From rforno at infowarrior.org Fri Feb 1 01:32:09 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 31 Jan 2008 20:32:09 -0500
Subject: [Infowarrior] - DHS Sets National Drivers License Rules
Message-ID:

DEPARTMENT OF HOMELAND SECURITY
Office of the Secretary
6 CFR Part 37
[Docket No. DHS-2006-0030]
RIN 1601-AA37
Minimum Standards for Driver's Licenses and Identification Cards Acceptable by Federal Agencies for Official Purposes

< - >

http://cryptome.org/dhs012908.htm

From rforno at infowarrior.org Fri Feb 1 12:58:44 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 01 Feb 2008 07:58:44 -0500
Subject: [Infowarrior] - Microsoft offers to buy Yahoo for $44.6 billion
Message-ID:

Microsoft offers to buy Yahoo for $44.6 billion
Friday February 1, 7:48 am ET
http://biz.yahoo.com/rb/080201/microsoft.html?.v=11

NEW YORK (Reuters) - Microsoft Corp (NasdaqGS:MSFT) said on Friday it has offered to buy Yahoo Inc (NasdaqGS:YHOO), the popular Web portal, for $44.6 billion in cash and stock, seeking to join forces against Google Inc (NasdaqGS:GOOG) in what would be the biggest Internet deal since the Time Warner-AOL merger.

Microsoft offered to buy Yahoo for $31 per share, a 62 percent premium over Yahoo's closing stock price on Nasdaq Thursday. Yahoo shares jumped to $30.75 in premarket trading.

Yahoo said the online advertising market is growing rapidly and expected to reach nearly $80 billion by 2010 from over $40 billion in 2007. Yahoo added it is "increasingly dominated by one player," referring to Web search leader Google.

"We have great respect for Yahoo, and together we can offer an increasingly exciting set of solutions for consumers, publishers and advertisers while becoming better positioned to compete in the online services market," Microsoft Chief Executive Steve Ballmer said in a statement.

Yahoo was not immediately available for comment.
The company has been losing market share to Google and warned earlier this week that it faced "headwinds" in 2008, forecasting revenue below Wall Street estimates.

On Thursday, Yahoo disclosed that nonexecutive Chairman Terry Semel was leaving the board, ending its formal ties with the former chief executive, who is credited with reviving the company and then losing touch. Semel, replaced as CEO last June, had faced heavy criticism for failing to move faster to meet both rival Google's challenge in Web search and advertising and, more recently, the rise of social networking sites such as MySpace and Facebook.

U.S. stock futures jumped on the Microsoft news, which offset a disappointing earnings report from Google late Thursday.

Paul Mendelsohn, chief investment strategist at Windham Financial Services, said a deal made sense. "Yahoo is having a really tough time competing against Google. Whether it's a good price, I can't see anybody else who is going to outbid Microsoft," Mendelsohn said.

Microsoft said it had identified four areas that would generate at least $1 billion in annual synergies for the combined entity.

Tim Smalls, head of U.S. stock trading at brokerage firm Execution LLC, was less enthusiastic about the benefits of a tie-up. "Shocking! To me, the premium seems exorbitant, for what is a dwindling business. I personally don't see how the synergies of Microsoft-Yahoo is going to take on Google," Smalls said.
(Reporting by Franklin Paul and Tiffany Wu; Editing by Lisa Von Ahn/Jeffrey Benkoe)

From rforno at infowarrior.org Fri Feb 1 14:18:12 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 01 Feb 2008 09:18:12 -0500
Subject: [Infowarrior] - Olbermann Special Comment on FISA Showdown
Message-ID:

Countdown Special Comment: On FISA and Telecom Immunity
http://tinyurl.com/2aq5gg

From rforno at infowarrior.org Fri Feb 1 15:04:48 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 01 Feb 2008 10:04:48 -0500
Subject: [Infowarrior] - NFL Pulls Plug On Big-Screen Church Parties For Super Bowl
Message-ID:

More NFL lunacy................rf

NFL Pulls Plug On Big-Screen Church Parties For Super Bowl
http://www.washingtonpost.com/wp-dyn/content/article/2008/01/31/AR2008013103958_pf.html

By Jacqueline L. Salmon
Washington Post Staff Writer
Friday, February 1, 2008; A01

For years, as many as 200 members of Immanuel Bible Church and their friends have gathered in the church's fellowship hall to watch the Super Bowl on its six-foot screen. The party featured hard hitting on the TV, plenty of food -- and prayer.

But this year, Immanuel's Super Bowl party is no more. After a crackdown by the National Football League on big-screen Super Bowl gatherings by churches, the Springfield church has sacked its event. Instead, church members will host parties in their homes.

Immanuel is among a number of churches in the Washington area and elsewhere that have been forced to use a new playbook to satisfy the NFL, which said that airing games at churches on large-screen TV sets violates the NFL copyright.

Ministers are not happy. "There is a part of me that says, 'Gee, doesn't the NFL have enough money already?'" said Steve Holley, Immanuel's executive pastor. He pointed out that bars are still allowed to air the game on big-screen TV sets. "It just doesn't make sense."

The Super Bowl, the most secular of American holidays, has long been popular among churches.
With parties, prayer and Christian DVDs replacing the occasionally racy halftime shows, churches use the event as a way to reach members, and potential new members, in a non-churchlike atmosphere.

"It takes people who are not coming frequently, or who have fallen away, and shows them that the church can still have some fun," said the Rev. Thomas Omholt, senior pastor of St. Paul's Lutheran Church in the District. Omholt has hosted a Super Bowl party for young adults in his home for 20 years. "We can be a little less formal."

The NFL said, however, that the copyright law on its games is long-standing and the language read at the end of each game is well known: "This telecast is copyrighted by the NFL for the private use of our audience. Any other use of this telecast or any pictures, descriptions, or accounts of the game without the NFL's consent is prohibited."

The league bans public exhibitions of its games on TV sets or screens larger than 55 inches because smaller sets limit the audience size. The section of federal copyright law giving the NFL protection over the content of its programming exempts sports bars, NFL spokesman Brian McCarthy said.

The issue came to a head last year after the NFL sent a letter to Fall Creek Baptist Church in Indianapolis, warning the church not to show the Super Bowl on a giant video screen. For years, the church had held a Super Bowl party in its auditorium, attracting about 400 people and showing the game on a big screen usually reserved for hymn lyrics.

The letter "was really a disturbing thing," said Marlene Broome, a spokeswoman for the church. The church canceled last year's party. This year, its adult Sunday school classes are having parties in homes, but Broome said church members miss the big gatherings. "Everybody really had a good time," she said.

Large Super Bowl gatherings around big-screen sets outside of homes shrink TV ratings and can affect advertising revenue, McCarthy said.
"We have no objection to churches and others hosting Super Bowl parties as long as they . . . show the game on a television of the type commonly used at home," he said. "It is a matter of copyright law."

The same policy applies to all NFL games and to movie theaters, large halls and other venues with big-screen TVs, he said.

The policy has prompted some drastic downscaling. Last year, Vienna Presbyterian Church planned a party in its fellowship hall for its middle school and high school students, airing the game on its 12-foot video screen. Church leaders had hoped to use the game to draw in the teenagers, often a tough crowd to get through church doors.

"We thought we had found our magic bullet," said Barb Jones, the church's director of communication. The event was canceled, however, after the church heard about the Indianapolis case.

This year, Vienna Presbyterian plans a party for teenagers in its basement, showing the game on smaller TV sets. Like other churches, Vienna Presbyterian will not charge admission to view the game, and it will not use the event as a fundraiser.

In a testimony to the drawing power of the Super Bowl, churches do not use the Academy Awards or other high-rated televised events to evangelize.

To avoid attracting the ire of the NFL, some churches are even giving Super Bowl parties a more generic name. Broadfording Bible Brethren Church in Hagerstown will call its annual event the "Big Game Party." The church still plans to show the game on its jumbo-size screen near the pulpit in its sanctuary.

Pastor Bill Wyand said he has heard secondhand about the policy and is not sure whether screening the game via the church's video-projector system violates NFL policy. Still, he is looking nervously over his shoulder.

On the legal flip side, the NFL's big-screen ban could end up landing the league in trouble.
John Whitehead, president of the Rutherford Institute, a Charlottesville civil liberties group that focuses on religious freedom issues, is threatening to sue the NFL on behalf of an Alabama church that wants to host a big-screen Super Bowl party. He is also seeking sponsors for federal legislation to exempt churches from the ban.

"It's ridiculous," Whitehead said. "You can go into these stores now and buy 100-inch screens. The law is just outdated."

From rforno at infowarrior.org Sat Feb 2 04:13:12 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 01 Feb 2008 23:13:12 -0500
Subject: [Infowarrior] - Clarke OpEd: Setting a standard in fear-mongering
Message-ID:

http://www.philly.com/inquirer/opinion/20080201_Bush_legacy__Setting_a_standard_in_fear-mongering.html

Bush legacy: Setting a standard in fear-mongering

Richard A. Clarke is former head of counterterrorism at the National Security Council

When I left the Bush administration in 2003, it was clear to me that its strategy for defeating terrorism was leaving our nation more vulnerable and our people in a perilous place. Not only did its policies misappropriate resources, weaken the moral standing of America, and threaten long-standing legal and constitutional provisions, but the president also employed misleading and reckless rhetoric to perpetuate his agenda.

This week's State of the Union proved nothing has changed. Besides overstating successes in Afghanistan, painting a rosy future for Iraq, and touting unfinished domestic objectives, he again used his favorite tactic - fear - as a tool to scare Congress and the American people.

On one issue in particular - FISA (Foreign Intelligence Surveillance Act) - the president misconstrued the truth and manipulated the facts.

Let me be clear: Our ability to track and monitor terrorists overseas would not cease should the Protect America Act expire. If this were true, the president would not threaten to terminate any temporary extension with his veto pen.
All surveillance currently occurring would continue even after legislative provisions lapsed because authorizations issued under the act are in effect up to a full year. Simply put, it was wrong for the president to suggest that warrants issued in compliance with FISA would suddenly evaporate with congressional inaction.

Instead - even though Congress extended the Protect America Act by two weeks - he is using the existence of the sunset provision to cast his political opponents in a negative light. For this president, fear is an easier political tactic than compromise. With FISA, he is attempting to rattle Congress into hastily expanding his own executive powers at the expense of civil liberties and constitutional protections.

I spent most of my career in government fighting to protect this country in order to defend these very rights. And I know every member of Congress - whether Democrat or Republican - holds public office in the same pursuit.

That is why in 2001, I presented this president with a comprehensive analysis regarding the threat from al-Qaeda. It was obvious to me then - and remains a fateful reality now - that this enemy sought to attack our country. Then, the president ignored the warnings and played down the threats. Ironically, it is the fear from these extremely real threats that the president today uses as a wedge in a vast and partisan political game.

This is - and has been - a very reckless way to pursue the very ominous dangers our country faces. And once again, during the current debate over FISA, he continues to place political objectives above the practical steps needed to defeat this threat.

In these still treacherous times, we can't afford to have a president who leads by manipulating emotions with fear, flaunting the law, or abusing the very inalienable rights endowed to us by the Constitution.
Though 9/11 changed the prism through which we view surveillance and intelligence, it did not in any way change the effectiveness of FISA to allow us to track and monitor our enemies. FISA has and still works as the most valuable mechanism for monitoring our enemies.

In order to defeat the violent Islamist extremists who do not believe in human rights, we need not give up the civil liberties, constitutional rights and protections that generations of Americans fought to achieve. We do not need to create Big Brother. With the administration's attempts to erode FISA's legal standing as the exclusive means by which our government can conduct electronic surveillance of U.S. persons on U.S. soil, this is unfortunately the path the president is taking us down.

So it is no surprise that in one of Bush's last acts of relevance, he once again played the fear card. While he has failed in spreading democracy, stemming global terrorism, and leaving the country better off than when he took power, he did achieve one thing: successfully perpetuating fear for political gain. Sadly, it may be one of the only achievements of his presidency.

Richard A. Clarke is the author of "Against All Enemies: Inside America's War on Terror." E-mail him at info at nsnetwork.org.

From rforno at infowarrior.org Sat Feb 2 14:50:59 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 02 Feb 2008 09:50:59 -0500
Subject: [Infowarrior] - Beloit College's Class of 2011 Mindset List
Message-ID:

BELOIT COLLEGE'S MINDSET LIST FOR THE CLASS OF 2011

Most of the students entering College this fall, members of the Class of 2011, were born in 1989. For them, Alvin Ailey, Andrei Sakharov, Huey Newton, Emperor Hirohito, Ted Bundy, Abbie Hoffman, and Don the Beachcomber have always been dead.
< - >

http://www.beloit.edu/~pubaff/mindset/2011.php

From rforno at infowarrior.org Sat Feb 2 15:38:40 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 02 Feb 2008 10:38:40 -0500
Subject: [Infowarrior] - DHS Privacy Report Released
Message-ID:

DHS Privacy Report Released
Friday, February 01 2008 @ 05:30 PM EST
Contributed by: PrivacyNews
News Section: Fed. Govt.

The Privacy Office of the Department of Homeland Security released the July 2006-July 2007 Privacy Report [pdf]. The Homeland Security Act of 2002 requires that the Chief Privacy Officer prepare a report to Congress on an annual basis on the activities of the Department that affect privacy, including complaints regarding program activities.

http://www.pogowasright.org/article.php?story=20080201173003623

From rforno at infowarrior.org Sun Feb 3 13:26:21 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 03 Feb 2008 08:26:21 -0500
Subject: [Infowarrior] - Stupid Sports Patents
Message-ID:

PAT-ENTLY SMUG & SNOOTY
By CHUCK BENNETT
http://www.nypost.com/seven/02012008/news/regionalnews/pat_ently_smug__snooty_587194.htm

February 1, 2008 -- The Patriots are suffering from premature exhilaration.

The arrogant New England team has already applied for trademarks on "19-0" and "19-0 The Perfect Season."

Three days before they beat the San Diego Chargers, and more than two weeks before Super Bowl XLII, the team egotistically filed paperwork with the US Patent and Trademark Office to cash in on sales of T-shirts, caps, posters and all kinds of Pats paraphernalia.

But the Pats have the wrong number.

The Post, ever confident that Eli Manning and company will squash the Pats on Sunday, spent $375 for its own trademark application yesterday - on "18-1."

Our application, No. 77385477, is pending.

And Bill Belichick and his bozos better wait a minuteman before counting their royalties.
"If the team gets wind of this and thinks, 'Maybe we jinxed ourselves,' well, the power of the human mind is incalculable, and if they begin thinking that, they will lose," warned Jordana Sands, a celebrity psychic from Manhattan.

