughout, except when he's referred to by some characters as "Stinky.") Joining them on this mission is Ahsoka Tano (Ashley Eckstein), a Padawan learner who has been assigned to train under Skywalker. In a blatant attempt to make the movie more kid-friendly, Ahsoka plays like a character straight out of a Disney Channel sitcom - she's a sassy teen girl with a halter top, a mini-skirt and a sarcastic rejoinder for every situation. Meanwhile, Senator Amidala (Catherine Taber) tries to negotiate with Jabba's uncle, Ziro the Hutt (Corey Burton), only to discover a whole conspiracy behind the kidnapping. Ziro provides the film's one bit of shocking unpredictability, in that he's been voiced by Burton to sound exactly like Truman Capote circa "Murder by Death." The character animation is astoundingly unpleasant, with human faces that would barely pass muster in a video game. 
Some of the battle and dogfight sequences are stirring, but since most of the combatants are either androids or clones - talk about cannon fodder - there doesn't seem to be much at stake. What we're left with is a lot of pew-pew-pew laser battles with occasional interruptions for "Hangin' with Mr. Skywalker"-style interactions between Anakin and his Padawan. Everything about "Clone Wars" feels a little off. Yoda's famous verb-at-the-end syntax gets so garbled by the writers that he eventually lets out a compound sentence that seems to make no sense whatsoever. Even the legendary John Williams theme has been so badly orchestrated that it sounds like it's being performed by a third-rate middle-school marching band. Very young kids, "Star Wars" completists and Lucas apologists may find themselves compelled to attend; anyone else would have a better time going to the Toshi Station to pick up power converters. © 2008 MSNBC Interactive URL: http://www.msnbc.msn.com/id/26159685/

From rforno at infowarrior.org Wed Aug 13 16:52:36 2008 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 13 Aug 2008 12:52:36 -0400 Subject: [Infowarrior] - Photography as a Weapon Message-ID: Photography as a Weapon http://morris.blogs.nytimes.com/2008/08/11/photography-as-a-weapon/?ref=opinion As almost everyone knows by now, various major daily newspapers published, on July 10, a photograph of four Iranian missiles streaking heavenward; then Little Green Footballs (significantly, a blog and not a daily newspaper) provided evidence that the photograph had been faked. Later, many of those same papers published a Whitman's sampler of retractions and apologies. For me it raised a series of questions about images.[1] Do they provide illustration of a text or an idea of evidence of some underlying reality or both? And if they are evidence, don't we have to know that the evidence is reliable, that it can be trusted? 
Hany Farid, a Dartmouth professor and an expert on digital photography, has published a number of journal articles and a recent Scientific American article on digital photographic fraud. He seemed to be a good person to start with. If a photograph has been tampered with, he's the person to analyze how the tampering has been done. I wanted to discuss with him the issue of the Iranian photograph starting with the issue of why we trust photographs in the first place. < - > http://morris.blogs.nytimes.com/2008/08/11/photography-as-a-weapon/?ref=opinion

From rforno at infowarrior.org Wed Aug 13 17:56:33 2008 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 13 Aug 2008 13:56:33 -0400 Subject: [Infowarrior] - DHS setting up counterspy unit Message-ID: <3E384CEA-CE94-4FB0-B5FB-96186BD51FE4@infowarrior.org> Homeland Security setting up counterspy unit By EILEEN SULLIVAN, Associated Press Writer, Tue Aug 12, 6:20 PM ET http://news.yahoo.com/s/ap/20080812/ap_on_go_ca_st_pe/homeland_spy_worries_4&printer=1;_ylt=Aiw8QzPmBgNmsI9.1EOZSA.WwvIE Concerns about foreign spies and terrorists have prompted the Homeland Security Department to set up its own counterintelligence division and require strict reporting from employees about foreign travel, according to a memo obtained by The Associated Press. The new directive comes as the federal government increases its counterspy efforts across all agencies and raises the awareness of intelligence vulnerabilities in the private industry as well as in protecting government secrets. The Homeland Security Department "is vulnerable to adversaries who seek information about our nation's homeland defense programs, classified or unclassified," Secretary Michael Chertoff wrote in the Aug. 4 memo to employees obtained by AP. The agency, formed in 2003 after the 9/11 attacks, has about 216,000 employees and posts around the world. 
It includes divisions that protect the country's borders, develop new radiation detection equipment, study and test infectious diseases, enforce immigration and maritime laws, protect the president and other dignitaries, coordinate disaster response, work to keep terrorists off of airplanes and other transportation, and monitor and prevent cyber-intrusions. Homeland Security is creating a counterintelligence system now, because there is currently no place for such a function in the department - which was formed by 22 disparate agencies - said a senior U.S. government official who requested anonymity because he is not authorized to publicly discuss intelligence. "We are still a relatively young department," Homeland Security spokesman Russ Knocke said, adding that the memo reflects the department's maturity over the past five years. Counterintelligence is an organized effort to block an enemy's sources of information and access to sensitive material. It can also be used to give misinformation. In his memo, Chertoff instructs that employees must tell a special security officer about any planned foreign travel. When the employee returns, the employee should report "any real or possible contacts with foreign intelligence services, terrorists or foreign criminal enterprises." This reporting, Chertoff says, will protect department employees who travel abroad. Chertoff instructs employees to report suspected espionage behavior. Some examples:
_ If someone asks an employee for classified and sensitive information or access to systems.
_ If someone asks an employee traveling overseas to bring back an envelope or package.
_ If an employee has regular contact with a person suspected of being part of a foreign intelligence service, terrorist group or foreign criminal enterprise.
While setting up a separate office dedicated to counterintelligence, the concept is not new to the department. 
In 2005, it published a brochure, "Espionage: How to recognize and report it," which includes a list of suspicious behaviors. ___ Associated Press writer Pamela Hess contributed to this report.

From rforno at infowarrior.org Wed Aug 13 19:21:25 2008 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 13 Aug 2008 15:21:25 -0400 Subject: [Infowarrior] - Air Force Halts Cyber Command Program Message-ID: Air Force Halts Cyber Command Program By Kim Zetter, August 13, 2008 | 2:01:58 PM, Categories: Cybersecurity http://blog.wired.com/27bstroke6/2008/08/air-force-halts.html After months touting its intention to be the front line for defending cyberspace, the Air Force has suspended plans to establish its much hyped Cyber Command program, according to Nextgov. The program is being halted until new senior Air Force leaders have time to review it and determine a focus and direction. The Cyber Command was courted by governors in several states who all wanted the command's headquarters based in their jurisdiction in order to benefit from federal investments and jobs that a command center would bring. But from the beginning, the program had been marred by a vague mission definition "to defend cyberspace" and a lack of focus. A defense expert told Wired writer Marty Graham earlier this year that the program was full of "gee-whiz flackery." "They've got the whole thing tarted up, and it's hard to tell what they're actually doing," John Pike, director of GlobalSecurity.org, told Graham. Politics may also be behind the suspension. Nextgov reports that the Air Force's hard-sell grab to assume the top spot in cyberdefense may have rubbed the Army and Navy the wrong way. Fellow Wired scribe Noah Shachtman, who has been following the Cyber Command's progress for a while at his Danger Room blog, independently confirmed the program's suspension and places it in context with other recent Air Force setbacks. 
From rforno at infowarrior.org Thu Aug 14 12:12:57 2008 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 14 Aug 2008 08:12:57 -0400 Subject: [Infowarrior] - OSS archives opened; Julia Child's spy file revealed Message-ID: Newly Released Files Detail Early US Spy Network Long secret CIA files identify nearly 24,000 spies from WWII era, including chef Julia Child By BRETT J. BLACKLEDGE and RANDY HERSCHAFT, Associated Press Writers, The Associated Press, WASHINGTON http://abcnews.go.com/print?id=5577204 Before Julia Child became known to the world as a leading chef, she admitted at least one failing when applying for a job as a spy: impulsiveness. Details about Child's background as a government agent come into the public spotlight Thursday with the National Archives' release of more than 35,000 top-secret personnel files of World War II-era spies. The CIA held this information for decades. The 750,000 documents identify the vast spy network managed by the Office of Strategic Services, which later became the CIA. President Franklin Roosevelt created the OSS, the country's first centralized intelligence operation. Child's file shows that in her OSS application, she included a note expressing regret she left an earlier department store job hastily because she did not get along with her boss, said William Cunliffe, an archivist who has worked extensively with the OSS records at the National Archives. The OSS files offer details about other agents, including Supreme Court Justice Arthur Goldberg, major league catcher Moe Berg, historian Arthur Schlesinger Jr. and film actor Sterling Hayden. Other notables identified in the files include John Hemingway, son of author Ernest Hemingway; Kermit Roosevelt, son of President Theodore Roosevelt; and Miles Copeland, father of Stewart Copeland, drummer for the band The Police. Some of those on the list have been identified previously as having worked for the OSS, but their personnel records never have been available before. 
Those records would show why they were hired, jobs they were assigned to and perhaps even missions they pursued while working for the agency. The release of the OSS personnel files unmasks one of the last secrets from the short-lived wartime intelligence agency, which for the most part was later folded into the CIA after President Truman disbanded it in 1945. "I think it's terrific," said Elizabeth McIntosh, 93, a former OSS agent now living in Woodbridge, Va. "They've finally, after all these years, they've gotten the names out. All of these people had been told never to mention they were with the OSS." The CIA long resisted releasing the records. But a former CIA director, William Casey, himself an OSS veteran, cleared the way for transfer of millions of OSS documents to the National Archives when he took over the spy agency in 1981. The personnel files are the latest documents to be made public. Information about OSS involvement was so guarded that relatives often could not confirm a family member's work with the group. Walter Mess, who handled covert OSS operations in Poland and North Africa, said he kept quiet for more than 50 years, only recently telling his wife of 62 years about his OSS activity. "I was told to keep my mouth shut," said Mess, now 93 and living in Falls Church, Va. The files provide new information even for those most familiar with the agency. Charles Pinck, president of the OSS Society created by former OSS agents and their relatives, said the nearly 24,000 employees included in the archives far exceed previous estimates of 13,000. The newly released documents will clarify these and other issues, Cunliffe said. "We're saying the OSS was a lot bigger than they were saying," he said. ___ On the Net: CIA OSS page: http://tinyurl.com/6bvmhf Index to National Archives OSS personnel files: http://www.archives.gov/research/arc/ Copyright 2008 The Associated Press. All rights reserved. 
This material may not be published, broadcast, rewritten, or redistributed.

From rforno at infowarrior.org Thu Aug 14 13:36:27 2008 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 14 Aug 2008 09:36:27 -0400 Subject: [Infowarrior] - Globe Editorial: Hacking and free speech Message-ID: <5775D753-7127-44EC-B400-A51DBCEC8A1E@infowarrior.org> http://www.boston.com/bostonglobe/editorial_opinion/editorials/articles/2008/08/14/hacking_and_free_speech/ GLOBE EDITORIAL Hacking and free speech August 14, 2008 THREE MIT students claim to have identified ways of hacking the MBTA's automated fare-collection system, and they could have spared themselves some trouble had they notified the transit agency of any security flaws right away. The T found out about their work only after they made plans to describe their discoveries last Sunday at DEFCON, a conference for hackers. On Saturday, the agency persuaded US District Judge Douglas Woodlock to issue a temporary restraining order against the undergrads. But what the students should have done out of moral obligation and what they have the right to do under the First Amendment are two different questions. For good reason, US courts have long been highly skeptical of prior restraints on what may be said in a public forum. Woodlock strayed into dangerous territory by restricting what the students could disclose at the conference. At a hearing today, Judge George O'Toole will hear motions to modify or lift the order. He ought to lift it. The order had its intended effect, for the students did not give their talk. But it would be a mistake to regard them merely as mischief-makers bent on helping scofflaws ride for free. Finding security breaches in electronic systems is a legitimate, even vital, line of inquiry. The students began looking into the T's CharlieCards and CharlieTickets in conjunction with an MIT class. 
The T says it wants to enforce the principle of "responsible disclosure" - the notion that a security researcher who finds a flaw in an electronic system should notify the owner and give sufficient time to fix the breach before going public. The students and T officials met for the first time about a week before DEFCON. The transit agency argues that the students did not offer enough information to judge whether they would behave responsibly at the conference. But should the T be the arbiter of what constitutes responsible disclosure? The students' lawyer says they met the standard, because they planned to withhold from their talk key information necessary to cheat the fare collection system. In any case, responsible disclosure, while a valuable ethical standard, is not enshrined in federal statutes, and should not trump First Amendment rights. Such rights aren't absolute; if the students were to incite others to commit crimes, they could face civil and criminal penalties. But if expression can lead to penalties after the fact, that is one more reason not to block it in advance. The MIT undergrads and others in this field surely need to learn that, even if they have a First Amendment right to disclose their work at their discretion, it doesn't mean they always should. But the MBTA should recognize that security flaws are a design problem, not a legal one.

From rforno at infowarrior.org Thu Aug 14 21:27:00 2008 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 14 Aug 2008 17:27:00 -0400 Subject: [Infowarrior] - Fliers without ID placed on TSA list Message-ID: <343AF325-6741-4B19-A588-71C5B176E956@infowarrior.org> Find this article at: http://www.usatoday.com/tech/news/surveillance/2008-08-12-tsa_N.htm Fliers without ID placed on TSA list By Thomas Frank, USA TODAY WASHINGTON - 
The Transportation Security Administration has collected records on thousands of passengers who went to airport checkpoints without identification, adding them to a database of people who violated security laws or were questioned for suspicious behavior. The TSA began storing the information in late June, tracking many people who said they had forgotten their driver's license or passport at home. The database has 16,500 records of such people and is open to law enforcement agencies, according to the TSA. Asked about the program, TSA chief Kip Hawley told USA TODAY in an interview Tuesday that the information helps track potential terrorists who may be "probing the system" by trying to get through checkpoints at various airports. Later Tuesday, Hawley called the newspaper to say the agency is changing its policy effective today and will stop keeping records of people who don't have ID if a screener can determine their identity. Hawley said he had been considering the change for a month. The names of people who did not have identification will soon be expunged, he said. Civil liberties advocates have been fearful that the database includes passengers who have done nothing wrong yet may face extra scrutiny at airports or questioning by authorities investigating possible terrorism. "This information comes back to haunt people," said Barry Steinhardt of the American Civil Liberties Union. The TSA has been expanding an electronic database that started a couple of years ago to keep track of people who violated security regulations, most often by bringing a dangerous item to a checkpoint. The agency then began adding names of people who were questioned by police but not necessarily charged after an airport screener saw them acting suspiciously. 
In those cases, the TSA can keep records for 15 years of someone's name, address, Social Security number, nationality, race and physical features, as well as identifying information about a traveling companion, according to a report by the Homeland Security Department privacy office. Hawley said the database will still be used but it will not contain people's names who forgot their identification. Such a database helps the TSA spot patterns of activity that may indicate terrorist planning and refer people to the FBI for possible questioning. "It's just like if a police officer chats to somebody. It's part of the investigative process," Hawley said. Travelers without ID were added in June after the TSA barred them from airplanes. The agency wanted to identify all passengers to check them against watch lists. Previously, passengers without ID could board airplanes after facing additional searches. Hawley said the TSA will stop tracking people without ID because they do not automatically represent a security threat. The TSA will still keep records of people who go to checkpoints without ID and then give a false name to screeners. From rforno at infowarrior.org Fri Aug 15 12:14:59 2008 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 15 Aug 2008 08:14:59 -0400 Subject: [Infowarrior] - MIT studies Charlieticket vuln Message-ID: <78E2D2A1-A4B0-4FF0-A5EA-E5F9F49A0260@infowarrior.org> Public Documents Seem to Show Free T Fare By Michael McGraw-Herdeg EXECUTIVE EDITOR August 14, 2008, 4:13 p.m. http://www-tech.mit.edu/V128/N30/subwayvulnerabilities.html Documents made public by an MBTA lawsuit against MIT undergraduates show how anyone can get free T fare by copying an existing CharlieTicket or by making their own. 
The Massachusetts Bay Transportation Authority has asked for its temporary restraining order, protecting information about research by MIT students into the CharlieCard and CharlieTicket systems, to be changed to include only "non public" information. MBTA spokesman Joe Pesaturo characterized documents available online as "harmless information that is now public" in an e-mail. But that public information shows how to get free rides with a CharlieTicket, leaving open the possibility that the MBTA suspects an even more serious compromise of its CharlieCard system. Numerous ways to get unpaid-for T fare are clearly laid out in the DEF CON presentation, available online at http://www-tech.mit.edu/V128/N30/subway/Defcon_Presentation.pdf ; in the report the students gave to the MBTA, available at http://www-tech.mit.edu/V128/N30/subway/10-declaration-henderson-vulnerability.pdf ; and in prior research on similar systems. Anyone with a magnetic card writer can repeatedly copy a CharlieTicket onto another card, never having to pay for a ticket again, if the students' "Vulnerability Assessment Report" is accurate. In the T's system, a CharlieTicket is worth as much as its magnetic stripe says it is, and no central computer tracks the tickets' values, according to the report. A single $25 ticket could be copied onto hundreds, if not thousands, of blank cards, providing free travel forever. A ticket's identification number or value can also be easily changed, the report says. A $5 card can be made to say it is worth up to $655.36. A thief could take a 5 cent CharlieTicket, rewrite it so that its value is $99, insert it into an MBTA ticketing kiosk along with a dollar, and receive $100 in T fares on a fresh card, purchased for $1.05, the report says. The ticket would have "$100.00" printed on the front and would appear identical to a legitimate CharlieTicket. The report suggests that an attacker might resell tickets. 
(Three people arrested in New York are said to have exploited a vending machine bug to get $800,000 worth of Long Island Rail Road tickets and MetroCard fares for free, The New York Times reported Tuesday. They allegedly sold much of that fare.) Magnetic card writers go for $173 on eBay, but they can be made for as little as $5 in parts, according to slides the students were to present at this weekend's DEF CON hacker convention. Discarded CharlieTickets are available in many subway stations' trash cans; other cards with magnetic stripes can also be found for less than a dollar online. The information on the ticket includes a checksum, a six-bit number calculated from the rest of the information on the card, which is used to detect errors in the card's data. There are only 64 six-bit numbers. If you do not know how the checksum is generated, you need only create 64 tickets, each with a different checksum value, and test each. One will work, according to the report. The report does not say whether the students have successfully written software to generate forged CharlieTickets without having to try all the possible checksums. The final presentation in the spring 2008 subject Computer and Network Security (6.857) was based on guessing the checksum value by making many cards, a "brute force" approach. That work was done by four students: Samuel G. McVeety G, who did not participate in the DEF CON presentation, along with the three students who did, Zackary M. Anderson '09, Russell J. Ryan '09, and Alessandro Chiesa '09. The project earned an A, according to the MBTA. Students recommend system changes A central system should store the current value of all tickets so that people cannot forge new CharlieTickets, the students' confidential report recommends. An "auditing system" should also be used to detect copied or forged tickets, the report recommends. 
The CharlieTicket and CharlieCard should both include additional encryption to make them hard to duplicate or forge, the report says. The report recommends an auditing system be installed to detect cloning of RFID cards. It also recommends that the CharlieTicket's checksum be replaced with a cryptographically secure signature which would be harder to duplicate. The DEF CON presentation highlighted fixable weaknesses in "physical security." The presentation includes photos of unlocked doors into subway stations, pictures of open "turnstile control boxes" accessible "almost everywhere," a picture of a "door key" found in an open box, and a photo of a computer screen in the MBTA's operations center. (That picture was taken from an adjacent building with a telephoto lens, according to Tech photographer Eric Schmiedl, who gave a presentation on physical security at DEF CON.) Charliecard may be insecure The students' report suggests that all CharlieCards may be protected against duplication by a single encryption key, but the report is unclear on whether they have decoded that key. If they have found this key, this could be what the MBTA's restraining order seeks to protect. CNET reported on Thursday that the students gave the MBTA "particular information to complete the Charlie card hack which they say they had no intention of revealing in the Defcon discussion," which could be this key. The CharlieCard uses the MIFARE Classic system, which is also used in London's transport system and in the Dutch transport system. That system is known to be vulnerable to a cloning attack -- by standing near someone, you can decrypt their card and copy its identity and value. The maker of that card, NXP Semiconductors, has unsuccessfully sued in Dutch courts to keep research details from being presented in public. The students' report discusses possible ways to decode the encryption key that protects CharlieCards. 
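The three CharlieTicket fixes the article attributes to the students' report (a central store of every ticket's current value, an auditing check that catches copied tickets, and a keyed cryptographic tag in place of the six-bit checksum) can be sketched as a toy fare-gate validator. This is an added example, not the students' or the MBTA's code; the stripe layout, the key, the fare amount and all names are assumptions.

```python
"""Toy stored-value fare gate (added example; not from the students' report
or the MBTA system). The ledger, not the stripe, is the authoritative value,
and the stripe carries a keyed MAC instead of a guessable checksum."""
import hashlib
import hmac
import struct

# Assumed stripe layout: 4-byte serial, 2-byte value in cents, 8-byte tag.
# The key and tag length are constructed for the demo, not real values.
TICKET_KEY = b"constructed-demo-key-not-a-real-key"
BODY_LEN = 6
TAG_LEN = 8


def _tag(body: bytes, key: bytes) -> bytes:
    """Truncated HMAC-SHA256 over the serial+value fields."""
    return hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]


def encode_ticket(serial: int, value_cents: int, key: bytes = TICKET_KEY) -> bytes:
    body = struct.pack(">IH", serial, value_cents)
    return body + _tag(body, key)


def decode_ticket(stripe: bytes, key: bytes = TICKET_KEY):
    """Return (serial, value_cents), or None when the tag does not verify.
    Editing the value field without the key invalidates the tag."""
    if len(stripe) != BODY_LEN + TAG_LEN:
        return None
    body, tag = stripe[:BODY_LEN], stripe[BODY_LEN:]
    if not hmac.compare_digest(tag, _tag(body, key)):
        return None
    return struct.unpack(">IH", body)


class FareGate:
    """Gate backed by a central ledger mapping serial -> remaining cents.
    A stripe whose value disagrees with the ledger is a copy of a ticket
    that has already been used (or rewritten), so it is refused and logged."""

    def __init__(self, ledger: dict, fare_cents: int):
        self.ledger = ledger
        self.fare = fare_cents
        self.audit_log = []  # (reason, identifier) pairs for the auditing system

    def present(self, stripe: bytes):
        """Return (accepted, rewritten_stripe_or_None, reason)."""
        decoded = decode_ticket(stripe)
        if decoded is None:
            self.audit_log.append(("forged", stripe.hex()))
            return False, None, "bad MAC"
        serial, stripe_value = decoded
        if serial not in self.ledger:
            self.audit_log.append(("unknown", serial))
            return False, None, "unknown serial"
        ledger_value = self.ledger[serial]
        if stripe_value != ledger_value:
            self.audit_log.append(("clone", serial))
            return False, None, "stripe/ledger mismatch"
        if ledger_value < self.fare:
            return False, None, "insufficient value"
        new_value = ledger_value - self.fare
        self.ledger[serial] = new_value
        return True, encode_ticket(serial, new_value), "ok"


def demo():
    """Constructed scenario: one $25 ticket, a byte-for-byte copy of it,
    and a copy whose value field was edited without the key."""
    ledger = {1001: 2500}          # central store: serial 1001 holds $25.00
    gate = FareGate(ledger, 200)   # $2.00 fare (constructed figure)
    original = encode_ticket(1001, 2500)
    copy_of_original = bytes(original)  # same bytes written to a blank card
    ok1, updated, _ = gate.present(original)          # genuine ride accepted
    ok2, _, why2 = gate.present(copy_of_original)     # copy now disagrees with ledger
    tampered = updated[:4] + struct.pack(">H", 9900) + updated[6:]  # value set to $99
    ok3, _, why3 = gate.present(tampered)             # tag no longer verifies
    return ok1, ok2, why2, ok3, why3, dict(ledger), list(gate.audit_log)


if __name__ == "__main__":
    print(demo())
```

Note that the order of use does not matter: if the copy is presented first, it is the original that later disagrees with the ledger, so the auditing log still records the duplicated serial.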
The report also suggests that the key may be the same on every card, rather than differing from card to card -- which could be a serious problem if true. But in a court filing, security consultant Eric Johanson said that the publicly available information about the students' findings describes an "aspirational" attack on the key rather than a functional one. The MIFARE Classic card has undergone worldwide security analysis. In place of the students' talk on Sunday, Dutch journalist Brenno de Winter gave a talk describing MIFARE Classic vulnerabilities and NXP's unsuccessful lawsuit that sought to keep Dutch researchers from presenting those vulnerabilities. The research results to be published in October will show how the card can be cloned in a few seconds, he said. "If anyone in the room is using MIFARE Classic at this moment, this is your final wakeup call," de Winter said. "This is your final heads-up. You've got two months left, and then you're screwed." An NXP Semiconductors employee advised the MBTA on July 30 about the upcoming DEF CON presentation. "Of special concern is the announced intent to release open source tools required to perform the attacks," wrote Manuel Albers, director of regional marketing for NXP. "Please let me know if we can support you in any way," he wrote. From rforno at infowarrior.org Fri Aug 15 13:24:07 2008 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 15 Aug 2008 09:24:07 -0400 Subject: [Infowarrior] - UK Police Seize War on Terror Board Game Message-ID: <78906435-952F-45A9-A6A3-F94795613316@infowarrior.org> http://www.schneier.com/blog/archives/2008/08/uk_police_seize.html UK Police Seize War on Terror Board Game They said -- and it's almost too stupid to believe -- that: the balaclava "could be used to conceal someone's identity or could be used in the course of a criminal act". Don't they realize that balaclavas are for sale everywhere in the UK? 
Or that scarves, hoods, handkerchiefs, and dark glasses could also be used to conceal someone's identity? The game sounds like it could be fun, though: Each player starts as an empire filled with good intentions and a determination to liberate the world from terrorists and from each other. Then the reality of world politics kicks in and terrorist states emerge. Andrew said: "The terrorists can win and quite often do and it's global anarchy. It sums up the randomness of geo-politics pretty well." In their cardboard version of realpolitik George Bush's "Axis of Evil" is reduced to a spinner in the middle of the board, which determines which player is designated a terrorist state. That person then has to wear a balaclava (included in the box set) with the word "Evil" stitched on to it. From rforno at infowarrior.org Sat Aug 16 03:15:08 2008 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 15 Aug 2008 23:15:08 -0400 Subject: [Infowarrior] - RIAA pays Tanya Andersen $107,951 Message-ID: RIAA pays Tanya Andersen $107,951 RIAA News:- Another huge hole has appeared in Vivendi Universal, EMI, Warner Music and Sony BMG's s(t)inking ship, the SS Sue 'Em All. And it's well below the water-line. Nor is the rapidly foundering merchant vessel MediaSentry looking too good. Single mum Tanya Andersen and her daughter, Kylee, have come to epitomize the victims of the Big 4's RIAA as the labels continue to pursue their hopeless course of trying to sue consumers around the world into buying their formulaic, cookie-cutter "product". She and her lawyers, Lory Lybeck and Ben Justus, beat the labels and their enforcer to a standstill, and a judge ordered them to pay the price. Now the Big 4 have been forced to come through. "Maybe more lawyers will be encouraged to take on these difficult cases as more courts assess fees for the false prosecution of these sham cases," Lybeck told p2pnet. 
< - > http://www.p2pnet.net/story/16724 From rforno at infowarrior.org Sat Aug 16 18:02:55 2008 From: rforno at infowarrior.org (Richard Forno) Date: Sat, 16 Aug 2008 14:02:55 -0400 Subject: [Infowarrior] - U.S. May Ease Police Spy Rules Message-ID: <188D1707-A3E4-4FD2-9DF7-6452DE50A08B@infowarrior.org> http://www.washingtonpost.com/wp-dyn/content/article/2008/08/15/AR2008081503497_pf.html U.S. May Ease Police Spy Rules More Federal Intelligence Changes Planned By Spencer S. Hsu and Carrie Johnson Washington Post Staff Writers Saturday, August 16, 2008; A01 The Justice Department has proposed a new domestic spying measure that would make it easier for state and local police to collect intelligence about Americans, share the sensitive data with federal agencies and retain it for at least 10 years. The proposed changes would revise the federal government's rules for police intelligence-gathering for the first time since 1993 and would apply to any of the nation's 18,000 state and local police agencies that receive roughly $1.6 billion each year in federal grants. Quietly unveiled late last month, the proposal is part of a flurry of domestic intelligence changes issued and planned by the Bush administration in its waning months. They include a recent executive order that guides the reorganization of federal spy agencies and a pending Justice Department overhaul of FBI procedures for gathering intelligence and investigating terrorism cases within U.S. borders. Taken together, critics in Congress and elsewhere say, the moves are intended to lock in policies for Bush's successor and to enshrine controversial post-Sept. 11 approaches that some say have fed the greatest expansion of executive authority since the Watergate era. Supporters say the measures simply codify existing counterterrorism practices and policies that are endorsed by lawmakers and independent experts such as the 9/11 Commission. 
They say the measures preserve civil liberties and are subject to internal oversight. White House spokesman Tony Fratto said the administration agrees that it needs to do everything possible to prevent unwarranted encroachments on civil liberties, adding that it succeeds the overwhelming majority of the time. Bush homeland security adviser Kenneth L. Wainstein said, "This is a continuum that started back on 9/11 to reform law enforcement and the intelligence community to focus on the terrorism threat." Under the Justice Department proposal for state and local police, published for public comment July 31, law enforcement agencies would be allowed to target groups as well as individuals, and to launch a criminal intelligence investigation based on the suspicion that a target is engaged in terrorism or providing material support to terrorists. They also could share results with a constellation of federal law enforcement and intelligence agencies, and others in many cases. Criminal intelligence data starts with sources as basic as public records and the Internet, but also includes law enforcement databases, confidential and undercover sources, and active surveillance. Jim McMahon, deputy executive director of the International Association of Chiefs of Police, said the proposed changes "catch up with reality" in that those who investigate crimes such as money laundering, drug trafficking and document fraud are best positioned to detect terrorists. He said the rule maintains the key requirement that police demonstrate a "reasonable suspicion" that a target is involved in a crime before collecting intelligence. "It moves what the rules were from 1993 to the new world we live in, but it maintains civil liberties," McMahon said. 
However, Michael German, policy counsel for the American Civil Liberties Union, said the proposed rule may be misunderstood as permitting police to collect intelligence even when no underlying crime is suspected, such as when a person gives money to a charity that independently gives money to a group later designated a terrorist organization. The rule also would allow criminal intelligence assessments to be shared outside designated channels whenever doing so may avoid danger to life or property -- not only when such danger is "imminent," as is now required, German said. On the day the police proposal was put forward, the White House announced it had updated Reagan-era operating guidelines for the U.S. intelligence community. The revised Executive Order 12333 established guidelines for overseas spying and called for better sharing of information with local law enforcement. It directed the CIA and other spy agencies to "provide specialized equipment, technical knowledge or assistance of expert personnel" to support state and local authorities. And last week, Attorney General Michael B. Mukasey said that the Justice Department will release new guidelines within weeks to streamline and unify FBI investigations of criminal law enforcement matters and national security threats. The changes will clarify what tools agents can employ and whose approval they must obtain. The recent moves continue a steady expansion of the intelligence role of U.S. law enforcement, breaking down a wall erected after congressional hearings in 1976 to rein in such activity. The push to transform FBI and local police intelligence operations has triggered wider debate over who will be targeted, what will be done with the information collected and who will oversee such activities. Many security analysts faulted U.S. authorities after the 2001 terrorist attacks, saying the FBI was not combating terrorist plots before they were carried out and needed to proactively use intelligence. 
In the years since, civil liberties groups and some members of Congress have criticized the administration for unilaterally expanding surveillance and moving too fast to share sensitive information without safeguards. Critics say preemptive law enforcement in the absence of a crime can violate the Constitution and due process. They cite the administration's long-running warrantless-surveillance program, which was set up outside the courts, and the FBI's acknowledgment that it abused its intelligence-gathering privileges in hundreds of cases by using inadequately documented administrative orders to obtain telephone, e-mail, financial and other personal records of U.S. citizens without warrants. Former Justice Department official Jamie S. Gorelick said the new FBI guidelines on their own do not raise alarms. But she cited the recent disclosure that undercover Maryland State Police agents spied on death penalty opponents and antiwar groups in 2005 and 2006 to emphasize that the policies would require close oversight. "If properly implemented, this should assure the public that people are not being investigated by agencies who are not trained in how to protect constitutional rights," said the former deputy attorney general. "The FBI will need to be vigilant -- both in its policies and its practices -- to live up to that promise." German, an FBI agent for 16 years, said easing established limits on intelligence-gathering would lead to abuses against peaceful political dissenters. In addition to the Maryland case, he pointed to reports in the past six years that undercover New York police officers infiltrated protest groups before the 2004 Republican National Convention; that California state agents eavesdropped on peace, animal rights and labor activists; and that Denver police spied on Amnesty International and others before being discovered. 
"If police officers no longer see themselves as engaged in protecting their communities from criminals and instead as domestic intelligence agents working on behalf of the CIA, they will be encouraged to collect more information," German said. "It turns police officers into spies on behalf of the federal government." Civil liberties groups also have warned that forthcoming Justice Department rules for the FBI may permit the use of terrorist profiles that could single out religious or ethnic groups such as Muslims or Arabs for investigation. Mukasey said the changes will give the next president "some of the tools necessary to keep us safe" and will not alter Justice rules that prohibit investigations based on a person's race, religion or speech. He said the new guidelines will make it easier for the FBI to use informants, conduct physical and photographic surveillance, and share data in intelligence cases, on the grounds that doing so should be no harder than in investigations of ordinary crimes. Rep. Bennie Thompson (D-Miss.), chairman of the House Homeland Security Committee, said that updating police intelligence rules is a move "in the right direction. However, the vagueness of the provisions giving broad access to criminal intelligence to undefined agencies . . . is very troubling." Staff writers Joby Warrick and Ellen Nakashima contributed to this report. From rforno at infowarrior.org Sat Aug 16 21:34:13 2008 From: rforno at infowarrior.org (Richard Forno) Date: Sat, 16 Aug 2008 17:34:13 -0400 Subject: [Infowarrior] - National security and free speech Message-ID: National security and free speech By Harvey Silverglate August 16, 2008 http://www.boston.com/bostonglobe/editorial_opinion/oped/articles/2008/08/16/national_security_and_free_speech/?s_campaign=8315 WHY DID the federal district court gag three MIT undergraduates who apparently discovered a flaw in the MBTA's electronic fare-collection system? 
The reason one judge imposed the unconstitutional gag order prohibiting the students from presenting their paper Aug. 10 at the DEFCON computer "hackers" conference, and another judge refused on Aug. 14 to vacate that order even after the conference ended, is the current excuse du jour for an epidemic of censorship: national security. The students, as a project for their class in computer security, discussed how the CharlieCard could be decoded and used to obtain free T rides. When the MBTA learned that they were going to present their paper at DEFCON, it sought a temporary restraining order. Judge Douglas Woodlock, sitting as emergency "duty judge," granted the T's request and prohibited the presentation -- a clearly unconstitutional decision -- citing a violation of the federal Computer Fraud and Abuse Act. Even after a follow-up Aug. 14 hearing before Judge George O'Toole, the order stands. The Computer Fraud and Abuse Act almost certainly does not apply to mere speech; rather, it covers someone who "knowingly causes the transmission of a program, information, code, or command to a computer or computer system." In other words, the statute outlaws hacking, not a scholarly (or even unscholarly) presentation. And even if the statute could be twisted to cover the DEFCON presentation, the First Amendment's free speech guarantee would render this use unconstitutional. Yet Woodlock issued a patently unconstitutional order. Why? This bizarre court intervention is rooted, as are many other recent civil liberties violations, in the aftermath of the Sept. 11, 2001, terrorist attacks. The MBTA's court complaint highlights "the role of the MBTA in Homeland Security efforts" and claims that the hacking threat "affects a computer system used by a government entity for national security purposes." A supporting affidavit of MBTA personnel adds that "in 2007 the MBTA received $4 million from the Department of Homeland Security . . . 
for use in emergency communications initiatives." Thus the T, in reality just another local transit system struggling under crushing debt and long-term mismanagement, transmogrified a temporary threat to its fare collection system into something so urgent as to override the First Amendment. The MBTA's motion for a gag order was heard by Woodlock. Four years ago, the judge penned an opinion when civil libertarians and political activists challenged Draconian security measures aimed at severely limiting demonstrations at the 2004 Democratic National Convention in Boston. While characterizing the chicken-coop-like "free speech zone" into which protesters were to be herded outside the Fleet Center as akin to "an internment camp," Woodlock said that it was "irretrievably sad" that post-Sept. 11 security threats made such tight restrictions on otherwise protected activity necessary. "One cannot conceive of other elements [that could be] put in place to create a space that's more of an affront to the idea of free expression than the designated demonstration zone," Woodlock moaned as he facilitated the affront. The convention security issues were, admittedly, real, even if the solution was unnecessarily harsh on free speech. But the possibility of real or merely feared -- but in any event temporary -- revenue losses for the T should not qualify as the kind of extraordinary and irreparable threat that can justify a restraining order. The Supreme Court has not had occasion -- yet -- to change that high legal barrier, but some lower federal courts have nonetheless since 9/11 been setting a lower bar for the censors. Ironically, this constitutional violation is for naught, since the order will not stop other bright minds from making the same discovery. Knowledge and its spread, for both constitutional and practical reasons, are not subject to court injunctions. The MBTA would have been better off hiring, rather than suing, the MIT trio to solve the electronic flaw. 
The students (and their professor) could doubtless do a better job of patching the security hole than the T's security officials, consultants, and vendors who designed the vulnerable system. But with the ghosts of 9/11 and "national security" hovering, the students and the First Amendment didn't stand a chance. Harvey Silverglate is a criminal defense and civil liberties litigator and writer. From rforno at infowarrior.org Sun Aug 17 15:46:39 2008 From: rforno at infowarrior.org (Richard Forno) Date: Sun, 17 Aug 2008 11:46:39 -0400 Subject: [Infowarrior] - Fare's fair for hackers? Message-ID: Published online 15 August 2008 | Nature | doi:10.1038/news.2008.1044 http://www.nature.com/news/2008/080815/full/news.2008.1044.html News Fare's fair for hackers? Researchers warn of "devastating effect" of computer-science gagging order. Daniel Cressey A legal ruling on a student project in the United States has thrown the computer science community into a battle over the line between legitimate research and illegal hacking. The disagreement turns on the principle of "responsible disclosure", which governs decisions by computer security researchers over when and how to make public weaknesses in commercial systems. Eleven top-level computer scientists have publicly come out in support of a group of students from the Massachusetts Institute of Technology (MIT). The protest comes after the Massachusetts Bay Transportation Authority sought and received an order from the district court restraining the students from delivering a presentation to the annual DEFCON conference in Las Vegas. The undergraduates' talk was to be on alleged shortcomings in the security of "smart-card" electronic tickets used by the MBTA. According to documents the MBTA filed to the court, the students claimed to have circumvented security on e-tickets, offered "free subway rides for life" 
and "plan to allow others to duplicate their claimed 'breaking'". In a letter sent in support of the students, the computer scientists say the court order is unfair and could have a devastating impact on future research. "I find the court's decision troubling," said David Wagner, a computer scientist at the University of California Berkeley and one of the signatories to the letter, in an email to Nature. "If the decision is upheld, it could have a profound chilling effect on scientific research into the security of information technology." Time to take stock Experts in the area say the strategy of responsible disclosure is widely accepted for research on security topics. This involves quietly informing a product's manufacturer and users when a security issue is discovered and giving them a set period of time before you publish your findings. "If all you do is report quietly it just gets buried and forgotten about," says Ross Anderson, a researcher at the University of Cambridge with much experience in the area. "There's been quite some debate and we've settled on responsible disclosure. This is widely accepted in the computer industry." Exactly how much time you give the relevant companies and users is variable, says Bart Jacobs, a researcher at Radboud University Nijmegen, in the Netherlands. For a problem with a widely used software product where companies already have the infrastructure for updates, researchers might give a month. For something like a smartcard, a longer period might be necessary. Jacobs was on the receiving end of a similar court case earlier this year when Dutch company NXP asked for an injunction to stop the publication of research on security of its Mifare Classic smartcards. These are used as Oyster cards for transport on London's trains and buses. The injunction was refused: Jacobs plans to publish his findings later this year. 
"You give the manufacturer reasonable time to patch things and at the same time you put the company under pressure to really fix the problem," he says. Indecent disclosure? In the American case, there is disagreement between the MBTA and the MIT students over what information was provided and when. In a statement, the students say they initially contacted the MBTA as they "wanted to let the MBTA know what they found and wanted to provide some ideas about how to fix the system". They also say their presentation would not have included crucial information needed to actually hack the fare system and that it contained less information than documents that the MBTA's court filing has now made available to the public. An MBTA spokesman told Nature, "The MBTA received no pertinent information from the students before 4.30am on Saturday [the court order was granted at 1.30pm on Saturday]. We did ask for the information, and time, and got nothing." MIT declined to comment. Yesterday, another judge at the district court ruled the restraining order -- which bars the students from providing "program, information, software code, or command" that would help compromise the MBTA's fare media system -- should stand. A decision is expected on Tuesday 19 August about whether it will be amended or withdrawn. "One thing is clear -- the Boston transit authority's [MBTA] actions backfired, big time," says Wagner. "The technical details are all over the Internet now. The lesson: trying to censor something just draws even more attention to it." From rforno at infowarrior.org Sun Aug 17 15:55:14 2008 From: rforno at infowarrior.org (Richard Forno) Date: Sun, 17 Aug 2008 11:55:14 -0400 Subject: [Infowarrior] - DC Metro Area to use License Plate Readers Message-ID: <13E79C09-310D-42F1-9FAF-34ABED992C49@infowarrior.org> License Plate Readers To Be Used In D.C. 
Area By Mary Beth Sheridan Washington Post Staff Writer Sunday, August 17, 2008; C01 http://www.washingtonpost.com/wp-dyn/content/article/2008/08/16/AR2008081602218_pf.html Authorities plan to install about 200 automated license plate readers on police vehicles and alongside roads in the Washington area to thwart potential terrorist attacks, dramatically expanding the use of a high-tech tool previously aimed at parking scofflaws and car thieves. Top homeland security officials from Maryland, Virginia and the District agreed last week to spend $4.5 million on the new system, officials said Friday. The funds will come from a $59.8 million federal homeland security grant for the D.C. area announced last month. That grant also will be used to outfit police with radiation detectors, improve hazmat and bomb squads and provide equipment to hospitals, officials decided. License plate scanners, also known as tag readers, took off in Britain in the 1990s as a way to deter Irish Republican Army attacks, and police here have started using the technology to identify stolen vehicles and illegally parked cars. A handful of the devices are in use by law enforcement agencies in the Washington region for such tasks. The new project is much broader, installing cameras on about 160 police vehicles and at 40 fixed sites, such as airports or highway entrances, officials say. It appears to be one of the most extensive license reading systems in the nation, according to privacy experts. "This is a vast expansion of the technology, and a vast change in the goal of the technology," said Melissa Ngo, publisher of http://www.privacylives.com , a site about privacy and civil liberties issues. Ngo, a former journalist who has worked at The Washington Post and other publications, questioned the outlay of so much money on a project described as an anti-terrorist tool. "Do they have any proof that this works?" Ngo asked. Arlington Police Capt. 
Kevin Reardon, who has worked on planning the new system, said the tag readers have shown that they can boost police efficiency.

"The technology has reached the point where it's very good now. It puts a tool in the hands of police officers out in the street to help fight terrorism," said Reardon, who works in his department's homeland security unit.

The readers will scan the license plate of every vehicle that zooms by and run the numbers through federal criminal databases and terrorist watch lists, Reardon said. Maryland, Virginia and the District could plug in additional databases. When the machines get "hits," they instantly notify police or other law enforcement officials. The devices can typically read hundreds of plates an hour.

Civil liberties advocates say the tag readers are the latest sign of how surveillance programs are expanding in U.S. cities, driven by terrorism fears and rapidly developing technology. New York officials said last week that they plan to scan the license plates of all cars and trucks entering Manhattan as part of a new security system that also involves thousands of closed-circuit cameras.

In the District, the government plans to use $10 million from another homeland security grant to centralize monitoring of the city's growing network of closed-circuit cameras at schools, public buildings and other places. Although city officials say the project is aimed at improving emergency response, it has stirred fierce opposition from some D.C. Council members.

Privacy advocates say they are concerned about what is done with the images picked up. "What's going to happen to the data?" asked Marc Rotenberg, executive director of the Electronic Privacy Information Center, which monitors civil liberties issues. "The Department of Homeland Security will now have an enormous amount of information about the travel habits of Washington area residents."
Rotenberg questioned whether the terrorist databases connected to the readers would be any more reliable than the much-criticized watch lists used at airports. Authorities say many of the details of the new program are being worked out. But Reardon said that at least in the short term, officials don't plan to store data on the scanned license plates, except for those associated with terrorism or other crime. "We'll have to carefully weigh all those [privacy] issues and make sure we do it the right way," said Andrew Lauland, the top homeland security official in Maryland. But, he said, license plates are open to view by any passerby. "So there's nothing intrusive about it," he said. In some ways, the new system might be less invasive, Reardon said. Currently, police can run the plate number of any vehicle, turning up the name of the owner, he said. The new system pulls up information only on cars linked to crime or terrorism, he said. If a vehicle has no such associations, "you're not even in the database," he said. Lauland said the system could be useful in such incidents as the hijacking of a fuel tanker in Baltimore last fall that raised fears of potential terrorism. The vehicle was found in the District, and a terror connection was ruled out. In England, one of the suspects in last year's botched car bomb attacks in London and Glasgow was arrested after his license plate was picked up by roadside cameras. Reardon said, however, that there might be a time delay of up to several hours in getting information on wanted cars into the license plate devices being installed in police vehicles. He said the devices would be useful for more than just potentially stopping terrorists. "It will help us identify other types of criminal activity" by detecting cars used in offenses such as bank robberies, he said. 
The tag readers are one of about two dozen projects in the Washington region that will be funded with the homeland security grant, an annual award to urban areas at risk of terrorist attack. Officials announced that they will also spend $4 million to equip police in the area with radiation detectors; $5.6 million for training and gear for local bomb squads; and about $18 million for equipment, planning and exercises to help the region's hospitals and medical personnel cope with disasters.

Robert Malson, president of the D.C. Hospital Association, said he was grateful that state and local officials had devoted so much of the grant to the medical sector. "Normally they focus most of the money on government agencies, but the hospitals are a critical part of the response to any natural disaster or terrorist attack," he said.

The $59.8 million urban area grant to the region was smaller than the $61.6 million it received last year from the Department of Homeland Security. However, the D.C. area also received a new homeland-security grant this year, of $11.5 million, to help it prepare for such catastrophes as the detonation of a nuclear bomb.

Staff researcher Eddy Palanzo contributed to this report.

From rforno at infowarrior.org Sun Aug 17 16:20:59 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 17 Aug 2008 12:20:59 -0400
Subject: [Infowarrior] - NSF and the Birth of the Internet
Message-ID:

(c/o Barry W.....a nifty NSF-produced video history of the Internet.)

NSF and the Birth of the Internet [Macromedia Flash Player]
http://www.nsf.gov/news/special_reports/nsf-net/index.jsp

From rforno at infowarrior.org Mon Aug 18 17:04:23 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 18 Aug 2008 13:04:23 -0400
Subject: [Infowarrior] - Survey Help: U.S. military and movies
Message-ID:

(c/o a friend who's helping another friend out.)

Friend says: "If you have a moment, take this survey on the U.S. military and Hollywood.
The results will be used in a good friend's master's thesis at the University of Southern California's Annenberg School for Communication."

http://usccollege.qualtrics.com/SE?SID=SV_1AAJ5AV8j52TMhu&SVID=Prod

From rforno at infowarrior.org Mon Aug 18 18:22:11 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 18 Aug 2008 14:22:11 -0400
Subject: [Infowarrior] - Q&A With FBI's Cyber Division Chief
Message-ID: <8619F1E7-4EE6-453D-9CBA-F769B65E0A09@infowarrior.org>

Q&A With FBI's Cyber Division Chief

At the end of the Black Hat hacker convention in Las Vegas a week ago Thursday, I had a few minutes to sit down with James Finch, head of the FBI's Cyber Division. What follows is an excerpted Q&A from that discussion, in which Finch describes himself as a serious geek who refuses to be spooked by organized cyber criminal gangs that target online banking customers and other 'Netizens.

< - >

http://voices.washingtonpost.com/securityfix/2008/08/qa_with_fbis_cyber_crime_chief.html#more

From rforno at infowarrior.org Tue Aug 19 13:39:17 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 19 Aug 2008 09:39:17 -0400
Subject: [Infowarrior] - Apple Is Flailing Badly At The Edges
Message-ID: <439E1092-2467-416C-97F4-BAC8511AA3FA@infowarrior.org>

(Mike makes some very good points......QC at Cupertino just ain't what it used to be.....-rf)

Apple Is Flailing Badly At The Edges
http://www.techcrunch.com/2008/08/19/apple-is-flailing-badly-at-the-edges/

From rforno at infowarrior.org Tue Aug 19 13:54:45 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 19 Aug 2008 09:54:45 -0400
Subject: [Infowarrior] - Airports, Security, Dignity, and the New America
Message-ID: <96BA48D9-64A2-48EE-9D9C-09B88D2D1CBB@infowarrior.org>

At JFK Airport, Denying Basic Rights Is Just Another Day at the Office
By Emily Feder, AlterNet. Posted August 18, 2008.

I was recently stopped by Homeland Security as I was returning from a trip to Syria.
What I saw in the hours that followed shocked and disturbed me.

< - >

http://www.alternet.org/rights/95351?page=entire

From rforno at infowarrior.org Tue Aug 19 17:54:46 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 19 Aug 2008 13:54:46 -0400
Subject: [Infowarrior] - Boston judge tosses MIT students' gag order
Message-ID:

Federal Judge Throws Out Gag Order Against Boston Students in Subway Case
By Kim Zetter
August 19, 2008 | 1:07:19 PM
Categories: DefCon, Hacks and Cracks, The Courts
http://blog.wired.com/27bstroke6/2008/08/federal-judge-t.html

A federal judge in Boston this morning threw out a temporary gag order against three MIT students who were prevented from presenting a talk on security vulnerabilities in the Boston subway's fare tickets and cards.

U.S. District Judge George A. O'Toole, Jr., vacated the temporary 10-day restraining order that another judge had instituted last Saturday against the students and which was scheduled to expire today. District Judge O'Toole also threw out a request by the Massachusetts Bay Transportation Authority to obtain a preliminary injunction against the students to expand the restraining order beyond the original 10 days.

"It's great news for the free speech rights for these students," said Rebecca Jesche, a spokeswoman for the Electronic Frontier Foundation, which represented the students. "Although it's extremely unfortunate that the students were not allowed to give their talk at DefCon."

District Judge O'Toole, in making his decision, ruled against using the Computer Fraud and Abuse Act to invoke the restraining order, saying that the anti-hacking statute, which applies to code transmitted to computer systems, does not apply to speech.
A weekend judge who had heard the case last Saturday and had granted the restraining order on behalf of the Massachusetts Bay Transportation Authority, had invoked the Computer Fraud and Abuse Act in his decision, implying that speech about how a system was vulnerable to hacking was equivalent to someone actually hacking the system -- or at least aided that illegal hacking activity. "It was definitely unfair to use that statute to silence the students," Jesche said. "We certainly hope the next time that people are allowed to present their important research instead of being silenced by bogus lawsuits." Zach Anderson, one of the students sued in the case, was elated by the judge's decision today. "We're glad the court actually saw things as they should be," he told Threat Level. "We're glad the court read the law correctly." Although the restraining order has gone away, it doesn't mean the students are completely in the clear. Still standing is a lawsuit the MBTA has filed against them, accusing them of hacking its system and causing damages. Anderson said the students regret that they weren't allowed to give their presentation last Sunday but have no intention of giving the talk anymore. "All the material we were going to talk about has been made public . . . and more," he said, referring to the fact that their presentation slides as well as a confidential report describing vulnerabilities with the Boston system were posted online after the judge granted the restraining order. Anderson maintains that the students never planned to present key information that would have allowed someone to defraud the MBTA system and says they still stand by that. "Despite what's happened, and the animosity the MBTA has brought toward us," he said, "we don't want people to defraud them." When asked if he and the other students ever created bogus MBTA cards and used them to get free rides on Boston's T subway, Anderson declined to respond. 
"I can't really comment on the actual means that we used," he said. "It's probably not a good idea to comment on that. We certainly did not get free fare. We had to spend several hundred dollars on buying tickets to look at the data structure. Far more than we ever would have used."

From rforno at infowarrior.org Wed Aug 20 01:49:04 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 19 Aug 2008 21:49:04 -0400
Subject: [Infowarrior] - Why We Love 'America's Outrageous War Economy'
Message-ID:

Why We Love 'America's Outrageous War Economy'
http://www.foxbusiness.com/story/markets/industries/media/love-americas-outrageous-war-economy/
Paul B. Farrell
MarketWatch

ARROYO GRANDE, Calif. -- Yes, America's economy is a war economy. Not a "manufacturing" economy. Not an "agricultural" economy. Nor a "service" economy. Not even a "consumer" economy. Seriously, I looked into your eyes, America, saw deep into your soul. So let's get honest and officially call it "America's Outrageous War Economy."

Admit it: we secretly love our war economy. And that's the answer to Jim Grant's thought-provoking question last month in the Wall Street Journal -- "Why No Outrage?" There really is only one answer: Deep inside we love war. We want war. Need it. Relish it. Thrive on war. War is in our genes, deep in our DNA. War excites our economic brain. War drives our entrepreneurial spirit. War thrills the American soul. Oh just admit it, we have a love affair with war. We love "America's Outrageous War Economy."

Americans passively zone out playing video war games. We nod at 90-second news clips of Afghan war casualties and collateral damage in Georgia. We laugh at Jon Stewart's dark comedic news and Ben Stiller's new war spoof "Tropic Thunder" ...
all the while silently, by default, we're cheering on our leaders as they aggressively expand "America's Outrageous War Economy," a relentless machine that needs a steady diet of war after war, feeding on itself, consuming our values, always on the edge of self-destruction. Why else are Americans so eager and willing to surrender 54% of their tax dollars to a war machine, which consumes 47% of the world's total military budgets? Why are there more civilian mercenaries working for no-bid private war contractors than the total number of enlisted military in Iraq (180,000 to 160,000), at an added cost to taxpayers in excess of $200 billion and climbing daily? Why do we shake our collective heads "yes" when our commander-in-chief proudly tells us he is a "war president;" and his party's presidential candidate chants "bomb, bomb, bomb Iran," as if "war" is a celebrity hit song? Why do our spineless Democrats let an incompetent, blundering executive branch hide hundreds of billions of war costs in sneaky "supplemental appropriations" that are more crooked than Enron's off-balance-sheet deals? Why have Washington's 537 elected leaders turned the governance of the American economy over to 42,000 greedy self-interest lobbyists? And why earlier this year did our "support-our-troops" "war president" resist a new GI Bill because, as he said, his military might quit and go to college rather than re-enlist in his war; now we continue paying the Pentagon's warriors huge $100,000-plus bonuses to re-up so they can keep expanding "America's Outrageous War Economy?" Why? Because we secretly love war! We've lost our moral compass: The contrast between today's leaders and the 56 signers of the Declaration of Independence in 1776 shocks our conscience. Today war greed trumps morals. During the Revolutionary War our leaders risked their lives and fortunes; many lost both. 
Today it's the opposite: Too often our leaders' main goal is not public service but a ticket to building a personal fortune in the new "America's Outrageous War Economy," often by simply becoming a high-priced lobbyist. Ultimately, the price of our greed may be the fulfillment of Kevin Phillips' warning in "Wealth and Democracy:" "Most great nations, at the peak of their economic power, become arrogant and wage great world wars at great cost, wasting vast resources, taking on huge debt, and ultimately burning themselves out."

'National defense' a propaganda slogan selling a war economy?

But wait, you ask: Isn't our $1.4 trillion war budget essential for "national defense" and "homeland security?" Don't we have to protect ourselves? Sorry folks, but our leaders have degraded those honored principles to advertising slogans. They're little more than flag-waving excuses used by neocon war hawks to disguise the buildup of private fortunes in "America's Outrageous War Economy."

America may be a ticking time bomb, but we are threatened more by enemies within than external terrorists, by ideological fanatics on the left and the right. Most of all, we are under attack by our elected leaders who are motivated more by pure greed than ideology. They terrorize us, brainwashing us into passively letting them steal our money to finance "America's Outrageous War Economy," the ultimate "black hole" of corruption and trickle-up economics.

You think I'm kidding? I'm maybe too harsh? Sorry but others are far more brutal. Listen to the ideologies and realities eating at America's soul.

1. Our toxic 'war within' is threatening America's soul

How powerful is the Pentagon's war machine? Trillions in dollars. But worse yet: Their mindset is now locked deep in our DNA, in our collective conscience, in America's soul.
Our love of war is enshrined in the writings of neocon war hawks like Norman Podoretz, who warns the Iraq War was the launching of "World War IV: The Long Struggle Against Islamofascism," a reminder that we could be occupying Iraq for a hundred years. His WW IV also reminded us of the coming apocalyptic end-of-days "war of civilizations" predicted by religious leaders in both Christian and Islamic worlds two years ago. In contrast, this ideology has been challenged in works like Craig Unger's "American Armageddon: How the Delusions of the Neoconservatives and the Christian Right Triggered the Descent of America -- and Still Imperil Our Future." Unfortunately, neither threat can be dismissed as "all in our minds" nor as merely ideological rhetoric. Trillions of tax dollars are in fact being spent to keep the Pentagon war machine aggressively planning and expanding wars decades in advance, including spending billions on propaganda brainwashing naive Americans into co-signing "America's Outrageous War Economy." Yes, they really love war, but that "love" is toxic for America's soul. 2. America's war economy financed on blank checks to greedy Read Nobel Economist Joseph Stiglitz and Harvard professor Linda Bilmes' "$3 Trillion War." They show how our government's deceitful leaders are secretly hiding the real long-term costs of the Iraq War, which was originally sold to the American taxpayer with a $50 billion price tag and funded out of oil revenues. But add in all the lifetime veterans' health benefits, equipment placement costs, increased homeland security and interest on new federal debt, and suddenly taxpayers got a $3 trillion war tab! 3. America's war economy has no idea where its money goes Read Portfolio magazine's special report "The Pentagon's $1 Trillion Problem." The Pentagon's 2007 budget of $440 billion included $16 billion to operate and upgrade its financial system. 
Unfortunately "the defense department has spent billions to fix its antiquated financial systems [but] still has no idea where its money goes." And it gets worse: Back "in 2000, Defense's inspector general told Congress that his auditors stopped counting after finding $2.3 trillion in unsupported entries." Yikes, our war machine has no records for $2.3 trillion! How can we trust anything they say?

4. America's war economy is totally 'unmanageable'

For decades Washington has been waving that "national defense" flag, to force the public into supporting "America's Outrageous War Economy." Read John Alic's "Trillions for Military Technology: How the Pentagon Innovates and Why It Costs So Much." A former Congressional Office of Technology Assessment staffer, he explains why weapon systems cost the Pentagon so much, "why it takes decades to get them into production even as innovation in the civilian economy becomes ever more frenetic and why some of those weapons don't work very well despite expenditures of many billions of dollars," and how "the internal politics of the armed services make weapons acquisition almost unmanageable." Yes, the Pentagon wastes trillions planning its wars well in advance.

Comments? Tell us: What will it take to wake up America, get citizens, investors, anybody mad at "America's Outrageous War Economy?" Why don't you rebel? Will the outrage come too late ... after this massive war bubble explodes in our faces?

Copyright © 2008 MarketWatch, Inc.

From rforno at infowarrior.org Wed Aug 20 04:05:11 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 20 Aug 2008 00:05:11 -0400
Subject: [Infowarrior] - US Citizens' U.S. Border Crossings Tracked
Message-ID: <2346E341-2976-4CD0-8189-851ACF28AF86@infowarrior.org>

Citizens' U.S. Border Crossings Tracked
Data From Checkpoints To Be Kept for 15 Years
By Ellen Nakashima
Washington Post Staff Writer
Wednesday, August 20, 2008; A01
http://www.washingtonpost.com/wp-dyn/content/article/2008/08/19/AR2008081902811_pf.html

The federal government has been using its system of border checkpoints to greatly expand a database on travelers entering the country by collecting information on all U.S. citizens crossing by land, compiling data that will be stored for 15 years and may be used in criminal and intelligence investigations.

Officials say the Border Crossing Information system, disclosed last month by the Department of Homeland Security in a Federal Register notice, is part of a broader effort to guard against terrorist threats. It also reflects the growing number of government systems containing personal information on Americans that can be shared for a broad range of law enforcement and intelligence purposes, some of which are exempt from some Privacy Act protections.

While international air passenger data has long been captured this way, Customs and Border Protection agents only this year began to log the arrivals of all U.S. citizens across land borders, through which about three-quarters of border entries occur. The volume of people entering the country by land prevented compiling such a database until recently. But the advent of machine-readable identification documents, which the government mandates eventually for everyone crossing the border, has made gathering the information more feasible.

By June, all travelers crossing land borders will need to present a machine-readable document, such as a passport or a driver's license with a radio frequency identification chip. In January, border agents began manually entering into the database the personal information of travelers who did not have such documents.

The disclosure of the database is among a series of notices, officials say, to make DHS's data gathering more transparent.
Critics say the moves exemplify efforts by the Bush administration in its final months to cement an unprecedented expansion of data gathering for national security and intelligence purposes. The data could be used beyond determining whether a person may enter the United States. For instance, information may be shared with foreign agencies when relevant to their hiring or contracting decisions. Public comments are being taken until Monday, when the "new system of records will be effective," the notice states. "People expect to be checked when they enter the country and for the government to determine if they're admissible or not," said Greg Nojeim, senior counsel at the Center for Democracy & Technology. "What they don't expect is for the government to keep a record for 15 years of their comings into the country." But DHS spokesman Russ Knocke said the retention period is justified. "History has shown, whether you are talking about criminal or terrorist activity, that plotting, planning or even relationships among conspirators can go on for years," he said. "Basic travel records can, quite literally, help frontline officers to connect the dots." The government states in its notice that the system was authorized by post-Sept. 11 laws, including the Enhanced Border Security and Visa Reform Act of 2002, the Aviation and Transportation Security Act of 2001, and the Intelligence Reform and Terrorism Prevention Act of 2004. Nojeim said that though the statutes authorize the government to issue travel documents and check immigration status, he does not believe they explicitly authorize creation of the database. "This database is, in a sense, worse than a watch list," he said. "At least in the watch-list scenario, there's some reason why the name got on the list. Here, the only thing a person does to come to the attention of DHS is to lawfully cross the border. The theory of this data collection is: Track everyone -- just in case." 
Under the system, officials record name, birth date, gender, date and time of crossing, and a photo, where available, for U.S. travelers returning to the country by land, sea or air. The same information is gathered about foreign travelers, but it is held for 75 years.

DHS and other agencies are amassing more and more data that they subject to sophisticated analysis. A customs document issued last month stated that the agency does not perform data mining on border crossings to glean relationships and patterns that could signify a terrorist or law enforcement threat. But the Federal Register notice states that information may be shared with federal, state and local governments to test "new technology and systems designed to enhance border security or identify other violations of law." And the Homeland Security Act establishing the department calls for the development of data-mining tools to further the department's objectives. That raises concerns, privacy advocates say, that analyses can be undertaken that could implicate innocent people if appropriate safeguards are not used.

The border information system will link to a new database, the Non-Federal Entity Data System, which is being set up to hold personal information about all drivers in a state's database. States that do not agree to allow customs to have such large amounts of information may allow the agency to query their databases in real time for information on a traveler. Because of privacy concerns, Washington state earlier this year opted for the queries-only approach. The Canadian government made the same decision.

"There was absolutely no way they should have the entire database," said Ann Cavoukian, Ontario's privacy commissioner, who learned about the Canadian government's decision in April. "Once you have data in a database you don't need, it lends itself to unauthorized use," she said. "You have no idea of the data creep."
Vermont opted to allow access to its driver's licenses because the state could not guarantee the "nanoseconds" response time DHS required, said Bonnie L. Rutledge, the state's commissioner of motor vehicles. She said drivers are informed up front of the data sharing. "A person opts to go over the border, their information is going to be collected and held anyway," she said. "If you don't want to go over the border, you don't have to." The notice states that the government may share border records with federal, state, local, tribal or foreign government agencies in cases where customs believes the information would assist enforcement of civil or criminal laws or regulations, or if the information is relevant to a hiring decision. They may be shared with a court or attorney in civil litigation, which could include divorce cases; with federal contractors or consultants "to accomplish an agency function related to this system of records"; with federal and foreign intelligence or counterterrorism agencies if there is a threat to national or international security or to assist in anti-terrorism efforts; or with the news media and the public "when there exists a legitimate public interest in the disclosure of the information." Homeland Security is proposing to exempt the database from some provisions of the 1974 Privacy Act, including the right of a citizen to know whether a law enforcement or intelligence agency has requested his or her records and the right to sue for access and correction in those disclosures. A traveler may, however, request access to records based on documents he or she presented at the border. The notice is posted at the Government Printing Office's Web site. 
From rforno at infowarrior.org Wed Aug 20 13:40:53 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 20 Aug 2008 09:40:53 -0400
Subject: [Infowarrior] - TSA inspector damages 9 commuter planes
Message-ID:

Commuter Flights Grounded Thanks To Bumbling TSA Inspector
http://www.aero-news.net/index.cfm?ContentBlockID=340a79d6-839a-470d-b662-944325cea23d
Wed, 20 Aug '08

Damaged TAT Probes On Nine Jets While Conducting 'Security Checks'

They're the government... and remember, they're here to help. A bumbling inspector with the Transportation Safety Administration apparently has some explaining to do, after nine American Eagle regional jets were grounded at Chicago's O'Hare International Airport on Tuesday.

Citing sources within the aviation industry, ABC News reports an overzealous TSA employee attempted to gain access to the parked aircraft by climbing up the fuselage... reportedly using the Total Air Temperature (TAT) probes mounted to the planes' noses as handholds.

"The brilliant employees used an instrument located just below the cockpit window that is critical to the operation of the onboard computers," one pilot wrote on an American Eagle internet forum. "They decided this instrument, the TAT probe, would be adequate to use as a ladder."

Officials with American Eagle confirmed to ANN the problem was discovered by maintenance personnel, who inspected the planes Tuesday morning... and questioned why the TAT probes all gave similar error indications. One Eagle pilot says had the pilots not been so attentive, the damaged probes could have caused problems inflight. TSA agents "are now doing things to our aircraft that may put our lives, and the lives of our passengers at risk," the pilot wrote on the forum.

Grounding the planes to replace the TAT probes affected about 40 flights, according to American Airlines spokeswoman Mary Frances. "We think it's an unfortunate situation," she told ABCNews.com.
TSA conducts routine spot inspections of aircraft parked at commercial airports, according to agency spokesman Elio Montenegro. "Our inspector was following routine procedure for securing the aircraft that were on the tarmac," Montenegro said, adding the inspector was attempting to determine whether someone could break into the parked planes.

Pilots respond that agents are only allowed to check for unlocked cabin doors... a clear security risk, that could indeed compromise security. Indeed, regional airline Mesa Air Group notes "48 percent of all TSA investigations involving Mesa Air Group involve a failure to maintain area/aircraft security." It's unclear whether that duty also allows an inspector to paw around an aircraft, however.

E-I-C Note: This was an extraordinarily dangerous incident, folks. The TSA has neither the mandate nor the knowledge to inspect any aircraft for any reason. The stupidity of this matter is nearly unbelievable... until you hear that the TSA is involved... then it becomes understandable, though still tragic. And I can not tell you how frustrating it is, to see them continue to hurt an industry that they were created to protect. The TSA has NO BUSINESS putting untrained personnel in a position to damage aircraft. Their bizarre games, in the name of security, do NOTHING to enhance security and do much to inhibit safety. Aviation personnel -- pilots, A&P's, ground personnel -- are all either licensed or supervised by licensed personnel and this kind of tampering, had it been accomplished by anyone else, would have subjected that person to criminal charges. In this case, ANN strongly recommends and encourages the criminal prosecution of this so-called inspector and his immediate supervisors... it is a matter of time before one of these morons does something stupid and gets someone killed... and with the way these incidents are occurring, we believe it is a virtual certainty that a TSA "Inspector" will hurt or kill someone in such a manner.
No kidding. A few other notes.. ANN spoke directly to the TSA PAO in this story, Elio Montenegro... a man who desperately needs to get his stories straight. When ANN talked to him early Tuesday evening, Montenegro first stated that no aircraft were tampered with, and thereafter attempted to minimize the issue by stating that a TSA Inspector "may have touched" the aircraft... which American Eagle "sorta" objected to. He claimed that there was no attempt to enter the aircraft, and when he was asked if TSA was, in fact, authorized to attempt such an entry -- out of the sight/knowledge/supervision of American Eagle personnel -- he said that he thought that I had asked a good question, did not know the answer, and promised to get back to me... in direct conflict with other reported statements.

TSA can not keep their stories straight... and lying to the media... especially that part of the media that actually knows a thing or two about airplanes, was just plain foolish... if not a deliberate attempt to mislead. Mind you, this is the same agency that now wants to step up supervision and surveillance of the GA world. Would you trust these kind of folks around your airplane? I sure do not, and will not -- and the first time that I see a TSA person attempt any interaction with any aircraft under my control, I will call the cops and do my utmost to see that person charged with a crime... TSA can not be trusted around Air Transport airplanes... hell, TSA can not be trusted around GA... and TSA has shown us little or no reason why they should be trusted, in any way, with the security of the traveling public.

We're fed up with the incompetence of this organization... and while it was simply 'annoying' when they were sniffing our shoes or trying to rip off our laptops, it gets downright threatening when they start tampering with our airplanes. Yes... this is quite the rant and I admit to no end of frustration with this organization...
but I have to tell you, it's time to scrap the TSA and failing that, it is WAY past time that they be SEVERELY curtailed in their ability to harm others. Simply put, it's time to rein in the TSA... before they kill someone... if they haven't already. Rant over... for now. -- Jim Campbell, ANN E-I-C.

From rforno at infowarrior.org Wed Aug 20 13:42:26 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 20 Aug 2008 09:42:26 -0400
Subject: [Infowarrior] - Airline captain, lawyer, child on terror 'watch list'
Message-ID: <54FB1354-CF90-4B0B-BE14-E70B648B8644@infowarrior.org>

Airline captain, lawyer, child on terror 'watch list'
http://www.cnn.com/2008/US/08/19/tsa.watch.list/index.html

SAN FRANCISCO, California (CNN) -- James Robinson is a retired Air National Guard brigadier general and a commercial pilot for a major airline who flies passenger planes around the country.

James Robinson is a retired brigadier general and a commercial pilot. His name is on the terrorist "watch list."

He has even been certified by the Transportation Security Administration to carry a weapon into the cockpit as part of the government's defense program should a terrorist try to commandeer a plane.

But there's one problem: James Robinson, the pilot, has difficulty even getting to his plane because his name is on the government's terrorist "watch list."

That means he can't use an airport kiosk to check in; he can't do it online; he can't do it curbside. Instead, like thousands of Americans whose names match a name or alias used by a suspected terrorist on the list, he must go to the ticket counter and have an agent verify that he is James Robinson, the pilot, and not James Robinson, the terrorist.

"Shocking's a good word; frustrating," Robinson -- the pilot -- said. "I'm carrying a weapon, flying a multimillion-dollar jet with passengers, but I'm still screened as, you know, on the terrorist watch list."
The American Civil Liberties Union estimates more than 1 million names have been added to the watch list since the September 11 attacks. The FBI, which manages the Terrorist Screening Database, disputes that figure. It says that there are about 400,000 actual people on the list and that about 95 percent of those people are not U.S. citizens.

"There's going to come a point in time where everybody's on the list," Robinson said.

Robinson is not the only person with that name flagged on the list. Since airing a story this summer about how Correspondent Drew Griffin began getting told he was on the watch list -- coincidentally after he wrote a series critical of the TSA's Federal Air Marshal Service -- CNN has received dozens of e-mails and iReport submissions from viewers who also have found themselves on the watch list.

It turns out that three people named "James Robinson" found their names on the list in early 2005.

Besides the airline pilot, there's the James Robinson who served as U.S. attorney in Detroit, Michigan, and as an assistant attorney general in the Clinton administration; and James Robinson of California, who loves tennis, swimming and flying to the East Coast to see his grandmother. He's 8.

The third-grader has been on the watch list since he was 5 years old. Asked whether he is a terrorist, he said, "I don't know."

Though he doesn't even know what a terrorist is, he is embarrassed that trips to the airport cause a ruckus, said his mother, Denise Robinson.

Denise Robinson said that no one in the government even told her her son is on the watch list but that it wasn't hard to figure out. Checking in at curbside three years ago, the family was told they couldn't get boarding passes and were hustled to the ticket counter.
She said the ticket agent made a number of phone calls and kept asking which among her husband and two sons was James.

"And all of a sudden he says, 'How old is he?' " Robinson recounted. She said she responded numerous times, "He's 5."

The agent handed them paperwork and refused to tell them what the problem was but urged them to fill out the forms. The documents were Department of Homeland Security paperwork to get off the watch list. Not knowing which of the three might be targeted, she sent in the required documents for the entire family -- and got back one letter, addressed to James.

Congress has demanded that the TSA and Homeland Security fix the problems with the list that are making travel so difficult for so many Americans. Prominent lawmakers, including Massachusetts Sen. Edward Kennedy and civil rights leader-turned-Georgia congressman John Lewis, also have encountered watch list difficulties.

"I want the burden of clearing this up to be on the agencies that are the holders of responsibilities: the Department of Homeland Security and the attorney general of the United States," said Rep. Sheila Jackson Lee, D-Texas, who has called for investigations into why Griffin wound up on the list after his critical reporting.

The FBI won't confirm any name on the list. And the TSA says Kennedy and Lewis aren't on the list, even though they have been stopped.

But although the list is clearly bloated with misidentifications by every official's account, CNN has learned that it may also be ineffective.

Numerous people, including all three Robinsons, have figured out that there are ways not to get flagged by the watch list.

Denise Robinson says she tells the skycaps her son is on the list, tips heavily and is given boarding passes. And booking her son as "J. Pierce Robinson" also has let the family bypass the watch list hassle.

Capt. James Robinson said he has learned that "Jim Robinson" and "J.K. Robinson" are not on the list. And Griffin has tested its effectiveness.
When he runs his first and middle name together when making a reservation online, he has no problem checking in at the airport.

The TSA has said the problem lies with the airlines and threatened to fine airlines that tell passengers they are on the watch list. That didn't sit well with the airlines, who through the Air Transport Association said they have been waiting for four years for the TSA to come up with a fix.

Those comments apparently sparked a recent meeting between TSA chief Kip Hawley and airline representatives. Following that meeting, a spokesman for the ATA said the airlines and TSA would cooperate to make things work.

But then last week, Homeland Security Secretary Michael Chertoff seemed to re-ignite the controversy over who is to blame for the watch list failure.

"We told the airlines we would allow them, if someone gave a birth date, to exclude that person from the list," Chertoff said during a question-and-answer session at the University of Southern California. "Let the person get their boarding pass directly at home or at the kiosk, just like everyone else. Some airlines have done this; some have chosen not to because they don't want to spend the money."

Chertoff then implied that the financially strapped airlines might comply if they could make money from the process.

"And their attitude is, 'Well, TSA gets the blame for it,' so I guess if they can do what they are doing now with food and can charge you for it -- but I hate to suggest that. I may give them an idea," he said.

The ATA, the trade association for the airlines, said carriers will work with the TSA and said enrolling in a frequent-flyer program could help.

"We are now awaiting TSA's announced January 2009 implementation of the Secure Flight Program, which is expected to reduce the number of misidentified passengers," the association said in a written statement.
"In the meantime, the airlines worked collaboratively with TSA to further minimize unnecessary passenger inconvenience. ... A key part of that short-term solution relies on frequent-flier program enrollment to help resolve misidentification issues and as a result we are urging passengers to enroll."

All the Robinsons are enrolled in frequent-flyer programs, and all have filled out the paperwork that Chertoff said is an easy way to get them off the watch list. But it has been three years since all three James Robinsons filled out those forms, and their cases have yet to be resolved.

From rforno at infowarrior.org Wed Aug 20 19:10:19 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 20 Aug 2008 15:10:19 -0400
Subject: [Infowarrior] - Beloit College Mindset List for the Class of 2012
Message-ID:

(Yes, it's that time of the year again........--rf)

This month, almost 2 million first-year students will head off to college campuses around the country. Most of them will be about 18 years old, born in 1990 when headlines sounded oddly familiar to those of today: Rising fuel costs were causing airlines to cut staff and flight schedules; Big Three car companies were facing declining sales and profits; and a president named Bush was increasing the number of troops in the Middle East in the hopes of securing peace. However, the mindset of this new generation of college students is quite different from that of the faculty about to prepare them to become the leaders of tomorrow.

Each August for the past 11 years, Beloit College in Beloit, Wis., has released the Beloit College Mindset List. It provides a look at the cultural touchstones that shape the lives of students entering college. It is the creation of Beloit's Keefer Professor of the Humanities Tom McBride and Public Affairs Director Ron Nief.
The List is shared with faculty and with thousands who request it each year as the school year begins, as a reminder of the rapidly changing frame of reference for this new generation.

< - more - >

http://www.beloit.edu/mindset/2012.php

From rforno at infowarrior.org Wed Aug 20 23:28:49 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 20 Aug 2008 19:28:49 -0400
Subject: [Infowarrior] - WatchListed Fliers Can Sue, Appeals Court Rules
Message-ID: <3B82221C-DAA2-46E7-80E7-B6FB42C8834B@infowarrior.org>

Watch-Listed Fliers Can Sue, Appeals Court Rules
By Ryan Singel
August 20, 2008 | 1:20:36 PM
http://blog.wired.com/27bstroke6/2008/08/watch-listed--1.html

Airline passengers on the government's no-fly list can sue the government to get their names removed, according to a federal appeals court ruling Monday that swept aside complicated judicial rules that insulated the government from lawsuits over the sprawling list of suspected terrorists.

The decision (.pdf) marks the first time that an individual has been allowed to use the court -- rather than a form mailed to a Homeland Security office -- to contest their inclusion in the nation's secret anti-terrorism database.

In a recent interview, Homeland Security chief Michael Chertoff said such court reviews would destroy the watch lists and lead to another hijacking like 9/11. Those who continually run up against the list describe the experience of trying to figure out how to get off the list as Kafkaesque.

The U.S. 9th Circuit Court of Appeals decided 2-1 to overturn a lower court dismissal of the case on jurisdiction grounds. The lower court found that Congress protected the Transportation Security Administration's aviation safety orders from legal challenges in district court, and that the case had to be filed in the court of appeals first.
That essentially blocks any plaintiff from calling witnesses and subpoenaing documents -- leaving them with only the possibility of challenging the constitutionality of the order itself.

That notion struck Chief Judge Alex Kozinski as nonsensical:

    Just how would an appellate court review the agency's decision to put a particular name on the list? There was no hearing before an administrative law judge; there was no notice-and-comment procedure. For all we know, there is no administrative record of any sort for us to review. ... (the process of maintaining the No-Fly List is opaque). So if any court is going to review the government's decision to put Ibrahim's name on the no-fly list, it makes sense that it be a court with the ability to take evidence.

Kozinski, joined by James Otero, found instead that the TSA's no-fly and selectee lists were compiled and maintained by another agency -- the Terrorist Screening Center -- that wasn't protected, so the challenge can proceed.

Judge Randy Smith dissented, saying Congress clearly wanted to protect the TSA from such suits.

The case arose after a Malaysian woman studying at Stanford attempted to fly from San Francisco to Malaysia in January 2005, but United Airlines identified Rahinah Ibrahim as being on the no-fly list. The airline contacted the police, who called the TSA's intelligence service. There an employee named John Bondanella told police to detain and question Ibrahim, and call the FBI.

Ibrahim was handcuffed in front of her 14-year-old daughter and taken to the police station, where she was held for two hours until the FBI called to say let her go.

Ibrahim is suing the feds, United Airlines, San Francisco county and a number of individuals. She is also seeking an injunction to have her name removed from the list.

The appeals court, overturning the lower court, is also allowing Ibrahim to sue Bondanella personally.
She alleges that his order to detain her violated her constitutional rights, since the no-fly list is not a list of wanted terrorists, but rather a list of people suspected of being too dangerous to board a plane.

From rforno at infowarrior.org Thu Aug 21 01:06:59 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 20 Aug 2008 21:06:59 -0400
Subject: [Infowarrior] - Comcast to stop slowing BitTorrent traffic
Message-ID: <193D9873-97C1-4EEA-973B-E955C1E0763B@infowarrior.org>

Comcast to stop slowing BitTorrent traffic
http://www.electronista.com/articles/08/03/27/comcast.eases.torrents/

Comcast on Thursday made a surprise reversal of its past practices and said that it would halt its practice of blocking BitTorrent traffic on its cable Internet service. The provider revealed that it would instead work towards a management system on its network that will remain strictly neutral, preventing a bias towards or against any one distribution format. The move is publicly claimed as a recognition of the use of BitTorrent as a legitimate mechanism for business, which requires that it receives equal treatment along with other traffic, according to the company.

Adjusting these practices will demand that Comcast "rapidly reconfigure" its network monitoring but should more accurately reflect online reality, said the company's CTO, Tony Werner. Comcast noted that it was in discussions with BitTorrent for future plans and that it would openly publish its techniques to ensure that both customers and developers are aware of how data will behave on the cable network.

The Internet provider's action is widely understood to be a partial reaction to recent statements by FCC chair Kevin Martin, who argued this month that Comcast's approach to its Torrent-oriented practices was deceptive and didn't rule out the possibility of investigating the practice.
In its existing form, the Comcast technique uses software from SandVine that cuts the peer-to-peer BitTorrent or Gnutella links between Comcast subscribers and others on the Internet under certain conditions, severely limiting download and upload speeds. The cable firm admitted that its discussions with BitTorrent were meant to resolve problems without government intervention.

Comcast's gesture may also have been prompted by efforts on Verizon's part to optimize peer-to-peer traffic for known legitimate services, which the DSL service provider said would not only reduce costs on its end but improve the speed for end users.

From rforno at infowarrior.org Thu Aug 21 01:47:38 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 20 Aug 2008 21:47:38 -0400
Subject: [Infowarrior] - Another victory for fair-use rights
Message-ID:

Judge: Copyright Owners Must Consider 'Fair Use' Before Sending Takedown Notice
By David Kravets
August 20, 2008 | 6:21:03 PM
http://blog.wired.com/27bstroke6/2008/08/judge-copyright.html

In the nation's first such ruling, a federal judge on Wednesday said copyright owners must consider "fair use" of their works before sending takedown notices to online video-sharing sites.

The 10-page decision (.pdf) came a month after Universal Music told a San Jose, California federal judge that copyright owners need not consider the "fair use" doctrine before issuing takedown notices requiring online video-sharing sites to remove content. The doctrine, recognized by the Digital Millennium Copyright Act, permits limited use of copyright materials without the owner's permission.

"Even if Universal is correct that fair use only excuses infringement, the fact remains that fair use is a lawful use of a copyright," U.S. District Judge Jeremy Fogel ruled.

"Accordingly, in order for a copyright owner to proceed under the DMCA with 'a good faith belief that use of the material in the manner complained of is not authorized by the copyright owner, its agent, or the law,' the owner must evaluate whether the material makes fair use of the copyright."

Fogel added that an "allegation that a copyright owner acted in bad faith by issuing a takedown notice without proper consideration of the fair use doctrine thus is sufficient to state a misrepresentation claim."

The legal dispute decided Wednesday centers on a rarely used clause in the DMCA -- originally approved by Congress in 1998 -- allowing victims of meritless takedown notices to seek damages, in a bid to deter false notices and breaches of First Amendment speech. It is usually used when somebody issues a takedown notice and misrepresents ownership of the copyright.

The case considered a lawsuit brought by a Pennsylvania woman whose 29-second garbled video of her toddler dancing to Prince's "Let's Go Crazy" was removed last year after Universal sent YouTube a takedown notice under the DMCA.

The DMCA requires removal of material a rights holder claims is infringing its copyrights. If it isn't removed, legal liability can be placed on YouTube or other video-sharing sites. But the act also allows the uploader -- in this case, the Pennsylvania mother of the dancing toddler -- to demand the video be reposted online.

Universal did not challenge Stephanie Lenz's assertion that the video was a "fair use" of Prince's song. After being taken down for six weeks, the video went back online last year, having now generated about half a million hits.

The Electronic Frontier Foundation, which is representing Lenz, has asked the judge to award attorneys' fees and other unspecified monetary damages.
While there is no bright-line rule, the factors to consider whether a video uploaded to a file-sharing site is a fair use are: how much of the original work was used, whether the new use is commercial in nature, whether the market for the original work was harmed, and whether the new work is a parody.

Universal argued that copyright owners may lose the ability to respond rapidly to potential infringements if they are required to evaluate fair use prior to issuing takedown notices. Universal also argued that whether a particular use of copyrighted material constitutes fair use is a "fact-intensive inquiry," arguing that it is difficult for copyright owners to predict whether a court eventually may rule in their favor.

Fogel ruled that, "while these concerns are understandable, their actual impact likely is overstated. Although there may be cases in which such considerations will arise, there are likely to be few in which a copyright owner's determination that a particular use is not fair use will meet the requisite standard of subjective bad faith required to prevail in an action for misrepresentation."

Judge Fogel denied Universal's motion to dismiss Lenz's case -- freeing her to continue with her lawsuit seeking damages. Still, Judge Fogel said he had "considerable doubt that Lenz will be able to prove that Universal acted with subjective bad faith" when it sent YouTube the takedown notice.

Universal spokesman Peter Lofrumento seized on that language. "While the court merely declined to throw the case out at this early pleadings stage," Lofrumento said, "we remain confident that we will prevail in this matter."

Corynne McSherry, an EFF attorney, said the digital rights group intends on convincing the judge that Universal acted in bad faith when it sent the takedown notice last year. "We will overcome his doubts," she said.
From rforno at infowarrior.org Thu Aug 21 01:50:36 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 20 Aug 2008 21:50:36 -0400
Subject: [Infowarrior] - FTC Bans Pre-Recorded Telemarketer Calls
Message-ID: <3A374E47-DF6D-44E7-9218-BC4C98694887@infowarrior.org>

FTC Bans Pre-Recorded Telemarketer Calls
New rules said to protect consumer privacy
http://www.consumeraffairs.com/news04/2008/08/telemarketing_rules.html

From rforno at infowarrior.org Thu Aug 21 04:26:35 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 21 Aug 2008 00:26:35 -0400
Subject: [Infowarrior] - New Guidelines Would Give F.B.I. Broader Powers
Message-ID:

August 21, 2008
New Guidelines Would Give F.B.I. Broader Powers
By ERIC LICHTBLAU
http://www.nytimes.com/2008/08/21/washington/21fbi.html?_r=1&hp=&oref=slogin&pagewanted=print

WASHINGTON - A Justice Department plan would loosen restrictions on the Federal Bureau of Investigation to allow agents to open a national security or criminal investigation against someone without any clear basis for suspicion, Democratic lawmakers briefed on the details said Wednesday.

The plan, which could be made public next month, has already generated intense interest and speculation. Little is known about its precise language, but civil liberties advocates say they fear it could give the government even broader license to open terrorism investigations.

Congressional staff members got a glimpse of some of the details in closed briefings this month, and four Democratic senators told Attorney General Michael B. Mukasey in a letter on Wednesday that they were troubled by what they heard.

The senators said the new guidelines would allow the F.B.I. to open an investigation of an American, conduct surveillance, pry into private records and take other investigative steps "without any basis for suspicion."
The plan "might permit an innocent American to be subjected to such intrusive surveillance based in part on race, ethnicity, national origin, religion, or on protected First Amendment activities," the letter said. It was signed by Russ Feingold of Wisconsin, Richard J. Durbin of Illinois, Edward M. Kennedy of Massachusetts and Sheldon Whitehouse of Rhode Island.

As the end of the Bush administration nears, the White House has been seeking to formalize in law and regulation some of the aggressive counterterrorism steps it has already taken in practice since the Sept. 11 attacks.

Congress overhauled the federal wiretapping law in July, for instance, and President Bush issued an executive order this month ratifying new roles for intelligence agencies. Other pending changes would also authorize greater sharing of intelligence information with the local police, a major push in the last seven years.

The Justice Department is already expecting criticism over the F.B.I. guidelines. In an effort to pre-empt critics, Mr. Mukasey gave a speech last week in Portland, Ore., describing the unfinished plan as an effort to "integrate more completely and harmonize the standards that apply to the F.B.I.'s activities." Differing standards, he said, have caused confusion for field agents.

Mr. Mukasey emphasized that the F.B.I. would still need a "valid purpose" for an investigation, and that it could not be "simply based on somebody's race, religion, or exercise of First Amendment rights." Rather than expanding government power, he said, "this document clarifies the rules by which the F.B.I. conducts its intelligence mission."

In 2002, John Ashcroft, then the attorney general, allowed F.B.I. agents to visit public sites like mosques or monitor Web sites in the course of national security investigations. The next year, Mr. Bush issued guidelines allowing officials to use ethnicity or race in "narrow" circumstances to detect a terrorist threat.
The Democratic senators said the draft plan appeared to allow the F.B.I. to go even further in collecting information on Americans connected to "foreign intelligence" without any factual predicate. They also said there appeared to be few constraints on how the information would be shared with other agencies.

Michael German, a lawyer with the American Civil Liberties Union and a former F.B.I. agent, said the plan appeared to open the door still further to the use of data-mining profiles in tracking terrorism.

"This seems to be based on the idea that the government can take a bunch of data and create a profile that can be used to identify future bad guys," he said. "But that has not been demonstrated to be true anywhere else."

The Justice Department said Wednesday that in light of requests from members of Congress for more information, Mr. Mukasey would agree not to sign the new guidelines before a Sept. 17 Congressional hearing.

From rforno at infowarrior.org Thu Aug 21 17:35:40 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 21 Aug 2008 13:35:40 -0400
Subject: [Infowarrior] - RIAA does *not* represent the artists
Message-ID: <6F2573E1-A160-4ED7-9F6F-0137722049B9@infowarrior.org>

EMI/Virgin Records Sues Platinum Selling Band For $30 Million... Despite Not Paying Them A Dime In Royalties
from the the-music-business-at-work dept
http://techdirt.com/articles/20080820/0204472040.shtml

It's always fun to remember stories like the following one the next time you hear some RIAA exec claim that it represents musicians. The RIAA represents the record labels and record labels are continually at odds with musicians -- sometimes to extreme levels. Wired reported that EMI/Virgin Records had sued the band 30 Seconds To Mars for $30 million recently. The band is apparently fronted by movie star Jared Leto, and is considered something of a success. Its last album went platinum and won some awards. So why the lawsuit?
Well, EMI implied that the band failed to deliver its latest record on time, but members of the band have now responded with a very different story. Wired now points us to the response from 30 Seconds To Mars, where the band notes that the lawsuit appears to have a lot more to do with the band opting out of its contract. The band points out that, under California law, a contract of more than seven years is not valid -- and the contract EMI held with the band was for nine years. So why opt out? Perhaps this has something to do with it:

    If you think the fact that we have sold in excess of 2 million records and have never been paid a penny is pretty unbelievable, well, so do we. And the fact that EMI informed us that not only aren't they going to pay us AT ALL but that we are still 1.4 million dollars in debt to them is even crazier. That the next record we make will be used to pay off that old supposed debt just makes you start wondering what is going on. Shouldn't a record company be able to turn a profit from selling that many records? Or, at the very least, break even? We think so.

This is, of course, rather par for the course in the recording industry. As Courtney Love explained years ago, it's quite rare for a recording artist to ever see a dime of royalties from selling music. The label gives the band an "advance" which really isn't that much, and then uses some funky accounting tricks to claim all of the band's royalties as paying off that advance as well as covering other fees involved in the marketing and distribution of the album. In this case, apparently, despite selling 2 million records, EMI is still claiming that the band has $1.4 million to pay back. Not so long ago, we noted that Lyle Lovett was in the same boat: 4.6 million albums sold, no royalties paid. So, at what point will the press and politicians stop buying the RIAA's claims that it's looking out for the musicians and trying to get them paid?
The RIAA has always been in the business of not paying musicians. From rforno at infowarrior.org Thu Aug 21 21:46:27 2008 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 21 Aug 2008 17:46:27 -0400 Subject: [Infowarrior] - Teh Stupid: CA mayor shuts tween's produce stand Message-ID: <64732C86-D650-41AC-8BD9-27D58C0FE660@infowarrior.org> What an idiot......--rf Young girls fight produce stand closure Wednesday, August 20, 2008 | 8:22 AM By Terry McSweeney http://abclocal.go.com/kgo/story?section=news/local&id=6339365 CLAYTON, CA (KGO) -- Two young East Bay girls are trying to find out if you really can fight city hall. The youngsters are battling to get their produce stand back after the city of Clayton shut them down. The mayor himself is getting involved in this issue; he says the produce stand, operated by two young sisters, had to be shut down because of public safety and a zoning ordinance. But members of the Lewis family say - we have just begun to fight. On a Clayton street corner is where 11-year-old Katie and 3-year- old Sabrina Lewis had been selling their families surplus fruits and veggies - stuff like: "Zucchini, melons, tomatoes, radishes," said Sabrina Lewis. They did it for maybe four hours on Saturday mornings to make a little money. They haven't sold a thing since the police showed up recently in response to one complaint to the mayor's office. "They said traffic was being stopped and then they came up with we can't have a roadside stand and then they said it was a commercial enterprise," said Katie Lewis, former produce seller. As for the traffic issue, neighbor Terri Highsmith says there isn't one. "On the weekends is when I mostly notice them selling. I come and go a lot and I've never seen any traffic problems," said Highsmith. Clayton Mayor Gregg Manning disagrees. And wonders what Katie and Sabrina might do with that produce stand if the zoning laws weren't enforced. 
"They may start out with a little card-table and selling a couple of things, but then who is to say what else they have. Is all the produce made there, do they make it themselves? Are they going to have eggs and chickens for sale next," said Manning.

Lucky for Katie and Sabrina their folks don't have lemon trees.

"Lemonade stands are technically illegal, but they don't last long enough to do anything about," said Manning.

"I was extremely shocked," said Mike Lewis, father of Katie and Sabrina.

The girls' father is speaking about the city's decision to enforce the letter of the law, and run his girls out of business.

"There is always exceptions and compromises and ways to go around it. To this day, I haven't seen anything except 'no, you can't do it,'" said Mike Lewis.

"I wish everyone would follow the rules and not be just self-centered," said Manning.

"I've called the mayor a couple of times and he won't talk to me at all," said Mike Lewis.

"He knows the rules and chose to ignore them," said Manning.

"Why is this a problem?"

That last comment from one of the people who has signed a petition to bring the produce stand back. The petition circulated by its author 11-year-old Katie, suddenly the voice of reason in the middle of a controversy that's growing faster than:

"That big pumpkin over there," said Katie Lewis.

And that's getting bigger by the day. Mr. Lewis says he has approached the city planning commission - hoping to find a compromise making one last stand for his girls' produce stand. City planners meet next week - we will keep you posted.

(Copyright ©2008 KGO-TV/DT. All Rights Reserved.)

From rforno at infowarrior.org Fri Aug 22 01:47:55 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 21 Aug 2008 21:47:55 -0400
Subject: [Infowarrior] - MSFT patents "PageUp/PageDown" function
Message-ID:

....think this ranks up there with IBM getting the "paper or plastic?" patent reported last week. --rf

United States Patent 7,415,666
Sellers, et al.
August 19, 2008

Method and system for navigating paginated content in page-based increments

Abstract

A method and system in a document viewer for scrolling a substantially exact increment in a document, such as one page, regardless of whether the zoom is such that some, all or one page is currently being viewed. In one implementation, pressing a Page Down or Page Up keyboard key/button allows a user to begin at any starting vertical location within a page, and navigate to that same location on the next or previous page. For example, if a user is viewing a page starting in a viewing area from the middle of that page and ending at the bottom, a Page Down command will cause the next page to be shown in the viewing area starting at the middle of the next page and ending at the bottom of the next page. Similar behavior occurs when there is more than one column of pages being displayed in a row.

< - >

http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO1&Sect2=HITOFF&d=PALL&p=1&u=%2Fnetahtml%2FPTO%2Fsrchnum.htm&r=1&f=G&l=50&s1=7,415,666.PN.&OS=PN/7,415,666&RS=PN/7,415,666

From rforno at infowarrior.org Fri Aug 22 13:21:48 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 22 Aug 2008 09:21:48 -0400
Subject: [Infowarrior] - PR Push for Iraq War Preceded Intelligence Findings
Message-ID: <3D3234C5-4A60-4FBB-8C33-C79C83AB2D49@infowarrior.org>

PR Push for Iraq War Preceded Intelligence Findings
"White Paper" Drafted before NIE even Requested
National Security Archive Electronic Briefing Book No. 254
Posted - August 22, 2008
For more information contact: John Prados - (202) 994-7000

Washington D.C., August 22, 2008 - The U.S. intelligence community buckled sooner in 2002 than previously reported to Bush administration pressure for data justifying an invasion of Iraq, according to a documents posting on the Web today by National Security Archive senior fellow John Prados.
The documents suggest that the public relations push for war came before the intelligence analysis, which then conformed to public positions taken by Pentagon and White House officials. For example, a July 2002 draft of the "White Paper" ultimately issued by the CIA in October 2002 actually pre-dated the National Intelligence Estimate that the paper purportedly summarized, but which Congress did not insist on until September 2002.

A similar comparison between a declassified draft and the final version of the British government's "White Paper" on Iraq weapons of mass destruction adds to evidence that the two nations colluded in the effort to build public support for the invasion of Iraq.

Dr. Prados concludes that the new evidence tends to support charges raised by former White House press secretary Scott McClellan and by the Senate Select Committee on Intelligence in its long-delayed June 2008 "Phase II" report on politicization of intelligence.

< - >

http://www.gwu.edu/~nsarchiv/NSAEBB/NSAEBB254/index.htm

From rforno at infowarrior.org Fri Aug 22 13:43:06 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 22 Aug 2008 09:43:06 -0400
Subject: [Infowarrior] - DOD selecting firm for 'info ops' initiative in Iraq
Message-ID: <8E940D89-3BC9-4C12-88CD-6AEBF51EB596@infowarrior.org>

Military to select firm for 'info ops' initiative in Iraq
Ted McKenna
August 21 2008
http://www.prweekus.com/Military-to-select-firm-for-info-ops-initiative-in-Iraq/PrintArticle/115740/

BAGHDAD: The US military expects to hire a firm to provide "information operations" support in Iraq to counter insurgent misinformation tactics. The bids were due on Friday, August 22.

Army public affairs officer Paul Boyce said the reason for the RFP is primarily the military's need to counter misinformation spread by hostile parties.
Stopping rumors is a particular need for the Army, but finding out about those rumors is difficult if the language and culture of the area of operations is not well understood.

"We've had an insurgent population that has sought to kill our soldiers," Boyce said. "By communicating with people in Iraq in as many ways possible what we're trying to do to help them, and what we're trying to do to prevent people from using these ruthless roadside bombs that blow up people in streets, in schools and mosques, we find that a very important thing."

Work for the account involves a wide range of communications activities, including monitoring and analyzing Arabic and Western media; spokesperson training; and development and dissemination of TV, radio, newsprint, and Internet "information" products, according to the RFP, originally issued by the Department of the Army's Joint Contracting Command in late July. The minimum amount for the one-year contract, with two, one-year options to renew, is set at $250,000, and the maximum amount is $300 million.

Boyce noted that while the US military has gone to considerable effort to train soldiers in Arabic languages and improve their understanding of local culture, development of that sort of knowledge takes so much time and effort, and the need is so great that contractors are simply needed to meet the demand.

"Oftentimes, outside contractors bring outside talents or abilities, or previous experiences that might not necessarily be readily available within the government," Boyce said. "Or they can bring a dedicated resource to the task [that might] already be used elsewhere within the government."

As described in a "statement of work," provided by the department of Multi-National Force-Iraq called Strategic Communications Management Services, insurgents in Iraq have sought to discredit US and allied forces, as well as the Iraqi government, through various means, including psychological warfare, terrorism, murders, and other "asymmetric"
means intended to counter the US allied forces' stronger military.

Public affairs executives speaking on background said the contract has elicited a lot of attention from Washington agencies because of its potential size, but that firms with previous experience working in dangerous, high-security environments like Iraq -- such as Lincoln Group, The Rendon Group, and MPRI -- would have an inside track on winning the bid.

"The reasons that Lincoln Group and The Rendon Group are shoo-ins is that they tend to be the companies that know how to get people into the country," noted Don Meyer, cofounder of Rubin Meyer and a former communications strategist at the Department of Defense during the start of the Iraq war. "They have the security background and are willing to pay the insurance. Once you establish yourself as being able to do this, you tend to gain an advantage in bidding."

Executives at several multinational agencies said that they were aware of the contract, but chose not to bid for it because of the security and logistical difficulties of placing staff in Iraq and protecting them, as well as the advantage enjoyed by firms experienced in developing proposals for this type of work.

Neither Lincoln Group nor The Rendon Group responded for comment by press time.

From rforno at infowarrior.org Fri Aug 22 14:04:26 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 22 Aug 2008 10:04:26 -0400
Subject: [Infowarrior] - NBC: A Lesson in Media Economics
Message-ID: <27A7499B-7F14-4E5E-AB1C-374EFEB46780@infowarrior.org>

Interesting take on the NBC News Division's coverage during the Olympics from a WaPo reporter. --rf

The WaPo reporter starts off with this entry:

NBC News: Olympic Tout?
http://voices.washingtonpost.com/playback/2008/08/nbc_news_the_infomercial.html

< - >

In other words, "Nightly News," which rarely cares about sports, was out-reporting "SportsCenter," the leading sports-news broadcast on TV, about the Olympics. High-fives, NBC News!
But hold on a second. What I was really witnessing was a little lesson in media economics. The contrasting priorities of "SportsCenter" and NBC tell you loads about how money can drive the TV news agenda.

< - >

.... and then....

NBC News Responds
http://voices.washingtonpost.com/playback/2008/08/nbc_news_responds.html

(at which point the WaPo reporter takes 'em to task)

From rforno at infowarrior.org Fri Aug 22 14:12:41 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 22 Aug 2008 10:12:41 -0400
Subject: [Infowarrior] - Interview with MIT Subway Hacker Zack Anderson
Message-ID:

Exclusive Interview with MIT Subway Hacker Zack Anderson
By Chris Ladd
Published on: August 21, 2008
http://www.popularmechanics.com/technology/industry/4278892.html

It's rare that a hacker convention makes national news, but three MIT students caused a whole lot of controversy when they planned a presentation about security holes in Boston's subway system for DefCon in Las Vegas earlier this month. They were forced to cancel the talk at the last minute by a 10-day federal restraining order, requested by Boston's Massachusetts Bay Transit Authority (MBTA). On Tuesday, a judge denied motions by the MBTA to issue a preliminary injunction aimed at keeping the students quiet for a further five months. Now, in his most extensive interview to date, MIT subway hacker Zack Anderson talks with PM about what's wrong with the Charlie Card, what happened at DefCon, and what it's like to tango with the FBI and the MBTA.

Popular Mechanics: All this started as a class project at MIT -- is that right?

Zack Anderson: For Computer Network Security class, and it was basically the final project. We wanted to look at some system which might have some vulnerabilities, figure out what they were, and how some of those problems could be fixed if they existed. So we thought about fare collection systems for the subway, and we looked at the MBTA. It's local, so we could take a pretty extensive analysis.
What did you find?

We found quite a few things. Some significant physical security problems were present -- not technology related, just things that are very easily overlooked. People could hit a button in an open box and all the turnstiles would open. I mean, why resort to some high-tech hack when you could just hit a button?

We also looked at the Charlie Ticket, which is a magnetic card. Actually, the MIT Tech [the university's daily newspaper] has a good article that basically went over everything that was made public -- some of which came out through MBTA filings, not through anything we released. But the Charlie Ticket is [vulnerable to] cloning and forgery attacks. The cloning attack means that you can, say, take a $5 card and make two $5 cards. The forgery attack means you change the data on the cards to actually represent a new value. Both attacks are possible.

What about the RFID Charlie Card?

Yes, the Charlie Card is an RFID [radio-frequency identification] card which has weak encryption. And because of that weak encryption, there are ways to recover the key on the card, and the key allows you to read from and write to the card. So you could walk through a subway station without contact and kind of rub your briefcase with a little antenna in it against someone's pocket and grab their card's key. And then you could use that until it's depleted or deactivated or whatnot. That's always the danger with RFID cards -- you don't even need contact to read it.

So you wrote your report and gave your final presentation at MIT. How was it received?

It was very well received. People were pretty impressed and surprised that these vulnerabilities existed. This was toward the end of class. It might have been the very last day.

And you immediately start thinking about DefCon?

We'd been to DefCon before, and thought it would be pretty interesting to give a talk.
And we thought it was very applicable -- there's a lot of subway systems, a lot of them might be suffering from the same vulnerabilities, and it's really an important issue that needed to be addressed. And we thought DefCon would be an interesting venue.

So DefCon accepts your application, you start booking plane tickets and hotel rooms. What happens next?

A bit of time passed and around mid-July we e-mailed our professor, Ron Rivest, and asked if he could contact MBTA for us and tell them that we did this security analysis, this is what we found, and here's some ways to fix each of the problems. And also, you know, tell them we're giving this talk at DefCon, this is what we're going to discuss and also, this is a key point, that we were going to be withholding a few key details. We were not going to go over the full process to replicate the system, so people would not be able to replicate these attacks.

What was the reaction?

When Ron Rivest got back to us, he said, "You know, we have a serious problem." And we asked him what happened, and he said "The MBTA does not want to talk to me. They already know about the talk, and they said the FBI has been involved."

When you hear "FBI," that's got to be a bit chilling.

I couldn't believe it. I was like, "What have we done? The FBI? Why?" We were completely surprised. So we said, you know, we need to resolve this quickly. We need to call them back and set up a meeting to make sure there's trust here, to make sure they see what we've done, to make sure they see what we're planning on presenting so they have peace of mind. And also, our initial point was that MBTA needs to fix some of these problems, because they do exist.

You set up a meeting with the MBTA, I understand.

That's right. So at that meeting what was planned was an MBTA official to be present there, and we were going to have it at MIT's campus. So in walks someone from the MBTA [a detective], and behind him was a special agent from the FBI.
It was like, "This is a bit more serious." Because, you know, the MBTA told us "The FBI is investigating," but we didn't know how truthful that was. Certainly we thought there was some truth, like they'd contacted the FBI, but submitting some Web form is different from a full-on investigation. Having the FBI agent there made it more real. But after about a minute, I calmed down and realized that we needed to just show them that this is not a big deal, this is not a problem. There's no reason for the FBI to be concerned here. There's no reason for the MBTA to be concerned. Let's just lay out what it is we're doing, and what we found, and clear things up.

How did the meeting end?

It ended on a very good note. [The MBTA detective] said that he didn't see any reason why we shouldn't proceed with the talk. He said he would e-mail his supervisor and tell him that he met with us, and things are fine, and there's no problem. The FBI agent said, basically, this is not going to be an investigation. We don't have anything here. Don't worry about it.

So we told them we'd provide them a vulnerability report, going over what we found, and also methods that could fix these problems, and they said we could get that to them within two weeks. We had actually planned on getting it to them within the week, before business hours ended on Friday, so they'd have this in their hands before we gave the talk. We felt this was a courtesy we should give them. This report was not going over what we were speaking about at DefCon, that wasn't the point. Some other people at MBTA have claimed that it was, but the point of the report was to go over the vulnerabilities, and go over ways that they could fix them. That's what we provided them, and we got it to them that Friday.

So at the end of the week you get on a plane and fly to Las Vegas and go to DefCon?

Yes.
Friday was the first day of the conference and we went to a talk in the morning and we were having lunch when I got a call from an attorney from MIT, saying that the MBTA is in court right now and they're suing us and MIT. They're filing a lawsuit right now, basically, and nobody's in court for us -- just MBTA lawyers -- and we don't fully know what's going on.

(Photo: A Red Line train rolls into South Station in downtown Boston, Mass. Photo by Darren McCollester/Getty Images)

What did you do?

I don't remember exactly what happened in the rest of the conversation. I think it was just trying to figure out any information, what [MIT counsel] knew. I think he recommended at that point that, guys, we really need to get legal counsel. We went to the booth of the Electronic Frontier Foundation (EFF), and it was a little more hectic than, "Let's sit down." It was a little more like "Oh, God!" But yeah, all day Friday was really trying to get information about what was happening. We were communicating with the MBTA, their legal counsel. We got the paperwork from the federal docket.

Did they hire someone back in Boston right away?

They tried, but this was Friday and there was an emergency hearing scheduled for the next morning. So we were desperately trying to find someone in Boston that could help us, but in that time frame we weren't able to.

Did you have additional contact with the MBTA?

There was a little bit of contact. There was kind of a back-and-forth. I'd called some of the attorneys from the MBTA. I briefly spoke with kind of their only technical guy, who runs security on the fare systems. And at that point, we tried the best we could to show them that this is kind of out of line, and it's probably going to be counterproductive.
Because if there's one thing that people at DefCon don't like, it's a squelched talk. What they were hoping for was to not make this a big deal, and for us not to reveal details that would allow people to defraud the system, the latter of which we'd always maintained that we were not going to do.

Saturday is the hearing.

We were up all night preparing and we made a telephonic appearance in Boston court on Saturday morning. We didn't have anybody representing us in court, just on the phone, and MIT was present as well. At the end, the judge basically ruled in favor of MBTA and their motion, which was a temporary restraining order which basically blocked us from talking about anything that could possibly assist in any way someone circumventing the fare collection system. It became obvious that we had to cancel the talk. Then, it just really exploded from a media perspective. We answered what we could. But, the talk was clearly over.

There was no way to appeal the decision in that time frame. It was not possible, really. The problem was that they filed their paperwork in the last few minutes the court was open on Friday. We had this ruling when the courts were closed. At this point there's nothing you can do until Monday morning. We had been going on for 30-plus hours without sleep, and the fact was that it was kind of over. While we were very disappointed, it was a little bit ... it gave us a chance to breathe and sleep and stuff.

And you guys basically turned into DefCon celebrities.

It was definitely a pretty big issue. A lot of people were talking about it. A lot of people were coming up to us and were interested, but we really couldn't talk about much to anyone.

And the media takes a much larger interest as well, I'm sure.

There was a lot of disinformation, and really we saw that Monday when some of the national newspapers and stuff picked it up.
There was a lot of misinformation that the MBTA was claiming about the content of the talk, saying that we were going to allow people free subway rides for life. If you look at, if any technical person looks at the slides, they'll understand that there isn't enough information to do that. So I just tried to clear it up.

I guess when people see the word "hacker," it has a nefarious stigma to the general public, which is unfortunate because a lot of people consider themselves hackers when the average person would never say "That's a hacker." Most people hear hacker and they think it's some horrible person breaking into the system and causing havoc and damage.

So Sunday rolls around and the conference is over.

On Sunday, after Vegas was behind me, I kind of felt like "Oh my God, what happened this week?" because it was pretty shocking. My first weekend in Vegas after turning 21. Who would've thought that this was going to be the excitement? A federal lawsuit?

Then, Tuesday was the really big court hearing where some of my attorneys flew out to Boston, a couple local attorneys were there, and the rest of us listened in on the telephone. It was probably about an hour and a half long, both sides presented their case, and at the end the judge spoke about how he saw the law, how he interpreted the case, and kind of went over the conflicting interests. So for the first 10 minutes he was kind of not really siding with one side, showing both sides. And then it started to get exciting when he started saying how the MBTA didn't really have a claim under the Computer Fraud and Abuse Act for several reasons. There are several things that need to be met under the act and a multiple of them did not apply in this case.

What was your reaction?

I actually muted the phone during the entire hearing, just in case there was any sound that I didn't want to blast through the courtroom. But, yeah, it was pretty exciting listening in as the judge started to slant our way.
And in the end, when he both lifted the TRO [temporary restraining order] and lifted the previous judge's order, and he threw out the MBTA's motion for a preliminary injunction that would last five months, it was really relieving. It was really satisfying that the court interpreted the law correctly.

What happens next? There's still a lawsuit from the MBTA, right?

Probably the next thing is, hopefully at this point we'll be able to settle this and make it go away. If not, we're going to have to file a motion to dismiss the case, but I think, and I definitely hope, that things are kind of over now. We didn't give the talk, which was I think a primary aim that they had. That was effective on their part. And, you know, we still maintain that we never planned on releasing all of the details. Even though now we're allowed to, we're still not going to.

What do you think the legal implications of the case will be in the future?

I think that's a question best posed to the EFF, but definitely this was one of the first cases where the Computer Fraud and Abuse Act was tested in such a way that the MBTA tried to apply to speech, and the judge threw it out. So there was some uncharted territory that was tested here. Certainly if the court had ruled the other way, that would have set a very problematic precedent for the security research community in general.

You're heading back to MIT soon. You guys are going to be something like celebrities on campus.

One blog called us "veritable hacking heroes." I don't know if it's justified to be "heroes" or something. Again, I feel this turned into this huge production when really, it wasn't a huge issue to start with. To be a hero, you need to have done something absolutely amazing on its own merits. I think we did a very thorough security research project, and the presentation that we were going to give and the work was very good.
We stood up there and we got through this, but I think that really, the true heroes in this case are our lawyers because they're the ones that fought this case, and they're the ones that won at least this first motion to throw out the restraining order and throw out the preliminary injunction. If anyone's a hero in this case, I'd say it's our attorneys.

From rforno at infowarrior.org Fri Aug 22 18:59:12 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 22 Aug 2008 14:59:12 -0400
Subject: [Infowarrior] - Annals of the Patently Absurd
Message-ID:

(based on a previous post to the list......rf)

Annals of the Patently Absurd
http://radar.oreilly.com/2008/08/annals-of-the-patently-absurd-1.html

From rforno at infowarrior.org Fri Aug 22 19:14:23 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 22 Aug 2008 15:14:23 -0400
Subject: [Infowarrior] - New attack against multiple encryption functions
Message-ID: <13F32938-AD5F-43AB-90E5-0C0D07A2AAFF@infowarrior.org>

New attack against multiple encryption functions
New mathematical attack works against a broad range of cryptographic functions.
Carl Jongsma
22/08/2008 10:01:00
http://www.computerworld.com.au/index.php/id;1395888957;fp;;fpid;;pf;1

Unless you're a dyed-in-the-wool cryptographic geek you probably didn't know that there was a Crypto conference, or even a chain of worldwide crypto conferences that take place each year. Fortunately, for most of us that aren't crypto geeks there are a handful of very highly skilled people who are; they can take the highly theoretical and complex mathematical proofs and arguments that make up most of modern cryptographic and cryptanalytic research and put it into plain language.

Probably the best known is Bruce Schneier, who is a dedicated crypto geek famous for his general Information Security and cryptographic work; including being responsible (or partly responsible) for ciphers such as Blowfish and Twofish.
From his blog he has provided a tantalising suggestion that one of the most famous names in cryptography is introducing a new form of cryptanalysis. Adi Shamir, who is the S in RSA, has presented material at the Crypto 2008 conference that has promised a new form of mathematical attack against a broad range of cryptographic ciphers, including hash functions (such as MD5, SHA-256), stream ciphers (such as RC4), and block ciphers (such as DES, Triple-DES, AES).

The new method of cryptanalysis has been called a "cube attack" and formed part of Shamir's invited presentation at Crypto 2008 - "How to solve it: New Techniques in Algebraic Cryptanalysis".

Comments from people who saw the presentation and had a chance to speak with Shamir (drawn from the comments in Schneier's blog) indicate that the new attack method isn't necessarily going to work against the exact ciphers listed above, but it presents a new generic attack method that can target basically formed ciphers irrespective of the basic cipher method in use, provided that it can be described in a "low-degree polynomial equation".

Without access to the paper (expected to be published later this year), the full scope of the discovery can't be easily determined. It may be that it delivers an order of magnitude improvement over existing methods, but implementation will still take such a long period of time that it is effectively impractical for attack against time sensitive content. Then again, it may be that it has brought it into a viable timeframe, something that can be achieved with a handful of modern machines - nothing that is too far out of reach of the motivated and resourced attacker.

What may be the biggest outcome from this research is the range of devices in widespread use that use weaker cryptographic protection, due to power or size limitations, that are now vulnerable to a straightforward mathematical attack.
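Why the "low-degree polynomial" condition matters, shown on a toy. This is an added example, not code from Shamir's talk or from the article: a constructed degree-3 polynomial over GF(2) in three public bits and three key bits stands in for a cipher, and the cube choices and secret key are constructed too. Summing the output over a "cube" of public bits leaves a lower-degree "superpoly" in the key; when that superpoly is linear, the key bits fall out of a small linear system.

```python
"""Toy cube-attack illustration on a constructed degree-3 polynomial over GF(2) in three
public bits v and three key bits k (added example, not code from Shamir's talk or the article)."""
from itertools import product

# Constructed p(v, k) = v0 v1 k0 + v0 v1 v2 + v0 k1 + v1 v2 k2 + v1 k0 k1 + v2 + k2; monomials as (public idx, key idx).
TOY_POLY = [((0, 1), (0,)), ((0, 1, 2), ()), ((0,), (1,)), ((1, 2), (2,)),
            ((1,), (0, 1)), ((2,), ()), ((), (2,))]
N_KEY = 3

def toy_cipher(v, k):
    """Black-box oracle: one output bit for public bits v and key bits k."""
    out = 0
    for pub, sec in TOY_POLY:
        term = 1
        for i in pub:
            term &= v[i]
        for j in sec:
            term &= k[j]
        out ^= term
    return out

def cube_sum(f, cube, fixed_pub):
    """XOR f(v) over all 2^|cube| settings of the cube bits, other public bits fixed.
    Over GF(2) every monomial missing a cube bit cancels, so the sum is the 'superpoly'
    multiplying the cube monomial; its degree is at most deg(p) - |cube|."""
    total = 0
    for bits in product((0, 1), repeat=len(cube)):
        v = list(fixed_pub)
        for idx, b in zip(cube, bits):
            v[idx] = b
        total ^= f(v)
    return total

def superpoly_at(oracle, cube, fixed_pub, key):
    """Superpoly value for a chosen key (offline only: needs a model of the cipher)."""
    return cube_sum(lambda v: oracle(v, key), cube, fixed_pub)

def superpoly_is_linear(oracle, cube, fixed_pub, n_key):
    """Offline BLR test, f(a ^ b) == f(a) ^ f(b) ^ f(0); exhaustive since n_key is tiny."""
    keys = list(product((0, 1), repeat=n_key))
    f = {k: superpoly_at(oracle, cube, fixed_pub, list(k)) for k in keys}
    zero = tuple([0] * n_key)
    for a, b in product(keys, keys):
        ab = tuple(x ^ y for x, y in zip(a, b))
        if f[ab] != f[a] ^ f[b] ^ f[zero]:
            return False
    return True

def linear_superpoly(oracle, cube, fixed_pub, n_key):
    """Offline: superpoly = const ^ XOR_i coeffs[i]*k[i], read off with unit-vector keys."""
    zero = [0] * n_key
    const = superpoly_at(oracle, cube, fixed_pub, zero)
    coeffs = []
    for i in range(n_key):
        unit = zero[:]
        unit[i] = 1
        coeffs.append(superpoly_at(oracle, cube, fixed_pub, unit) ^ const)
    return const, coeffs

def preprocess(oracle, cubes, n_key):
    """Offline phase: keep only cubes whose superpoly is linear in the key."""
    equations = []
    for cube, fixed_pub in cubes:
        if superpoly_is_linear(oracle, cube, fixed_pub, n_key):
            const, coeffs = linear_superpoly(oracle, cube, fixed_pub, n_key)
            equations.append((cube, fixed_pub, const, coeffs))
    return equations

def solve_gf2(rows, n):
    """Gauss-Jordan over GF(2); rows are (coeffs, rhs). None if rank < n."""
    rank = 0
    for col in range(n):
        piv = next((i for i in range(rank, len(rows)) if rows[i][0][col]), None)
        if piv is None:
            continue
        rows[rank], rows[piv] = rows[piv], rows[rank]
        for i in range(len(rows)):
            if i != rank and rows[i][0][col]:
                rows[i] = ([x ^ y for x, y in zip(rows[i][0], rows[rank][0])],
                           rows[i][1] ^ rows[rank][1])
        rank += 1
    # Full rank means row i is the pivot row of column i, so the rhs column is the solution.
    return [rhs for _, rhs in rows[:n]] if rank == n else None

def online_attack(keyed_oracle, equations, n_key):
    """Online phase: only keyed_oracle(v) for the unknown fixed key is queried."""
    rows = [(list(coeffs), cube_sum(keyed_oracle, cube, fixed_pub) ^ const)
            for cube, fixed_pub, const, coeffs in equations]
    return solve_gf2(rows, n_key)

# Constructed cube choices; the last one's superpoly (k0 + k0 k1) is non-linear and gets dropped.
CUBES = [((0, 1), [0, 0, 0]), ((1, 2), [0, 0, 0]), ((0,), [0, 0, 0]), ((1,), [1, 0, 0])]
SECRET_KEY = [1, 0, 1]  # constructed; the online phase never reads it directly

def demo():
    """Run both phases against the toy cipher and return the recovered key bits."""
    equations = preprocess(toy_cipher, CUBES, N_KEY)
    return online_attack(lambda v: toy_cipher(v, SECRET_KEY), equations, N_KEY)
```

The degree bound in cube_sum is the whole point: a cipher whose output is a high-degree polynomial in its inputs leaves superpolys that are still non-linear, and the linear-system step never starts.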
This might mean that some content delivery systems or simple communications channels are now vulnerable to a viable attack, or it could just form the basis of interesting class work for budding cryptographers and cryptanalysts. Either way, it is something that will be worth watching over the next 12-18 months to see how it evolves.

From rforno at infowarrior.org Fri Aug 22 19:35:57 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 22 Aug 2008 15:35:57 -0400
Subject: [Infowarrior] - Take That, Stupid Printer!
Message-ID:

Take That, Stupid Printer!
How to fight back against the lying, infuriating, evil ink-and-toner cabal.
By Farhad Manjoo
Posted Thursday, Aug. 21, 2008, at 3:21 PM ET
http://www.slate.com/id/2198316/

I bought a cheap laser printer a couple years ago, and for a while, it worked perfectly. The printer, a Brother HL-2040, was fast, quiet, and produced sheet after sheet of top-quality prints -- until one day last year, when it suddenly stopped working. I consulted the user manual and discovered that the printer thought its toner cartridge was empty. It refused to print a thing until I replaced the cartridge.

But I'm a toner miser: For as long as I've been using laser printers, it's been my policy to switch to a new cartridge at the last possible moment, when my printouts get as faint as archival copies of the Declaration of Independence. But my printer's pages hadn't been fading at all. Did it really need new toner -- or was my printer lying to me?

To find out, I did what I normally do when I'm trying to save $60: I Googled. Eventually I came upon a note on FixYourOwnPrinter.com posted by a fellow calling himself OppressedPrinterUser. This guy had also suspected that his Brother was lying to him, and he'd discovered a way to force it to fess up.
Brother's toner cartridges have a sensor built into them; OppressedPrinterUser found that covering the sensor with a small piece of dark electrical tape tricked the printer into thinking he'd installed a new cartridge. I followed his instructions, and my printer began to work. At least eight months have passed. I've printed hundreds of pages since, and the text still hasn't begun to fade. On FixYourOwnPrinter.com, many Brother owners have written in to thank OppressedPrinterUser for his hack. One guy says that after covering the sensor, he printed 1,800 more pages before his toner finally ran out.

Brother isn't the only company whose printers quit while they've still got life in them. Because the industry operates on a classic razor-and-blades business model -- the printer itself isn't pricy, but ink and toner refills cost an exorbitant amount -- printer manufacturers have a huge incentive to get you to replace your cartridges quickly. One way they do so is through technology: Rather than printing ever-fainter pages, many brands of printers -- like my Brother -- are outfitted with sensors or software that try to predict when they'll run out of ink. Often, though, the printer's guess is off; all over the Web, people report that their printers die before their time.

Enter OppressedPrinterUser. Indeed, instructions for fooling different laser printers into thinking you've installed a new cartridge are easy to come by. People are even trying to sell such advice on eBay. If you're at all skilled at searching the Web, you can probably find out how to do it for free, though. Just Google some combination of your printer's model number and the words toner, override, cheap, and perhaps lying bastards. Similar search terms led me to find that many Hewlett-Packard printers can be brought back to life by digging deep into their onboard menus and pressing certain combinations of buttons. (HP buries these commands in the darkest recesses of its instruction manuals -- see Page 163 of this PDF.)
Some Canon models seem to respond well to shutting the printer off for a while; apparently, this resets the system's status indicator. If you can't find specific instructions for your model, there are some catchall methods: Try removing your toner cartridge and leaving the toner bay open for 15 or 20 seconds?the printer's software might take that as a cue that you've installed a new cartridge. Vigorously shaking a laser toner cartridge also gets good results; it breaks up clumps of ink and bathes the internal sensor in toner. These tricks generally apply to laser printers. It's more difficult to find ways to override ink-level sensors in an inkjet printer, and, at least according to printer manufactures, doing so is more dangerous. I was able to dig up instructions for getting around HP inkjets' shut- off, and one blogger found that coloring in his Brother inkjet cartridge with a Sharpie got it to print again. But I had no luck for Epson, Lexmark, Canon, and many other brands of inkjets. There are two reasons manufacturers make it more difficult for you to keep printing after your inkjet thinks it's out of ink. First, using an inkjet cartridge that's actually empty could overheat your printer's permanent print head, leaving you with a useless hunk of plastic. Second, the economics of the inkjet business are even more punishing than those of the laser business, with manufacturers making much more on ink supplies than they do on printers. Inkjet makers have a lot riding on your regular purchases of ink?and they go to great lengths to protect that market. In 2003, the British consumer magazine Which? found that inkjet printers ask for a refill long before their cartridges actually go dry. After overriding internal warnings, a researcher was able to print 38 percent more pages on an Epson printer that had claimed it didn't have a drop left. 
Lawyers in California and New York filed a class-action lawsuit against Epson; the company denied any wrongdoing, but it settled the suit in 2006, giving customers a $45 credit. A similar suit is pending against Hewlett-Packard. There's also a long-standing war between printer makers and third- party cartridge companies that sell cheap knockoff ink packs. In 2003, Lexmark claimed that a company that managed to reverse-engineer the software embedded in its printer cartridges was violating copyright law. Opponents of overbearing copyright protections were alarmed at Lexmark's reach; copyright protections have traditionally covered intellectual property like music and movies, not physical property like printer cartridges. A federal appeals court dismissed Lexmark's case, but manufacturers have recently been successful in using patent law to close down third-party cartridge companies. In the long run, though, the printer companies' strong line against cartridge makers seems destined to fail. Buying ink and toner is an enormous drag. Having to do it often, and at terribly steep prices, breeds resentment?made all the worse by my printer's lying ways. Some companies are realizing this. When Kodak introduced a new line of printers last year, it emphasized its low ink costs. Kodak claims that its cartridges last twice as long as those of other printers and sell for just $10 to $15 each, a fraction of the price of other companies' ink. When my Brother finally runs dry, perhaps I won't replace the toner?I'll replace the printer. 
From rforno at infowarrior.org Sat Aug 23 03:39:33 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 22 Aug 2008 23:39:33 -0400
Subject: [Infowarrior] - Technical Flaws Hinder Terrorist Watch List;
Message-ID: <84FB6EFA-905A-4948-8346-99554C54DF1B@infowarrior.org>

Releases :: August 21, 2008

Technical Flaws Hinder Terrorist Watch List; Congress Calls for Investigation
http://science.house.gov/press/PRArticle.aspx?NewsID=2289

(Washington, DC) -- Today, the Chairman of the House Science and Technology Committee's Investigations and Oversight Subcommittee sent a letter to the Inspector General of the Office of the Director of National Intelligence (ODNI) requesting an investigation of the technical failure and mismanagement of one of the government's most important counterterrorism programs.

The "Railhead" program was intended to improve the terrorist watch list and enhance the integration of U.S. terrorist intelligence from the nation's 16 separate intelligence agencies as recommended by the National Commission on Terrorist Attacks Upon the United States or 9/11 Commission. In addition, it was supposed to provide an integrated information infrastructure that government counterterrorism analysts could rely on to identify current and future terrorist threats and possibly predict and prevent the next terrorist attack.

Situated at the National Counterterrorism Center (NCTC), the "Railhead" program was the celebrated superstar of the NCTC's most promising and important counterterrorism programs. Yet the program appears to be on the brink of collapse after an estimated half-billion dollars in taxpayer funding has been spent on it. In recent weeks, the majority of more than 800 private contractors from dozens of companies working on Railhead have been laid off. Only a few dozen reportedly remain.

Government managers, who were supposed to be providing vigilant oversight and clear direction on Railhead, finally realized that technical problems identified many months ago were insurmountable. Officials at NCTC drastically curtailed the troubled program last week and have implemented a major reorganization of Railhead to help repair the technical design flaws and improve government oversight. A Subcommittee staff memo to Chairman Miller detailed many of these problems.

"This is a critical national security program that has been plagued by technical design and development errors, basic management blunders and poor government oversight," said Chairman Brad Miller (D-NC). "The program not only can't connect the dots, it can't find the dots."

Railhead was intended to update and enhance the National Counterterrorism Center's terrorist intelligence database called TIDE or Terrorist Identities Datamart Environment that provided the backbone of the FBI's consolidated terrorist watch list. It was also supposed to improve two related information technology programs at the NCTC, TIDE Online (TOL), an unclassified version of the TIDE database, and NCTC Online (NOL), a classified repository of terrorist information and finished intelligence reports from across the government's intelligence community that is accessible to counterterrorism analysts.

The Railhead program had been undergoing an internal technical implosion for more than one year. But public statements and sworn public testimony to Congress from senior officials within the NCTC and the Office of the Director of National Intelligence (ODNI) never revealed the mounting technical troubles, poor contractor management or lax government oversight that appears to have been endemic throughout the program and has led to Railhead's colossal failure.

Astoundingly, the Director of NCTC and the Director of National Intelligence have both specifically pointed to TIDE and NCTC Online as hallmarks of the government's information sharing accomplishments. Last February, the Director of National Intelligence, J. M. McConnell, and his Chief Information Officer, Dale Meyerrose, issued a report outlining the U.S. Intelligence Community's "Information Sharing Strategy." The report emphasized that "time is of the essence" in improving information sharing among intelligence agencies and said: "The tragic events of September 11, 2001, demonstrated that the United States needed greater integration across the Intelligence Community and improved information sharing to respond to evolving threats and to support new homeland security customers." Furthermore, it boasted, "NCTC has developed innovative solutions, including NCTC Online and Terrorist Identities Datamart Environment, to increase information sharing and collaboration in support of the counterterrorism mission."

Yet internal Railhead documents paint a very different and troubling picture of these programs. Not only do existing technical impediments drastically hinder the ability of the current TIDE database to operate effectively and efficiently, but the planned design and development upgrade to TIDE, TIDE Online and NCTC Online have come under intense criticism within the Railhead program. This analysis has shown that the planned upgrades to these programs would actually diminish, not improve, their capabilities, limiting the ability to share terrorist intelligence data among federal agencies and crippling the ability of counterterrorism analysts to conduct searches of these databases.

Most disturbingly, the Subcommittee understands that tens of thousands of potentially vital CIA messages flowing into NCTC have not been properly processed, reviewed or included in the existing TIDE database. As a result, it is impossible to tell if critical terrorist intelligence sits in a U.S. government file somewhere that has not been properly vetted, distributed or pursued. Similar government failures occurred before the 1993 bombing of the World Trade Center and the September 11, 2001 terrorist attacks. It is imperative that current technical problems on the TIDE database be identified and corrected before enhancements are made to other NCTC information systems.

"The collapse of the Railhead program appears to be the result of poor technical planning and design, potential contractor mismanagement and inadequate government oversight," said Miller. "These same problems have emerged again and again on government programs as millions of dollars in taxpayer funding is squandered. At some point the government needs to learn how to manage its technology programs so that they actually perform as advertised. This episode is particularly disturbing since we are talking about the safety and security of 300 million American citizens," Miller added. "I have asked the Inspector General to investigate this program thoroughly and recommend potential lessons learned for future government programs. We can't just keep making the same mistakes again and again."

For more information or to view the letter please visit the Committee's website.

From rforno at infowarrior.org Sat Aug 23 03:39:46 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 22 Aug 2008 23:39:46 -0400
Subject: [Infowarrior] - NYT Editorial: A New Rush to Spy
Message-ID:

August 22, 2008
Editorial
A New Rush to Spy
http://www.nytimes.com/2008/08/22/opinion/22fri2.html?_r=1&oref=slogin&pagewanted=print

There is apparently no limit to the Bush administration's desire to invade Americans' privacy in the name of national security. According to members of Congress, Attorney General Michael Mukasey is preparing to give the F.B.I. broad new authority to investigate Americans -- without any clear basis for suspicion that they are committing a crime. Opening the door to sweeping investigations of this kind would be an invitation to the government to spy on people based on their race, religion or political activities. Before Mr. Mukasey goes any further, Congress should insist that the guidelines be fully vetted, and it should make certain that they do not pose a further threat to Americans' civil liberties.

Mr. Mukasey has not revealed the new guidelines. But according to senators whose staff have been given limited briefings, the rules may also authorize the F.B.I. to use an array of problematic investigative techniques. Among these are pretext interviews, in which agents do not honestly represent themselves while questioning a subject's neighbors and work colleagues.

Four Democratic Senators -- Russ Feingold of Wisconsin, Sheldon Whitehouse of Rhode Island, Richard Durbin of Illinois and Edward Kennedy of Massachusetts -- have written to Mr. Mukasey and urged him not to sign the guidelines until they are publicly announced and national security and civil liberties experts have had a chance to analyze them. We concur, and we would add that there should be full Congressional hearings so Americans can learn what new powers the government intends to take on.

The F.B.I. has a long history of abusing its authority to spy on domestic groups, including civil rights and anti-war activists, and there is a real danger that the new rules would revive those dark days. Clearly, the Bush administration cannot be trusted to get the balance between law enforcement and civil liberties right. It has repeatedly engaged in improper and illegal domestic spying -- notably in the National Security Agency's warrantless eavesdropping program.

The F.B.I. and the White House no doubt want to push the changes through before a new president is elected. There is no reason to rush to adopt rules that have such important civil liberties implications.
From rforno at infowarrior.org Sun Aug 24 05:09:00 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 24 Aug 2008 01:09:00 -0400
Subject: [Infowarrior] - We're Teaching Books That Don't Stack Up
Message-ID: <09F8DA0F-075F-4CD1-A0E9-15EAF85E3CC4@infowarrior.org>

We're Teaching Books That Don't Stack Up
By Nancy Schnog
Sunday, August 24, 2008; B01
http://www.washingtonpost.com/wp-dyn/content/article/2008/08/22/AR2008082202398_pf.html

Browsing in Barnes & Noble one recent afternoon, I found myself drawn to the "Summer Reading" table, where neatly stacked piles of books by Charles Dickens and John Steinbeck and Zora Neale Hurston sat waiting for the teenagers who were supposed to read them by the first day of school. Gazing at the gleaming covers, I had to wonder how many students were in fact turning the pages with any real desire to get to the next one.

It's the time of year when I'm reminded of my twisted fate as a high-school English teacher. According to the National Endowment for the Arts, more teens and young adults are dropping literary reading than any other age group in America. "The percentage of 17-year-olds," it reports, "who read nothing at all for pleasure has doubled" in the past 20 years. I teach juniors and seniors -- yes, 17-year-olds.

If ever there were a teaching conundrum, today's high-school English teachers are smack in the middle of it. It's our job to take digital natives -- teens saturated with images in video games and on YouTube -- and get them to strike up a relationship with pictureless chains of black print and focus on the decidedly internal rewards of classical literature. More and more, this mission feels like blind idealism. But as school starts up again, it's time to acknowledge that the lure of visual media isn't the only thing pushing our kids away from the page and toward the screen.

We've shied away from discussing a most unfortunate culprit in the saga of diminishing teen reading: the high-school English classroom. As much as I hate to admit it, all too often it's English teachers like me -- as able and well-intentioned as we may be -- who close down teen interest in reading.

"Butchering." That's what one of my former students, a young man who loves creative writing but rarely gets to do any at school, called English class. He was referring to the endless picking apart of linguistic details that loses teens in a haze of "So what?" The reading quizzes that turn, say, "Hamlet" into a Q&A on facts, symbols and themes. The thesis-driven essay assignments that require students to write about a novel they can't muster any passion for ("The Scarlet Letter" is high on teens' list of most dreaded). I'll never forget what one parent, bemoaning his daughter's aversion to great books after she took AP English Literature, wrote to me: "What I've seen teachers do is take living, breathing works of art and transform them into desiccated lab specimens fit for dissection."

As someone who teaches in private schools, I find this especially painful to acknowledge. I haven't been constrained in my teaching methods by Standards of Learning or No Child Left Behind testing. But even where teachers are free to design their own "best practices," I've been amazed at the chasm between their sense of purpose in their curricular choices and teens' sense that what they choose for them is irrelevant. Ironically, kids' turn-off to books can originate in teachers' hopes of turning them on.

How do I know? Because kids tell me. Every June, when I asked my students at a previous school to write about a favorite book of the year, they mostly gushed over two: J.D. Salinger's "The Catcher in the Rye" and F. Scott Fitzgerald's "The Great Gatsby." For years, "Catcher" served as a successful icebreaker for my juniors, exciting debate while eliding the gender divide. Whether they admired Holden Caulfield's quirkiness or disparaged him as a jerk, both my male and female students were eager to argue about him.

So imagine my dismay when "Catcher" was demoted to the eighth or ninth grade. Apparently it wasn't sophisticated enough for 11th-graders, its language too facile, the plot insufficiently complex. That many 17-year-olds identify powerfully with Salinger's 17-year-old protagonist was a fact cast by the wayside. But here's what a former student wrote in an essay about this book that knocked her socks off: "To my twelve-year-old self, the book didn't seem to move anywhere. I didn't understand why Holden couldn't just try a little harder at school. By tenth grade, I had been drunk for the first time. I knew rebellion against my parents, the difficulties of teenage romance, the fakeness of social interaction. As a reader in the eleventh grade, I grew close to Holden; he was a friend who understood me."

In adults' determination to create sophisticated teen readers, we sever them from potential fictional soulmates. It's hard to forget my son's summer-reading assignment the year before he entered ninth grade: Julia Alvarez's "How the García Girls Lost Their Accents." Try as he did, he never got beyond the first of 15 vignettes about four culturally displaced sisters who search for identity through therapists and mental illness, men and sex, drugs and alcohol. I could hardly blame him. We ask 14-year-old boys to read novels about the travails of anguished women and want them to develop a love of reading?

Far too often, teachers' canonical choices split from teenagers' tastes, intellectual needs and maturity levels. "Why do we assume that every 15-year-old who passes through sophomore English is an English major in the making?" asks a teacher friend. "It's simply not the case. And the kids go elsewhere, just as fast as they can -- anywhere but another book."

I watched this play out last year when the junior reading list at my school, consisting mainly of major American authors, was fortified with readings in Shakespeare, Ibsen and the British Romantic poets. When I handed my students two weeks of readings by William Wordsworth and Samuel Taylor Coleridge after a month-long study of American transcendentalists, it became clear that they had overdosed on verse packed with nature description and emotional reflection. "When will we read something with a plot?" asked one agitated boy, obviously yearning for afternoon lacrosse to begin.

One of my recent juniors was particularly eloquent on the subject. After having sat in my classroom for a year forcefully projecting his boredom, he started an e-mail dialogue with me over the summer. "The reason for studying fiction escapes me," he wrote. "Why waste time thinking about fabricated situations when there are plenty of real situations that need solutions? Cloning, ozone depletion, and alternate fuels are a few of the countless problems that need to be addressed by the next generation, my generation."

Okay, you may think, this is a kid geared to excel in history and science, not literature. But read his closing words: "Granted fiction has a place in this world, but it is not in the classroom. It is beside the night lamp next to your bed, the car ride to the beach, the soft glow of a fireplace. Fiction is about spending beautiful days indoors because you can't wait to get to the next page. Because I like science fiction, my Shakespeare, my Fitzgerald, my Dickinson are Haldeman, Asimov, Herbert. They dare me to think and question my beliefs."

So there you have it: A smart teen and motivated reader goes to high-school English class and discovers that the classics have nothing to offer him. "The reason I did not participate in class," he admitted, "was that I found the reading a chore."

Parents of high-school students are probably familiar with the product of this classroom: the alienated writer who turns up sulking at the dinner table. When students have to produce an essay on a book they care nothing for, it becomes a nightmare for both the student (think "all-nighter") and the teacher, who'll spend precious weekend hours reading papers devoid of content. The upshot of this empty drill: teens increasingly resistant to great books.

If I were a student today, surfing the gazillions of Web libraries or model-essay banks for insight into an assigned school classic, I'm sure I'd be asking myself, "What on Earth could there be left to say?" Last year, when I thought that I was stepping out of the mainstream by requiring my students to write a review of "Dead Poets Society," I was shocked to find, with just one click, that the 1989 Robin Williams movie had already been analyzed by hundreds of online literary pundits. Asking our students for yet another written commentary has a certain absurd ring to it, no?

The lesson couldn't be clearer. Until we do a better job of introducing contemporary culture into our reading lists, matching books to readers and getting our students to buy in to the whole process, literature teachers will continue to fuel the reading crisis. I'm not suggesting that every 11th-grade English teacher adopt "Catcher," drop Shakespeare or ride the multicultural bandwagon. But if we really want to recruit teen readers, we're going to have to be strenuous advocates for fresh and innovative reading incentives. If that means an end to business as usual -- abolishing dry-bones literature tests, cutting back on fact-based quizzes, adding works of science fiction or popular nonfiction to the reading list -- so be it.

We can continue to alienate teen readers, or we can hear them, acknowledge their tastes, engage directly with their resistance to serious reading and move gradually, with sensitivity to what's age-appropriate, toward the realm of great literature.

So if your kids haven't yet started their summer reading, or are having trouble getting through it, perhaps now you know why. It may be what they've learned at school.

schnog at earthlink.net

Nancy Schnog recently joined the English faculty at the McLean School in Potomac.

From rforno at infowarrior.org Sun Aug 24 05:09:56 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 24 Aug 2008 01:09:56 -0400
Subject: [Infowarrior] - If Everyone's Talking, Who Will Listen?
Message-ID:

If Everyone's Talking, Who Will Listen?
By Dusty Horwitt
Sunday, August 24, 2008; B03
http://www.washingtonpost.com/wp-dyn/content/article/2008/08/22/AR2008082202396_pf.html

Everybody jokes about "TMI" these days: "Too much information," we say laughingly, when someone tells a story full of embarrassing detail about some personal foible or intimate relationship. But in our information-overloaded society, the concept of TMI is no joke. The information avalanche coming from all sides -- the Internet, PDAs, hundreds of television channels -- is burying us in extraneous data that prevent important facts and knowledge from reaching a broad audience.

Lawyers are familiar with this phenomenon. In fact, they use it to their advantage: They know that if you want to hide damaging information about a case, there's nothing like a document dump to do the trick. You make the facts freely available -- along with so much irrelevant data that no one will ever find them.

But the implications for our democracy are troubling. To achieve their goals, political movements need to reach and influence tens of millions of citizens. Despite conventional thinking that the Internet helps spread information, such reach is actually impossible online.
Consider: In August 2007, there were about 100 million blogs. Of those that reached 100,000 people or more in a month, only about 20 focused on news or politics, according to ComScore Media Metrix, a company that measures Internet traffic. The most popular was Breitbart.com, with only 1.1 million unique visitors, or 0.4 percent of the 228 million U.S. adults 18 and older.

Moreover, visitors to blogs and Web sites probably don't see most of the information on them. According to Nielsen Online, the average visitor to newspaper Web sites stops by for just 1.5 minutes per day on average. By contrast, the average print newspaper reader spends 40 minutes with each day's edition, according to the Project for Excellence in Journalism.

"When you think about the amount of information published to the Web, it's a physical impossibility for the vast majority of that stuff to spread virally," Derek Gordon, marketing director for the blog-tracking firm Technorati, told me in 2006.

For this article, I got newspaper Internet readership statistics from the Web site of the Newspaper Association of America (NAA). But if there hadn't been prior newspaper coverage of the NAA, I might never have found its site. And if I had simply posted the information online, few people would have seen it. By contrast, The Washington Post's print edition reaches about 2 million readers on Sunday, more than 35 percent of whom are likely to read the editorial page, according to a Mediamark Research study.

Which highlights the larger problem: The overload siphons audiences and revenue from newspapers such as The Post and other outlets that can spread important information, forcing these media to shrink and to rely increasingly on advertising to stay afloat. These trends predate the Internet era, but they've gotten worse.

"It's much more difficult [to reach people] today -- and much more expensive," said Steve Eichenbaum, creative director of a Milwaukee-based marketing firm that helped engineer Russell Feingold's upset U.S. Senate victory in 1992. Among Eichenbaum's innovations was an ad that ran only once in every TV market in Wisconsin -- yet helped Feingold win the Democratic primary. Eichenbaum doubts that Feingold's underfunded, underdog victory "could ever happen again."

Although the Internet has helped some candidates raise more money, media fragmentation has driven up TV advertising costs as candidates compete for the shrinking number of time slots that can reach voters, says Ken Goldstein, director of the Wisconsin Advertising Project at the University of Wisconsin. Moreover, viewers seem more distracted, and it takes more ads before pollsters can see any effect in tracking polls, says David Hill, a Houston-based Republican pollster. "The cost of media is accelerating and the ineffectiveness of media is accelerating," he said. "I'm getting hit twice."

The opportunity to educate millions of citizens, so essential to significant movements of the past, has dwindled. In the early New Deal era, the Roman Catholic "radio priest" Father Charles Coughlin promoted ideas for economic reform to a weekly audience estimated at 40 million, which helped pressure President Franklin D. Roosevelt to enact Social Security, the Works Progress Administration and other programs. Today's top talk-radio host, Rush Limbaugh, reaches only about 14 million people per week.

Without broad media coverage, the civil rights movement might never have succeeded. In 1965, front-page newspaper coverage of the bloody march from Selma to Montgomery, Ala., helped push Congress to pass the Voting Rights Act, write journalists Gene Roberts and Hank Klibanoff in their 2006 Pulitzer Prize-winning book, "The Race Beat." Even the Fairbanks Alaska News-Miner carried the story on the front page for 10 straight days.

In 1965, weekday newspaper circulation was more than 60 million copies, or roughly one paper for every two adults. By this year, it was down to about 50 million, or one paper for every 4.5 adults, and newspapers are slashing reporting jobs and, inevitably, news coverage.

Other outlets aren't picking up the slack. In 1970-71, Nielsen reported that 35 percent of households watched the three network news shows. That figure was down to just 16 percent in 2007-08. In November 1980, ABC, CBS and NBC news broadcasts reached 52.1 million Americans nightly, or about 32 percent of the adult population. In 2007, ABC, CBS, NBC, CNN, MSNBC and Fox combined reached fewer than 30 million Americans each day, or 12 percent of the adult population.

The challenge is to find ways to strengthen democracy in the era of TMI. It won't be easy, but the situation may not be irreversible, either. Rather than call for government regulation of technology itself, perhaps the best way to limit the avalanche is to make the technologies that overproduce information more expensive and less widespread. It could be done via a progressive energy tax designed to keep energy prices at a consistently high level (while providing assistance to lower- and middle-income Americans).

This solution may sound radical and unlikely, but as an environmental analyst, I've spent long hours studying energy consumption. Two years ago, I wrote an article speculating that the real problem behind America's loss of manufacturing jobs was low energy costs that made shipping so cheap that employers had overwhelming incentive to send jobs overseas. My argument that higher energy prices could reverse 50 years of outsourcing was met with skepticism. Yet that's exactly what has begun to happen this year as the high cost of oil has brought some manufacturing jobs back to such cities as Bowling Green, Ky., and Danville, Va. It's not too far-fetched to imagine that something similar could happen in the information world.

Like long-distance shipping, modern information technologies are highly energy-intensive. According to Arizona State University engineering professor Eric Williams, a desktop computer "is probably the most energy-intensive of home devices, aside from furnaces and boilers." The Internet is built on about a billion such computers, in addition to data centers that, says the Wall Street Journal, "can consume enough juice to power a small city of 30,000."

It's possible that over time, an energy tax, by making some computers, Web sites, blogs and perhaps cable TV channels too costly to maintain, could reduce the supply of information. If Americans are finally giving up SUVs because of high oil prices, might we not eventually do the same with some information technologies that only seem to fragment our society, not unite it? A reduced supply of information technology might at least gradually cause us to gravitate toward community-centered media such as local newspapers instead of the hyper-individualistic outlets we have now.

If the thought of more expensive information technologies makes you flinch, consider economist Alan Blinder's warning that the Internet could lead to the outsourcing of 40 million American service jobs over the next 10 to 20 years, including such jobs as financial analysts, lawyers and computer programmers. So newspapers aren't the only ones to be hit by cheap information technologies.

Change will no doubt be difficult, and it won't happen overnight. But it's time for some creative solutions for digging our democracy out of the information avalanche that threatens to smother it.

dustyhorwitt at yahoo.com

Dusty Horwitt is a lawyer who works for a nonprofit environmental group in Washington.
From rforno at infowarrior.org Sun Aug 24 05:15:28 2008 From: rforno at infowarrior.org (Richard Forno) Date: Sun, 24 Aug 2008 01:15:28 -0400 Subject: [Infowarrior] - Joe Biden's pro-RIAA, pro-FBI tech voting record Message-ID: <82168F4C-8297-4DD3-A5C7-E8B8D69F0A7D@infowarrior.org> August 23, 2008 6:09 PM PDT Joe Biden's pro-RIAA, pro-FBI tech voting record Posted by Declan McCullagh http://news.cnet.com/8301-13578_3-10024163-38.html?hhTest=1&part=rss&subj=news&tag=2547-1_3-0-20 By choosing Joe Biden as their vice presidential candidate, the Democrats have selected a politician with a mixed record on technology who has spent most of his Senate career allied with the FBI and copyright holders, who ranks toward the bottom of CNET's Technology Voters' Guide, and whose anti-privacy legislation was actually responsible for the creation of PGP. That's probably okay with Barack Obama: Biden likely got the nod because of his foreign policy knowledge. The Delaware politician is the chairman of the Senate Foreign Relations committee who voted for the war in Iraq, and is reasonably well-known nationally after his presidential campaigns in 1988 and 2008. Copyright But back to the Delaware senator's tech record. After taking over the Foreign Relations committee, Biden became been a staunch ally of Hollywood and the recording industry in their efforts to expand copyright law. He sponsored a bill in 2002 that would have make it a federal felony to trick certain types of devices into playing unauthorized music or executing unapproved computer programs. Biden's bill was backed by content companies including News Corp. but eventually died after Verizon, Microsoft, Apple, eBay, and Yahoo lobbied against it. A few months later, Biden signed a letter that urged the Justice Department "to prosecute individuals who intentionally allow mass copying from their computer over peer-to-peer networks." 
Critics of this approach said that the Motion Picture Association of America and the Recording Industry Association of America, and not taxpayers, should pay for their own lawsuits.

Last year, Biden sponsored an RIAA-backed bill called the Perform Act aimed at restricting Americans' ability to record and play back individual songs from satellite and Internet radio services. (The RIAA sued XM Satellite Radio over precisely this point.)

All of which meant that nobody in Washington was surprised when Biden was one of only four U.S. senators invited to a champagne reception in celebration of the Digital Millennium Copyright Act hosted by the MPAA's Jack Valenti, the RIAA, and the Business Software Alliance. (Photos are here.)

Now, it's true that few Americans will cast their votes in November based on what the vice presidential candidate thinks of copyright law. But these pro-copyright views don't exactly jibe with what Obama has promised; he's pledged to "update and reform our copyright and patent systems to promote civic discourse, innovation and investment while ensuring that intellectual property owners are fairly treated." These are code words for taking a more pro-EFF (Electronic Frontier Foundation) than pro-MPAA approach.

Unfortunately, Biden has steadfastly refused to answer questions on the topic. We asked him 10 tech-related questions, including whether he'd support rewriting the Digital Millennium Copyright Act, as part of our 2008 Technology Voters' guide. Biden would not answer (we did hear back from Barack Obama, Hillary Clinton, John McCain, and Ron Paul).

In our 2006 Technology Voters' Guide, which ranked Senate votes from July 1998 through May 2005, Biden received a mere 37.5 percent score because of his support for Internet filters in schools and libraries and occasional support for Internet taxes.

Privacy, the FBI, and PGP

On privacy, Biden's record is hardly stellar.
In the 1990s, Biden was chairman of the Judiciary Committee and introduced a bill called the Comprehensive Counter-Terrorism Act, which the EFF says he was "persuaded" to do by the FBI. A second Biden bill was called the Violent Crime Control Act. Both were staunchly anti-encryption, with this identical language:

It is the sense of Congress that providers of electronic communications services and manufacturers of electronic communications service equipment shall ensure that communications systems permit the government to obtain the plain text contents of voice, data, and other communications when appropriately authorized by law.

Translated, that means turn over your encryption keys.

The book Electronic Privacy Papers describes Biden's bill as representing the FBI's visible effort to restrict encryption technology, which was taking place in concert with the National Security Agency's parallel, but less visible efforts. (Biden was no foe of the NSA. He once described now-retired NSA director Bobby Ray Inman as the "single most competent man in the government.")

Biden's bill -- and the threat of encryption being outlawed -- is what spurred Phil Zimmermann to write PGP, thereby kicking off a historic debate about export controls, national security, and privacy. Zimmermann, who's now busy developing Zfone, says it was Biden's legislation "that led me to publish PGP electronically for free that year, shortly before the measure was defeated after vigorous protest by civil libertarians and industry groups."

While neither of Biden's pair of bills became law, they did foreshadow the FBI's pro-wiretapping, anti-encryption legislative strategy that followed -- and demonstrated that the Delaware senator was willing to be a reliable ally of law enforcement on the topic.
(They also previewed the FBI's legislative proposal later that decade for banning encryption products such as SSH or PGP without government backdoors, which was approved by one House of Representatives committee but never came to a vote in the Senate.)

"Joe Biden made his second attempt to introduce such legislation" in the form of the Communications Assistance for Law Enforcement Act (CALEA), which was also known as the Digital Telephony law, according to an account in Wired magazine. Biden at the time was chairman of the relevant committee; he co-sponsored the Senate version and dutifully secured a successful floor vote on it less than two months after it was introduced. CALEA became law in October 1994, and is still bedeviling privacy advocates: the FBI recently managed to extend its requirements to Internet service providers.

CALEA represented one step in the FBI and NSA's attempts to restrict encryption without backdoors. In a top-secret memo to members of President George H.W. Bush's administration including Defense Secretary Dick Cheney and CIA director Robert Gates, one White House official wrote: "Justice should go ahead now to seek a legislative fix to the digital telephony problem, and all parties should prepare to follow through on the encryption problem in about a year. Success with digital telephony will lock in one major objective; we will have a beachhead we can exploit for the encryption fix; and the encryption access options can be developed more thoroughly in the meantime."

There's another reason why Biden's legislative tactics in the CALEA scrum amount to more than a mere footnote in Internet history. They're what led to the creation of the Center for Democracy and Technology -- and the Electronic Frontier Foundation's simultaneous implosion and soul-searching. EFF staffers Jerry Berman and Danny Weitzner chose to work with Biden on cutting a deal and altering the bill in hopes of obtaining privacy concessions.
It may have helped, but it also left the EFF in the uncomfortable position of leaving its imprimatur on Biden's FBI-backed wiretapping law universally loathed by privacy advocates. The debacle ended with internal turmoil, Berman and Weitzner leaving the group and taking their corporate backers to form CDT, and a chastened EFF that quietly packed its bags and moved to its current home in San Francisco. (Weitzner, who was responsible for a censorship controversy last year, became a formal Obama campaign surrogate.)

"Anti-terror" legislation

The next year, months before the Oklahoma City bombing took place, Biden introduced another bill called the Omnibus Counterterrorism Act of 1995. It previewed the 2001 Patriot Act by allowing secret evidence to be used in prosecutions, expanding the Foreign Intelligence Surveillance Act and wiretap laws, creating a new federal crime of "terrorism" that could be invoked based on political beliefs, permitting the U.S. military to be used in civilian law enforcement, and allowing permanent detention of non-U.S. citizens without judicial review.

The Center for National Security Studies said the bill would erode "constitutional and statutory due process protections" and would "authorize the Justice Department to pick and choose crimes to investigate and prosecute based on political beliefs and associations."

Biden himself draws parallels between his 1995 bill and its 2001 cousin. "I drafted a terrorism bill after the Oklahoma City bombing. And the bill John Ashcroft sent up was my bill," he said when the Patriot Act was being debated, according to the New Republic, which described him as "the Democratic Party's de facto spokesman on the war against terrorism."

Biden's chronology is not accurate: the bombing took place in April 1995 and his bill had been introduced in February 1995. But it's true that Biden's proposal probably helped to lay the groundwork for the Bush administration's Patriot Act.
In 1996, Biden voted to keep intact an ostensibly anti-illegal immigration bill that outlined what the Real ID Act would become almost a decade later. The bill would create a national worker identification registry; Biden voted to kill an Abraham-Feingold amendment that would have replaced the registry with stronger enforcement. According to an analysis by the Electronic Privacy Information Center, the underlying bill would have required "states to place Social Security numbers on drivers licenses and to obtain fingerprints or some other form of biometric identification for licenses."

Along with most of his colleagues in the Congress -- including Sen. John McCain but not Rep. Ron Paul -- Biden voted for the Patriot Act and the Real ID Act (which was part of a larger spending bill). Obama voted for the bill containing the Real ID Act, but wasn't in the U.S. Senate in 2001 when the original Patriot Act vote took place.

Patriot Act

In the Senate debate over the Patriot Act in October 2001, Biden once again allied himself closely with the FBI. The Justice Department favorably quotes Biden on its Web site as saying: "The FBI could get a wiretap to investigate the mafia, but they could not get one to investigate terrorists. To put it bluntly, that was crazy! What's good for the mob should be good for terrorists."

The problem is that Biden's claim was simply false -- which he should have known after a decade of experience lending his name to wiretapping bills on behalf of the FBI. As CDT explains in a rebuttal to Biden: "The Justice Department had the ability to use wiretaps, including roving taps, in criminal investigations of terrorism, just as in other criminal investigations, long before the Patriot Act."

But Biden's views had become markedly less FBI-friendly by April 2007, six years later.
By then, the debate over wiretapping had become sharply partisan, pitting Democrats seeking to embarrass President Bush against Republicans aiming to defend the administration at nearly any cost. In addition, Biden had announced his presidential candidacy three months earlier and was courting liberal activists dismayed by the Bush administration's warrantless wiretapping.

That month, Biden slammed the "president's illegal wiretapping program that allows intelligence agencies to eavesdrop on the conversations of Americans without a judge's approval or congressional authorization or oversight." He took aim at Attorney General Alberto Gonzales for allowing the FBI to "flagrantly misuse National Security Letters" -- even though it was the Patriot Act that greatly expanded their use without also expanding internal safeguards and oversight as well.

Biden did vote against a FISA bill with retroactive immunity for any telecommunications provider that illegally opened its network to the National Security Agency; Obama didn't. Both agreed to renew the Patriot Act in March 2006, a move that pro-privacy Democrats including Ron Wyden and Russ Feingold opposed. The ACLU said the renewal "fails to correct the most flawed provisions" of the original Patriot Act. (Biden does do well on the ACLU's congressional scorecard.)

"Baby-food bombs"

The ACLU also had been at odds with Biden over his efforts to censor bomb-making information on the Internet. One day after a bomb in Saudi Arabia killed several U.S. servicemen and virtually flattened a military base, Biden pushed to make posting bomb-making information on the Internet a felony, punishable by up to 20 years in jail, the Wall Street Journal reported at the time. "I think most Americans would be absolutely shocked if they knew what kind of bone-chilling information is making its way over the Internet," he told the Senate.
"You can access detailed, explicit instructions on how to make and detonate pipe bombs, light-bulb bombs, and even -- if you can believe it -- baby-food bombs."

Biden didn't get exactly what he wanted -- at least not right away. His proposal was swapped in the final law for one requiring the attorney general to investigate "the extent to which the First Amendment protects such material and its private and commercial distribution." The report was duly produced, concluding that the proposal "can withstand constitutional muster in most, if not all, of its possible applications, if such legislation is slightly modified."

It was. Biden and co-sponsor Dianne Feinstein introduced their bill again the following year. Biden pitched it as an anti-terror measure, saying in a floor debate that numerous terrorists "have been found in possession of bomb-making manuals and Internet bomb-making information." He added: "What is even worse is that some of these instructions are geared toward kids. They tell kids that all the ingredients they need are right in their parents' kitchen or laundry cabinets."

Biden's proposal became law in 1997. It didn't amount to much: four years after its enactment, there had been only one conviction. And instead of being used to snare a dangerous member of Al Qaeda, the law was used to lock up a 20-year-old anarchist Webmaster who was sentenced to one year in prison for posting information about Molotov cocktails and "Drano bombs" on his Web site, Raisethefist.com.

Today there are over 10,000 hits on Google for the phrase, in quotes, "Drano bomb." One is a video that lists the necessary ingredients and shows some self-described rednecks blowing up small plastic bottles in their yard. Then there's the U.S.
Army's Improvised Munitions Handbook with instructions on making far more deadly compounds, including methyl nitrate dynamite, mortars, grenades, and C-4 plastic explosive -- which free speech activists placed online as an in-your-face response to the Biden-Feinstein bill.

Peer-to-peer networks

Since then, Biden has switched from complaining about Internet baby-food bombs to taking aim at peer-to-peer networks. He held one Foreign Relations committee hearing in February 2002 titled "Theft of American Intellectual Property" and invited executives from the Justice Department, RIAA, MPAA, and Microsoft to speak. Not one Internet company, P2P network, or consumer group was invited to testify.

Afterwards, Sharman Networks (which distributes Kazaa) wrote a letter to Biden complaining about "one-sided and unsubstantiated attacks" on P2P networks. It said: "We are deeply offended by the gratuitous accusations made against Kazaa by witnesses before the committee, including ludicrous attempts to associate an extremely beneficial, next-generation software program with organized criminal gangs and even terrorist organizations."

Biden returned to the business of targeting P2P networks this year. In April, he proposed spending $1 billion in U.S. tax dollars so police can monitor peer-to-peer networks for illegal activity. He made that suggestion after a Wyoming cop demonstrated a proof-of-concept program called "Operation Fairplay" at a hearing before a Senate Judiciary subcommittee.

A month later, the Senate Judiciary committee approved a Biden-sponsored bill that would spend over $1 billion on policing illegal Internet activity, mostly child pornography. It has the dubious virtue of being at least partially redundant: One section would "prohibit the broadcast of live images of child abuse," even though the Justice Department has experienced no problems in securing guilty pleas for underage Webcamming. (The bill has not been voted on by the full Senate.)
Online sales of Robitussin

Around the same time, Biden introduced his self-described Biden Crime Bill of 2007. One section expands electronic surveillance law to permit police wiretaps in "crimes dangerous to the life, limb, and well-being of minor children." Another takes aim at Internet-based telemedicine and online pharmacies, saying that physicians must have conducted "at least one in-person medical evaluation of the patient" to prescribe medicine.

Another prohibits selling a product containing dextromethorphan -- including Robitussin, Sucrets, Dayquil, and Vicks -- "to an individual under the age of 18 years, including any such sale using the Internet." It gives the Justice Department six months to come up with regulations, which include when retailers should be fined for shipping cough suppressants to children. (Biden is a longtime drug warrior; he authored the Illicit Drug Anti-Proliferation Act that the Bush administration used to shut down benefit concerts.)

Net neutrality

On Net neutrality, Biden has sounded skeptical. In 2006, he indicated that no preemptive laws were necessary because if violations do happen, such a public outcry will develop that "the chairman will be required to hold this meeting in this largest room in the Capitol, and there will be lines wandering all the way down to the White House." Obama, on the other hand, has been a strong supporter of handing pre-emptive regulatory authority to the Federal Communications Commission.

From rforno at infowarrior.org Sun Aug 24 14:51:51 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 24 Aug 2008 10:51:51 -0400
Subject: [Infowarrior] - DOD turf wars suspected in CyberCommand decision
Message-ID: <40B5369A-CF08-4092-9136-4B1B6D4CFC73@infowarrior.org>

Pentagon turf wars suspected in decision
By John Andrew Prime - jprime at gannett.com -
August 23, 2008
http://www.shreveporttimes.com/apps/pbcs.dll/article?AID=/20080823/NEWS01/808230325

Some national commentators suggest the brakes were applied to Air Force Cyber Command by Chairman of the Joint Chiefs of Staff Adm. Mike Mullen, who they say wants a greater cyber role for the Navy.

If so, this would echo turf wars between services that for decades have resulted in unintended consequences.

For example, a tiff between the Army and the Navy at the end of World War II, over which service would control air assets, ended with the Navy getting certain seaborne platforms and limited ground air units and the Army retaining helicopters and some reconnaissance platforms.

Later in the 1940s, the Navy and the fledgling Air Force arm-wrestled over the issue of new supercarriers and new strategic bombers. The Air Force won that battle, getting the huge B-36 Peacemaker bomber, which was the nation's main strategic weapons platform through the 1950s.

And in the 1950s, the Army and the Air Force fought over which service would control strategic missile forces, with the Air Force again the winner and a new upstart agency called NASA getting the space mission.

The Navy gained a nuclear mission with the advent of nuclear submarines and the development of missiles for these and in 1960 tried to argue that maritime missiles eliminated the need for Air Force missiles and bombers.

"The end result was not what the Navy had in mind," John T. Correll, of Air Force Magazine, wrote in a lengthy essay on the interservice bickering. Instead, he said, the Pentagon "created the Joint Strategic Target Planning Staff to control the targeting of both Air Force and Navy strategic weapons." And, he added, "after that and until the end of the Cold War, missiles predominated in the Air Force alert force."
From rforno at infowarrior.org Sun Aug 24 14:54:23 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 24 Aug 2008 10:54:23 -0400
Subject: [Infowarrior] - Pentagon's intelligence arm steps up lie detecting
Message-ID: <9C981FFD-FA7B-40F8-8AE4-738D3DA873E7@infowarrior.org>

Pentagon's intelligence arm steps up lie detecting
http://www.usatoday.com/news/washington/2008-08-23-intelligence-lies_N.htm?csp=34

WASHINGTON (AP) - The Pentagon's intelligence arm is adding more polygraph studios and relying on outside contractors for the first time to conduct lie detection tests in an attempt to screen its 5,700 prospective and current employees every year.

The stepped-up effort by the Defense Intelligence Agency is part of a growing emphasis on counterintelligence, detecting and thwarting would-be spies and keeping sensitive information away from America's enemies.

A polygraph is not foolproof as a screening tool. The test gives a high rate of false positives on innocent people, and guilty subjects can be trained to beat the system, according to expert Charles Honts, a psychology professor at Boise State University.

The National Research Council noted these deficiencies in a 2003 report. The council, an arm of the National Academy of Sciences, found that lie detectors can be useful for ferreting out the truth in specific incidents, but are unreliable for screening prospective national security employees for trustworthiness.

"Its accuracy in distinguishing actual or potential security violators from innocent test takers is insufficient to justify reliance on its use in employee security screening in federal agencies," the council concluded. "Polygraph testing as currently used has extremely serious limitations in such screening applications, if the intent is both to identify security risks and protect valued employees."

John Sullivan, a polygrapher with the CIA for 31 years, noted that turncoat Aldrich Ames, a CIA mole for the Soviets, beat a polygraph test twice.
But the prospect of facing a polygraph can deter future security violations, according to the council's report. That prospect also increases the frequency of admission of violations - taking home classified documents, for example - and discourages people who may be security risks from applying.

"Right now the polygraph is the best tool they have at their hands but it's not a tool that's without problems," Honts said.

The increase in lie detection at the DIA is three years in the making. In 2005 the agency's director announced plans to test every prospective new DIA hire, whether a permanent federal worker or contract employee.

The DIA would not say how many prospective, current and past employees are screened annually, but a 2002 report to Congress said the agency conducted 1,345 counterintelligence polygraphs. It also said the Defense Department had an average of about 160 government polygraphers on its payroll annually for the last decade.

The Pentagon's polygraphing institute trains all polygraphers for the government. It produced 84 new examiners in 2002, according to the latest publicly available statistics.

Until 2004, Congress severely limited the Pentagon's authority to conduct polygraphs for counterintelligence purposes. From 1988 to 1990, it could conduct 10,000 a year. From 1990 to 2004, that number was cut to 5,000. Congress lifted that cap in 2004 at the request of the Defense Department.

Polygraph sessions are typically three- to four-hour interrogations. A person is hooked up to a machine that measures physiological responses. The subject is asked a series of "yes" and "no" questions. The machine records changes in blood pressure, respiration and heart rate and electrical activity in the skin.
The polygrapher interprets that data to determine whether the answers show inconsistencies or indicate deception, based on established parameters.

An unclassified DIA document describing the new effort says the contractor hired to perform the exams will conduct a minimum of 4,550 a year in 13 new polygraph studios. The polygraphers would have to work at a brisk pace to meet the target: Each studio would need to complete 350 sessions a year to meet contract specifications.

Those 13 new studios would be added to the eight now manned by DIA polygraphers. All would be overseen by DIA personnel. The document says that the agency will, for the first time, hire contractors to administer the tests rather than relying on government polygraphers.

Mark Zaid is a lawyer who represents federal employees in lawsuits against the government, many involving disputed polygraphs. He said the government's reliance on lie detection tools is an easy way around the more reliable, but more time-consuming, security background investigations. There is a massive backlog for these.

"It's a cheap fix to a broken system," Zaid said.

The problem, Zaid said, is that there is no process for government employees to challenge a polygrapher's interpretation of a test.

"They get labeled a liar, and that's it," Zaid said.

Copyright 2008 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.

From rforno at infowarrior.org Sun Aug 24 16:17:21 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 24 Aug 2008 12:17:21 -0400
Subject: [Infowarrior] - OpEd - REAL ID: Precursor to International ID?
Message-ID:

REAL ID: CONNECTING THE DOTS TO AN INTERNATIONAL ID
By Representative Sam E. Rohrer
August 24, 2008
NewsWithViews.com

Sam Rohrer is a Representative for the state of Pennsylvania and a member of the American Policy Center Advisory Board.
History offers many examples of societies which have sought to increase security by sacrificing freedom. America itself provides many pertinent instances. However, our founding fathers have not left us without wisdom on this issue. Ben Franklin has famously stated, "People willing to trade freedom for temporary security deserve neither and will lose both."

REAL ID undoubtedly exemplifies a scenario in which a difficult tension exists between freedom and security. By commandeering every state's driver's license issuing process, REAL ID threatens the results warned by Franklin - loss of both freedom and security. It has become the biometric enrollment phase of a plan to implement a terribly invasive tracking system, largely without public knowledge or approval.

REAL ID is merely the current face of a far larger, international government and private economic effort to collect, store, and distribute the sensitive biometric data of citizens to use for the twin purposes of government tracking and economic control. At issue are much more than standardized or non-duplicative driver's licenses. This effort extends worldwide, threatening every person alive today. Although very legitimate security concerns exist in this age of terrorism, this Act extends far beyond terrorism prevention or protection of the innocent.

Keeping that broad picture in mind, let us move to some background behind the face of REAL ID implementation in America.
< - >

http://www.newswithviews.com/guest_opinion/guest128.htm

From rforno at infowarrior.org Mon Aug 25 03:16:53 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 24 Aug 2008 23:16:53 -0400
Subject: [Infowarrior] - Surveillance made easy
Message-ID:

http://technology.newscientist.com/channel/tech/dn14591-surveillance-made-easy.html

Surveillance made easy
* 09:00 23 August 2008
* NewScientist.com news service
* Laura Margottini

"THIS data allows investigators to identify suspects, examine their contacts, establish relationships between conspirators and place them in a specific location at a certain time."

So said the UK Home Office last week as it announced plans to give law-enforcement agencies, local councils and other public bodies access to the details of people's text messages, emails and internet activity. The move followed its announcement in May that it was considering creating a massive central database to store all this data, as a tool to help the security services tackle crime and terrorism. Meanwhile in the US the FISA Amendments Act, which became law in July, allows the security services to intercept anyone's international phone calls and emails without a warrant for up to seven days.

Governments around the world are developing increasingly sophisticated electronic surveillance methods in a bid to identify terrorist cells or spot criminal activity. However, technology companies, in particular telecommunications firms and internet service providers, have often been criticised for assisting governments in what many see as unwarranted intrusion, most notably in China.

Now German electronics company Siemens has gone a step further, developing a complete "surveillance in a box" system called the Intelligence Platform, designed for security services in Europe and Asia. It has already sold the system to 60 countries.
According to a document obtained by New Scientist, the system integrates tasks typically done by separate surveillance teams or machines, pooling data from sources such as telephone calls, email and internet activity, bank transactions and insurance records. It then sorts through this mountain of information using software that Siemens dubs "intelligence modules".

This software is trained on a large number of sample documents to pick out items such as names, phone numbers and places from generic text. This means it can spot names or numbers that crop up alongside anyone already of interest to the authorities, and then catalogue any documents that contain such associates.

Once a person is being monitored, pattern-recognition software first identifies their typical behaviour, such as repeated calls to certain numbers over a period of a few months. The software can then identify any deviations from the norm and flag up unusual activities, such as transactions with a foreign bank, or contact with someone who is also under surveillance, so that analysts can take a closer look.

Included within the package is a phone call "monitoring centre", developed by the joint-venture company Nokia Siemens Networks.

However, it is far from clear whether the technology will prove accurate. Security experts warn that data-fusion technologies tend to produce a huge number of false positives, flagging up perfectly innocent people as suspicious.

"Combining two different sources of data has the tendency to increase your false-positive rate or your false-negative rate," says Ross Anderson, a computer security engineer at the University of Cambridge. "If you're looking for burglars in a run-down district where 50 per cent of men have a criminal conviction, you may find plenty.
But if you're trying to find terrorists among airline passengers - where they are extremely rare - then almost all your hits will be false."

Computer security expert Bruce Schneier agrees. "Currently there are no good patterns available to recognise terrorists," he says, and questions whether Siemens has got around this.

Whatever the level of accuracy, human rights advocates are concerned that the system could give surveillance-hungry repressive regimes a ready-made means of monitoring their citizens. Carole Samdup of the organisation Rights and Democracy in Montreal, Canada, says the system bears a strong resemblance to the Chinese government's "Golden Shield" concept, a massive surveillance network encompassing internet and email monitoring as well as speech and facial-recognition technologies and closed-circuit TV cameras.

In 2001, Rights and Democracy raised concerns about the potential for governments to integrate huge information databases with real-time analysis to track the activities of individuals. "Now in 2008 these very characteristics are presented as value-added selling points in the company advertisement of its product," Samdup says.

In June, the PRISE consortium of security technology and human-rights experts, funded by the European Union (EU), submitted a report to the European Commission asking for a moratorium on the development of data-fusion technologies, referring explicitly to the Siemens Intelligence Platform. "The efficiency and reliability of such tools is as yet unknown," says the report. "More surveillance does not necessarily lead to a higher level of societal security. Hence there must be a thorough examination of whether the resulting massive constraints on human rights are proportionate and justified."

Nokia Siemens says 90 of the systems are already being used around the world, although it hasn't specified which countries are using it.
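The arithmetic behind Anderson's burglars-versus-terrorists point, and behind the National Research Council's finding on polygraph screening quoted in the AP story earlier in this digest, is the base-rate effect: a detector's precision depends on how rare the target is, not only on how good the detector is, and OR-ing two data sources together raises the false-positive rate while AND-ing them raises the false-negative rate. The following is an added worked example written for this digest, not code from New Scientist, Siemens or the NRC; every sensitivity, false-positive rate and prevalence in it is a constructed assumption for illustration, not a measured figure.

```python
"""Base-rate arithmetic for screening and data-fusion systems.

Added worked example, not code from the articles quoted above. All
sensitivities, false-positive rates and prevalences below are
constructed assumptions, not figures from the NRC report or Siemens.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ScreeningResult:
    """Expected counts when a population is run through one detector."""
    population: int
    true_positives: float
    false_positives: float
    false_negatives: float
    true_negatives: float

    @property
    def hits(self) -> float:
        """Everyone the detector flags, of interest or not."""
        return self.true_positives + self.false_positives

    @property
    def precision(self) -> float:
        """Fraction of flagged people who really are of interest (PPV)."""
        return self.true_positives / self.hits if self.hits else 0.0


def screen(population: int, prevalence: float,
           sensitivity: float, false_positive_rate: float) -> ScreeningResult:
    """Expected outcome of screening `population` people.

    prevalence:          fraction of the population that is really of interest
    sensitivity:         P(flag | of interest)
    false_positive_rate: P(flag | not of interest)
    """
    for name, value in (("prevalence", prevalence),
                        ("sensitivity", sensitivity),
                        ("false_positive_rate", false_positive_rate)):
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{name} must lie in [0, 1], got {value}")
    positives = population * prevalence
    negatives = population - positives
    tp = positives * sensitivity
    fp = negatives * false_positive_rate
    return ScreeningResult(population, tp, fp, positives - tp, negatives - fp)


def fuse_or(sens_a: float, fpr_a: float,
            sens_b: float, fpr_b: float) -> tuple[float, float]:
    """Flag if EITHER of two independent detectors flags.

    Catches more real targets, but the false-positive rate climbs too.
    Returns (sensitivity, false_positive_rate) of the combined detector.
    """
    return (1 - (1 - sens_a) * (1 - sens_b), 1 - (1 - fpr_a) * (1 - fpr_b))


def fuse_and(sens_a: float, fpr_a: float,
             sens_b: float, fpr_b: float) -> tuple[float, float]:
    """Flag only if BOTH independent detectors flag.

    Fewer false positives, but more real targets slip through
    (the false-negative rate rises).
    """
    return (sens_a * sens_b, fpr_a * fpr_b)


def report(label: str, result: ScreeningResult) -> None:
    print(f"{label}: {result.hits:,.0f} flagged, "
          f"{result.true_positives:,.1f} really of interest, "
          f"precision {result.precision:.2%}")


if __name__ == "__main__":
    # Constructed scenarios echoing Anderson's two cases and the NRC's
    # polygraph concern. The rates are assumptions, not measured values.
    report("burglars, 50% prevalence", screen(10_000, 0.50, 0.90, 0.10))
    report("terrorists, 10 per million", screen(1_000_000, 1e-5, 0.99, 0.01))
    report("polygraph, 1 in 1,000 a risk", screen(10_000, 1e-3, 0.80, 0.10))
    print("OR-fusion  (sens, fpr):", fuse_or(0.9, 0.1, 0.9, 0.1))
    print("AND-fusion (sens, fpr):", fuse_and(0.9, 0.1, 0.9, 0.1))
```

With the assumed rates, the 50 per cent prevalence case yields 90 per cent precision, while the one-in-100,000 case flags about 10,000 people of whom roughly ten are real, so nearly every hit is false even though the detector is "99 per cent accurate"; the constructed polygraph case lands below one per cent precision. The fusion functions show the trade-off Anderson describes: OR-fusion of two 90/10 detectors gives 99 per cent sensitivity at a 19 per cent false-positive rate, AND-fusion gives a 1 per cent false-positive rate at 81 per cent sensitivity. Neither combination escapes the base rate.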
A spokesman for the company said, "We implement stringent safeguards to prevent misuse of such systems for unauthorised purposes. In all countries where we operate we do business strictly according to the Nokia Siemens Networks standard code of conduct and UN and EU export regulations."

Samdup argues that such systems should fall under government controls that are imposed on "dual-use" goods - systems that could be used both for civil and military purposes. Security technologies usually escape these controls. For example, the EU regulation on the export and transfer of dual-use technology does not include surveillance and intelligence technologies on the list of items that must be checked and authorised before they are exported to certain countries.

The problem is that surveillance technologies have developed so rapidly that they have outpaced developments in export controls, says Samdup. "In many cases politicians, policy-makers and human-rights organisations lack the technical expertise to adequately assess the impact that such technology could have when it is exported to repressive regimes."

From rforno at infowarrior.org Mon Aug 25 04:03:28 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 25 Aug 2008 00:03:28 -0400
Subject: [Infowarrior] - New Pentagon Media Agency Seeks to Fill Top Job
Message-ID:

New Pentagon Media Agency Seeks to Fill Top Job
By Walter Pincus
Monday, August 25, 2008; A15
http://www.washingtonpost.com/wp-dyn/content/article/2008/08/24/AR2008082401670_pf.html

The Defense Department is looking for an "energetic and imaginative executive" to run its newly formed Defense Media Activity, according to an advertisement on the agency's Web site.

The executive would earn as much as $172,200 a year overseeing DMA, which since its establishment in January combines formerly separate Pentagon media organizations, such as the Armed Forces Radio and Television Service, the Stars and Stripes newspaper, and the Pentagon Channel on television.
It also includes the DefenseLink Web site and the military services' Web sites, the Bloggers Roundtable, and the Army, Navy, Air Force and Marine magazines. All told, the new chief would oversee 2,400 military, government and contract employees around the world, and a budget of more than $225 million.

The primary mission of DMA, according to the directive that set it up, is to "provide a wide variety of information products to the entire DoD family." That "family" includes active, National Guard and Reserve service members; their dependents; retirees; Defense civilian and contract employees; and "external audiences."

Along with communicating "messages and themes" from senior Defense officials, DMA will provide radio and television news and entertainment programming. The directive, signed by Deputy Defense Secretary Gordon England, lists another mission: to provide, "throughout the Department of Defense and to the American public, high quality visual information products, including Combat Camera imagery depicting U.S. military activities and operations."

No other department in government has so large an internal communications operation whose work is also designed for public consumption. Although the directive includes "external audiences" as part of the Defense "family," the department and the separate military services have their own media operations that deal with civilian reporters and producers.

The directive also created a Defense Media Oversight Board, which is chaired by the assistant defense secretary for public affairs and includes the DMA director, the services' information chiefs and the public affairs assistant to the chairman of the Joint Chiefs. The board's job is to ensure that DMA "policies, priorities, and programs properly reflect DoD-wide and Military Service-unique messages and strategic communications requirements," according to the directive.
A $68 million, 186,000-square-foot DMA headquarters is to be constructed by 2011 on the grounds of Fort Meade. It will house about 650 employees, one-quarter of DMA's staff. Two of the larger DMA elements, Stars and Stripes and the Armed Forces Radio and Television Service, will remain at their current locations.

From rforno at infowarrior.org Tue Aug 26 12:59:22 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 26 Aug 2008 08:59:22 -0400
Subject: [Infowarrior] - Meddling With 'Full Disclosure' Is Unwelcome
Message-ID:

Boston Court's Meddling With 'Full Disclosure' Is Unwelcome
Bruce Schneier
08.21.08
http://www.wired.com/politics/security/commentary/securitymatters/2008/08/securitymatters_0821

In eerily similar cases in the Netherlands and the United States, courts have recently grappled with the computer-security norm of "full disclosure," asking whether researchers should be permitted to disclose details of a fare-card vulnerability that allows people to ride the subway for free.

The "Oyster card" used on the London Tube was at issue in the Dutch case, and a similar fare card used on the Boston "T" was the center of the U.S. case. The Dutch court got it right, and the American court, in Boston, got it wrong from the start -- despite facing an open-and-shut case of First Amendment prior restraint.

The U.S. court has since seen the error of its ways -- but the damage is done. The MIT security researchers who were prepared to discuss their Boston findings at the DefCon security conference were prevented from giving their talk.

The ethics of full disclosure are intimately familiar to those of us in the computer-security field. Before full disclosure became the norm, researchers would quietly disclose vulnerabilities to the vendors -- who would routinely ignore them. Sometimes vendors would even threaten researchers with legal action if they disclosed the vulnerabilities.
Later on, researchers started disclosing the existence of a vulnerability but not the details. Vendors responded by denying the security holes' existence, or calling them just theoretical. It wasn't until full disclosure became the norm that vendors began consistently fixing vulnerabilities quickly.

Now that vendors routinely patch vulnerabilities, researchers generally give them advance notice to allow them to patch their systems before the vulnerability is published. But even with this "responsible disclosure" protocol, it's the threat of disclosure that motivates them to patch their systems. Full disclosure is the mechanism (.pdf) by which computer security improves.

Outside of computer security, secrecy is much more the norm. Some security communities, like locksmiths, behave much like medieval guilds, divulging the secrets of their profession only to those within it. These communities hate open research, and have responded with surprising vitriol to researchers who have found serious vulnerabilities in bicycle locks, combination safes (.pdf), master-key systems and many other security devices.

Researchers have received a similar reaction from other communities more used to secrecy than openness. Researchers -- sometimes young students -- who discovered and published flaws in copyright-protection schemes, voting-machine security and now wireless access cards have all suffered recriminations and sometimes lawsuits for not keeping the vulnerabilities secret. When Christopher Soghoian created a website allowing people to print fake airline boarding passes, he got several unpleasant visits from the FBI.

This preference for secrecy comes from confusing a vulnerability with information about that vulnerability. Using secrecy as a security measure is fundamentally fragile. It assumes that the bad guys don't do their own security research. It assumes that no one else will find the same vulnerability.
It assumes that information won't leak out even if the research results are suppressed. These assumptions are all incorrect.

The problem isn't the researchers; it's the products themselves. Companies will only design security as good as what their customers know to ask for. Full disclosure helps customers evaluate the security of the products they buy, and educates them in how to ask for better security. The Dutch court got it exactly right when it wrote: "Damage to NXP is not the result of the publication of the article but of the production and sale of a chip that appears to have shortcomings."

In a world of forced secrecy, vendors make inflated claims about their products, vulnerabilities don't get fixed, and customers are no wiser. Security research is stifled, and security technology doesn't improve. The only beneficiaries are the bad guys.

If you'll forgive the analogy, the ethics of full disclosure parallel the ethics of not paying kidnapping ransoms. We all know why we don't pay kidnappers: It encourages more kidnappings. Yet in every kidnapping case, there's someone -- a spouse, a parent, an employer -- with a good reason why, in this one case, we should make an exception.

The reason we want researchers to publish vulnerabilities is because that's how security improves. But in every case there's someone -- the Massachusetts Bay Transit Authority, the locksmiths, an election machine manufacturer -- who argues that, in this one case, we should make an exception. We shouldn't.

The benefits of responsibly publishing attacks greatly outweigh the potential harm. Disclosure encourages companies to build security properly rather than relying on shoddy design and secrecy, and discourages them from promising security based on their ability to threaten researchers. It's how we learn about security, and how we improve future security.
---

Bruce Schneier is Chief Security Technology Officer of BT Global Services and author of Beyond Fear: Thinking Sensibly About Security in an Uncertain World. You can read more of his writings on his website.

From rforno at infowarrior.org Tue Aug 26 20:21:00 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 26 Aug 2008 16:21:00 -0400
Subject: [Infowarrior] - Opentape Sticks It to RIAA with Open Source Muxtape
Message-ID: <69205E66-7763-4D3F-91FB-227CFD4853C9@infowarrior.org>

Opentape Sticks It to RIAA with Open Source Muxtape
http://www.sitepoint.com/blogs/2008/08/26/opentape-sticks-it-to-riaa-with-open-source-muxtape/
by Josh Catone

With web music fan favorite Muxtape currently out of commission due to "a problem with the RIAA," an open source - if no more legal - alternative has appeared: Opentape.

Opentape describes itself as "a free, open-source package that lets you make and host your own mixtapes on the web." Or, in other words, a Muxtape clone that's free and open source. The demo mixtape is basically a straight up clone of the Muxtape site. The software uses PHP 5, Apache, and requires curl. The version 0.1 release hit the web a couple of days ago.

Why would anyone want to create an open source version of an application that was shuttered due to legal trouble with the highly litigious American recording industry? Over at Hacker News, where I first heard about Opentape, the consensus seems to be that the idea is to become another thorn in the RIAA's side. The more people running their own version of what is essentially Muxtape, the harder it will theoretically be for the RIAA to shut them down. Opentape doesn't solve any copyright issues, it just makes it harder for the RIAA to litigate.

However, as others on Hacker News have pointed out, the RIAA has not been shy about going after individuals when it comes to P2P traffic. A few weeks ago we posted about a new service called 8tracks that operates similarly to Muxtape -
allowing users to create 8 song mixtapes and share them with friends - but is planning to do so legally by paying royalties to SoundExchange, ASCAP, BMI and SESAC.

Will Opentape succeed? That's hard to say, but there are two potential issues holding it back. The obvious one is legal: how many people will be willing to risk the RIAA's wrath to publish a mixtape on their server? The second is content. What made Muxtape great was the ability to browse other mixtapes and find great new music. Without a way to aggregate and discover the mixtapes people are making and publishing with Opentape, it will be less attractive as a distributed service.

From rforno at infowarrior.org Wed Aug 27 01:11:15 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 26 Aug 2008 21:11:15 -0400
Subject: [Infowarrior] - Revealed: The Internet's Biggest Security Hole
Message-ID:

Revealed: The Internet's Biggest Security Hole
By Kim Zetter
August 26, 2008 | 8:00:00 PM
http://blog.wired.com/27bstroke6/2008/08/revealed-the-in.html

Two security researchers have demonstrated a new technique to stealthily intercept internet traffic on a scale previously presumed to be unavailable to anyone outside of intelligence agencies like the National Security Agency.

The tactic exploits the internet routing protocol BGP (Border Gateway Protocol) to let an attacker surreptitiously monitor unencrypted internet traffic anywhere in the world, and even modify it before it reaches its destination.

The demonstration is only the latest attack to highlight fundamental security weaknesses in some of the internet's core protocols. Those protocols were largely developed in the 1970s with the assumption that every node on the then-nascent network would be trustworthy.

The world was reminded of the quaintness of that assumption in July, when researcher Dan Kaminsky disclosed a serious vulnerability in the DNS system. Experts say the new demonstration targets a potentially larger weakness.

"It's a huge issue.
It's at least as big an issue as the DNS issue, if not bigger," said Peiter "Mudge" Zatko, noted computer security expert and former member of the L0pht hacking group, who testified to Congress in 1998 that he could bring down the internet in 30 minutes using a similar BGP attack, and disclosed privately to government agents how BGP could also be exploited to eavesdrop. "I went around screaming my head about this about ten or twelve years ago.... We described this to intelligence agencies and to the National Security Council, in detail."

The man-in-the-middle attack exploits BGP to fool routers into redirecting data to an eavesdropper's network. Anyone with a BGP router (ISPs, large corporations or anyone with space at a carrier hotel) could intercept data headed to a target IP address or group of addresses. The attack intercepts only traffic headed to target addresses, not from them, and it can't always vacuum in traffic within a network -- say, from one AT&T customer to another.

The method conceivably could be used for corporate espionage, nation-state spying or even by intelligence agencies looking to mine internet data without needing the cooperation of ISPs.

BGP eavesdropping has long been a theoretical weakness, but no one is known to have publicly demonstrated it until Anton "Tony" Kapela, data center and network director at 5Nines Data, and Alex Pilosov, CEO of Pilosoft, showed their technique at the recent DefCon hacker conference. The pair successfully intercepted traffic bound for the conference network and redirected it to a system they controlled in New York before routing it back to DefCon in Las Vegas.

The technique, devised by Pilosov, doesn't exploit a bug or flaw in BGP. It simply exploits the natural way BGP works.

"We're not doing anything out of the ordinary," Kapela told Wired.com. "There's no vulnerabilities, no protocol errors, there are no software problems.
The problem arises (from) the level of interconnectivity that's needed to maintain this mess, to keep it all working."

The issue exists because BGP's architecture is based on trust. To make it easy, say, for e-mail from Sprint customers in California to reach Telefonica customers in Spain, networks for these companies and others communicate through BGP routers to indicate when they're the quickest, most efficient route for the data to reach its destination. But BGP assumes that when a router says it's the best path, it's telling the truth. That gullibility makes it easy for eavesdroppers to fool routers into sending them traffic.

Here's how it works. When a user types a website name into his browser or clicks "send" to launch an e-mail, a Domain Name System server produces an IP address for the destination. A router belonging to the user's ISP then consults a BGP table for the best route. That table is built from announcements, or "advertisements," issued by ISPs and other networks -- also known as Autonomous Systems, or ASes -- declaring the range of IP addresses, or IP prefixes, to which they'll deliver traffic.

The routing table searches for the destination IP address among those prefixes. If two ASes deliver to the address, the one with the more specific prefix "wins" the traffic. For example, one AS may advertise that it delivers to a group of 90,000 IP addresses, while another delivers to a subset of 24,000 of those addresses. If the destination IP address falls within both announcements, BGP will send data to the narrower, more specific one.

To intercept data, an eavesdropper would advertise a range of IP addresses he wished to target that was narrower than the chunk advertised by other networks. The advertisement would take just minutes to propagate worldwide, before data headed to those addresses would begin arriving to his network.

The attack is called an IP hijack and, on its face, isn't new.
But in the past, known IP hijacks have created outages, which, because they were so obvious, were quickly noticed and fixed. That's what occurred earlier this year when Pakistan Telecom inadvertently hijacked YouTube traffic from around the world. The traffic hit a dead-end in Pakistan, so it was apparent to everyone trying to visit YouTube that something was amiss.

Pilosov's innovation is to forward the intercepted data silently to the actual destination, so that no outage occurs. Ordinarily, this shouldn't work -- the data would boomerang back to the eavesdropper. But Pilosov and Kapela use a method called AS path prepending that causes a select number of BGP routers to reject their deceptive advertisement. They then use these ASes to forward the stolen data to its rightful recipients.

"Everyone ... has assumed until now that you have to break something for a hijack to be useful," Kapela said. "But what we showed here is that you don't have to break anything. And if nothing breaks, who notices?"

Stephen Kent, chief scientist for information security at BBN Technologies, who has been working on solutions to fix the issue, said he demonstrated a similar BGP interception privately for the Departments of Defense and Homeland Security a few years ago.

Kapela said network engineers might notice an interception if they knew how to read BGP routing tables, but it would take expertise to interpret the data. A handful of academic groups collect BGP routing information from cooperating ASes to monitor BGP updates that change traffic's path. But without context, it can be difficult to distinguish a legitimate change from a malicious hijacking. There are reasons traffic that ordinarily travels one path could suddenly switch to another -- say, if companies with separate ASes merged, or if a natural disaster put one network out of commission and another AS adopted its traffic.

On good days, routing paths can remain fairly static.
But "when the internet has a bad hair day," Kent said, "the rate of (BGP path) updates goes up by a factor of 200 to 400."

Kapela said eavesdropping could be thwarted if ISPs aggressively filtered to allow only authorized peers to draw traffic from their routers, and only for specific IP prefixes. But filtering is labor intensive, and if just one ISP declines to participate, it "breaks it for the rest of us," he said.

"Providers can prevent our attack absolutely 100 percent," Kapela said. "They simply don't because it takes work, and to do sufficient filtering to prevent these kinds of attacks on a global scale is cost prohibitive."

Filtering also requires ISPs to disclose the address space for all their customers, which is not information they want to hand competitors.

Filtering isn't the only solution, though. Kent and others are devising processes to authenticate ownership of IP blocks, and validate the advertisements that ASes send to routers so they don't just send traffic to whoever requests it.

Under the scheme, the five regional internet address registries would issue signed certificates to ISPs attesting to their address space and AS numbers. The ASes would then sign an authorization to initiate routes for their address space, which would be stored with the certificates in a repository accessible to all ISPs. If an AS advertised a new route for an IP prefix, it would be easy to verify if it had the right to do so.

The solution would authenticate only the first hop in a route to prevent unintentional hijacks, like Pakistan Telecom's, but wouldn't stop an eavesdropper from hijacking the second or third hop. For this, Kent and BBN colleagues developed Secure BGP (SBGP), which would require BGP routers to digitally sign with a private key any prefix advertisement they propagated. An ISP would give peer routers certificates authorizing them to route its traffic; each peer on a route would sign a route advertisement and forward it to the next authorized hop.
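As an added example (not from the article, and not code from Kapela, Pilosov or Kent's projects), the following Python simulates the longest-prefix selection described above and the origin-authorization check Kent's scheme proposes, modelled on what later became RPKI route origin validation; the prefixes, AS numbers and authorization record are constructed for illustration:

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Advertisement:
    """One BGP prefix advertisement as seen by a router (simplified)."""
    prefix: str        # e.g. "198.51.100.0/24"
    origin_as: int     # AS that originated the route (last AS in AS_PATH)
    as_path: tuple     # AS_PATH attribute, origin AS last


@dataclass(frozen=True)
class Roa:
    """Signed authorization: origin_as may announce prefix, up to max_length bits."""
    prefix: str
    origin_as: int
    max_length: int


def select_route(table, dest_ip):
    """Longest-prefix match: the most specific advertisement covering dest_ip wins.
    This is the behaviour the eavesdropper relies on by announcing a narrower block."""
    dest = ipaddress.ip_address(dest_ip)
    best, best_len = None, -1
    for adv in table:
        net = ipaddress.ip_network(adv.prefix)
        if dest in net and net.prefixlen > best_len:
            best, best_len = adv, net.prefixlen
    return best


def validate_origin(adv, roas):
    """Origin validation in the style of RPKI (RFC 6811).
    Returns 'valid' if some covering authorization names this origin AS and
    permits this prefix length, 'invalid' if the prefix is covered by an
    authorization but none matches, and 'not-found' if nothing covers it."""
    net = ipaddress.ip_network(adv.prefix)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if not net.subnet_of(roa_net):
            continue
        covered = True
        if adv.origin_as == roa.origin_as and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid" if covered else "not-found"


def drop_invalid(table, roas):
    """Router policy: discard advertisements that contradict a signed authorization.
    'not-found' routes are kept, since most address space had no record in 2008."""
    return [adv for adv in table if validate_origin(adv, roas) != "invalid"]


# Constructed scenario using documentation address space (RFC 5737).
LEGIT = Advertisement("198.51.100.0/24", 64500, (64500,))
HIJACK = Advertisement("198.51.100.0/25", 64511, (64511,))   # more specific
TABLE = [LEGIT, HIJACK]
ROAS = [Roa("198.51.100.0/24", 64500, 24)]   # AS64500 may announce only the /24

if __name__ == "__main__":
    victim = "198.51.100.77"
    print("without validation, traffic goes to AS",
          select_route(TABLE, victim).origin_as)              # 64511 (hijacker)
    print("hijack advertisement is", validate_origin(HIJACK, ROAS))   # invalid
    print("with validation, traffic goes to AS",
          select_route(drop_invalid(TABLE, ROAS), victim).origin_as)  # 64500
```

The max_length field is what makes the more-specific trick detectable: even an advertisement from the rightful AS for the /25 would be rejected unless the authorization explicitly allowed lengths beyond /24.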
The drawback is that current routers lack the memory and processing power to generate and validate signatures. And router vendors have resisted upgrading them because their clients, ISPs, haven't demanded it, due to the cost and man hours involved in swapping out routers.

"That means that nobody could put themselves into the chain, into the path, unless they had been authorized to do so by the preceding AS router in the path," Kent said.

Douglas Maughan, cybersecurity research program manager for the DHS's Science and Technology Directorate, has helped fund research at BBN and elsewhere to resolve the BGP issue. But he's had little luck convincing ISPs and router vendors to take steps to secure BGP.

"We haven't seen the attacks, and so a lot of times people don't start working on things and trying to fix them until they get attacked," Maughan said. "(But) the YouTube (case) is the perfect example of an attack where somebody could have done much worse than what they did."

ISPs, he said, have been holding their breath, "hoping that people don't discover (this) and exploit it."

"The only thing that can force them (to fix BGP) is if their customers ... start to demand security solutions," Maughan said.
---

The DEFCON 16 presentation materials for our talk are now on-line:

https://www.defcon.org/html/defcon-16/dc-16-speakers.html#Kapela
https://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-pilosov-kapela.pdf

I've posted the original power point slide deck for our presentation here:

http://eng.5ninesdata.com/~tkapela/iphd-2.ppt

Enjoy,

From rforno at infowarrior.org Wed Aug 27 01:28:42 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 26 Aug 2008 21:28:42 -0400
Subject: [Infowarrior] - 'Hacktivists' Update Their Mission
Message-ID: <7B66BCC0-E453-4E8F-9FB6-F4BD0297475B@infowarrior.org>

A New Breed of Hackers Tracks Online Acts of War
'Hacktivists' Update Their Mission
By Kim Hart
Washington Post Staff Writer
Wednesday, August 27, 2008; D01
http://www.washingtonpost.com/wp-dyn/content/article/2008/08/26/AR2008082603128_pf.html

TORONTO -- Here in the Citizen Lab at the University of Toronto, a new breed of hackers is conducting digital espionage.

They are among a growing number of investigators who spend their time monitoring how traffic is routed through various countries, where Web sites are blocked there and why it's all happening. Now they are turning their scrutiny to a new weapon of international warfare: cyber attacks.

Tracking wars isn't what many of the researchers, who call themselves "hacktivists," set out to do. Many began intending to help residents in countries that censor online content. But as the Internet has evolved, so has their mission. Ronald J. Deibert, director of the Citizen Lab, calls the organization a "global civil society counterintelligence agency" and refers to the lab as the "NSA of operations."

Their efforts have ramped up in the past year as researchers gather evidence that Internet assaults are playing a larger role in military strategy and political struggles.
Even before Georgia and Russia entered a ground war earlier this month, Citizen Lab's researchers noticed sporadic attacks aimed at several Georgian Web sites. Such attacks are especially threatening to countries that increasingly link critical activities such as banking and transportation to the Internet.

Once the fighting began, massive raids on Georgia's Internet infrastructure were deployed using techniques similar to those used by Russian criminal organizations. Then, attacks seemed to come from individuals who found online instructions for launching their own assaults, shutting down much of Georgia's communication system. Now, two weeks later, the researchers are still trying to trace the origins of the attacks, but they are difficult to decipher.

"These attacks in effect had the same effect that a military attack would have," said Rafal Rohozinski, who co-founded the Information Warfare Monitor, which tracks cyber attacks, with Citizen Lab in 2003. "That suddenly means that in cyberspace anyone can build an A-bomb."

The cyber attacks that disabled many Georgian and Russian Web sites earlier this month marked the first time such an assault coincided with physical fighting. And the digital battlefield will likely become a permanent front in modern warfare, Deibert said.

Seven years ago, Deibert opened the Citizen Lab using grant money from the Ford Foundation. Soon after, he and Rohozinski helped begin the OpenNet Initiative, a collaboration with Harvard's Law School, and Cambridge and Oxford universities, which tracks patterns of Internet censorship in countries that use filters, such as China. The project has received an additional $3 million in funding from the MacArthur Foundation.

Deibert and Rohozinski also launched the Information Warfare Monitor to investigate how the Internet is used by state military and political operations. And Citizen Lab researchers have created a software tool called Psiphon that helps users bypass Internet filters.
The combined projects have about 100 researchers in more than 70 countries mapping Web traffic and testing access to thousands of sites.

A number of companies specialize in cyber security, and several nonprofit organizations have formed cyber-surveillance projects to keep international vigil over the Web. Shadowserver.org, for example, is a group of 10 volunteer researchers who post their findings about cyber attacks online.

The small Toronto office of Citizen Lab serves as the technological backbone for the operations. World maps and newspaper clips cover the walls. Researchers move between multiple computer screens, studying lists of codes with results from field tests in Germany, Cambodia, Iran and Venezuela, to name a few.

"We rely on local experts to help us find out why a particular site is being blocked," Deibert said. It could be a problem with the Internet service provider, a temporary connection glitch or a downed server. "But what's more effective is blasting a site into oblivion when it is strategically important. It's becoming a real arms race."

He's referring to "denial of service" attacks, in which hundreds of computers in a network, or "botnets," simultaneously bombard a Web site with millions of requests, overwhelming and crashing the server. In Georgia, such attacks were strong enough to knock key sources of news and information offline for days. And Georgian Internet service providers also limited access to Russian media outlets, cutting off the only remaining updates about the war.

On the night of Aug. 12 -- the height of the fighting -- "there was panic in Tbilisi brought about by a vacuum of information," Rohozinski said.

Shadowserver saw the first denial of service attack against Georgia's presidential Web site on July 20. When the fighting began, Andre M. Di Mino, Shadowserver's founder, counted at least six botnets launching attacks, but it was "difficult to tell if it was a grass-roots effort or one commissioned by the government."
The organization detects between 30 and 50 denial of service attacks every day around the world, and Di Mino said they have become more sophisticated over the past two years. "It really went from almost a kiddie type of thing to where it's an organized enterprise," he said. But he's hesitant to label this month's attacks as a form of cyberwar, although he expects networks to play an expanded role in political clashes.

Jose Nazario, a security researcher with Arbor Networks, said cyber attacks used to target a computer's operating system. But he's seen a "tremendous rise" in attacks on Web browsers, allowing attackers access to much more personal information, such as which sites a person visits frequently. An attacker then could learn which servers to target in order to disrupt communication.

It's unclear who is behind the attacks, however. In some cases, the locations of botnet controllers can be traced, but it's impossible to know if an attacker is working on the behalf of another organization or government. "It's going to take a year to figure this out," Nazario said.

The data trail often goes cold when it crosses borders because there is little legal framework for such investigations. And many countries are still weighing whether a cyber attack is an act of war.

"If a state brings down the Internet intentionally, another state could very well consider that a hostile act," said Jonathan Zittrain, co-founder of Harvard's Berkman Center for Internet Society, and a principal investigator for the OpenNet Initiative. There are also strategic reasons not to disrupt networks in order to monitor the enemy's conversations, or to spread misinformation. "That's an amazing intelligence opportunity," he said.

Using the Internet to control information can be more important than disrupting the networks when it comes to military strategy, Rohozinski said.
In Georgia, for example, the lack of access to both Georgian and Russian sources of information kept citizens in the dark while the fighting continued.

"Sometimes the objective is not to knock out the infrastructure but to undermine the will of the people you're fighting against," he said. "It's about the nuts and bolts, but it's also about how perceptions can be shaped through what's available and what's not."

From rforno at infowarrior.org Wed Aug 27 01:33:41 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 26 Aug 2008 21:33:41 -0400
Subject: [Infowarrior] - Delayed by her bra, air passenger is indignant
Message-ID: <48EA2F47-40CB-4C20-B810-B11A32066EFD@infowarrior.org>

Delayed by her bra, air passenger is indignant
Tyche Hendricks, Chronicle Staff Writer
Tuesday, August 26, 2008
http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2008/08/25/BA2812HVK3.DTL&type=printable

(08-25) 16:51 PDT OAKLAND -- When Berkeley resident Nancy Kates arrived at Oakland International Airport to board JetBlue flight 472, she thought she was heading off on a routine journey to visit her mother in Boston. Instead she ended up in a standoff with Transportation Safety Administration officials over her bra.

In the post-Sept. 11 world of heightened airport scrutiny, Kates, like most travelers, is familiar with the drill: Take off shoes and belts, open the laptop, carry shampoo in 3-ounce bottles.

For Kates, on Sunday, though, the security check got too invasive. A big-busted woman wearing a large underwire bra, she set off the metal detector. She was pulled aside and checked by a female TSA agent with a metal-sensitive wand.

"The woman touched my breast. I said, 'You can't do that,' " Kates said. "She said, 'We have to pat you down.' I said, 'You can't treat me as a criminal for wearing a bra.' "

Kates asked to see a supervisor and then the supervisor's supervisor. He told her that underwire bras were the leading item that set off the metal detectors, Kates said.
If that's the case, Kates said, the equipment must be overly sensitive. And if the TSA is engaging in extra brassiere scrutiny, then other women are suffering similar humiliation, Kates thought.

The Constitution bars unreasonable searches and seizures, Kates reminded the TSA supervisor, and scrutinizing a woman's brassiere is surely unreasonable, she said.

The supervisor told her she had the choice of submitting to a pat-down in a private room or not flying. Kates offered a third alternative, to take off her bra and try again, which the TSA accepted.

"They tried to humiliate me and I was not going to be humiliated over this," Kates said. "If I was carrying nail clippers and forgot about them, I wouldn't have gotten so upset. But here I was just wearing my underwear."

So she went to the rest room, then through the security line a second time. Walking through the airport braless can be embarrassing for a large-chested woman, not to mention uncomfortable. The metal detector didn't beep on the second time through, but then officials decided to go through Kates' carry-on luggage, she said.

The whole undertaking took 40 minutes, Kates said, and caused her to miss her flight. JetBlue put her on another one, but she was four hours late getting to Boston.

"It's actually a little funny in a way, but a sad, sad commentary on the state of our country," Kates said. "This is bigger than just me. There are 150 million women in America, and this could happen to any of them."

TSA spokesman Nico Melendez said Monday that he wasn't familiar with the incident. But he said in all circumstances, "we have to resolve an alarm." That's the case for bras, artificial hips or anything with metal that sets off an alarm, he said. "Unfortunately, we can't take a passenger's word for it."

Melendez said he didn't have any statistics on how many times passengers are screened because of bras. But he said, "we do everything we can to ensure that a passenger doesn't feel humiliated."
Kates said she plans to talk to her family lawyer as well as the American Civil Liberties Union and the National Organization for Women and decide how to pursue the incident. Barry Steinhardt, the director of the American Civil Liberties Union's technology and liberty program, said Monday of federal security officials: "They can't find bombs in checked luggage, and they're essentially doing a pat-down of private parts. This is a security apparatus that is out of control." Kates said that although she flies about once a month, the only other time her bra has set off alarms in an airport was while she was being "wanded" in Cedar Rapids, Iowa. When she explained to the security agent that the wand was picking up the metal in her bra, she said, that was the end of the matter and she was allowed to go on her way. Chronicle staff writer Henry K. Lee contributed to this report. E-mail Tyche Hendricks at thendricks at sfchronicle.com. http://sfgate.com/cgi-bin/article.cgi?f=/c/a/2008/08/26/BA2812HVK3.DTL From rforno at infowarrior.org Wed Aug 27 02:06:52 2008 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 26 Aug 2008 22:06:52 -0400 Subject: [Infowarrior] - Microsoft tweaks anti-piracy check for Windows XP Message-ID: <76829CDF-701F-4872-A2F9-1B81E7824992@infowarrior.org> (Perhaps XP is the 'most stolen' because nobody wants to buy Vista??? Hrmmm.....sounds logical to me. ---rf) Microsoft tweaks anti-piracy check for Windows XP The company said it made changes to the Windows Genuine Notification for Windows XP Professional Edition * By Elizabeth Montalbano, IDG News Service August 26, 2008 | Comments: (0) Microsoft has updated software that verifies whether a copy of Windows is genuine in its Windows XP Professional edition, making it similar to the notification in Windows Vista and thus more persistently visible to users. 
In a blog posting attributed to Alex Kochis, a Microsoft director of product marketing and management, the company said it made the changes to the Windows Genuine Notification (WGA) alerts for XP Pro because it is "the product edition that is most often stolen." < - > http://www.infoworld.com/article/08/08/26/Microsoft_tweaks_antipiracy_check_for_Windows_XP_1.html From rforno at infowarrior.org Wed Aug 27 16:53:36 2008 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 27 Aug 2008 12:53:36 -0400 Subject: [Infowarrior] - NASA Security Badge Holder May Pose a Safety Hazard Message-ID: <956D85C9-D98F-4770-94B9-89697E4F3A78@infowarrior.org> NASA Security Badge Holder May Pose a Safety Hazard http://www.fas.org/blog/secrecy/2008/08/nasa_security_badge.html http://www.fas.org/blog/secrecy/?p=1904 A secure identification badge holder that was issued to NASA employees could pose a threat to sensitive NASA operations or personnel, the agency warned. The badge holders were issued to comply with President Bush's Homeland Security Presidential Directive-12, which requires all government personnel to possess a secure, tamper-proof form of identification. But the NASA badge holders, which are "electromagnetically opaque" to guard against unauthorized scanning of the identity badges, have created new safety problems of their own. "The current issue with the badge holder is the possibility of the badge holder becoming a Foreign Object Damage (FOD) hazard to flight hardware, or a projectile hazard under certain circumstances," wrote Randy J. Aden, the senior security official at NASA's Jet Propulsion Laboratory, in an email message to all JPL personnel on August 22. A NASA Kennedy Space Center Safety Notice on August 15 provided additional background. "The badge holder may separate with little effort, allowing the clips, the front half of the holder and badge ID to separate creating a significant FOD hazard in controlled areas," the Safety Notice explained (pdf). 
Consequently, "personnel should ensure the badge holder is not worn, or is properly secured, in the vicinity of sensitive flight hardware, such as electronics, where FOD may be an issue," Mr. Aden advised. Also, "When removing your badge, do not point [the] end with metal clips towards your face or another person" in order to minimize the projectile threat, the NASA Safety Notice suggested. NASA's implementation of Homeland Security Presidential Directive-12 is controversial for other reasons as well, especially at Jet Propulsion Laboratory. While the Directive requires agencies to verify their employees' identities, JPL has instituted a far-reaching background investigation process that goes far beyond that. At JPL, the HSPD-12 "identification" procedure includes a potentially open-ended investigation into employees' finances, intimate relations, and personal conduct. It is roughly comparable to a security clearance background investigation, although few scientists are involved in classified research at JPL, which is mainly devoted to planetary exploration. Last year, 28 senior scientists at JPL filed a lawsuit to challenge the Lab's implementation of HSPD-12, which they described as overly intrusive and unconstitutional. Descriptive information on the case, which remains pending, is available from the plaintiffs here. The official JPL web site states that "The successful implementation of HSPD-12 will increase the security of Federal facilities and Federal IT systems. This will provide better protection for the employees, the information systems and the employee's work products." Neither the JPL public web site nor other NASA web sites mention the new badge holder safety issue. 
From rforno at infowarrior.org Thu Aug 28 10:53:20 2008 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 28 Aug 2008 06:53:20 -0400 Subject: [Infowarrior] - MIT software aims to thwart hackers Message-ID: <9FD95F0F-854E-4340-8296-746EBE1D8EEB@infowarrior.org> NETWORK SECURITY http://www.ll.mit.edu/publications/labnotes/pluggingtherightholes.html Posted July 2008 Plugging the Right Holes NetSPA software maps computer networks to find paths most vulnerable to hacking. On the night of November 1, 2004, according to published reports, hackers in the Chinese province of Guangdong broke into computers at the Army Information Systems Engineering Command in Arizona, the Defense Information Systems Agency in Virginia, the Naval Ocean Systems Center in California, and the Army Space and Strategic Defense Installation in Alabama. The attack, Time magazine and The Washington Post wrote, was part of Titan Rain, a series of breaches of U.S. government computers that occurred between 2003 and 2005 and may have captured sensitive information about military readiness. In fact, says electrical engineer Richard Lippmann, a senior staff member in Lincoln Laboratory's Information Systems Technology Group, U.S. government and defense computer networks are attacked all the time. In response to this chronic cyber threat, he and his colleagues developed NetSPA, a software tool to identify potential avenues of attack in computer networks. NetSPA (for Network Security Planning Architecture) uses information about networks and the individual machines and programs running on them to create a graph that shows how hackers could infiltrate them. Although system administrators can examine visualizations of the graph themselves to decide what action to take, NetSPA analyzes the graph and offers recommendations about how to quickly fix the most important weaknesses. 
NetSPA relies on vulnerability scanners, such as Nessus, to identify known vulnerabilities in network-accessible programs that might allow an unauthorized person access to a machine. Fast-spreading worms, for instance, often take advantage of weaknesses in servers or operating systems to spread from one machine to another. But simply being aware of vulnerabilities is not sufficient; NetSPA also has to analyze complex firewall and router rules to determine which vulnerabilities can actually be reached and exploited by attackers and how attackers can spread through a network by jumping from one vulnerable host to another. "It's a matter of what the attacker can get to and in what order," says Kyle Ingols, a computer scientist in Lippmann's group who is working on NetSPA, along with Seth Webster (who is focusing on ways to make the system more automated) and MIT graduate student Leevar Williams (whose master's thesis is on visualizing attack graph data). It takes a long time to patch all hosts in a network. "If you spend time patching vulnerabilities the attacker can't get to first," Ingols says, "you've left your network exposed longer." NetSPA aims to solve that problem. "Instead of patching or fixing or blocking a thousand hosts," Lippmann explains, "we could say there are ten critical hosts and patch those first." The software finds the most critical weaknesses by combining information from vulnerability scanners with firewall rules used to allow and block access and information about the physical structure of the network. For instance, if a firewall allows a certain kind of access, hackers could use that access to reach a vulnerable machine on the inside of the network. That might grant them access to only one machine, but once they take over that machine inside the firewall, they then gain access to many more. 
Thus, a route through the firewall to a vulnerability on a single "steppingstone" host is much more critical than the potentially many other vulnerabilities on the network. [Figure caption] A screen shot shows an attack graph cascade. Each of the four large rectangular regions represents one subnet in a larger network. Within each subnet, the smaller rectangular regions represent groups of hosts that are treated identically by all firewalls and that are compromised by an attacker to the same level. The dot at the center of each region signifies all hosts in that region. The attacker starts at the upper subnet ("EXTLAN") on a single host (topmost dark rectangle). Lines connecting hosts represent vulnerabilities that the attacker uses to progressively compromise more hosts. After one hop, the attacker compromises all vulnerable hosts in the upper subnet and jumps to two hosts in the next subnet ("lansubnet"). On the next hop, the attacker compromises all vulnerable hosts in the second subnet and jumps to two hosts in the third subnet ("enclave DMZ"). On the third hop, the attacker compromises one more host in the third subnet and cannot reach the fourth subnet at the bottom of the display. This insight sounds obvious, but applying it to real systems can be a huge challenge. A network comprising thousands of computers may have dozens of filtering devices such as firewalls and routers, and each device may have 200 or more different filtering rules. The multitudinous combinations of possibilities are far too many to track down by hand, and are even very complex for a computer algorithm to compute. The original version of NetSPA, in fact, could handle networks of only about 17 machines before the modeling complexities made it too slow to be useful. Since then, however, the Lincoln Laboratory researchers have developed ways to speed NetSPA up. For instance, firewalls may have rules that treat a number of different machines on the same network in the same way. 
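As an added illustration of the approach the article describes (this is example code written for this page, not NetSPA or any Lincoln Laboratory code), the following Python models a small network from constructed scanner findings and firewall rules, groups hosts that every firewall treats identically so each group is modelled once, walks the attack hop by hop from an external attacker the way the screen shot above narrates it, and then ranks compromised hosts by how many downstream compromises patching that single host would prevent. All host names, subnets, ports and rules are invented for the example; the "what if we patched only this host" scoring is one simple way to surface stepping stones, not a claim about NetSPA's own algorithm.

```python
"""Toy attack-graph analysis in the spirit of NetSPA.

Added example for this page, not NetSPA or Lincoln Laboratory code. Every
host, subnet, port and firewall rule below is constructed sample data.
"""
from collections import defaultdict

# Constructed scan results: host -> (subnet, {vulnerable TCP ports}).
# A listed port is one a scanner such as Nessus would flag as remotely
# exploitable; reaching it gives the attacker control of that host.
HOSTS = {
    "attacker":   ("EXTLAN",   set()),     # attacker's own machine, hop 0
    "ext-ws1":    ("EXTLAN",   {445}),
    "ext-ws2":    ("EXTLAN",   {445}),
    "web":        ("DMZ",      {80}),
    "mail":       ("DMZ",      set()),     # scanned clean
    "dmz-mon":    ("DMZ",      {22}),
    "db":         ("INTERNAL", {1433}),
    "fileserver": ("INTERNAL", {445}),
    "hr-ws":      ("INTERNAL", {445}),
    "scada":      ("CONTROL",  {502}),
}
SUBNETS = {subnet for subnet, _ in HOSTS.values()}

# Constructed firewall policy: (src_subnet, dst_subnet, port) triples that are
# allowed between subnets. Traffic inside a subnet is not filtered at all.
ALLOW = {
    ("EXTLAN", "DMZ", 80),        # public web server
    ("EXTLAN", "DMZ", 25),        # inbound mail
    ("DMZ", "INTERNAL", 1433),    # web application talks to the database
    ("INTERNAL", "DMZ", 22),      # admins ssh into the DMZ monitor
    # nothing is allowed into CONTROL from any other subnet
}


def reachable(src_subnet, dst, port):
    """True if packets from src_subnet reach host dst on port under ALLOW."""
    dst_subnet = HOSTS[dst][0]
    return src_subnet == dst_subnet or (src_subnet, dst_subnet, port) in ALLOW


def reachability_groups():
    """Group hosts in the same subnet that expose the same vulnerable ports to
    the same source subnets. Each group can be modelled once instead of per host."""
    groups = defaultdict(list)
    for host, (subnet, ports) in HOSTS.items():
        signature = frozenset((s, p) for s in SUBNETS for p in ports
                              if reachable(s, host, p))
        groups[(subnet, signature)].append(host)
    return sorted(sorted(g) for g in groups.values())


def attack_graph(start, patched=frozenset()):
    """Breadth-first compromise from `start`: returns {host: hop} for every host
    the attacker can take over. One hop = one exploited vulnerability. Hosts in
    `patched` have had their vulnerabilities fixed and cannot be compromised."""
    hop = {start: 0}
    level = 0
    while True:
        level += 1
        owned_subnets = {HOSTS[h][0] for h in hop}
        newly = [dst for dst, (_, ports) in HOSTS.items()
                 if dst not in hop and dst not in patched
                 and any(reachable(s, dst, p) for s in owned_subnets for p in ports)]
        if not newly:
            return hop
        for dst in newly:
            hop[dst] = level


def critical_hosts(start):
    """Rank compromised hosts by how many compromises patching that single host
    would prevent. High scores are the stepping stones to fix first."""
    full = attack_graph(start)
    scores = {}
    for host in full:
        if host != start:
            remaining = attack_graph(start, patched=frozenset({host}))
            scores[host] = len(full) - len(remaining)
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for hosts in reachability_groups():
        print("group:", ", ".join(hosts))
    for host, hop in sorted(attack_graph("attacker").items(), key=lambda kv: kv[1]):
        print(f"hop {hop}: {host}")
    print("patch first:", critical_hosts("attacker")[:3])
```

On this sample the attacker takes the two external workstations and the web server in one hop, pivots through the single allowed DMZ-to-INTERNAL port to the database on the second hop, sweeps the internal subnet on the third, and never reaches CONTROL, which no rule admits. The ranking puts "web" first (patching it alone removes five compromises) and "db" second (three), while every other vulnerable host scores one, which is the article's point that a stepping stone behind one firewall hole matters more than the many vulnerabilities it unlocks.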
Rather than modeling each of those machines individually, the software uses the same model for all of them, saving significant computing time. The researchers have also developed new types of attack graphs and efficient algorithms to compute these graphs. In examining firewall rules, NetSPA also has the potential to discover unforeseen avenues of attack. For example, a network might have had to share data with an outside vendor several years ago, so the system administrator would have added a rule to allow access from that vendor's IP address. That long-forgotten permission could be exploited by someone forging that address. Lincoln Laboratory researchers have received one patent for the first type of attack graph they developed, called a "predictive" graph, and have one patent pending for a much more efficient and recurrent type called a "multiple prerequisite" attack graph. They're testing NetSPA on different networks and developing ways to make it easier to use. A group of MIT students created a business plan for a proposed company called CyberAnalytix that could commercialize NetSPA (Lippmann and Ingols are technical advisors). This plan won $10,000 in the MIT $100K Entrepreneurship Competition in May. If CyberAnalytix fulfills the students' goals, the tool it sells could provide a protective umbrella in case anything like Titan Rain were to fall again. From rforno at infowarrior.org Thu Aug 28 11:28:55 2008 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 28 Aug 2008 07:28:55 -0400 Subject: [Infowarrior] - Privacy groups bristle at expanded Customs database Message-ID: <679B4C06-65B1-4F74-89CC-7D30E1A4963E@infowarrior.org> Privacy groups bristle at expanded Customs database By Julian Sanchez | Published: August 27, 2008 - 07:15PM CT http://arstechnica.com/news.ars/post/20080827-privacy-groups-bristle-at-expanded-customs-database.html A new border patrol policy made public late last month is raising hackles at the Center for Democracy and Technology. 
The civil liberties group is urging Customs and Border Patrol to scrap rules that would allow the retention of information about American citizens entering or leaving the US, whether by land, sea or air, for up to 15 years. In a System of Records Notice issued at the end of July, Customs and Border Patrol disclosed that personal information and photographs of all persons crossing U.S. borders would be stored in a separate Border Crossing Information database. Records pertaining to US citizens and permanent residents would be retained for 15 years, those of noncitizens for 75 years. The data could be broadly shared with both domestic and foreign government agencies. While information has long been kept about persons entering the US by air and sea, permanent records have not traditionally been made for the vast majority of border crossings that occur by land. But increasing prevalence of machine-readable ID documents, which will be required as of June 2009, now makes it practical to include land travelers as well. A spokesman for the Department of Homeland Security describes the expanded record-keeping rules as a way to "help frontline officers to connect the dots" in the war on terror. The privacy mavens at the Center for Democracy and Technology are somewhat less sanguine, however. In a pair of comments filed with DHS earlier this week, CDT Senior Counsel Greg Nojeim warns that Congress has never explicitly granted the agency explicit statutory authority to establish such a broad database. Nojeim argues that the 15-year retention period is excessive, and that the new rules fail to provide adequate restrictions on the sharing of information with other agencies, foreign governments, or members of the press. 
Perhaps most troubling, Nojeim notes that the new System of Records does not appear to distinguish between the sort of basic biographical information present on a passport or driver's license and the potentially far more sensitive data that might be gleaned from intrusive "secondary inspection" of border crossers. This is especially disconcerting in light of a recent ruling by the Ninth Circuit Court of Appeals that the traditional "border search" exception to the Fourth Amendment's warrant requirement applies to inspection of laptops and other digital storage devices, which are capable of storing vast amounts of personal data. From rforno at infowarrior.org Fri Aug 29 00:30:33 2008 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 28 Aug 2008 20:30:33 -0400 Subject: [Infowarrior] - Comcast to cap monthly consumer broadband Message-ID: <4FE25419-4621-4FAB-99A3-0C7460B293C5@infowarrior.org> August 28, 2008 3:32 PM PDT Comcast to cap monthly consumer broadband Posted by Josh Lowensohn http://news.cnet.com/8301-17939_109-10028506-2.html?part=rss&subj=news&tag=2547-1_3-0-20 Starting October 1 customers of Comcast's residential data services will have an invisible barrier on their monthly data usage. Under the new guidelines of Comcast's Acceptable Use Policy announced Thursday, that cap will be set at 250 gigabytes per month, per account. Users who go over the limit will get a courtesy call from Comcast's customer service for the first instance. However, under the new policy a second-time offense means the service is immediately suspended for an entire calendar year. Surprisingly the company is not providing any tools to help users monitor their current usage. An FAQ on Comcast's support site simply suggests that customers do a "Web search" for bandwidth metering software that will track this amount for them. Going forward there may be plans to set up alerts over certain thresholds, or bundle some official tool as part of the company's starter software. 
Comcast notes that the median usage for most residential customers falls somewhere between 2GB and 3GB, a number that is regularly broken within a matter of hours and sometimes minutes by customers taking advantage of streaming HD video and online backup services. The company breaks down basic usage numbers similar to what's seen on the marketing materials on a consumer hard drive: * Send 50 million e-mails (at 0.05KB/e-mail) * Download 62,500 songs (at 4MB/song) * Download 125 standard-definition movies (at 2GB/movie) * Upload 25,000 high-resolution digital photos (at 10MB/photo) A far greater problem may be the slighting of cloud storage services that offer file transfer and backup. Services like Carbonite and Mozy let you back up and transfer the entirety of your computer's storage several times per month, which on many standard consumer machines can be in the hundreds of gigabytes. Apple, too, is just at the beginning stages of MobileMe, a service that offers sync and file backup to multiple devices. Additionally, the rumored all-you-can-eat iTunes could drastically change how much downloading users are doing on a monthly basis. From rforno at infowarrior.org Fri Aug 29 01:07:42 2008 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 28 Aug 2008 21:07:42 -0400 Subject: [Infowarrior] - DARPA develops EMP countermeasures Message-ID: Original URL: http://www.theregister.co.uk/2008/08/28/darpa_pulse_weapon_countermeasure/ DARPA develops zap-bomb electropulse countermeasures By Lewis Page Published Thursday 28th August 2008 14:12 GMT US military boffins are preparing highly sophisticated technical defences against the dreaded electromagnetic pulse bomb, a weapon which has long been anticipated but never successfully built. We know about the counter-electropulse defence technology because the company which will develop it - HRL Labs of Malibu, California - announced their contract win yesterday. 
The programme is referred to by the Pentagon as Electromagnetic Pulse-tolerant Microwave Receiver Front-end, or EMPiRe*. The idea of the attacking e-weapon is that it would release a hugely powerful radio-frequency or microwave pulse. In the same way that a normal, very weak emission is picked up by a radio or radar antenna to produce a measurable current, the weapons-grade pulse would induce a vicious surge in exposed electronic equipment - potentially frying it for good, or at least shutting it down for a bit. Such weapons, it's often thought, might be driven by explosions or other rapid processes rather than normal batteries or generators, because of the need to release large amounts of power very fast: hence pulse bomb rather than pulse raygun etc. Normally, the defence against this sort of thing is simple. You merely enclose your electronics in a conductive metallic Faraday cage, perhaps fashioned of trusty tinfoil if nothing better comes to hand. The problems of generating and focusing powerful electropulses are already enormous - so enormous, in fact, that decades of secretive US effort have failed to produce any working EMP weapons**. Producing an EMP which has range, focus and power sufficient to sizzle its way through a decent Faraday cage is just not on. But there are problems here. Some kinds of electronics are no use if you wrap them up in a radio-proof box. In particular, a microwave receiver in a communications or radar set needs to pick up RF radiation - but if you let it, an EMP bomb or whatever might fry the electronics of the connected system. HRL's proposed solution is to isolate the "front end" of the receiver, which will "sense incoming electrical fields through a high- performance microwave photonic link". The new HRL front end will pass information to the signal processors optically, meaning that no electric surge through into the protected back end is possible. 
"The thermal effects of a high-energy attack will be insignificant because our sensor head absorbs negligible radio-frequency power," says HRL Senior Scientist Dr James Schaffner. HRL's research is funded by DARPA, the Pentagon's elite group of paradigm-punishing, technonoclastic nerd-wranglers. DARPA's goal often appears to the outsider to be that of rendering America's latest military tech obsolete well before it actually comes into service. In this case the Pentagon brainboxes may well excel themselves, as even the more ambitious ongoing US pulse-bomb efforts (http://www.theregister.co.uk/2008/01/18/terawatt_rf_hpm_emp_zap_blaster_weapon_hera/ ) only see themselves starting a useful weapons programme from 2012. (To be fair, DARPA might be more worried about EMPs from nukes.) Needless to say, some who already prefer to be on the safe side regarding Faraday Cage protective headgear will see this instead as solid evidence that the dreaded, functional pulse bomb - or even EMP ray-cannon - is already out there. Bootnotes *This breaks every rule of Acronym Club. We suggest Barrier Interposed Terawatt Countermeasures against High-powered Specialist Lightning Attack Pulses. **Other than nuclear bombs, which produce a substantial EMP as a side effect when they go off. It has been suggested that if you wanted to EMP an enemy city - so knocking out all its comms and electronics, as opposed to leaving it a glowing glassy crater - you might touch off a suitable nuke above it in the extreme upper reaches of the atmosphere. Evil Sean Bean was fixing to do this to London in the Bond flick Goldeneye, using an eponymous Russkie space nuke pulse device hacked by Bean's henchmen from their thinly-disguised shopping centre base, apparently situated beneath the Arecibo radar telescope. 
From rforno at infowarrior.org Fri Aug 29 02:07:20 2008 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 28 Aug 2008 22:07:20 -0400 Subject: [Infowarrior] - More on....Comcast to cap monthly consumer broadband References: <9C0D1A9F38D23E4290347EE31C22B0AF02A33C33@e2k3.srv.cs.cmu.edu> Message-ID: <67C90DAF-5810-455C-A0C5-3F923D4237E7@infowarrior.org> Lauren makes some very good points about Comcrapst's new policy change, including some stuff I didn't know about or consider previously. Good (scary!) stuff to know about if you're on Comcrapst for your broadband. http://lauren.vortex.com/archive/000418.html From rforno at infowarrior.org Sat Aug 30 03:25:37 2008 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 29 Aug 2008 23:25:37 -0400 Subject: [Infowarrior] - Bush Seeks to Affirm a Continuing War on Terror Message-ID: <0E5034B6-9CA8-4B9A-8271-22F55488EAB4@infowarrior.org> August 30, 2008 Bush Seeks to Affirm a Continuing War on Terror By ERIC LICHTBLAU http://www.nytimes.com/2008/08/30/washington/30terror.html?_r=1&hp=&oref=slogin&pagewanted=print WASHINGTON - Tucked deep into a recent proposal from the Bush administration is a provision that has received almost no public attention, yet in many ways captures one of President Bush's defining legacies: an affirmation that the United States is still at war with Al Qaeda. Seven years after the Sept. 11 attacks, Mr. Bush's advisers assert that many Americans may have forgotten that. So they want Congress to say so and "acknowledge again and explicitly that this nation remains engaged in an armed conflict with Al Qaeda, the Taliban, and associated organizations, who have already proclaimed themselves at war with us and who are dedicated to the slaughter of Americans." The language, part of a proposal for hearing legal appeals from detainees at the United States naval base at Guantánamo Bay, Cuba, goes beyond political symbolism. Echoing a measure that Congress passed just days after the Sept. 
11 attacks, it carries significant legal and public policy implications for Mr. Bush, and potentially his successor, to claim the imprimatur of Congress to use the tools of war, including detention, interrogation and surveillance, against the enemy, legal and political analysts say. Some lawmakers are concerned that the administration's effort to declare anew a war footing is an 11th-hour maneuver to re-establish its broad interpretation of the president's wartime powers, even in the face of challenges from the Supreme Court and Congress. The proposal is also the latest step that the administration, in its waning months, has taken to make permanent important aspects of its "long war" against terrorism. From a new wiretapping law approved by Congress to a rewriting of intelligence procedures and F.B.I. investigative techniques, the administration is moving to institutionalize by law, regulation or order a wide variety of antiterrorism tactics. "This seems like a final push by the administration before they go out the door," said Suzanne Spaulding, a former lawyer for the Central Intelligence Agency and an expert on national security law. The cumulative effect of the actions, Ms. Spaulding said, is to "put the onus on the next administration," particularly a Barack Obama administration, to justify undoing what Mr. Bush has done. It is uncertain whether Congress will take the administration up on its request. Some Republicans have already embraced the idea, with Representative Lamar Smith of Texas, the ranking Republican on the Judiciary Committee, introducing a measure almost identical to the administration's proposal. "Since 9/11," Mr. Smith said, "we have been at war with an unconventional enemy whose primary goal is to kill innocent Americans." In the midst of an election season, the language represents a political challenge of sorts to the administration's critics. While many Democrats say they are wary of Mr. 
Bush's claims to presidential power, they may be even more nervous about casting a vote against a measure that affirms the country's war against terrorism. They see the administration's effort to force the issue as little more than a political ploy. Mr. Bush "is trying to stir up again the politics of fear by reminding people of something they haven't really forgotten: that we are engaged in serious armed conflict with Al Qaeda," said Laurence H. Tribe, a constitutional scholar at Harvard and legal adviser to Mr. Obama. "But the question is, Where is that conflict to be waged, and by what means." With violence rising in Afghanistan and Osama bin Laden still at large, there are ample signs of the United States' continued battles with terrorism. But Mr. Bush and his advisers say that seven years without an attack has lulled many Americans. "As Sept. 11, 2001, recedes into the past, there are some people who have come to think of it as kind of a singular event and of there being nothing else out there," Attorney General Michael B. Mukasey told House lawmakers in July. "In a way, we are the victims of our own success, our own success being that another attack has been prevented." Mr. Mukasey laid out the administration's thinking in a July 21 speech to a conservative Washington policy institute in response to yet another rebuke on presidential powers by the Supreme Court: its ruling that prisoners at Guantánamo Bay were entitled to habeas corpus rights to contest their detentions in court. The administration wants Congress to set out a narrow framework for those prisoner appeals. But the administration's six-point proposal goes further. It includes not only the broad proclamation of a continued "armed conflict with Al Qaeda," 
but also the desire for Congress to "reaffirm that for the duration of the conflict the United States may detain as enemy combatants those who have engaged in hostilities or purposefully supported Al Qaeda, the Taliban and associated organizations." That broad language hints at why Democrats, and some Republicans, worry about the consequences. It could, they say, provide the legal framework for Mr. Bush and his successor to assert once again the president's broad interpretation of the commander in chief's wartime powers, powers that Justice Department lawyers secretly used to justify the indefinite detention of terrorist suspects and the National Security Agency's wiretapping of Americans without court orders. The language recalls a resolution, known as the Authorization for Use of Military Force, passed by Congress on Sept. 14, 2001. It authorized the president to "use all necessary and appropriate force" against those responsible for the Sept. 11 attacks to prevent future strikes. That authorization, still in effect, was initially viewed by many members of Congress who voted for it as the go-ahead for the administration to invade Afghanistan and overthrow the Taliban, which had given sanctuary to Mr. bin Laden. But the military authorization became the secret legal basis for some of the administration's most controversial legal tactics, including the wiretapping program, and that still gnaws at some members of Congress. Senator Arlen Specter of Pennsylvania, the ranking Republican on the Judiciary Committee, said he wanted to make sure the Bush administration - or a future president - did not use that declaration as "another far-fetched interpretation" to evade the law, the way he believes Mr. Bush and aides like Alberto R. Gonzales, the former attorney general, did in using the wiretapping program to avoid the Foreign Intelligence Surveillance Act. "I don't want to face another situation where we had the Sept. 
14 resolution and then Attorney General Gonzales claimed that that was authorization to violate FISA," Mr. Specter said. For Bush critics like Bruce Fein, a Justice Department official in the Reagan administration, the answer is simple: do not give the administration the wartime language it seeks. "I do not believe that we are in a state of war whatsoever," Mr. Fein said. "We have an odious opponent that the criminal justice system is able to identify and indict and convict. They're not a goliath. Don't treat them that way." From rforno at infowarrior.org Sat Aug 30 03:26:47 2008 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 29 Aug 2008 23:26:47 -0400 Subject: [Infowarrior] - Internet Traffic Begins to Bypass the U.S. Message-ID: August 30, 2008 Internet Traffic Begins to Bypass the U.S. By JOHN MARKOFF http://www.nytimes.com/2008/08/30/business/30pipes.html?pagewanted=print SAN FRANCISCO - The era of the American Internet is ending. Invented by American computer scientists during the 1970s, the Internet has been embraced around the globe. During the network's first three decades, most Internet traffic flowed through the United States. In many cases, data sent between two locations within a given country also passed through the United States. Engineers who help run the Internet said that it would have been impossible for the United States to maintain its hegemony over the long run because of the very nature of the Internet; it has no central point of control. And now, the balance of power is shifting. Data is increasingly flowing around the United States, which may have intelligence - and conceivably military - consequences. American intelligence officials have warned about this shift. "Because of the nature of global telecommunications, we are playing with a tremendous home-field advantage, and we need to exploit that edge," Michael V. Hayden, the director of the Central Intelligence Agency, testified before the Senate Judiciary Committee in 2006. 
"We also need to protect that edge, and we need to protect those who provide it to us."

Indeed, Internet industry executives and government officials have acknowledged that Internet traffic passing through the switching equipment of companies based in the United States has proved a distinct advantage for American intelligence agencies. In December 2005, The New York Times reported that the National Security Agency had established a program with the cooperation of American telecommunications firms that included the interception of foreign Internet communications.

Some Internet technologists and privacy advocates say those actions and other government policies may be hastening the shift in Canadian and European traffic away from the United States.

"Since passage of the Patriot Act, many companies based outside of the United States have been reluctant to store client information in the U.S.," said Marc Rotenberg, executive director of the Electronic Privacy Information Center in Washington. "There is an ongoing concern that U.S. intelligence agencies will gather this information without legal process. There is particular sensitivity about access to financial information as well as communications and Internet traffic that goes through U.S. switches."

But economics also plays a role. Almost all nations see data networks as essential to economic development.

"It's no different than any other infrastructure that a country needs," said K C Claffy, a research scientist at the Cooperative Association for Internet Data Analysis in San Diego. "You wouldn't want someone owning your roads either."

Indeed, more countries are becoming aware of how their dependence on other countries for their Internet traffic makes them vulnerable. Because of tariffs, pricing anomalies and even corporate cultures, Internet providers will often not exchange data with their local competitors. They prefer instead to send and receive traffic with larger international Internet service providers.
This leads to odd routing arrangements, referred to as tromboning, in which traffic between two cities in one country will flow through other nations. In January, when a cable was cut in the Mediterranean, Egyptian Internet traffic was nearly paralyzed because it was not being shared by local I.S.P.'s but instead was routed through European operators.

The issue was driven home this month when hackers attacked and immobilized several Georgian government Web sites during the country's fighting with Russia. Most of Georgia's access to the global network flowed through Russia and Turkey. A third route through an undersea cable linking Georgia to Bulgaria is scheduled for completion in September.

Ms. Claffy said that the shift away from the United States was not limited to developing countries. The Japanese "are on a rampage to build out across India and China so they have alternative routes and so they don't have to route through the U.S."

Andrew M. Odlyzko, a professor at the University of Minnesota who tracks the growth of the global Internet, added, "We discovered the Internet, but we couldn't keep it a secret." While the United States carried 70 percent of the world's Internet traffic a decade ago, he estimates that portion has fallen to about 25 percent.

Internet technologists say that the global data network that was once a competitive advantage for the United States is now increasingly outside the control of American companies. They decided not to invest in lower-cost optical fiber lines, which have rapidly become a commodity business.

That lack of investment mirrors a pattern that has taken place elsewhere in the high-technology industry, from semiconductors to personal computers.
The risk, Internet technologists say, is that upstarts like China and India are making larger investments in next-generation Internet technology that is likely to be crucial in determining the future of the network, with investment, innovation and profits going first to overseas companies.

"Whether it's a good or a bad thing depends on where you stand," said Vint Cerf, a computer scientist who is Google's Internet evangelist and who, with Robert Kahn, devised the original Internet routing protocols in the early 1970s. "Suppose the Internet was entirely confined to the U.S., which it once was? That wasn't helpful."

International networks that carry data into and out of the United States are still being expanded at a sharp rate, but the Internet infrastructure in many other regions of the world is growing even more quickly.

While there has been some concern over a looming Internet traffic jam because of the rise in Internet use worldwide, the congestion is generally not on the Internet's main trunk lines, but on neighborhood switches, routers and the wires into a house.

As Internet traffic moves offshore, it may complicate the task of American intelligence gathering agencies, but would not make Internet surveillance impossible.

"We're probably in one of those situations where things get a little bit harder," said John Arquilla, a professor at the Naval Postgraduate School in Monterey, Calif., who said the United States had invested far too little in collecting intelligence via the Internet. "We've given terrorists a free ride in cyberspace," he said.

Others say the eclipse of the United States as the central point in cyberspace is one of many indicators that the world is becoming a more level playing field both economically and politically.

"This is one of many dimensions on which we'll have to adjust to a reduction in American ability to dictate terms of core interests of ours,"
said Yochai Benkler, co-director of the Berkman Center for Internet and Society at Harvard. "We are, by comparison, militarily weaker, economically poorer and technologically less unique than we were then. We are still a very big player, but not in control."

China, for instance, surpassed the United States in the number of Internet users in June. Over all, Asia now has 578.5 million, or 39.5 percent, of the world's Internet users, although only 15.3 percent of the Asian population is connected to the Internet, according to Internet World Stats, a market research organization. By contrast, there were about 237 million Internet users in North America and the growth has nearly peaked; penetration of the Internet in the region has reached about 71 percent.

The increasing role of new competitors has shown up in data collected annually by Renesys, a firm in Manchester, N.H., that monitors the connections between Internet providers. The Renesys rankings of Internet connections, an indirect measure of growth, show that the big winners in the last three years have been the Italian Internet provider Tiscali, China Telecom and the Japanese telecommunications operator KDDI. Firms that have slipped in the rankings have all been American: Verizon, Savvis, AT&T, Qwest, Cogent and AboveNet.

"The U.S. telecommunications firms haven't invested," said Earl Zmijewski, vice president and general manager for Internet data services at Renesys. "The rest of the world has caught up. I don't see the AT&T's and Sprints making the investments because they see Internet service as a commodity."

From rforno at infowarrior.org Sat Aug 30 18:15:11 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 30 Aug 2008 14:15:11 -0400
Subject: [Infowarrior] - Dumbest salvo yet in the war on terror
Message-ID:

Yep....fear the unknown. Fear the strange. Fear anything that you like in the name of protecting against 'terror' and report it all to those who 'keep' us 'safe.' Yeesh.
:( --rf

Dumbest salvo yet in the war on terror, courtesy of the London police
http://www.boingboing.net/2008/08/30/dumbest-salvo-yet-in.html
(pic of the poster is here, too)

Today I spotted this sign at a Tesco's grocery store in Islington, London -- it might just be the single stupidest salvo in the war on terror to date, courtesy of the London Metropolitan Police:

Terrorism: If you suspect it, report it

TERRORISTS NEED INFORMATION
Observation and surveillance help terrorists plan attacks. Have you seen anyone taking pictures of security arrangements?

TERRORISTS NEED TRANSPORTATION
If you work in vehicle hire or sales, has a sale or rental made you suspicious?

TERRORISTS NEED TO TRAVEL
Meetings, training and planning can take place anywhere. Do you know someone who travels but is vague about where they are going?

TERRORISTS USE COMPUTERS
Do you know someone who visits terrorism-related websites?

TERRORISTS NEED COMMUNICATION
Anonymous, pay-as-you-go and stolen mobiles are typical. Have you seen someone with large quantities of mobiles? Has it made you suspicious?

Translation: god help you if you worry about CCTVs in your neighbourhood, get into an argument at the car-rental agency, don't feel like telling your co-workers that you go off to have regular dialysis treatments, look at websites that the guy next to you in the Internet cafe isn't familiar with, or can't get credit and use pay-as-you-go phones instead. After all, the police here don't even need to charge you with a crime in order to lock you up for 42 days.
Absolutely the stupidest salvo in the war on terror to date, Tesco's, Islington, London, UK

From rforno at infowarrior.org Sat Aug 30 21:34:17 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 30 Aug 2008 17:34:17 -0400
Subject: [Infowarrior] - Schneier: The TSA's useless photo ID rules
Message-ID: <10AC15F6-59B0-444B-B729-54D3789450C2@infowarrior.org>

The TSA's useless photo ID rules
No-fly lists and photo IDs are supposed to help protect the flying public from terrorists. Except that they don't work.
By Bruce Schneier
August 28, 2008
http://www.latimes.com/news/opinion/la-oe-schneier28-2008aug28,0,3099808.story

The TSA is tightening its photo ID rules at airport security. Previously, people with expired IDs or who claimed to have lost their IDs were subjected to secondary screening. Then the Transportation Security Administration realized that meant someone on the government's no-fly list -- the list that is supposed to keep our planes safe from terrorists -- could just fly with no ID.

Now, people without ID must also answer personal questions from their credit history to ascertain their identity. The TSA will keep records of who those ID-less people are, too, in case they're trying to probe the system.

This may seem like an improvement, except that the photo ID requirement is a joke. Anyone on the no-fly list can easily fly whenever he wants. Even worse, the whole concept of matching passenger names against a list of bad guys has negligible security value.

How to fly, even if you are on the no-fly list: Buy a ticket in some innocent person's name. At home, before your flight, check in online and print out your boarding pass. Then, save that web page as a PDF and use Adobe Acrobat to change the name on the boarding pass to your own. Print it again. At the airport, use the fake boarding pass and your valid ID to get through security. At the gate, use the real boarding pass in the fake name to board your flight.
The problem is that it is unverified passenger names that get checked against the no-fly list. At security checkpoints, the TSA just matches IDs to whatever is printed on the boarding passes. The airline checks boarding passes against tickets when people board the plane. But because no one checks ticketed names against IDs, the security breaks down. This vulnerability isn't new. It isn't even subtle. I first wrote about it in 2006. I asked Kip Hawley, who runs the TSA, about it in 2007. Today, any terrorist smart enough to Google "print your own boarding pass" can bypass the no-fly list. This gaping security hole would bother me more if the very idea of a no-fly list weren't so ineffective. The system is based on the faulty notion that the feds have this master list of terrorists, and all we have to do is keep the people on the list off the planes. That's just not true. The no-fly list -- a list of people so dangerous they are not allowed to fly yet so innocent we can't arrest them -- and the less dangerous "watch list" contain a combined 1 million names representing the identities and aliases of an estimated 400,000 people. There aren't that many terrorists out there; if there were, we would be feeling their effects. Almost all of the people stopped by the no-fly list are false positives. It catches innocents such as Ted Kennedy, whose name is similar to someone's on the list, and Islam Yusuf (formerly Cat Stevens), who was on the list but no one knew why. The no-fly list is a Kafkaesque nightmare for the thousands of innocent Americans who are harassed and detained every time they fly. Put on the list by unidentified government officials, they can't get off. They can't challenge the TSA about their status or prove their innocence. (The U.S. 9th Circuit Court of Appeals decided this month that no-fly passengers can sue the FBI, but that strategy hasn't been tried yet.) But even if these lists were complete and accurate, they wouldn't work. 
Timothy McVeigh, the Unabomber, the D.C. snipers, the London subway bombers and most of the 9/11 terrorists weren't on any list before they committed their terrorist acts. And if a terrorist wants to know if he's on a list, the TSA has approved a convenient, $100 service that allows him to figure it out: the Clear program, which issues IDs to "trusted travelers" to speed them through security lines. Just apply for a Clear card; if you get one, you're not on the list.

In the end, the photo ID requirement is based on the myth that we can somehow correlate identity with intent. We can't. And instead of wasting money trying, we would be far safer as a nation if we invested in intelligence, investigation and emergency response -- security measures that aren't based on a guess about a terrorist target or tactic.

That's the TSA: Not doing the right things. Not even doing right the things it does.

Bruce Schneier, chief security technology officer of BT Global Services, is author of the forthcoming book "Schneier on Security."

From rforno at infowarrior.org Sat Aug 30 21:46:24 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 30 Aug 2008 17:46:24 -0400
Subject: [Infowarrior] - Mythbusters segment on RFID vulns suppressed by credit card companies
Message-ID:

Here we go again.....gods forbid we show the world (again) how bad RFID security is. We can't let anyone know these chips may (and do) have problems, can we? After all, all these newfangled national ID cards and passports and credit cards now use RFID chips, right? We don't DARE want folks to know these documents have vulnerabilities....it might be embarrassing or force us to rethink our entire notion of "security". These folks are idiots. Again.

-rf

Credit card companies successfully nixed a Mythbusters segment exposing RFID's security flaws, according to Arbiter of Truth and Mythbusters co-host, Adam Savage.
< - >

http://consumerist.com/5043831/mythbusters-gagged-credit-card-companies-kill-episode-exposing-rfid-security-flaws

From rforno at infowarrior.org Sat Aug 30 21:53:01 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 30 Aug 2008 17:53:01 -0400
Subject: [Infowarrior] - ITAA Forum on our National Cyber Security Posture
Message-ID:

A Forum on our National Cyber Security Posture: Featuring Remarks by Secretary Michael Chertoff on the National Cyber Security Initiative
Ronald Reagan Center, Washington DC
September 15, 2008
8:00 a.m. - 12:00 p.m. (ET)
Event Details: http://www.itaa.org/events/event.cfm?EventID=2745

The ITAA Cyber Initiative Event will highlight key elements of the Administration's Cyber Initiative launched early this year as well as other cyber security partnership efforts. Secretary Michael Chertoff and other senior Administration officials will discuss their programs.

8:00-9:00 Registration and Breakfast
9:00-9:30 Keynote on the National Cyber Security Initiative by Secretary of Homeland Security Michael Chertoff
9:30-10:30 Panel One: Understanding the National Cyber Security Initiative -- An exploration of the initiative with intra-government coordinators
10:30-10:45 Break
10:45-11:45 Panel Two: Forging Partnerships and Advancing the Cause -- A look at public-private partnerships and other key aspects of advancing cyber security
11:45 Closing Remarks

Registration Online: https://www.itaa.org/events/registersec.cfm?EventID=2745
ITAA member rate $75
Non-member rate $125
Government rate $50

From rforno at infowarrior.org Sat Aug 30 21:59:17 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 30 Aug 2008 17:59:17 -0400
Subject: [Infowarrior] - Massive raids on suspected protestors in Minneapolis
Message-ID:

Massive police raids on suspected protestors in Minneapolis

Protesters here in Minneapolis have been targeted by a series of highly intimidating, sweeping police raids across the city, involving teams of 25-30 officers in riot
gear, with semi-automatic weapons drawn, entering homes of those suspected of planning protests, handcuffing and forcing them to lay on the floor, while law enforcement officers searched the homes, seizing computers, journals, and political pamphlets. Last night, members of the St. Paul police department and the Ramsey County sheriff's department handcuffed, photographed and detained dozens of people meeting at a public venue to plan a demonstration, charging them with no crime other than "fire code violations," and early this morning, the Sheriff's department sent teams of officers into at least four Minneapolis area homes where suspected protesters were staying. Jane Hamsher and I were at two of those homes this morning -- one which had just been raided and one which was in the process of being raided. Each of the raided houses is known by neighbors as a "hippie house," where 5-10 college-aged individuals live in a communal setting, and everyone we spoke with said that there had never been any problems of any kind in those houses, that they were filled with "peaceful kids" who are politically active but entirely unthreatening and friendly. Posted below is the video of the scene, including various interviews, which convey a very clear sense of what is actually going on here. In the house that had just been raided, those inside described how a team of roughly 25 officers had barged into their homes with masks and black swat gear, holding large semi-automatic rifles, and ordered them to lie on the floor, where they were handcuffed and ordered not to move. The officers refused to state why they were there and, until the very end, refused to show whether they had a search warrant. They were forced to remain on the floor for 45 minutes while the officers took away the laptops, computers, individual journals, and political materials kept in the house. 
One of the individuals renting the house, an 18-year-old woman, was extremely shaken as she and others described how the officers were deliberately making intimidating statements such as "Do you have Terminator ready?" as they lay on the floor in handcuffs. The 10 or so individuals in the house all said that though they found the experience very jarring, they still intended to protest against the GOP Convention, and several said that being subjected to raids of that sort made them more emboldened than ever to do so.

Several of those who were arrested are being represented by Bruce Nestor, the President of the Minnesota chapter of the National Lawyers' Guild. Nestor said that last night's raid involved a meeting of a group calling itself the "RNC Welcoming Committee", and that this morning's raids appeared to target members of "Food Not Bombs," which he described as an anti-war, anti-authoritarian protest group. There was not a single act of violence or illegality that has taken place, Nestor said. Instead, the raids were purely anticipatory in nature, and clearly designed to frighten people contemplating taking part in any unauthorized protests.

Nestor indicated that only 2 or 3 of the 50 individuals who were handcuffed this morning at the 2 houses were actually arrested and charged with a crime, and the crime they were charged with is "conspiracy to commit riot." Nestor, who has practiced law in Minnesota for many years, said that he had never before heard of that statute being used for anything, and that its parameters are so self-evidently vague, designed to allow pre-emptive arrests of those who are peacefully protesting, that it is almost certainly unconstitutional, though because it had never been invoked (until now), its constitutionality had not been tested.

There is clearly an intent on the part of law enforcement authorities here to engage in extreme and highly intimidating raids against those who are planning to protest the Convention.
The DNC in Denver was the site of several quite ugly incidents where law enforcement acted on behalf of Democratic Party officials and the corporate elite that funded the Convention to keep the media and protesters from doing anything remotely off-script. But the massive and plainly excessive preemptive police raids in Minnesota are of a different order altogether. Targeting people with automatic-weapons-carrying SWAT teams and mass raids in their homes, who are suspected of nothing more than planning dissident political protests at a political convention and who have engaged in no illegal activity whatsoever, is about as redolent of the worst tactics of a police state as can be imagined.

< - >

http://www.salon.com/opinion/greenwald/2008/08/30/police_raids/

From rforno at infowarrior.org Sun Aug 31 04:24:07 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 31 Aug 2008 00:24:07 -0400
Subject: [Infowarrior] - Surveillance Society Sparks Psychosis
Message-ID: <5A0C4FCE-054E-4C10-B7F2-E553D77C0F98@infowarrior.org>

Surveillance Society Sparks Psychosis
By Kim Zetter
August 29, 2008 | 12:46:27 PM
http://blog.wired.com/27bstroke6/2008/08/surveillance-so.html

If you think someone is watching you, you're probably right. But this doesn't mean you're not also crazy, according to psychiatrists who say that our surveillance and reality TV society is spawning a new kind of psychosis. They're calling it the Truman Show delusion.

Psychiatrists in the U.S. and Britain say they're seeing a growing number of psychotic patients who are paranoid that cameras are watching their every move. Not sure why they might think this. Others fear the World Wide Web is monitoring their lives or being used to transmit photographs or personal information.

The psychiatrists say such patients are often mirroring -- albeit, to an extreme -- what is occurring in the environment around them.
One way of looking at the delusions and hallucinations of the mentally ill is that they represent extreme cases of what the general population, or the merely neurotic, are worried about. Schizophrenics and other paranoid patients can take common fears - like identity theft because of information transmitted on the Internet, or the loss of privacy because of the prevalence of security cameras to fight crime - and magnify them, psychiatrists say.

Which would seem to suggest that these patients might not be so delusional after all.

The Diagnostic and Statistical Manual of Mental Disorders defines a delusion, considered still to be little understood in psychiatry, as, essentially, a false belief that is not grounded in reality and that is held with absolute conviction despite proof to the contrary. The manual lists a caveat that a belief is not delusional if it is something widely accepted by other members of a person's culture or subculture . . .

From rforno at infowarrior.org Sun Aug 31 04:26:32 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 31 Aug 2008 00:26:32 -0400
Subject: [Infowarrior] - iPods In Combat (as translators)
Message-ID: <15A633A0-D3EC-4172-A84A-721352531A42@infowarrior.org>

iPods In Combat
by James Dunnigan
August 27, 2008
http://www.strategypage.com/dls/articles/200882721413.asp

The U.S. military went into Iraq with few troops able to speak Arabic. Now they can use their iPods to do the talking for them. A new software product, VCommunicator Mobile, and a speaker that plugs into where the ear buds go, enables troops to quickly access a library of phrases. There is also a set of protective covers for the iPod and speaker, with Velcro straps so that you can attach both to your arm. If all this sounds very soldier-friendly, that's because the product was designed with the help of troops from the 10th Mountain division, who have been using 260 of these specially equipped iPods for the last year.
This cost the army $800,000, and included language modules for Iraqi Arabic (it's a distinct dialect) and Kurdish (an Indo-European language spoken in the north). There are also modules for languages spoken in Afghanistan (Dari and Pushto). Over 700 troops are using the device in Iraq and Afghanistan.

The VCommunicator Mobile software and libraries take up four gigabytes per language, so it can be used on the smaller, and more rugged, Nano iPods. The software displays graphics, showing either the phrase in Arabic, or a video of a soldier making the appropriate hand gesture (there are a lot of those in Arabic). There are collections of phrases for specific situations, like checkpoint, raid or patrol. You can use any accessory made for the iPod, like larger displays or megaphones.

The army has been developing translation devices like this since 2001. All previous ones needed a laptop or PDA (a device being made obsolete by more powerful cell phones). The VCommunicator Mobile approach took advantage of the fact that most troops had iPods and knew how to operate them. That saved a lot of training time. It was also discovered that many Iraqis were familiar with iPods, or had their own. They were fascinated by this use of the iPod, and this helped break the tension.

While the translation is one way, when asking for "yes/no" answers or directions (to an arms cache, a wanted man, or someone in need of medical help), the VCommunicator Mobile worked quite well. While troops quickly pick up a basic vocabulary of phrases, the VCommunicator Mobile accelerates the process, as troops can use it to help them learn more Arabic (or Dari or Pushto). VCommunicator Mobile also comes with an editor that runs on a laptop, enabling troops to edit their libraries, adding new phrases or reorganizing them.

The army has found that the troops can handle a lot of technology, if the stuff is actually useful. In that case, soldiers will often buy stuff with their own money.
Not so much with VCommunicator Mobile, as it costs $2,000 to have an iPod loaded with just one language. The army has also provided a solar recharger for the iPods of troops spending a lot of time out in the hills of Afghanistan.

From rforno at infowarrior.org Sun Aug 31 15:38:31 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 31 Aug 2008 11:38:31 -0400
Subject: [Infowarrior] - Blackwater Preps for Hurricane Gustav
Message-ID: <67468F14-3792-48E3-8314-01097A1FB692@infowarrior.org>

Blackwater Preps for Hurricane Gustav
By Noah Shachtman
August 31, 2008 | 10:21:00 AM

New Orleans is being evacuated once again, as Hurricane Gustav lumbers towards the Gulf Coast. Everyone from the U.S. military to the British Royal Navy to Blackwater is gearing up to respond.

< - >

But perhaps the most startling call for forces comes from Blackwater, the controversial private security contractor. The firm -- which famously patrolled New Orleans after Katrina -- is "compiling a list of qualified security personnel for possible deployment into areas affected by Hurricane Gustav," according to an e-mail obtained by R.J. Hillhouse. They're looking for current sworn law enforcement officers, with "arrest powers" and "armed status (must indicate Armed and/or Semi Auto. Revolver only not accepted)." The firm is also looking for "current/active/licensed/registered armed security officer[s]," but "only from the following states: OR, WA, CA, NV, NM, AZ, TX, FL, GA, SC, NC, VA, MD, IL, OK." Applicants "must be US citizens," the e-mail notes. "Contract length is TBD."
< - >

http://blog.wired.com/defense/2008/08/officials-made.html

From rforno at infowarrior.org Sun Aug 31 17:19:43 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 31 Aug 2008 13:19:43 -0400
Subject: [Infowarrior] - Judges consider whether FBI violated free speech
Message-ID: <7C015108-D61E-498C-A200-C471B104F31B@infowarrior.org>

Judges consider whether FBI violated free speech
Wed Aug 27, 2008 7:12pm EDT
http://www.reuters.com/article/topNews/idUSN2750234720080827?feedType=RSS&feedName=topNews&rpc=22&sp=true

NEW YORK (Reuters) - A panel of federal appeals court judges pushed a U.S. government lawyer on Wednesday to answer why FBI letters sent out to Internet service providers seeking information should remain secret.

A panel of three judges from the U.S. Second Circuit Court of Appeals heard arguments on whether a provision of the Patriot Act, which requires people who are formally contacted by the Federal Bureau of Investigation for information to keep it a secret, is constitutional.

The American Civil Liberties Union filed suit in 2004 on behalf of an undisclosed Internet service provider against the U.S. government challenging the so-called National Security Letters (NSL) as well as gag orders placed on the recipients.

The appeals court judges on Wednesday questioned a lawyer representing the U.S. government on whether the FBI violated free speech rights in placing the gag orders. The government argues they are in place for national security concerns, such as keeping terrorists from learning what they are investigating.

"You can't tell me that any terrorist is going to make anything out of the fact you issued NSLs to AT&T and Verizon," said Circuit Judge Sonia Sotomayor, using a hypothetical example.

U.S. Assistant Attorney General Gregory Katsas said the FBI "assesses the need for secrecy in each particular case."

Between 2003 and 2006 nearly 200,000 national security letters were sent out. Of those about 97 percent received gag orders.
ACLU lawyer Jameel Jaffer said the gag order had prevented the small Internet service provider the ACLU was representing from speaking out "against an FBI investigation that he believes is illegitimate."

The government is appealing a lower court ruling that said the gag order violated the First Amendment guarantee of free speech and was unconstitutional.

The judges will rule on the issue in the coming months.

(Reporting by Christine Kearney, editing by Michelle Nichols)

© Thomson Reuters 2008 All rights reserved

From rforno at infowarrior.org Sun Aug 31 17:20:53 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 31 Aug 2008 13:20:53 -0400
Subject: [Infowarrior] - Court says AT&T can't force arbitration
Message-ID: <73A3923B-F604-44E2-A023-F999743EF8FC@infowarrior.org>

Court says AT&T can't force arbitration
http://blog.seattlepi.nwsource.com/consumersmarts/archives/147348.asp

The Washington state Supreme Court on Thursday upheld an AT&T customer's right to file a class-action lawsuit against the company, saying the customer-service agreement stripped away some important consumer protections.

Michael McKee, of East Wenatchee, filed a class-action suit against AT&T, alleging it wrongly charged him and others for city utility surcharges and usurious late fees. McKee didn't think it was fair that he got charged a city-utility fee even though he lived outside city limits. Though the charges were small -- no more than $2 in any given month -- he noted that it added up after many years and many customers. So McKee took his case to court.

Meanwhile, AT&T argued that the dispute should be settled through arbitration, noting that McKee agreed to mandatory arbitration when he signed up for service in 2002. Such arbitration clauses are ubiquitous, and often consumers must agree to them as a condition of accepting a credit card, a cell phone or other services.
A Chelan County Superior Court found the dispute-resolution provision of AT&T's Consumer Services Agreement "unconscionable" and denied AT&T's motion to compel arbitration. AT&T appealed.

On Thursday, in a unanimous decision, the Supreme Court upheld the lower court's ruling. Justice Tom Chambers concludes:

AT&T's Consumer Services Agreement is substantively unconscionable and therefore unenforceable to the extent that it purports to waive the right to class actions, require confidentiality, shorten the Washington Consumer Protection Act statute of limitations, and limit availability of attorney fees. We emphasize that these provisions have nothing to do with arbitration. Arbitrators supervise class actions, conduct open hearings, apply appropriate statutes of limitations, and award compensatory and punitive damages, as well as attorney fees, where appropriate. Courts will not be easily deceived by attempts to unilaterally strip away consumer protections and remedies by efforts to cloak the waiver of important rights under an arbitration clause.

Read the Supreme Court opinion here (PDF).

http://blog.seattlepi.nwsource.com/consumersmarts/archives/147348.asp