Adding to the jinx, the official online NFL Shop has already started selling "19-0 Perfect Season" Super Bowl XLII championship tees and sweatshirts.

"I come from a town that's incredibly superstitious and there is a phrase, 'You don't want to disturb the gambling gods,' and there is a segment of the population that thinks they are messing with the gambling gods," said veteran Las Vegas oddsmaker Tony Sinisi.

As for the Giants, they are taking everything in stride.

"My reaction is this, our entire organization, from the Mara and Tisch families down, is focused on one thing: winning one game," said Giants spokesman Pat Hanlon.

The Post had no luck contacting David Johanson, the attorney who applied for the New England trademarks on Jan. 17. The woman who answered his telephone yelled, "We can't talk about this!" and hung up.

Several hours later, Pats spokesman Stacey James called to say the trademark filing was to protect profits, and is not a pre-emptive writing of history.

"These are defensive tactics taken so people can't brand with our logo," he said.

The "19-0" trademark has not yet been approved.

And all James had to say about his team's patent-office prophecy was: "I am confident that we are 18-0 and we play on Sunday."

For many sports watchers, the Pats' trademark application harked back to Pat Riley's days as coach of the Los Angeles Lakers. In 1989, he trademarked the phrase "three-peat" in hopes of cashing in on bringing his team to a third consecutive championship.

His team failed, but ultimately Riley hit a royalties windfall anyway when the Chicago Bulls hit the "three-peat" in 1993.
cbennett at nypost.com

From rforno at infowarrior.org Mon Feb 4 13:47:34 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 04 Feb 2008 08:47:34 -0500
Subject: [Infowarrior] - Real ID. vs. the states
Message-ID:

Real ID. vs. the states
By Anne Broache and Declan McCullagh
Staff Writers, CNET News.com
February 4, 2008 4:00 AM PST

Editor's note: A May deadline looms as just one flash point in a political showdown between Homeland Security and states that oppose Real ID demands. This is the first in a four-part series examining the confrontation.

Shipyard Brewing Company's Maine ales, handcrafted in a former foundry on Portland's waterfront from malted barley, buckets of hop leaves, and Sebago Lake water, have risen to regional prominence. In 2007, the 14-year-old company shipped just more than 1 million cases.

Expanding sales of Shipyard Export Ale, Old Thumper Extra Special, and Bluefin Stout beyond New England has meant trips out of Portland's airport every other week for Fred Forsley, the company's co-founder and president. Forsley, 47, says his most frequent sales calls are to customers in Florida, New York, California, and Arizona.

But starting on May 11, Forsley may no longer be permitted to use his Maine driver's license to fly out of the Portland International Jetport. Under the federal Real ID Act, which the Bush administration has touted as an antiterrorist measure, federal screeners could be required to reject it as invalid identification.

"I have been assuming the issue would get addressed and streamlined," Forsley said. "But now I can see I have to really pay attention."

Forsley is hardly alone.
In just more than three months, millions of law-abiding Americans might face new hassles when traveling on commercial flights if they hold driver's licenses or identification cards issued by Maine, South Carolina, Montana, Oklahoma, New Hampshire, and up to 15 other states plus the District of Columbia that have rejected the Real ID regulations on privacy and cost grounds or have not agreed to comply. (See the accompanying map.)

< - BIG SNIP - >

http://www.news.com/Real-ID-means-real-travel-headaches/2009-1028_3-6228133.html?part=rss&tag=2547-1_3-0-20&subj=news

From rforno at infowarrior.org Mon Feb 4 13:48:32 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 04 Feb 2008 08:48:32 -0500
Subject: [Infowarrior] - The legislation behind a national ID
Message-ID:

The legislation behind a national ID
By CNET News.com Staff
http://www.news.com/The-legislation-behind-a-national-ID/2100-1028_3-6228910.html
Story last modified Mon Feb 04 04:00:01 PST 2008

Real ID became law not through the usual legislative process, but instead as part of a mammoth Iraq spending and Asian tsunami bill, the "Emergency Supplemental Appropriations Act for Defense, the Global War on Terror, and Tsunami Relief, 2005." The following is the full, unedited text of the bill:

TITLE II--IMPROVED SECURITY FOR DRIVERS' LICENSES AND PERSONAL IDENTIFICATION CARDS

< - SNIP - >

http://www.news.com/2102-1028_3-6228910.html?tag=st.util.print

From rforno at infowarrior.org Mon Feb 4 13:49:59 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 04 Feb 2008 08:49:59 -0500
Subject: [Infowarrior] - Sneaky legislation...
Message-ID:

You can tell how controversial a piece of legislation is by how deeply-buried it is within another must-pass, feel-good piece of legislation that won't get much of a read before being voted upon.............rf

http://www.news.com/2102-1028_3-6228910.html?tag=st.util.print

"Real ID became law not through the usual legislative process, but instead as part of a mammoth Iraq spending and Asian tsunami bill, the "Emergency Supplemental Appropriations Act for Defense, the Global War on Terror, and Tsunami Relief, 2005.""

From rforno at infowarrior.org Mon Feb 4 13:52:46 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 04 Feb 2008 08:52:46 -0500
Subject: [Infowarrior] - Abracadabra! Bush Makes Privacy Board Vanish
Message-ID:

Abracadabra! Bush Makes Privacy Board Vanish
By Ryan Singel
02.04.08 | 12:00 AM
http://www.wired.com/politics/onlinerights/news/2008/02/privacy_board

The Bush administration has failed to nominate any candidates to a newly empowered privacy and civil-liberties commission. This leaves the board without any members, even as Congress prepares to give the Bush administration extraordinary powers to wiretap without warrants inside the United States.

The failure rankles Sens. Joe Lieberman (I-Connecticut) and Susan Collins (R-Maine), respectively chairman and ranking minority member of the Senate's Homeland Security Committee.

"I urge the president to move swiftly to nominate members to the new board to preserve the public's faith in our promise to protect their privacy and civil liberties as we work to protect the country against terrorism," Lieberman said.

"The White House's failure to move forward with appointing the new board is unacceptable, and I call on the administration to do so as quickly as possible to prevent a gap in this vital mission," Collins said.
In a 2007 measure implementing 9/11 Commission recommendations, Congress reconfigured the oversight committee, known as the Privacy and Civil Liberty Oversight Board. The intent was to make the board more independent of the White House, require it to be bipartisan and make it more accountable to the public.

Those changes came after civil-liberties groups blasted the board for a lack of independence and relevance. Board chairwoman Carol Dinkins formerly served as a campaign treasurer for President Bush and was a partner at the same law firm as former Attorney General Alberto Gonzales. Also appointed to the board was formidable lawyer Ted Olson, who was named solicitor general after winning the Bush v. Gore case that settled the 2000 election dispute, and whose wife died in the 9/11 attacks.

Lanny Davis -- the board's sole Democrat -- resigned in May 2007 to protest edits the White House made to the board's 2007 annual report to Congress.

The board's findings about issues such as warrantless wiretapping by the National Security Agency were by-and-large administration-friendly, though the board did issue one informative but overlooked report on redress for erroneous inclusion on terrorist watch lists (.pdf).

Terms for the board's original members expired on Jan. 30, but no nominations have been sent to the Senate Homeland Security Committee, which must approve appointees for the five vacancies.

Civil-liberties advocates like Lisa Graves, deputy director of the Center for National Security Studies, considered the board to be apologists for the government's anti-terrorism policies, rather than independent civil-liberties watchdogs.

"This board failed miserably in its mission of helping to protect Americans' privacy and instead acted mainly to help the White House whitewash programs like warrantless NSA wiretapping that violate Americans' civil liberties," Graves said.
"Now that Congress has changed the board's rules to make it a little more independent, the White House appears to have no interest in appointing anyone to it."

But even the newly configured board doesn't have enough power and what is really needed is a totally independent body with the ability to subpoena documents, according to Timothy Sparapani, senior legislative counsel for the American Civil Liberties Union.

"We want them to be more than just the privacy version of Congressional Research Service," Sparapani said. "They need to be able to slap hands and force people to consider privacy in the initial creation of programs, and then whack people into line when privacy violations occur."

The board released its second annual report (.pdf) to Congress on Jan. 30, its last day of operation. Its documents are being shipped to the National Archives for storage.

The privacy board ignored repeated requests for comment for this story, and a White House press staffer did not provide information by late Friday about the status of nominees to the board.

From rforno at infowarrior.org Mon Feb 4 17:07:18 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 04 Feb 2008 12:07:18 -0500
Subject: [Infowarrior] - Submarine Cable Map.
Message-ID:

TeleGeography is proud to announce a new edition of its popular Submarine Cable Map. The 2008 edition includes information for over 120 submarine cable systems, including major systems that are in service as well as announced cable systems expected to join a reinvigorated cable market.
< - >

http://www.telegeography.com/products/map_cable/index.php

From rforno at infowarrior.org Tue Feb 5 00:59:30 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 04 Feb 2008 19:59:30 -0500
Subject: [Infowarrior] - FBI wants palm prints, eye scans, tattoo mapping
Message-ID:

FBI wants palm prints, eye scans, tattoo mapping
http://www.cnn.com/2008/TECH/02/04/fbi.biometrics/

From Kelli Arena and Carol Cratty
CNN

CLARKSBURG, West Virginia (CNN) -- The FBI is gearing up to create a massive computer database of people's physical characteristics, all part of an effort the bureau says to better identify criminals and terrorists.

But it's an issue that raises major privacy concerns -- what one civil liberties expert says should concern all Americans.

The bureau is expected to announce in coming days the awarding of a $1 billion, 10-year contract to help create the database that will compile an array of biometric information -- from palm prints to eye scans.

Kimberly Del Greco, the FBI's Biometric Services section chief, said adding to the database is "important to protect the borders to keep the terrorists out, protect our citizens, our neighbors, our children so they can have good jobs, and have a safe country to live in."

But it's unnerving to privacy experts.

"It's the beginning of the surveillance society where you can be tracked anywhere, any time and all your movements, and eventually all your activities will be tracked and noted and correlated," said Barry Steinhardt, director of the American Civil Liberties Union's Technology and Liberty Project.

The FBI already has 55 million sets of fingerprints on file. In coming years, the bureau wants to compare palm prints, scars and tattoos, iris eye patterns, and facial shapes. The idea is to combine various pieces of biometric information to positively identify a potential suspect.
A lot will depend on how quickly technology is perfected, according to Thomas Bush, the FBI official in charge of the Clarksburg, West Virginia, facility where the FBI houses its current fingerprint database.

"Fingerprints will still be the big player," Bush, assistant director of the FBI's Criminal Justice Information Services Division, told CNN.

But he added, "Whatever the biometric that comes down the road, we need to be able to plug that in and play."

First up, he said, are palm prints. The FBI has already begun collecting images and hopes to soon use these as an additional means of making identifications. Countries that are already using such images find 20 percent of their positive matches come from latent palm prints left at crime scenes, the FBI's Bush said.

The FBI has also started collecting mug shots and pictures of scars and tattoos. These images are being stored for now as the technology is fine-tuned. All of the FBI's biometric data is stored on computers 30-feet underground in the Clarksburg facility.

In addition, the FBI could soon start comparing people's eyes -- specifically the iris, or the colored part of an eye -- as part of its new biometrics program called Next Generation Identification.

Nearby, at West Virginia University's Center for Identification Technology Research, researchers are already testing some of these technologies that will ultimately be used by the FBI.

"The best increase in accuracy will come from fusing different biometrics together," said Bojan Cukic, the co-director of the center.

But while law enforcement officials are excited about the possibilities of these new technologies, privacy advocates are upset the FBI will be collecting so much personal information.

"People who don't think mistakes are going to be made I don't think fly enough," said Steinhardt.
He said thousands of mistakes have been made with the use of the so-called no-fly lists at airports -- and that giving law enforcement widespread data collection techniques should cause major privacy alarms.

"There are real consequences to people," Steinhardt said.

You don't have to be a criminal or a terrorist to be checked against the database. More than 55 percent of the checks the FBI runs involve criminal background checks for people applying for sensitive jobs in government or jobs working with vulnerable people such as children and the elderly, according to the FBI.

The FBI says it hasn't been saving the fingerprints for those checks, but that may change. The FBI plans a so-called "rap-back" service in which an employer could ask the FBI to keep the prints for an employee on file and let the employer know if the person ever has a brush with the law. The FBI says it will first have to clear hurdles with state privacy laws, and people would have to sign waivers allowing their information to be kept.

Critics say people are being forced to give up too much personal information. But Lawrence Hornak, the co-director of the research center at West Virginia University, said it could actually enhance people's privacy.

"It allows you to project your identity as being you," said Hornak. "And it allows people to avoid identity theft, things of that nature."

There remains the question of how reliable these new biometric technologies will be. A 2006 German study looking at facial recognition in a crowded train station found successful matches could be made 60 percent of the time during the day. But when lighting conditions worsened at night, the results shrank to a success rate of 10 to 20 percent.

As work on these technologies continues, researchers are quick to admit what's proven to be the most accurate so far.
"Iris technology is perceived today, together with fingerprints, to be the most accurate," said Cukic. But in the future all kinds of methods may be employed. Some researchers are looking at the way people walk as a possible additional means of identification.

The FBI says it will protect all this personal data and only collect information on criminals and those seeking sensitive jobs. The ACLU's Steinhardt doesn't believe it will stop there. "This had started out being a program to track or identify criminals," he said. "Now we're talking about large swaths of the population -- workers, volunteers in youth programs. Eventually, it's going to be everybody."

Find this article at: http://www.cnn.com/2008/TECH/02/04/fbi.biometrics

From rforno at infowarrior.org Tue Feb 5 12:57:58 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 05 Feb 2008 07:57:58 -0500
Subject: [Infowarrior] - Security List: Don't Talk About Holes, Or We'll Report You
In-Reply-To:
Message-ID:

(c/o ISN)

Security List: Don't Talk About Holes, Or We'll Report You
http://blog.wired.com/27bstroke6/2008/02/scada-security.html
By Kevin Poulsen
Wired.com
February 04, 2008

There's a new industry-run mailing list [1] to foster discussion of security issues on SCADA systems -- the aging and insecure computerized control networks behind the electric grid and other critical infrastructures. But watch what you say. From the announcement e-mail [2]:

Due to heightened security and awareness levels worldwide, ALL MESSAGES ARE WATCHED CAREFULLY. Violators who report methods that are going to disable, damage, dismember, destroy, or disarm any control system, SCADA device, or infrastructure will be reported to DHS (and/or their respective national or federal authority).

Only the SCADA community could conceive of a mailing list that tries to get you arrested for discussing security issues.
And we wonder why SCADA is still insecure.

[1] http://news.infracritical.com/mailman/listinfo/scadasec
[2] http://lists.iinet.net.au/pipermail/scada/2008-February/003560.html

From rforno at infowarrior.org Tue Feb 5 13:15:07 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 05 Feb 2008 08:15:07 -0500
Subject: [Infowarrior] - Ruptures call safety of Internet cables into question
Message-ID:

Ruptures call safety of Internet cables into question
By Heather Timmons
Monday, February 4, 2008
http://www.iht.com/bin/printfriendly.php?id=9732641

NEW DELHI: Four undersea communication cables have been cut in the past week, raising questions about the safety of the oceanic network that handles the bulk of the world's Internet and telephone traffic.

Most telecommunications experts and cable operators say that sabotage seems unlikely, but no one knows what damaged the cables or whether the incidents were related.

One theory - that a wayward ship traveling off course because of bad weather was responsible for cutting the first two cables last week - was dismissed by the Egyptian government over the weekend. No ships passed the area in the Mediterranean where the cables were located, the country's Ministry of Communications said Sunday.

"This has been an eye-opener for us, and everyone in the telecom industry worldwide," said Colonel R.S. Parihar, the secretary of the Internet Service Providers Association of India. Today, the cause of the problem may have been an anchor, "but what if it is sabotage tomorrow?" Parihar asked. "These are owned by private operators, and there are no governments or armies protecting these cables."

Most recently, a cable operated by Qatar's Q-Tel, which linked Qatar to the United Arab Emirates through the islands of Haloul and Das, was cut Friday.

Communications in the Middle East have been hardest hit by the damage, though India, the United States and Europe also experienced slowdowns.
Telecommunications operators have been trying to diversify the routes they can use for transmissions in recent years, said Alan Mauldin, research director with TeleGeography Research, particularly since an earthquake in Taiwan in 2006 disrupted service in Asia. The cable network contains "choke points" - like those off the coast of Egypt and Singapore where many cables run - and operators need to make sure their transmission routes are diversified, he said.

Adel al Mutawa, a spokesman for Q-Tel, said Qatar was operating at about 60 percent of telephone capacity Monday, but that Internet and data transmission services were working at normal speed. Most telecommunications companies affected by the cuts during the past week rerouted service through other cables.

Q-Tel will not know what caused the Qatar-UAE Submarine Cable System rupture until it sends a repair ship to pull the cable off the ocean floor, Mutawa said.

Undersea cables carry about 95 percent of the world's telephone and Internet traffic, according to the International Cable Protection Committee, an 86-member group that works with fishing, mining and drilling companies to curb damage to submarine cables. Information travels faster and less expensively under the ocean than it does via satellite, and undersea cable transmission is gaining market share, the group said.

The Egyptian Ministry of Communications and Information Technology said Sunday that no ships had passed through the area in the Mediterranean where two cables, known as the Sea Me We 4 and Flag's Europe-Asia cable, were cut earlier last week. "The site is a restricted area, which excludes the possibility that the malfunction resulted from a crossing ship," the ministry said in a statement. Internet efficiency in Egypt has reached about 70 percent, the statement said.

A third cable, known as Falcon, was cut Friday morning about 55 kilometers, or 35 miles, off the coast of Dubai in the Gulf.
Wet, windy weather in some areas around the Gulf has shut ports and delayed ships.

Two of the damaged cables, the Flag Europe-Asia cable and Falcon, are owned by Flag Telecom, a subsidiary of Indian conglomerate Reliance ADA Group. Flag Telecom has never had two cables down at the same time in the region, a spokesman, Vineet Kumar, said. Flag Telecom's network is one of the "newest in existence" so it would be unlikely that the cables would break because of wear and tear or age.

From rforno at infowarrior.org Tue Feb 5 13:16:10 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 05 Feb 2008 08:16:10 -0500
Subject: [Infowarrior] - Conspiracy theories emerge after internet cables cut
Message-ID:

Conspiracy theories emerge after internet cables cut
http://www.abc.net.au/news/stories/2008/02/04/2153974.htm?section=world
By Simon Lauder
Posted Mon Feb 4, 2008 3:14pm AEDT
Updated Mon Feb 4, 2008 4:03pm AEDT

Is information warfare to blame for the damage to underwater internet cables that has interrupted internet service to millions of people in India and Egypt, or is it just a series of accidents?

When two cables in the Mediterranean were severed last week, it was put down to a mishap with a stray anchor. Now a third cable has been cut, this time near Dubai. That, along with new evidence that ships' anchors are not to blame, has sparked theories about more sinister forces that could be at work.

For all the power of modern computing and satellites, most of the world's communications still rely on submarine cables to cross oceans. When two cables were cut off the Egyptian port city of Alexandria last week, about 100 million internet users were affected, mainly in India and Egypt. The cables remain broken and internet services are still compromised.
Telecommunications analyst Paul Budde says the situation demonstrates how interconnected the world is. "It clearly shows we are talking about a global network and a global world that we are living in," he said. "So wherever something happens we all get, in one way or another, affected by it."

'Information warfare?'

It was assumed a ship's anchor severed the cables, but now that is in doubt and the conspiracy theories are coming out. Egypt's Transport Ministry says video surveillance shows no ships were in the area at the time of the incident.

Online columnist Ian Brockwell says the cables may have been cut deliberately in an attempt by the US and Israel to deprive Iran of internet access. Others back up that theory, saying the Pentagon has a secret strategy called 'information warfare'.

But Mr Budde says it is far more likely to be a coincidence. "It is absolutely strange, of course, that that happens. At the moment it really looks like bad luck rather than anything else," he said.

Telecommunications professor at the University of Melbourne, Peter Gerrand, says Australia is in a far better position than India to withstand a cable breakage. "We've got, in effect, five really major separate cables, each with high capacity, most of which have plans for upgrading their capacity in the next few years," he said.

Professor Gerrand does not believe Australia is vulnerable to the types of major disruptions that India and Egypt have seen. "I gather India has most of its capacity on two cables - one's to its west and one to its east - so when the western cable got cut near Egypt, all this traffic had to then pass through a single cable and that's what's caused these very huge delays," he said.

Australia's protection zones

As it happens, Australia's protection against such incidents was boosted just last week. Activities that could damage submarine communications cables have been prohibited off Perth's City Beach since Friday.
Australian Communications and Media Authority (ACMA) submarine cable protection manager Robyn Meikle says the events in the Middle East highlight the importance of submarine cables to all international communications.

"Here in Australia, over 99 per cent of all of our international communications carried through these cables lie at the bottom of the sea," she said. "That's why the Australian Communications Authority [ACMA] has played a major role in declaring protection zones over our cables of national significance in Australia.

"Each of the zones, for instance, has restrictions to do with anchoring, which are aimed at preventing the sort of damage that has happened in recent times in the Middle East.

"ACMA declares protection zones over what are considered to be the main cables of national significance, and they're the ones that carry the bulk of the traffic," she said. "So really, they are the most important cables that the industry relies on to carry all communications in and out of Australia."

From rforno at infowarrior.org Wed Feb 6 01:42:50 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 05 Feb 2008 20:42:50 -0500
Subject: [Infowarrior] - DHS official moots Real ID rules for buying cold medicine
Message-ID:

DHS official moots Real ID rules for buying cold medicine
Slippery slope
By Dan Goodin in San Francisco
Published Tuesday 5th February 2008 23:18 GMT
http://www.theregister.co.uk/2008/02/05/real_id_for_cold_medicine/

A senior US Department of Homeland Security official has floated the idea of requiring citizens to produce federally compliant identification before purchasing some over-the-counter medicines.

"If you have a good ID ... you make it much harder for the meth labs to function in this country," DHS Assistant Secretary for Policy Stewart Baker told an audience last month at the Heritage Foundation.

Cold medicines like Sudafed have long been used in the production of methamphetamine.
Over the past year or so, pharmacies have been required to track buyers of drugs that contain pseudoephedrine.

His comment came five days after the agency released final rules implementing the REAL ID Act of 2005 that made no mention of such requirements. It mandates the establishment of uniform standards and procedures that must be met before state-issued licenses can be accepted as identification for official purposes. Beyond boarding airplanes and entering federal buildings or nuclear facilities, there are no other official purposes spelled out in the regulations.

And that's just what concerns people at the Center for Democracy and Technology. They say Baker's statement underscores "mission creep," in which the scope and purpose of the REAL ID Act gradually expands over time.

"Baker's suggested mission creep pushes the REAL ID program farther down the slippery slope toward a true national ID card," CDT blogger Greg Burnett wrote here. He says requiring people to produce a federally approved ID to buy cold medicine is a good example of the "significant ramifications" attached to the act.

So far, 17 states have formally opposed REAL ID, which takes effect on May 11. Residents of those states will be subject to additional searches and other inconveniences when flying and may be barred from entering federal buildings and nuclear plants.

Baker's statement belying the official DHS position on REAL ID isn't the first time the agency has made confusing remarks about the legal requirements surrounding identification. According to travel writer Edward Hasbrouck, DHS officials continue to plant the misunderstanding that residents from states which don't comply with REAL ID requirements won't get on planes. They will, Hasbrouck asserts here. In fact, he says, airlines are prevented by law from requiring any kind of ID. Nonetheless, the DHS website continues to claim a photo ID is needed to pass through security checkpoints.
Hasbrouck has his suspicions about the motives for such statements. "The most obvious explanation is that they want to use the implied (but legally and factually empty) threat of denial of air travel to intimidate states into 'voluntarily' complying with the Real-ID Act and its rules," he writes.

From rforno at infowarrior.org Wed Feb 6 01:46:49 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 05 Feb 2008 20:46:49 -0500
Subject: [Infowarrior] - Federal buildings become Real ID zones
In-Reply-To: <0E6E608443A703489B63435E45E6427126988C1C7A@EXVMBX016-3.exch016.msoutlookonline.net>
Message-ID:

Via IP

------ Forwarded Message
From: RJ Riley

http://www.news.com/Federal-buildings-become-Real-ID-zones/2009-1028-6229133.html?part=dht&tag=nl.e703

Federal buildings become Real ID zones
By Declan McCullagh and Anne Broache
Staff Writers, CNET News.com
February 5, 2008 4:00 AM PST

Editor's note: A May deadline looms as just one flash point in a political showdown between Homeland Security and states that oppose Real ID demands. This is the second in a four-part series examining the confrontation.

The nation's capital attracts more than 15 million visitors a year, mostly leisure travelers who often make their way to the city's official visitor center, which is conveniently located downtown in a corner of the Ronald Reagan building.

Or was that inconveniently located?

Starting May 11, Americans living in states that don't comply with new federal regulations could be barred from entering Washington D.C.'s visitor center and collecting the complimentary maps and brochures--unless they happen to bring a U.S. passport or military ID with them.

That not-very-welcoming rule is part of a 2005 law called the Real ID Act, which takes effect in just over three months.
It says that driver's licenses from states that have not agreed to Real ID mandates from the Department of Homeland Security, or which have not requested a deadline extension, can no longer be used to access "federal facilities."

Because the visitor center is in a government building that checks ID, it might just become off-limits to Americans with licenses or state ID cards from the following noncompliant states: Maine, South Carolina, Montana, Oklahoma, and New Hampshire. Fifteen other states and the District of Columbia have not decided whether to comply or ask for an extension, according to a survey conducted by CNET News.com over the last two weeks, meaning the fate of driver's licenses and state ID cards used by their residents remains uncertain.

This could become a politically volatile situation for the Bush administration, which has championed Real ID as a way to identify terrorists and criminals--but now faces a groundswell of opposition by state governments, as well as the prospect of inconveniencing millions of otherwise law-abiding Americans at airports and at the entrances of buildings maintained by their own tax dollars. Homeland Security says, laconically, that it "cannot predict how individuals" from those states will be affected.

No Real ID, no admittance?

Starting May 11, unless your home state agrees to comply with the federal Real ID Act or unless it asks for an extension, you might have trouble getting into federal buildings. Here is what each state has told us about whether or not its ID cards will meet Real ID requirements.

Alabama
Alabama plans to ask for an extension.
"At this point, one option that's being considered is a 'hybrid' approach to Real ID in Alabama, by which the state would offer compliant and noncompliant driver licenses and ID cards. We do plan to ask for an extension." --Dorris Teague, Public Information/Education Unit, Alabama Department of Public Safety

Alaska
"Alaska does indeed intend to request an extension to meet the requirements of Real ID. We haven't submitted our extension request yet, but we fully intend to do so in the very near future." --Whitney Brewster, spokeswoman, Alaska Division of Motor Vehicles

Arizona
Arizona says that Homeland Security has said the state will "automatically get an extension" because of an existing plan to revamp its licenses, according to Jeanine L'Ecuyer, spokeswoman for Arizona Gov. Janet Napolitano. That means its driver's licenses and state ID cards will be treated as Real ID-compliant until December 31, 2009. But L'Ecuyer added that final compliance is still an open question: "Will Arizona do Real ID? Maybe is the honest answer to that question."

Arkansas
"We have asked for the first extension, but in the extension letter, we say we are not committed to implementing Real ID. We just need time to look at it and evaluate it." --Mike Munns, assistant revenue commissioner for Arkansas

California
California reiterated in January 2008 that it has no problems complying with Real ID. Its statement did, however, mention "privacy and funding issues, which continue to be a concern for California."

Colorado
"We requested and received the extension until 2009, and we expect to be fully on the road to implementing Real ID satisfactorily by that point to get another extension in the future if we need to." --Mark Couch, spokesman for the Colorado Department of Revenue

Connecticut
Connecticut has not decided whether to comply with Real ID, reject it completely, or request an extension to keep its options open. "We are still studying the issue.
(Department of Motor Vehicles Commissioner Robert Ward) remains supportive of the concept, but no firm decisions have been made." --Bill Seymour, spokesman for the motor vehicle commissioner.

Delaware
Delaware has not decided whether to comply with Real ID, reject it completely, or request an extension to keep its options open. "The DMV director and secretary are going to give a briefing to the governor next month, February. Because we've got until the end of March to decide...After they have this meeting with the governor is when we're going to make our official choice." --Mike Williams, spokesman, Delaware Department of Transportation

Florida
Florida has not announced whether it will or will not request an extension. "Thanks to the leadership of our governor, cabinet, and legislature, Florida already provides our citizens a secure and safe driver license and identification card, and we are well postured to incorporate any changes that may be required. We applaud the federal government on their efforts to protect all of our citizens with the implementation of this act." --Ann Nucatola, public information director, Department of Highway Safety and Motor Vehicles

Georgia
Georgia has not decided whether to comply with Real ID, reject it completely, or request an extension to keep its options open. The legislature has approved legislation authorizing the governor to reject Real ID if federal regulations do not "adequately safeguard and restrict use of the information in order to protect the privacy rights" of Georgia residents. "Our legislature has to make that determination within the next few months." --Susan Sports, public information officer, Georgia Department of Driver Services

Hawaii
Hawaii has filed for and received an extension. "We are moving forward on reviewing the rules and coordinating with the county DMVs to see how the rules can be implemented and coordinated." --Russell Pang, chief of Media Relations for Hawaii Gov.
Linda Lingle

Idaho
"We've asked for an extension, but we still have serious concerns and reservations about it and its future here is to be determined." --Jon Hanian, spokesman for Idaho Gov. C.L. "Butch" Otter

Illinois
"We have every intention to file for an extension." --Henry Haupt, spokesman for Illinois Secretary of State Jesse White

Indiana
"We do intend to comply, and we have filed for and received an extension. Over the past couple of years, we've done some security enhancements to our own system that we were going to do regardless of how Real ID rolled out." --Dennis Rosebrough, spokesman, Indiana Bureau of Motor Vehicles

Iowa
"Yes, Iowa will be implementing Real ID and we will be requesting the first extension." --Dena Gray-Fisher, spokeswoman, Iowa Department of Transportation

Kansas
"Kansas has obtained authorization for the extension, which gets us out to the end of 2009 and affords us the opportunity to see where we are, negotiate a few different things with our vendor and others. It gives us a little breathing room." --Carmen Alldritt, director of the division of vehicles, Kansas Department of Revenue

Kentucky
"A Real ID would be an entirely new document. The current KY license would not meet the new standard...Kentucky has asked for the extension." --Mark Brown, spokesman, Kentucky Transportation Cabinet

Louisiana
State officials have not responded to repeated requests for information about Real ID compliance. One bill in the state legislature asks Congress to repeal Real ID, while a response to a DMV survey says that "We believe that Louisiana will meet standards."

Maine
Will not comply. "There is currently no effort being undertaken within the state to roll back the public law preventing the secretary from moving in the direction of Real ID. It is a situation where Mainers may face some inconvenience at airports come May 11." --Don Cookson, spokesman for Maine Secretary of State Matthew Dunlap

Maryland
Maryland requested a deadline extension.
"We're still going through 300 pages of federal guidelines. We're currently evaluating those guidelines and then we'll develop a program that is Real ID-compliant." --Jack Cahalan, spokesman, Maryland Department of Transportation

Massachusetts
"Massachusetts did apply for the waiver and received it. We are basically telling (drivers who call us) that we've gotten the exemption, which means that you are going to show your valid driver's license to get on an airplane just as you have in the past until December 2009." --Ann Dufresne, spokeswoman, Massachusetts Department of Motor Vehicles. After December 2009, states can apply for a second extension, but will receive it only if they're taking affirmative steps to comply.

Michigan
Michigan has not decided whether to comply with Real ID, reject it completely, or request an extension to keep its options open. "At this point, we have not requested a waiver. We're still trying to work out some of the details." --Kelly Chesney, spokeswoman for Michigan Secretary of State Terri Lyn Land. The state's Web site says: "There are still many unknowns...Michigan law changes will be necessary."

Minnesota
"We did receive a letter from Homeland Security and it said that our extension had been granted, so that would mean that our documents, our driver's licenses, and ID cards, are compliant until December 31, 2009." --Minnesota Department of Public Safety spokeswoman

Mississippi
No response to repeated inquiries.

Missouri
No response to repeated inquiries. The state Web site says: "January 11, 2008 the U.S. Department of Homeland Security (DHS) released the final rule establishing minimum security standards for state-issued driver licenses and identification cards. The rule is 284 pages in length. The Missouri Department of Revenue is in the process of reviewing the rules to determine the impact to Missouri."

Montana
Montana's legislature has flatly rejected Real ID in a bill that the governor has signed into law. Gov.
Brian Schweitzer has called on his colleagues in other states this month to join Montana in opposition to this "major threat to the privacy, constitutional rights, and pocketbooks of ordinary Montanans." Lynn Solomon, a spokeswoman for the Montana attorney general's office, told us: "Right now we're not even sure that the existing Montana law allows us to ask for the extension. We're just sort of sitting tight."

Nebraska
"Nebraska has requested and has been granted an initial extension. That extension does not require you to technically commit to Real ID compliance--it says we need some time, and that's what we said, we need some time. Whether or not Nebraska is ultimately going to be compliant is really for the most part right now in the hands of the legislature." --Beverly Neth, director, Nebraska Department of Motor Vehicles

Nevada
Nevada has applied for a deadline extension. "Certainly this is something that the governor supports and believes is important, although he believes in some respects it is an unfunded mandate and that the federal government should assist the states with the funding," Melissa Subbotin, spokeswoman for Nevada Gov. Jim Gibbons, told us.

New Hampshire
New Hampshire last year enacted a law that prohibits the state from changing its driver's license and identification card laws to comply with Real ID. It doesn't appear that is going to change. "As it stands now, the only action that has been taken is legislation to keep us out of it. There would be no way that the state could pass amending legislation or undo that within that time frame; it's just not going to happen. I don't see that anything could be done in the intervening time to change it," Jim Van Dongen, spokesman for the New Hampshire Department of Safety, told us.

New Jersey
New Jersey has not decided whether to comply with Real ID, reject it completely, or request an extension to keep its options open.
Mike Horan, a spokesman for the New Jersey Motor Vehicle Commission, said there are a number of factors that the state is considering, including cost and wait times at the DMV. "Are the Real ID requirements going to add 15 minutes more to a person's wait? Are we going to need a new computer system to manage the requirements? We're in a bit of a fiscal crisis like many states across the country. That's a major concern--there are so many things that are in need of money."

New Mexico
New Mexico has applied for the first deadline extension from the Department of Homeland Security. "We have not made a final decision on whether we are going to implement Real ID or not," said David Harwell, a spokesman for the state department of taxation and revenue, which issues driver's licenses. "We are in the process of studying all of the regulations that were issued by Secretary (Michael) Chertoff several weeks ago."

New York
New York has already received an "unsolicited extension" from the Department of Homeland Security as part of a recent agreement to change its driver license policies, said Jennifer Givner, deputy press secretary for Gov. Eliot Spitzer.

North Carolina
North Carolina said it will request an extension if it's necessary for state residents to travel after May 11, but has not yet done so. "We're feeling that we are on track to follow along the Real ID plan as it is right now. We don't see any situation at this point where our citizens' driver's licenses would be in jeopardy and keeping them out of federal buildings or off of airplanes...Basically we feel like we're in a good place." --Marge Howell, spokeswoman, North Carolina Division of Motor Vehicles

North Dakota
North Dakota has applied for a deadline extension.
"Our application is stating that we'd like the extension and we would still like to reserve the opportunity to investigate committing to full implementation," said Linda Butts, deputy director of driver and vehicle services, North Dakota Department of Transportation. "The other thing that's muddying the water is that so many of these rules are long-term and seem to continue to mutate and change a little bit, so that's another thing I think all states are looking at is the cost of implementation. Are these truly going to be the rules in 2015? Will the rules today be the rules that are implemented five, seven years down the road?"

Ohio
Ohio said this month that it has applied for an extension and was the first state to receive one.

Oklahoma
Oklahoma's legislature has approved legislation saying that Real ID "is inimical to the security and well-being of the people of Oklahoma" and, therefore, "the state of Oklahoma shall not participate in the implementation of the Real ID Act." Paul Sund, spokesman for the Oklahoma governor's office, told us: "I'm not aware of any repeal efforts, but our legislature does not convene until February 4."

Oregon
Oregon has requested and received an extension. In the longer term, however, the state may not comply. "Oregon hasn't made a decision for or against compliance with Real ID. But since the final federal rules were released January 10, our legislature is likely to put that on its 2009 agenda." --David House, spokesman for the Oregon Department of Motor Vehicles

Pennsylvania
Pennsylvania has requested and received an extension. In the longer term, however, the state may not comply. "We're undergoing a comprehensive review of those regulations right now to look at some potential options, the cost that would be involved and also the impact to the citizens of Pennsylvania.
Being granted this initial extension just allows us more time to do that and allows the citizens of the commonwealth to continue using their state driver's licenses and IDs through December 31, 2009." --Danielle Klinger, spokeswoman, Pennsylvania Department of Transportation

Rhode Island
Rhode Island has applied for and received the first deadline extension from DHS, according to state DMV spokeswoman Gina Zanni. "Our governor supports the Real ID initiative," Zanni told us. "We have applied for part of the grant money that has been made available...we'd sure like some money."

South Carolina
South Carolina has enacted legislation saying the state "shall not participate in the implementation of the federal Real ID Act." Beth Parks, spokeswoman for the South Carolina Department of Motor Vehicles, told us: "Yes, it is true that South Carolina is a non-participatory state for Real ID. The South Carolina legislature is the only entity that can change that position. We are comparing the new regulations to the proposed regulations and our previous cost estimates. Once we have completed our review, we will provide information to South Carolina lawmakers and answer any questions they may have."

South Dakota
"We've applied for an extension and received one, but we have not committed to Real ID yet," said Mitch Krebs, press secretary for South Dakota Gov. Michael Rounds.

Tennessee
"The Department of Safety is conducting a detailed review of the final rules in order to fully evaluate the impact Real ID implementation will have on the citizens of the state of Tennessee. While we anticipate filing an extension, no official request has been signed as of this date. Keep in mind, an extension request is not necessarily an indication of our intent to comply." --Mike Browning, spokesman, Tennessee Department of Safety

Texas
Texas has not decided whether to comply with Real ID, reject it completely, or request an extension to keep its options open.
"We're still reading the fine print." --Tela Mange, spokeswoman, Texas Department of Public Safety

Utah
Utah has requested and received a deadline extension. "Our driver's license division is not a policy-making body. It would be up to the legislature and the governor. We are currently going through our legislative session--it just started. That will be one of the topics, whether to go through with it." --Sgt. Jeff Nigbur, spokesman, Utah Department of Public Safety

Vermont
"Vermont requested and was granted an extension until December 31, 2009." --John Zicconi, spokesman, Vermont Agency of Transportation

Virginia
Virginia has not decided whether to comply with Real ID, reject it completely, or request an extension to keep its options open. "The Virginia DMV is currently reviewing the regulations to determine our next steps." --Melanie Stokes, spokeswoman, Virginia Department of Motor Vehicles

Washington
Gov. Christine Gregoire signed legislation last year prohibiting the state from implementing Real ID unless the federal government provides funding and greater privacy protections. But, in an apparent effort to avoid inconveniencing state residents in May, Gregoire requested a compliance extension. "By not filing an extension, effective May 11, Washingtonians would have automatically been subject to additional security screenings at airports and federal buildings," Gregoire said in a recent statement. It also said: "I will not allow for confusion and chaos at our busy airports. This extension will allow our residents to continue use of their Washington state driver license or ID card to board planes and enter federal buildings...The federal regulations on Real ID compliance are ambiguous, and I share funding and privacy concerns held by many state legislators."

West Virginia
West Virginia has not decided whether to comply with Real ID, reject it completely, or request an extension to keep its options open.
"In West Virginia we are still weighing our options based upon the recent changes to the act's requirements." --Susan Watkins, spokeswoman, West Virginia Department of Transportation

Wisconsin
Wisconsin has not decided whether to comply with Real ID, reject it completely, or request an extension to keep its options open. "We've not made a final determination regarding next steps for Wisconsin as it relates to Real ID," said Patrick Fernan, operations manager for the Wisconsin Department of Motor Vehicles. "We have not requested an extension as of yet."

Wyoming
Wyoming plans to request a deadline extension. "Unless the law for implementation of Real ID is changed in Washington D.C. or our Wyoming Legislature passes legislation not to comply with the Real ID, we will work toward implementation," said Jim O'Connor, support services administrator for the Wyoming Department of Transportation. He added, however: "We are concerned about this unfunded federal mandate and the effect it will have on the people of Wyoming."

Washington, D.C.
The nation's capital has not decided whether to comply with Real ID, reject it completely, or request an extension to keep its options open. "The DC DMV is still deciding on next steps," said public information officer Janis Hazel. "Nothing further to report at this time."

Real ID's scope is surprisingly broad. Jurors could potentially be denied entrance to federal courthouses. So could prospective students visiting the U.S. Naval Academy in Annapolis or the U.S. Military Academy at West Point. Tours of federal buildings such as the Pentagon and the Treasury Department could be affected, as could public hearings, conferences, and even concerts. And some Americans could be denied entrance to the U.S. Capitol building, the iconic heart of the nation's democracy.
"This will help demonstrate directly to federal officials how impossible Real ID is," said Jim Harper, director of information policy studies at the Cato Institute, a member of a Homeland Security advisory panel, and a critic of the law. "It'll also make constitutional challenges to the act ripe."

Homeland Security declined to elaborate on exactly how federal agencies and military bases will comply with the 300 pages of regulations released last month. Amy Kudwa, a DHS representative, merely said that agencies will be "prohibited from accepting state-issued driver's licenses or photo ID cards for federal purposes unless states are in compliance with the mandatory minimum standards for Real ID."

To be sure, not all federal buildings demand that visitors show identification to enter (nothing changes if no ID is required). And it's possible that Congress may alter the law before May 11 in response to pressure from irked state officials. One Senate bill would do just that--but it's been stuck in a committee ever since it was introduced in February 2007.

Real ID could affect concerts, hospitals, hearings

Government offices contacted by CNET News.com over the last two weeks were unsure how they will comply with Real ID, which would likely mean handing guards a list of which state driver's licenses to reject. Visitors could present other forms of identification, such as a military ID, a federal employee ID, or U.S. passport, which the State Department says typically takes four to six weeks to obtain. (Less than 30 percent of Americans have U.S. passports, according to a National Business Travel Association representative.) Another option is for government offices to simply stop asking for photo ID.

The Ronald Reagan building, home to the DC Chamber of Commerce's Visitor Information Center, is tight-lipped about its Real ID plans.
Officials were unable to answer questions about denying non-Real ID visitors access to the center, which features a television showing a video of Pierre L'Enfant's plan for the city and touch-screen computers that print out directions to nearby landmarks. "We actually can't provide any information about that to you," said building representative Jaycie Roberts.

It was a common refrain. "We have not yet determined how it will impact FAA facilities," said Federal Aviation Administration spokeswoman Alison Duquette. "Once we make that determination, we will issue guidance to all FAA facilities well ahead of the May 11 deadline."

Residents of states like California and New York that have agreed to comply with Real ID, or that have requested an extension, should not be affected by the May 11 deadline. But the District of Columbia and 15 other states, including populous ones like Texas, Virginia, and Michigan, have not requested an extension, leaving the ability of their citizens to access federal facilities up in the air.

"We're still reading the fine print," said Tela Mange, a spokeswoman for the Texas Department of Public Safety. Virginia was no more certain. "The Virginia DMV is currently reviewing the regulations to determine our next steps," said Melanie Stokes, a spokeswoman for the state's Department of Motor Vehicles.

Other effects of Real ID include:

- Social Security: Some Social Security offices are inside federal buildings, which means that Americans trying to replace a Medicare card or apply in person for government benefits could be inconvenienced. "In terms of getting into federal buildings, that wouldn't be something I could answer," said Mark Hinkle, a Social Security Administration spokesman who referred questions to Homeland Security.

- Veterans Affairs: Family members and friends visiting patients in Veterans Affairs hospitals could encounter problems.
VA says it requests a government-issued photo ID for admission during times of a heightened alert level and isn't sure how to reconcile that requirement with Real ID rules. "The final rules for the law have to be reviewed by VA's legal and policy offices before the department can determine how to implement," Veterans Affairs spokeswoman Josephine Schuda said.

- Public hearings and conferences: A nanoscience conference at Brookhaven National Laboratory in Upton, N.Y., is scheduled to begin May 19, eight days after Real ID takes effect. Attending conference seminars such as "Electrical Nanoprobes" and "Applications of Synchrotron-Based Microprobe and Imaging Techniques to Studies of Human Disease" means having to show photo ID, which could be problematic for researchers from non-Real ID states. In addition, some government hearings open to the public are held in federal buildings that require photo ID.

- Concerts: Virtuoso pianist James Giles performed in a concert open to the public last November at the Argonne National Laboratory in Illinois, which requires photo ID for admission. Concerts organized by the Argonne arts council in the future could be affected. "The department is currently reviewing our existing security policies to make the necessary changes to implement the DHS Rule on Real ID Act compliance," said Joann Wardrip, a spokeswoman for the Department of Energy, which oversees the Brookhaven and Argonne laboratories.

- Military academies and bases: The picturesque U.S. Naval Academy in Annapolis requires picture ID to enter the grounds. "Currently there is no official DOD policy on the Real ID," said Ed Zeigler, director of public affairs for the Headquarters Naval District. "If and when official Real ID policy is established, we may be required to implement some changes."
The Pentagon, which requires photo ID on tours, did not respond to repeated requests for comment.

From Homeland Security, an unyielding defense

From Homeland Security's perspective, the rules are clear: Real ID was signed on May 11, 2005, by President Bush, and federal agencies have had nearly three years to comply. The vote in Congress was overwhelmingly in favor of the law, part of a broader government spending and tsunami relief bill that was approved unanimously by the Senate and by a vote of 368 to 58 in the House of Representatives.

Real ID's edict is unambiguous. It says that "three years after the date of the enactment of this division, a federal agency may not accept, for any official purpose, a driver's license or identification card issued by a state to any person unless the state is meeting the requirements of this section." The definition of official purposes includes "accessing federal facilities."

Since its enactment, the Bush administration has been aggressively defending Real ID, noting that many of the hijackers on September 11, 2001, were able to fraudulently obtain U.S. driver's licenses. Because Real ID links state DMV databases, establishes a standard bar code that can be digitally scanned, and mandates that original documents such as birth certificates be verified, DHS officials claim the benefits extend beyond antiterror and ID fraud cases.

DHS recently suggested that Real ID could be expanded into a requirement that pharmacies check ID before selling drugs with pseudoephedrine such as Sudafed. It "could have other benefits as well, such as reducing unlawful employment, voter fraud, and underage drinking," Richard Barth, Homeland Security assistant secretary, told Congress last year. Barth added: "Any state or territory that does not comply increases the risk for the rest of the nation."
That unyielding rhetoric has not endeared Real ID to state governments, many of which have been critical of the law because of its privacy impact, sovereignty implications, and a total price tag estimated at more than $14 billion. To ease their concerns, Homeland Security last month extended the final compliance deadline to December 2017, but only states that agree to embrace Real ID and are able to demonstrate their progress qualify.

The May 11 date on which Real ID takes effect has sown confusion even among federal government agencies. Some claim they will not comply, despite the fact that the law's requirements apply to "federal facilities."

"Main Treasury will continue to accept a government-issued photo ID from visitors wishing to access the building. There will be no change in the IDs that are accepted for visitors," Treasury spokeswoman Eileen Gilligan said in an e-mail message. When asked whether non-Real ID driver's licenses and state identification cards will be accepted after the May deadline, Gilligan replied: "All government-issued photo IDs will be accepted."

Questions about access to the U.S. Capitol building also led to mixed messages. "Entry into the Capitol will be unaffected," said Sgt. Kimberly Schneider, a public information officer with the U.S. Capitol Police. ID is required when entering the building for visitors not part of an organized tour.

But Homeland Security appears to believe otherwise. "We're working with other government branches, to include Capitol and U.S. Supreme Court, to ensure applicable enforcement of the law," said DHS representative Kudwa.

Because official business takes place in the Capitol building--some politicians have offices there and it is home to some committee hearings--critics of Real ID believe the law could violate Americans' First Amendment right to petition their government. "That's where you might start to see constitutional challenges," said Harper, the Cato Institute analyst.
Restricting access to courthouses is another area that touches on constitutional concerns. Federal courts can set their own rules, and many require identification: That category includes courthouses in Washington, D.C., Washington state, Texas, Delaware, and Louisiana. It also includes the U.S. Court of Appeals for the Ninth Circuit.

"The USMS and the courts continue to work together to address any issues that may arise as it relates to the act," said Nikki Credic, a representative of the U.S. Marshals Service in Washington, D.C.

In Maine, a state that has flatly rejected Real ID and appears to have no intention of ever complying, federal officials said they did not know how jurors or people attending naturalization ceremonies would be admitted to the courthouse. Witnesses in trials and parties to lawsuits, including criminal defendants out on bail, would also be affected.

"Obviously we are aware of the situation and we've been communicating with the folks at our headquarters in Virginia as to what our alternatives and options are for other solutions to people coming in," said John Clark, chief deputy marshal of the federal courthouse in Portland, Maine. "Right now I don't have a very specific answer for you."

Federal officials in Montana--whose governor has dubbed Real ID a "major threat" to the privacy and constitutional rights of state residents--also are unsure about details. "We're just waiting to see how things play out, to know where the chips fall so we can establish our strategy on how to make this thing work," said Rod Ostermiller, the chief deputy for the federal courthouse in Billings, Mont. "It's just like everything else, there's going to be some growing pains, no doubt about it."
From rforno at infowarrior.org Wed Feb 6 03:27:39 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 05 Feb 2008 22:27:39 -0500
Subject: [Infowarrior] - Bush Repeals Controversial Guard Law
Message-ID:

Bush Repeals Controversial Guard Law
http://www.wcax.com/Global/story.asp?S=7801365&nav=menu183_2

Washington, D.C. - January 31, 2008

A bill backed by Senator Patrick Leahy, which repeals a law over who controls the National Guard, was signed by President Bush. A bill passed in 2006 allowed the President to deploy guard members for domestic missions, such as guarding the border. But many of the nation's governors complained the law made it easier for the feds to take over control of the National Guard from the states. Governor Douglas was happy with the President's decision, saying the National Guard should be controlled by the governors for domestic emergencies.

More info: http://www.dailykos.com/storyonly/2008/2/4/9234/41958/107/449417

From rforno at infowarrior.org Wed Feb 6 03:34:15 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 05 Feb 2008 22:34:15 -0500
Subject: [Infowarrior] - Fun and games with terrorist threats
Message-ID:

Fun and games with terrorist threats
http://www.salon.com/opinion/greenwald/?last_story=/opinion/greenwald/2008/02/05/terrorism/

Back in August, when the Bush administration wanted to pressure Congress into passing "The Protect America Act" -- which vested in the President vast, new warrantless eavesdropping powers to spy on Americans -- they sent out Mike McConnell days before the August recess to tell everyone in Congress that they better pass the bill before they leave or The Terrorists would kill us all and the blood would be on the hands of Congress for failing to give the President what he wanted:

Congressional, administration and intelligence officials last week described the events leading up to the approval of this surveillance, including a remarkable series of confrontations that ended with
McConnell and the White House outmaneuvering the Democratic-controlled Congress, partly by capitalizing on fresh reports of a growing terrorism threat. . . .

A critical moment for the Democrats came on July 24, when McConnell met in a closed session with senators from both parties to ask for urgent approval of a slimmed-down version of his bill. Armed with new details about terrorist activity and an alarming decline in U.S. eavesdropping capabilities, he argued that Congress had days, not weeks, to act.

"At that time, the discussion changed to 'What can we do to close the gap during the August recess?'" said a senior Democratic aide who declined to be identified because the meetings were classified. As delivered by McConnell, the warnings were seen as fully credible. "He's pushing this because he thinks we're in a high-threat environment," the senior aide said.

Now that Congress has a few days left in which essentially to make The Protect America Act permanent and grant amnesty to lawbreaking telecoms, this is what Mike McConnell is doing:

The top American intelligence official said on Tuesday that Al Qaeda is improving its ability to attack within the United States by recruiting and training new operatives. At the same time, he said, the group's affiliate in Iraq is beginning to send militants to other countries.

That caution came from Michael McConnell, director of national intelligence, as he presented to the Senate intelligence committee an annual report on threats to the United States. The report was released as his testimony began.

"Al-Qa'ida is improving the last key aspect of its ability to attack the U.S.: the identification, training, and positioning of operatives for an attack in the homeland," he wrote in the 47-page document.

This is really, really scary.
We better forget about checks and balances and oversight and restraints of any kind and everything else and just make sure that the President can spy on our emails and telephone calls with no oversight, otherwise Al Qaeda is going to slaughter us in our Homeland. And we also better make sure that telecommunications corporations don't have consequences when they break the law, otherwise we're doomed, because Al Qaeda is coming.

Or, as leading fear-monger and proponent of limitless surveillance powers, Jay Rockefeller, put it today:

"Al Qaeda has used this border safe haven to reconstitute itself and launch offensive operations that threaten to undo the stability brought to Afghanistan and undermine, if not overthrow, the Pakistan government," said Mr. Rockefeller, a West Virginia Democrat. This, Mr. Rockefeller added, gave Al Qaeda "a base of operations from which to plot and direct attacks against the United States."

After scaring everyone with the latest Al-Qaeda-is-Coming warnings, the CIA also admitted for the first time that it waterboarded detainees in its custody, but what's a little water up the nose -- or a little presidential omnipotence -- when Al Qaeda is coming to get us in our Homeland?

-- Glenn Greenwald

From rforno at infowarrior.org Wed Feb 6 03:36:46 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 05 Feb 2008 22:36:46 -0500
Subject: [Infowarrior] - New travel document requirements for USA citizens
Message-ID:

New travel document requirements for USA citizens
http://hasbrouck.org/blog/archives/001371.html

Under new regulations and procedures announced to take effect over the next month, citizens of the USA will, for the first time, be required to obtain USA government permission in order to return home to their own country from abroad -- from anywhere else in the world, by air or sea or land.
On no other aspect of the right to travel is international law more clear than on the right of return to the country of one's own citizenship: "No one shall be arbitrarily deprived of the right to enter his own country." The new regulations are a flagrant violation of the obligations of the USA as a party to the International Covenant on Civil and Political Rights and other international human rights treaties, as well as a violation of the Constitutional duty of the USA government to treat such treaties as the highest law of the land.

It's to be hoped that some civil liberties or human rights organization or individual will go to court before the end of this month to enjoin the government from putting these rules and procedures into effect, and that citizens will assert their rights by attempting to cross borders without papers, and suing those goons from the USA Department of Homeland Security who try to stop them. But if that doesn't happen, here's what the DHS has promulgated as "final rules" and "procedures":

As I've noted previously, the so-called International APIS final rules effective 19 February 2008 will require all travellers to, from, or via the USA by air to obtain two forms of government permission to travel: (1) a passport, and (2) a "cleared" message from the DHS authorizing the airline to allow the specific person to board the specific flight or ship.

One might argue that a passport is merely a travel document, not a form of permission. But that would be wrong. Because nothing in the law or the regulations for passport issuance (which were revised in November 2007) guarantees anyone a right to a passport, it is in effect a travel permit, issued at the government's discretion. The individualized, per-flight, advance "clearance" message is quite unambiguously a permission-to-travel requirement.

This International APIS rule as originally promulgated in August 2007 applied only to air and sea travel.
So it might have allowed, for those with enough time and money, at least a theoretical possibility that, if the USA wouldn't give them permission to come home, they could fly to Canada or Mexico, and return to the USA from there by land. In practice that might be very difficult, because Canada has been barring passage to people on the USA "no-fly" list, and most flights between Europe and Mexico overfly the USA and thus are subject to USA jurisdiction and the APIS rules. But there are some very roundabout and expensive routes from Europe or Africa to Mexico by way of South America.

The DHS has proposed that the "Western Hemisphere Travel Initiative" (WHTI) rules that already (purport to) require passports for USA citizens for air travel between Mexico, Canada, and the USA be extended to those crossing USA borders by land and sea. But that portion of the WHTI rulemaking proposals remains pending, with no final rules yet published.

Even this narrow loophole for return to the USA without government permission will apparently be closed, however, by new procedures announced by the DHS in a notice published in the Federal Register on 21 December 2007:

CBP [the DHS Customs and Border Protection division] is now amending its field instructions to direct CBP Officers to no longer generally accept oral declarations as sufficient proof of citizenship and, instead, require documents that evidence identity and citizenship from U.S., Canadian, and Bermudian citizens entering the United States at land and sea ports-of-entry.... Beginning on January 31, 2008, a person claiming U.S., Canadian, or Bermudian citizenship must establish that fact to the examining CBP Officer's satisfaction by presenting a citizenship document such as a birth certificate as well as a government-issued photo identification document.

The Federal Register "Notice" acknowledges that the WHTI proposed rules to require passports for land border crossings have not been finalized.
But the "Notice" claims that the new document requirement is "separate from WHTI", is not a "rule", and is not subject to any of the same procedural requirements:

The instruction for CBP Officers to no longer generally accept oral declarations alone as satisfactory evidence of citizenship is a change in DHS and CBP internal operating procedures, and therefore is exempt from notice and comment rulemaking requirements under the Administrative Procedure Act, 5 U.S.C. 553(b).

On the basis of this claim, the DHS "Notice" neither acknowledges nor responds to any of the numerous objections that were raised to the proposed WHTI rules from both sides of the border, including formal comments on their illegality by the Identity Project. Clearly, the DHS doesn't want to address those legal defects in its travel document and permission schemes.

The problem for the DHS is that -- regardless of the procedural requirements for changes to DHS instructions to CBP officers -- CBP officers who act on the new instructions by preventing citizens from entering or leaving the USA will be acting in violation of those citizens' rights and the obligations of the government of the USA under the Constitution and international human rights treaties.

With both this document requirement for USA-Canada/Mexico land travel and the document and permission requirement for international air travel between the USA and the rest of the world coming into effect within the next month, there is an urgent need for someone to challenge these regulations. The procedural issues are quite different, but the substantive issues of the right to travel without government papers or permission are identical.

For what little it's worth, the DHS followed its notice of the new procedures and document requirements for land border crossings with the announcement of the details of a new "passport card".
Their idea was, apparently, to assuage the intense and widespread criticism of the new document requirements for land border crossings by promising to offer a cheaper alternative to a passport, "real soon now". But passport cards won't begin to be available until after the new procedures for USA-Canada/Mexico land border crossings take effect.

As I had expected, the passport card will contain a "vicinity" RFID chip, i.e. a chip that can be read at longer range than the "proximity" chip in "RFID passports". The DHS admits that each passport card will respond to any query by sending back a unique chip ID number -- apparently in the clear. So if you want a cheaper alternative to an (RFID) passport, it will have a much longer-range identity broadcasting mechanism. And as with RFID passports, there's nothing in the new rules to restrict private and commercial tracking of passport cards by their unique chip numbers, or secret commercial aggregation, use, and sale of those tracking logs.

From rforno at infowarrior.org Wed Feb 6 21:52:47 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 06 Feb 2008 16:52:47 -0500
Subject: [Infowarrior] - We Must All Do Our Part To Preserve This Climate Of Fear
Message-ID:

(gotta love the Onion! Thx to Anonymous. --rf)

We Must All Do Our Part To Preserve This Climate Of Fear
By M. Willard Thornton
January 30, 2008 | Issue 44•05
http://tinyurl.com/2hwun3

The last six years have been a golden age of American apprehension and mistrust. Thanks to the events of Sept. 11, 2001, all of America was united, standing shoulder to shoulder in sheer, unrelenting fear. But tragically, that atmosphere of panic and confusion has begun to fade, and without another terrible attack to bond us as a nation, we are dangerously close to entering a post-post-9/11 era. We cannot allow that to happen.
We must all do whatever we can to preserve America by refocusing our priorities back on the contemplation of lethal threats -- invisible nightmarish forces plotting to destroy us in a number of horrific ways. It is only through the vigilance and determination of every patriot that we can maintain the sense of total dread vital to the prolonged existence of a thriving, quivering America. Our country deserves no less than every citizen living in apprehension.

Fear has always made America strong. Were we ever more determined than during the Yellow Scare? When every Christian gentleman lived in mortal terror of his daughter being doped up on opium and raped by pagan, mustachioed Chinamen? What about the Red Scare, when citizens from all walks of life showed their pride by turning in their friends and associates to rabid anticommunists? Has America ever been more resolute?

Not so very long ago, we winced every time we saw someone with facial hair or a backpack. Average people were terrified of opening their mail for fear of getting a face full of anthrax. Those were perhaps our country's greatest days.

Yet that once-phobic spirit that defined our times is drastically changing. Today, people are making eye contact with strangers on the street. They are whistling on subway platforms, strolling down sidewalks, and generally behaving as if they do not feel they could be killed at any moment. Children can be seen running playfully in public parks, their parents smiling and watching idly from afar when they should be obsessing over an unseen child abductor who will snatch and rape their babies first chance they get.

It breaks my heart to see the land I love fall into such a state of non-panic. My God, what have we become? We can no longer rely solely on our enemies to menace the populace -- we must find that horror within ourselves.
Though we have made great strides in frightening ourselves about illegal immigrants, bird-flu pandemics, and random psychotic school shootings, it is not enough. What happened to that country I used to know and love, where a Korean grocer could be killed out of irrational xenophobia merely because someone thought he was an Arab? Such an act is, I am disappointed to say, almost unthinkable in today's increasingly less-than-utterly-petrified climate.

You may say, "I am only one person. What can I do?" But all of our efforts are needed if we are to maintain a state of constant anxiety. We can all do more, but here is a good starting place: Twice a week, for at least 15 minutes, take the time to worry about any Muslims who may live in your area; lose sleep each night thinking about our thousands of miles of unguarded borders; stock up on water bottles and canned goods for no discernible reason other than that vague sense that civilization will collapse any second; as the election heats up, be sure to support candidates whose rhetoric appeals to your base survival instincts and fight-or-flight reflexes rather than to your hopes and dreams.

And remember: Each and every one of us, no matter how big or small, possesses the ability to jump to conclusions. The strength of our nation depends on all of us feeling -- and, more importantly, acting -- as if a sniper could blow our head off at any moment. Let's all come together as in fearful days of yore and do what we must to keep America free from peace of mind once and for all.
From rforno at infowarrior.org Wed Feb 6 23:37:17 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 06 Feb 2008 18:37:17 -0500
Subject: [Infowarrior] - MPAA-opposed college piracy amendment vanishes
Message-ID:

February 6, 2008 2:19 PM PST
MPAA-opposed college piracy amendment vanishes
Posted by Anne Broache
http://www.news.com/8301-10784_3-9866181-7.html?part=rss&subj=news&tag=2547-1_3-0-20

As the House of Representatives presses ahead with a sweeping higher-education bill that includes new antipiracy obligations for most universities, it now appears it won't be considering an amendment designed to clarify that schools can't lose federal financial aid for failing to fulfill those requirements.

By way of background, the College Opportunity and Affordability Act, which is scheduled to be debated by the House starting as soon as Thursday, dictates that universities participating in federal financial-aid programs "shall" devise plans for "alternative" offerings to unlawful downloading--such as subscription-based services--or "technology-based deterrents to prevent such illegal activity."

University officials and fair-use advocates had balked at that requirement, arguing that by their interpretation, they ran the risk of being docked financial aid for their students if they failed to come up with the requisite plans. The bill's sponsors, for their part, have long disputed that interpretation, arguing that devising the antipiracy plans has no bearing whatsoever on a school's financial aid eligibility and that any suggestion otherwise is nothing but a "myth."

Which brings us to the amendment we reported on Wednesday morning. Rep. Steve Cohen (D-Tenn.) had revealed his intention to propose changes (PDF) to the mammoth bill saying no higher-education institution "shall be denied or given reduced federal funding for student loan or other financial-aid programs" because of "noncompliance" with the antipiracy requirements.
The Rules Committee had been scheduled to consider at a Wednesday afternoon meeting whether that amendment and others would be allowed for votes on the House floor. But since then, that amendment has been labeled "withdrawn," according to the House Rules Committee's Web site. It wasn't immediately clear why. A Cohen spokeswoman didn't have any answers right away, reporting that her boss was currently on a plane. Representatives from both the Education and Rules committees said they had no information. Perhaps the amendment was withdrawn because the bill's sponsors have steadfastly maintained that despite what university officials have said, the antipiracy obligations are not tied to financial aid eligibility, which would seem to make Cohen's amendment extraneous. There's lingering disagreement on that front from university officials, however, who contend that by their reading of the bill, noncompliance would, indeed, render a school ineligible for financial aid programs. Another potential explanation is pressure from the Motion Picture Association of America, which told CNET News.com earlier on Wednesday that it saw no need for the Cohen amendment. A few weeks ago, an MPAA executive also suggested he supported linking financial aid to progress in combating piracy. For the record, Educause, a lobby group that represents college network managers, said the amendment wouldn't have changed its opposition to the bill provision anyway. The fair-use advocacy group Public Knowledge, however, took a slightly rosier view of the proposal, saying it would have taken some of the "sting" out of the current version. From rforno at infowarrior.org Thu Feb 7 04:25:15 2008 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 06 Feb 2008 23:25:15 -0500 Subject: [Infowarrior] - Rockefeller Lets Slip the Spying Truth: Drift Nets To Be Legalized Message-ID: Sen. 
Rockefeller Lets Slip the Spying Truth: Drift Nets To Be Legalized By Ryan Singel | February 05, 2008, 3:27:32 PM | Categories: NSA http://blog.wired.com/27bstroke6/2008/02/sen-rockefeller.html In a Senate floor speech, Senator Jay Rockefeller (D-West Virginia) inadvertently made plain that the proposed changes to the nation's spying laws radically expand how the government wiretaps inside the United States. Rockefeller was decrying an amendment that would require the government to discard non-emergency evidence if a court later finds that the spying methods violate the law. Rockefeller makes clear that the impending changes to the law aren't about making it easier for the National Security Agency to listen in on a particular terrorism suspect's phone calls. Instead, the changes are about letting the nation's spooks secretly and unilaterally install filters inside America's phone and internet infrastructure. Rockefeller, the chief Democratic architect of the changes, explains: Unlike traditional [Foreign Intelligence Surveillance Act] application orders which involve collection on one individual target, the new FISA provisions create a system of collection. The court's role in this system of collection is not to consider probable cause on individual targets but to ensure that procedures used to collect intelligence are adequate. The courts' determination of the adequacy of procedures therefore impacts all electronic communications gathered under the new mechanisms, even if it involves thousands of targets. In short, the changes legalize Room 641A, the secret spying room inside AT&T's San Francisco internet switching center that was outed by former AT&T employee Mark Klein. That room sits at the center of a lawsuit against AT&T for its alleged illegal participation in the government's secret, warrantless spying program.
Under the new rules, secret spying court judges will no longer be evaluating whether the government has probable cause to eavesdrop on a spy or a terrorist who is inside the United States or to wiretap a particular foreigner via wiretaps inside the United States. Instead the judges will simply evaluate descriptions of how NSA filters in the infrastructure are designed to not catch purely domestic traffic. They can also approve or disapprove of how the spooks 'disguise' or reveal the identities of Americans who are one of the parties in any communication that involves a foreigner. Rockefeller outlined the differences between the old legal architecture and the new one to argue against an amendment from Sen. Russ Feingold. That amendment would require the government to throw out non-emergency communications that were caught by filters if judges later found the filter to be illegal (and which the spooks didn't fix in 30 days). Feingold argues that without such a penalty the NSA won't care at all what the courts say since there's no penalty for intercepting purely domestic phone calls in the current bill. This marks a radical legal shift in how the nation's spooks interact with the nation's communication infrastructure. And by infrastructure, I mean telephone switches for your landline, the server farms that serve up your Google search results, and the computers that handle and store emails for your Yahoo account. The nation's current batch of politicians -- save for a handful like Rep. Rush Holt (D-New Jersey) and Sen. Russ Feingold (D-Wisconsin) -- see no problem in handing this unchecked power to the nation's spooks. They collectively have bought into the lies, FUD and politically-expedient exaggerations deployed by the administration in order to legalize the President's rogue warrantless spying on Americans.
Hell, even one of the Dems' blog fathers -- Markos Moulitsas Zuniga of DailyKos -- called opening the nation's infrastructure to the NSA a "single uncontroversial technical correction." For years, NSA watchers and former employees swore that NSA employees lived by the mantra 'Don't target Americans.' But as former White House General Counsel Alberto Gonzales publicly admitted in December 2005, that rule secretly went out the window after 9/11 when the President ordered the NSA to point its surveillance equipment at Americans. The NSA complied and so did the nation's phone companies, with the noted exception of Qwest, which later seems to have been punished for its belief in the nation's laws. Now that same NSA is going to be granted by Congress virtually unchecked ability to order the nation's internet providers, phone companies and email providers to let the spooks build permanent filters inside their communication flows. That NSA reports to a president who stands by his lawyers' arguments that nothing - not even the Constitution - limits his authority during the permanent war he unilaterally declared against 'terrorism.' And for the record, Sen. Jay Rockefeller denies that intriguingly-timed AT&T and Verizon contributions to his re-election campaign bought his support for amnesty for spying telcos. Hat Tip to emptywheel for noting Rockefeller's remarks. From rforno at infowarrior.org Thu Feb 7 12:38:13 2008 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 07 Feb 2008 07:38:13 -0500 Subject: [Infowarrior] - Clarity Sought on Electronics Searches Message-ID: Clarity Sought on Electronics Searches Travelers' Devices Seized at Border By Ellen Nakashima Washington Post Staff Writer Thursday, February 7, 2008; A01 http://www.washingtonpost.com/wp-dyn/content/article/2008/02/06/AR2008020604763_pf.html Nabila Mango, a therapist and a U.S.
citizen who has lived in the country since 1965, had just flown in from Jordan last December when, she said, she was detained at customs and her cellphone was taken from her purse. Her daughter, waiting outside San Francisco International Airport, tried repeatedly to call her during the hour and a half she was questioned. But after her phone was returned, Mango saw that records of her daughter's calls had been erased. A few months earlier in the same airport, a tech engineer returning from a business trip to London objected when a federal agent asked him to type his password into his laptop computer. "This laptop doesn't belong to me," he remembers protesting. "It belongs to my company." Eventually, he agreed to log on and stood by as the officer copied the Web sites he had visited, said the engineer, a U.S. citizen who spoke on the condition of anonymity for fear of calling attention to himself. Maria Udy, a marketing executive with a global travel management firm in Bethesda, said her company laptop was seized by a federal agent as she was flying from Dulles International Airport to London in December 2006. Udy, a British citizen, said the agent told her he had "a security concern" with her. "I was basically given the option of handing over my laptop or not getting on that flight," she said. The seizure of electronics at U.S. borders has prompted protests from travelers who say they now weigh the risk of traveling with sensitive or personal information on their laptops, cameras or cellphones. In some cases, companies have altered their policies to require employees to safeguard corporate secrets by clearing laptop hard drives before international travel. Today, the Electronic Frontier Foundation and Asian Law Caucus, two civil liberties groups in San Francisco, are filing a lawsuit to force the government to disclose its policies on border searches, including which rules govern the seizing and copying of the contents of electronic devices. 
They also want to know the boundaries for asking travelers about their political views, religious practices and other activities potentially protected by the First Amendment. The question of whether border agents have a right to search electronic devices at all without suspicion of a crime is already under review in the federal courts. The lawsuit was inspired by some two dozen cases, 15 of which involved searches of cellphones, laptops, MP3 players and other electronics. Almost all involved travelers of Muslim, Middle Eastern or South Asian background, many of whom, including Mango and the tech engineer, said they are concerned they were singled out because of racial or religious profiling. A U.S. Customs and Border Protection spokeswoman, Lynn Hollinger, said officers do not engage in racial profiling "in any way, shape or form." She said that "it is not CBP's intent to subject travelers to unwarranted scrutiny" and that a laptop may be seized if it contains information possibly tied to terrorism, narcotics smuggling, child pornography or other criminal activity. The reason for a search is not always made clear. The Association of Corporate Travel Executives, which represents 2,500 business executives in the United States and abroad, said it has tracked complaints from several members, including Udy, whose laptops have been seized and their contents copied before usually being returned days later, said Susan Gurley, executive director of ACTE. Gurley said none of the travelers in the ACTE suit raised concerns about racial or ethnic profiling. And Gurley said none of the travelers were charged with a crime. "I was assured that my laptop would be given back to me in 10 or 15 days," said Udy, who continues to fly into and out of the United States. She said the federal agent copied her log-on and password, and asked her to show him a recent document and how she gains access to Microsoft Word. 
She was asked to pull up her e-mail but could not because of lack of Internet access. With ACTE's help, she pressed for relief. More than a year later, Udy has received neither her laptop nor an explanation. ACTE last year filed a Freedom of Information Act request to press the government for information on what happens to data seized from laptops and other electronic devices. "Is it destroyed right then and there if the person is in fact just a regular business traveler?" Gurley asked. "People are quite concerned. They don't want proprietary business information floating, not knowing where it has landed or where it is going. It increases the anxiety level." Udy has changed all her work passwords and no longer banks online. Her company, Radius, has tightened its data policies so that traveling employees must access company information remotely via an encrypted channel, and their laptops must contain no company information. At least two major global corporations, one American and one Dutch, have told their executives not to carry confidential business material on laptops on overseas trips, Gurley said. In Canada, one law firm has instructed its lawyers to travel to the United States with "blank laptops" whose hard drives contain no data. "We just access our information through the Internet," said Lou Brzezinski, a partner at Blaney McMurtry, a major Toronto law firm. That approach also holds risks, but "those are hacking risks as opposed to search risks," he said. The U.S. government has argued in a pending court case that its authority to protect the country's border extends to looking at information stored in electronic devices such as a laptop without any suspicion of a crime. In border searches, it regards a laptop the same as a suitcase. "It should not matter . . . whether documents and pictures are kept in 'hard copy' form in an executive's briefcase or stored digitally in a computer. 
The authority of customs officials to search the former should extend equally to searches of the latter," the government argued in the child pornography case being heard by a three-judge panel of the Court of Appeals for the 9th Circuit in San Francisco. As more and more people travel with laptops, BlackBerrys and cellphones, the government's laptop-equals-suitcase position is raising red flags. "It's one thing to say it's reasonable for government agents to open your luggage," said David D. Cole, a law professor at Georgetown University. "It's another thing to say it's reasonable for them to read your mind and everything you have thought over the last year. What a laptop records is as personal as a diary but much more extensive. It records every Web site you have searched. Every e-mail you have sent. It's as if you're crossing the border with your home in your suitcase." If the government's position on searches of electronic files is upheld, new risks will confront anyone who crosses the border with a laptop or other device, warned Mark Rasch, a technology security expert with FTI Consulting and a former federal prosecutor. "Your kid can be arrested because they can't prove the songs they downloaded to their iPod were legally downloaded," he said. "Lawyers run the risk of exposing sensitive information about their client. Trade secrets can be exposed to customs agents with no limit on what they can do with it. Journalists can expose sources, all because they have the audacity to cross an invisible line." Hollinger said customs officers "are trained to protect confidential information." Shirin Sinnar, a staff attorney with the Asian Law Caucus, said that by scrutinizing the Web sites people search and the phone numbers they've stored on their cellphones, "the government is going well beyond its traditional role of looking for contraband and really is looking into the content of people's thoughts and ideas and their lawful political activities." 
If conducted inside the country, such searches would require a warrant and probable cause, legal experts said. Customs sometimes singles out passengers for extensive questioning and searches based on "information from various systems and specific techniques for selecting passengers," including the Interagency Border Inspection System, according to a Customs statement. "CBP officers may, unfortunately, inconvenience law-abiding citizens in order to detect those involved in illicit activities," the statement said. But the factors agents use to single out passengers are not transparent, and travelers generally have little access to the data to see whether there are errors. Although Customs said it does not profile by race or ethnicity, an officers' training guide states that "it is permissible and indeed advisable to consider an individual's connections to countries that are associated with significant terrorist activity." "What's the difference between that and targeting people because they are Arab or Muslim?" Cole said, noting that the countries the government focuses on are generally predominantly Arab or Muslim. It is the lack of clarity about the rules that has confounded travelers and raised concerns from groups such as the Asian Law Caucus, which said that as a result, their lawyers cannot fully advise people how they may exercise their rights during a border search. The lawsuit says a Freedom of Information Act request was filed with Customs last fall but that no information has been received. Kamran Habib, a software engineer with Cisco Systems, has had his laptop and cellphone searched three times in the past year. Once, in San Francisco, an officer "went through every number and text message on my cellphone and took out my SIM card in the back," said Habib, a permanent U.S. resident. "So now, every time I travel, I basically clean out my phone. It's better for me to keep my colleagues and friends safe than to get them on the list as well." 
Udy's company, Radius, organizes business trips for 100,000 travelers a day, from companies around the world. She says her firm supports strong security measures. "Where we get angry is when we don't know what they're for." Staff researcher Richard Drezen contributed to this report. From rforno at infowarrior.org Thu Feb 7 16:36:34 2008 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 07 Feb 2008 11:36:34 -0500 Subject: [Infowarrior] - OSX Security: Lance Ulanoff's back! Message-ID: Heeeeee's Baaaaack! In 2003 I took Lance Ulanoff of PC Magazine to task over his column slamming Macs and security: Muckraking, the PC Way http://infowarrior.org/articles/2003-08.html After a few years, I guess ol' Lance got bored and needed to puff up his chest and slam the Mac OS again with another daffy piece proclaiming how insecure and vulnerable Mac computers are: Macs Need Security Software, Too http://www.pcmag.com/print_article2/0,1217,a=224225,00.asp The gist of ol' Lance's latest column? Because the SANS Institute (yeah, yeah) says the most successful computer attacks these days are not Trojans or viruses but rather phishing and social engineering, he concludes that Macs are just as insecure and vulnerable as Windows. Excuse me? It's not until the end of the article that he briefly acknowledges that humans are prone to error, and can be tricked. That's true. However, that's not a problem with nor testament to the security of their chosen computing platform, it's a question of human nature. You can build the world's most 'secure' operating system or the world's most 'secure' building or the world's most 'secure' database, and you'll still find folks able to be duped into bending the rules and circumventing the security controls to unwittingly help themselves or the bad guys. 
I know of no Mac user, Mac-toting IT security geek, or competent IT security professional who professes the total infallibility of Mac OSX, let alone its inability to provide ironclad defense against social engineering attacks against its only-human owners and operators, for such a beast does not and cannot exist. Further, deploying extra security software (as his article title suggests) won't fix this problem since the problem isn't in the computer hardware or software, it's with the human wetware....and where there's a new control that requires human intervention, there's a chance for that human somehow to circumvent it, knowingly or not. Will more security software tools help reduce this vulnerability? Perhaps, but such is not a silver bullet "fire-and-forget" solution, and to think otherwise is a fool's errand. Regarding social engineering, Lance is correct in that all operating systems are vulnerable and that end-user common sense is the best countermeasure. However, his attempt to link the dangers of successful social engineering attacks as a characteristic of running insecure software is technopundit pablum at best and pretty much comparing apples to oranges, if you'll pardon the pun. Further, the overall tone of his article and comment that "the average Mac user is no smarter than the average Windows PC user" clearly suggests the continued presence of an ulterior if not unspoken motive behind his daffy and biased musings bashing MacOSX over the years. Of course, there's a (remote) chance that he might be correct -- but either way, if he truly believes what he is writing, I know of at least one Windows PC user we're all smarter than. -Rick Infowarrior.org From rforno at infowarrior.org Thu Feb 7 18:44:44 2008 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 07 Feb 2008 13:44:44 -0500 Subject: [Infowarrior] - Gov't Says Second Life + Online Anonymity = Terrorism Message-ID: Gov't Says Second Life + Online Anonymity = Terrorism from the oh-really?
dept Just as our courts are continually pointing out that anonymity is protected free speech, it appears that the federal government is trying to do away with anonymity entirely. We've already pointed out that National Intelligence Director Mike McConnell has been saying that the government should be able to monitor all internet communications. Now, the government's Intelligence Advanced Research Projects Activity has come out with a fear-mongering report trying to suggest that online anonymity in 3D worlds leads to terrorism. It highlights things like Second Life as a breeding ground for terrorism. It would all be quite scary if it weren't for the fact that it's totally baseless. There's no evidence at all that this kind of activity is happening in worlds like Second Life. In fact, the report buries a quote from an anonymous (ha!) intelligence official admitting that there's no evidence whatsoever that any such activity is happening at all. As the EFF points out in the link above, private communications online are nothing new. The fact that they might take place in a 3D virtual world is totally meaningless -- other than to suggest that there are folks involved in national "intelligence" who aren't that intelligent at all. < - > http://techdirt.com/articles/20080207/050559194.shtml From rforno at infowarrior.org Thu Feb 7 18:46:18 2008 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 07 Feb 2008 13:46:18 -0500 Subject: [Infowarrior] - Adobe silently fixes Adobe Reader Message-ID: .....agree with Secunia -- why the need for secrecy? Disclosure, folks! -rf Stealthy Adobe Reader update fixes mystery security bugs By John Leyden Published Thursday 7th February 2008 11:57 GMT http://www.theregister.co.uk/2008/02/07/stealth_adobe_reader_update/ Adobe has pushed out a stealthy - but important - update to its Reader software that fixes a number of unspecified security problems.
As well as fixing various performance and stability issues, Adobe Reader version 8.1.2 also resolves a number of mystery security bugs. Details of the performance tweaks, at least, are detailed in Adobe's advisory here. The update covers versions of the software on multiple platforms. According to figures from Secunia's Personal Software Inspector tool, 61 per cent of all private users need to apply the security update. The Denmark-based security notification firm notes that the update is unusual, for Adobe and the software industry at large, because it omits information on what security issues it addresses. "Curiously, no further details are available about the security update, which is not the norm for Adobe," Secunia said. "Past Adobe security-related releases featured information on the security problems, but Wednesday's Adobe update did not." From rforno at infowarrior.org Thu Feb 7 18:46:55 2008 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 07 Feb 2008 13:46:55 -0500 Subject: [Infowarrior] - Congress bars 'automatic removal' of Do-Not-Call list numbers Message-ID: Congress bars 'automatic removal' of Do-Not-Call list numbers Posted by Anne Broache http://www.news.com/8301-10784_3-9866864-7.html Let the telemarketer-free dinner table conversations continue. Congress on Wednesday gave its final approval to a bill that would prohibit "automatic" removal of phone numbers from the national Do-Not-Call registry, which is designed to allow consumers to opt out of receiving unsolicited sales calls. The bill, called the Do-Not-Call Improvement Act of 2007, now goes to the White House for the president's signature. The latest action is a direct response to concerns from consumer advocates and politicians that under rules established in June 2003 by the Federal Trade Commission, Americans would have been forced to reregister their digits every five years. The Do-Not-Call Improvement Act effectively overturns that rule.
It says numbers can only be removed from the registry under two conditions: with permission from the individual assigned it, or if the FTC determines, based on periodic checks, that the numbers have been disconnected, reassigned, or are otherwise "invalid." The FTC last fall pledged not to drop those numbers "pending final congressional or agency action on whether to make registration permanent." Congress on Wednesday evening also signed off on a related bill that gives the FTC indefinite authority to continue collecting fees of up to $17,050 from each telemarketer to bankroll the program. The bill's chief sponsor, Sen. Mark Pryor (D-Ark.), said that approach "keeps the program free, simple and effective for consumers." More than 150 million numbers are currently on the list, according to Pryor's office. From rforno at infowarrior.org Fri Feb 8 02:57:08 2008 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 07 Feb 2008 21:57:08 -0500 Subject: [Infowarrior] - The FBI Deputizes Business Message-ID: Exclusive! The FBI Deputizes Business By Matthew Rothschild, February 7, 2008 Infragard http://www.progressive.org/mag_rothschild0308 Today, more than 23,000 representatives of private industry are working quietly with the FBI and the Department of Homeland Security. The members of this rapidly growing group, called InfraGard, receive secret warnings of terrorist threats before the public does, and, at least on one occasion, before elected officials. In return, they provide information to the government, which alarms the ACLU. But there may be more to it than that. One business executive, who showed me his InfraGard card, told me they have permission to "shoot to kill" in the event of martial law. InfraGard is "a child of the FBI," says Michael Hershman, the chairman of the advisory board of the InfraGard National Members Alliance and CEO of the Fairfax Group, an international consulting firm.
InfraGard started in Cleveland back in 1996, when the private sector there cooperated with the FBI to investigate cyber threats. "Then the FBI cloned it," says Phyllis Schneck, chairman of the board of directors of the InfraGard National Members Alliance, and the prime mover behind the growth of InfraGard over the last several years. InfraGard itself is still an FBI operation, with FBI agents in each state overseeing the local InfraGard chapters. (There are now eighty-six of them.) The alliance is a nonprofit organization of private sector InfraGard members. "We are the owners, operators, and experts of our critical infrastructure, from the CEO of a large company in agriculture or high finance to the guy who turns the valve at the water utility," says Schneck, who by day is the vice president of research integration at Secure Computing. "At its most basic level, InfraGard is a partnership between the Federal Bureau of Investigation and the private sector," the InfraGard website states. "InfraGard chapters are geographically linked with FBI Field Office territories." In November 2001, InfraGard had around 1,700 members. As of late January, InfraGard had 23,682 members, according to its website, www.infragard.net, which adds that "350 of our nation's Fortune 500 have a representative in InfraGard." To join, each person must be sponsored by "an existing InfraGard member, chapter, or partner organization." The FBI then vets the applicant. On the application form, prospective members are asked which aspect of the critical infrastructure their organization deals with. These include: agriculture, banking and finance, the chemical industry, defense, energy, food, information and telecommunications, law enforcement, public health, and transportation. FBI Director Robert Mueller addressed an InfraGard convention on August 9, 2005. At that time, the group had less than half as many members as it does today. "To date, there are more than 11,000 members of InfraGard," he said.
"From our perspective that amounts to 11,000 contacts . . . and 11,000 partners in our mission to protect America." He added a little later, "Those of you in the private sector are the first line of defense." He urged InfraGard members to contact the FBI if they "note suspicious activity or an unusual event." And he said they could sic the FBI on "disgruntled employees who will use knowledge gained on the job against their employers." In an interview with InfraGard after the conference, which is featured prominently on the InfraGard members' website, Mueller says: "It's a great program." The ACLU is not so sanguine. "There is evidence that InfraGard may be closer to a corporate TIPS program, turning private-sector corporations, some of which may be in a position to observe the activities of millions of individual customers, into surrogate eyes and ears for the FBI," the ACLU warned in its August 2004 report The Surveillance-Industrial Complex: How the American Government Is Conscripting Businesses and Individuals in the Construction of a Surveillance Society. InfraGard is not readily accessible to the general public. Its communications with the FBI and Homeland Security are beyond the reach of the Freedom of Information Act under the "trade secrets" exemption, its website says. And any conversation with the public or the media is supposed to be carefully rehearsed. "The interests of InfraGard must be protected whenever presented to non-InfraGard members," the website states. "During interviews with members of the press, controlling the image of InfraGard being presented can be difficult. Proper preparation for the interview will minimize the risk of embarrassment. . . . The InfraGard leadership and the local FBI representative should review the submitted questions, agree on the predilection of the answers, and identify the appropriate interviewee. . . . Tailor answers to the expected audience. . . . Questions concerning sensitive information should be avoided."
One of the advantages of InfraGard, according to its leading members, is that the FBI gives them a heads-up on a secure portal about any threatening information related to infrastructure disruption or terrorism. The InfraGard website advertises this. In its list of benefits of joining InfraGard, it states: "Gain access to an FBI secure communication network complete with VPN encrypted website, webmail, listservs, message boards, and much more." InfraGard members receive "almost daily updates" on threats "emanating from both domestic sources and overseas," Hershman says. "We get very easy access to secure information that only goes to InfraGard members," Schneck says. "People are happy to be in the know." On November 1, 2001, the FBI had information about a potential threat to the bridges of California. The alert went out to the InfraGard membership. Enron was notified, and so, too, was Barry Davis, who worked for Morgan Stanley. He notified his brother Gray, the governor of California. "He said his brother talked to him before the FBI," recalls Steve Maviglio, who was Davis's press secretary at the time. "And the governor got a lot of grief for releasing the information. In his defense, he said, 'I was on the phone with my brother, who is an investment banker. And if he knows, why shouldn't the public know?'" Maviglio still sounds perturbed about this: "You'd think an elected official would be the first to know, not the last." In return for being in the know, InfraGard members cooperate with the FBI and Homeland Security. "InfraGard members have contributed to about 100 FBI cases," Schneck says. "What InfraGard brings you is reach into the regional and local communities. We are a 22,000-member vetted body of subject-matter experts that reaches across seventeen matrixes. All the different stovepipes can connect with InfraGard." Schneck is proud of the relationships the InfraGard Members Alliance has built with the FBI.
"If you had to call 1-800-FBI, you probably wouldn't bother," she says. "But if you knew Joe from a local meeting you had with him over a donut, you might call them. Either to give or to get. We want everyone to have a little black book." This black book may come in handy in times of an emergency. "On the back of each membership card," Schneck says, "we have all the numbers you'd need: for Homeland Security, for the FBI, for the cyber center. And by calling up as an InfraGard member, you will be listened to." She also says that members would have an easier time obtaining a "special telecommunications card that will enable your call to go through when others will not."

This special status concerns the ACLU. "The FBI should not be creating a privileged class of Americans who get special treatment," says Jay Stanley, public education director of the ACLU's technology and liberty program. "There's no 'business class' in law enforcement. If there's information the FBI can share with 22,000 corporate bigwigs, why don't they just share it with the public? That's who their real 'special relationship' is supposed to be with. Secrecy is not a party favor to be given out to friends. . . . This bears a disturbing resemblance to the FBI's handing out 'goodies' to corporations in return for folding them into its domestic surveillance machinery."

When the government raises its alert levels, InfraGard is in the loop. For instance, in a press release on February 7, 2003, the Secretary of Homeland Security and the Attorney General announced that the national alert level was being raised from yellow to orange. They then listed "additional steps" that agencies were taking to "increase their protective measures." One of those steps was to "provide alert information to InfraGard program." "They're very much looped into our readiness capability," says Amy Kudwa, spokeswoman for the Department of Homeland Security. "We provide speakers, as well as do joint presentations [with the FBI].
We also train alongside them, and they have participated in readiness exercises."

On May 9, 2007, George Bush issued National Security Presidential Directive 51 entitled "National Continuity Policy." In it, he instructed the Secretary of Homeland Security to coordinate with "private sector owners and operators of critical infrastructure, as appropriate, in order to provide for the delivery of essential services during an emergency." Asked if the InfraGard National Members Alliance was involved with these plans, Schneck said it was "not directly participating at this point." Hershman, chairman of the group's advisory board, however, said that it was. InfraGard members, sometimes hundreds at a time, have been used in "national emergency preparation drills," Schneck acknowledges. "In case something happens, everybody is ready," says Norm Arendt, the head of the Madison, Wisconsin, chapter of InfraGard, and the safety director for the consulting firm Short Elliott Hendrickson, Inc. "There's been lots of discussions about what happens under an emergency."

One business owner in the United States tells me that InfraGard members are being advised on how to prepare for a martial law situation -- and what their role might be. He showed me his InfraGard card, with his name and e-mail address on the front, along with the InfraGard logo and its slogan, "Partnership for Protection." On the back of the card were the emergency numbers that Schneck mentioned. This business owner says he attended a small InfraGard meeting where agents of the FBI and Homeland Security discussed in astonishing detail what InfraGard members may be called upon to do. "The meeting started off innocuously enough, with the speakers talking about corporate espionage," he says. "From there, it just progressed. All of a sudden we were knee deep in what was expected of us when martial law is declared. We were expected to share all our resources, but in return we'd be given specific benefits."
These included, he says, the ability to travel in restricted areas and to get people out. But that's not all. "Then they said when -- not if -- martial law is declared, it was our responsibility to protect our portion of the infrastructure, and if we had to use deadly force to protect it, we couldn't be prosecuted," he says. I was able to confirm that the meeting took place where he said it had, and that the FBI and Homeland Security did make presentations there. One InfraGard member who attended that meeting denies that the subject of lethal force came up. But the whistleblower is 100 percent certain of it. "I have nothing to gain by telling you this, and everything to lose," he adds. "I'm so nervous about this, and I'm not someone who gets nervous."

Though Schneck says that FBI and Homeland Security agents do make presentations to InfraGard, she denies that InfraGard members would have any civil patrol or law enforcement functions. "I have never heard of InfraGard members being told to use lethal force anywhere," Schneck says. The FBI adamantly denies it, also. "That's ridiculous," says Catherine Milhoan, an FBI spokesperson. "If you want to quote a businessperson saying that, knock yourself out. If that's what you want to print, fine." But one other InfraGard member corroborated the whistleblower's account, and another would not deny it. Christine Moerke is a business continuity consultant for Alliant Energy in Madison, Wisconsin. She says she's an InfraGard member, and she confirms that she has attended InfraGard meetings that went into the details about what kind of civil patrol function -- including engaging in lethal force -- that InfraGard members may be called upon to perform. "There have been discussions like that, that I've heard of and participated in," she says.
Curt Haugen is CEO of S'Curo Group, a company that does "strategic planning, business continuity planning and disaster recovery, physical and IT security, policy development, internal control, personnel selection, and travel safety," according to its website. Haugen tells me he is a former FBI agent and that he has been an InfraGard member for many years. He is a huge booster. "It's the only true organization where there is the public-private partnership," he says. "It's all who knows who. You know a face, you trust a face. That's what makes it work." He says InfraGard "absolutely" does emergency preparedness exercises. When I ask about discussions the FBI and Homeland Security have had with InfraGard members about their use of lethal force, he says: "That much I cannot comment on. But as a private citizen, you have the right to use force if you feel threatened." "We were assured that if we were forced to kill someone to protect our infrastructure, there would be no repercussions," the whistleblower says. "It gave me goose bumps. It chilled me to the bone."

From rforno at infowarrior.org Fri Feb 8 12:55:06 2008 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 08 Feb 2008 07:55:06 -0500 Subject: [Infowarrior] - DHS cybersecurity officer appointed while under federal investigation In-Reply-To: Message-ID: Official named to cybersecurity post while still under federal investigation By Chris Strohm CongressDaily February 7, 2008 http://www.govexec.com/dailyfed/0108/020708cdam2.htm

The Homeland Security Department has appointed an official who is under federal investigation to a key position overseeing a program worth hundreds of millions of dollars to secure computer networks across the federal government. The Feb.
1 appointment of Scott Charbo, Homeland Security's chief information officer, to be deputy undersecretary for the national protection and programs directorate, drew immediate criticism from House Homeland Security Committee Chairman Bennie Thompson, D-Miss., who was familiar with Charbo's past. In a letter to Homeland Security Secretary Michael Chertoff, Thompson said an investigation conducted by his committee last year showed Charbo failed to properly address computer security breaches within agencies housed at department headquarters, along with incompetent and possibly illegal activity by private contractor Unisys. The incidents included the exfiltration of information from Homeland Security Department networks to a Web-hosting service that connects Chinese Web sites, according to Thompson's investigation. The security breaches that occurred under Charbo's watch and the work by Unisys are now under investigation by the FBI and the Homeland Security Department inspector general, according to Thompson and congressional aides. The IG's office confirmed to CongressDaily that its investigation is continuing. The FBI would not confirm or deny the existence of an investigation. Thompson asked the department's Office of Security to conduct an investigation but has yet to get a briefing from officials despite repeated requests. Thompson said Charbo will be responsible for overseeing a critical part of a massive cybersecurity initiative that the Bush administration has launched. Chertoff announced this week that the department is requesting about $294 million in its fiscal budget request for its portion of the initiative. His department will secure computer networks across agencies under the initiative, the details of which remain classified. "Given his previous failings as chief information officer, I find it unfathomable that you would invest him [Charbo] with this authority," Thompson wrote Chertoff on Feb.1. 
"This decision raises concerns about the seriousness of the administration's initiative." Senate Homeland Security and Governmental Affairs Committee Chairman Joseph Lieberman, I-Conn., did not criticize Charbo's appointment but is "deeply concerned about vulnerabilities in the nation's cybersecurity, as well as DHS' own systems," according to his spokeswoman. "The committee, however, is conducting vigorous oversight of the cybersecurity initiative to ensure successful deployment and efficient spending of the increasing amount of money Congress has appropriated for the program," she said. The Homeland Security Department did not make Charbo available for comment Wednesday. A department spokeswoman issued a statement saying: "It is unfortunate that the chairman [Thompson], who has often criticized the department about vacancies in key leadership positions and the state of morale, has once again chosen to make a personal attack on a department employee who has demonstrated over a number of years his able and dedicated service to this nation." Charbo was appointed chief information officer in 2005 and later became the department's acting undersecretary for management. None of the positions, including the most recent one, required Senate confirmation. The spokeswoman said Charbo has "invaluable management skills" and "made impressive progress" on securing computers and networks while institutionalizing "rigorous network security and data and privacy protection programs." She added that the department takes Thompson's allegations "very seriously" and has provided every incident report to the department's security operations center, as well as to the House Homeland Security Committee when requested. "The vast majority of these incidents were minor in nature and were resolved quickly, often within hours," she said. "Every incident report has been provided to Chairman Thompson's committee and more than 97 percent of all incidents reported have been closed." 
Thompson has claimed that Unisys employees provided "inaccurate and misleading information" to Homeland Security officials about the source of attacks and attempted to hide security gaps. A Unisys spokeswoman referred to a statement the company issued in September in response to Thompson's allegations about the firm, when they were first reported by the Washington Post. "Unisys vigorously disputes the allegations . . . ," the company said. "Facts and documentation contradict the claims described in the article, but federal security regulations preclude public comment on specific incidents." The statement said the company routinely follows prescribed security protocols and had properly reported incidents to the Homeland Security Department. The department rebid its contract for computer and network security for headquarter agencies in the fall. Unisys submitted a bid but did not win. Instead, a contract worth $362 million was awarded to Lockheed Martin Corp., a Homeland Security spokesman said. From rforno at infowarrior.org Fri Feb 8 13:01:43 2008 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 08 Feb 2008 08:01:43 -0500 Subject: [Infowarrior] - More on...The FBI Deputizes Business In-Reply-To: Message-ID: (I do agree, the original article was a bit sensational; I've worked with Infragard as well over the years and it's not the complete big brother entity the article made it out to be and I do agree it can be useful at times despite what I know are some internal issues they face.......rf) ------ Forwarded Message From: -- removed -- Hi Rich, I always enjoy your forwards, they are always of interest. This one is simply not true. I have been a member of Infragard for quite awhile. Never, repeat Never, has the subject of deadly force been brought up in any meetings or National Conferences (not in casual conversations or breakout groups either). 
While I am certainly *not* an industry bigwig, the InfoSec community is in many respects, fairly small conceptually, and I am grateful to have met many contacts, and, as in any group, there are the NRA types, but no more so than in any community. In the Cyber Security sector, it is interesting to note that one of our projects is tackling phishing, fraud, id theft, new viruses, cyber scams, and of course child pornography (certainly a far cry from what caliber of weapon to use in case of martial law). One of our biggest concerns is disaster preparedness (i.e. how to keep the lights on, fresh water, first responders, how to set up portable mesh networks for vital communications, what should each home stock up on, etc.). The information we receive is classified as either OFOU or LES (the latter through a "Cyber Cop" Portal). We simply do not spy on citizens or fellow employees; rather we are encouraged to report odd or possibly suspicious situations where someone is taking pictures of chemical plants, refineries, power plants and such. The Progressive.org reminds me very much of "Ramparts" magazine back in the day (not sure if you remember it). I am more alarmed at supposedly "official" whistleblowers coming up with stuff like this, and no apparent 'vetting' being done on the story.

From rforno at infowarrior.org Fri Feb 8 13:08:15 2008 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 08 Feb 2008 08:08:15 -0500 Subject: [Infowarrior] - Comcast (Sorta) Puts Its Speed Limits in Writing Message-ID: .....this looks like a cheezy lawyerly way of trying to appease the FCC to drop its bandwidth-blocking investigation, I bet.........rf

Comcast Puts Its Speed Limits in Writing Recent terms of service change codifies what BitTorrent users have known for a while.
http://www.internetnews.com/webcontent/article.php/3726811 February 7, 2008 By Andy Patrizio

Comcast, the largest cable provider in the country and second-largest Internet Service Provider behind AOL, quietly updated its Terms of Service late last month to reflect what it has been saying and users have been kvetching about for some time -- it engages in network traffic control. The acknowledgement comes in section III of the ToS, updated January 25, stating that it "uses reasonable network management practices that are consistent with industry standards." This is the same wording as found in the FCC's Internet Policy Statement from 2005, which allows ISPs to engage in "reasonable network management" and at the same time allows subscribers to run lawful applications and services as long as it doesn't harm the network. The ToS goes on to say that "Comcast tries to use tools and technologies that are minimally intrusive . . ." and defends itself by stating all large Internet service providers manage their networks and use the same or similar tools that Comcast does.

Cox Communications, also a cable modem provider, limits traffic up and down. Time Warner, which has several million subscribers to its Roadrunner service, doesn't throttle usage but it has begun experimenting with metered use, which charges customers based on their usage. Accusations against Comcast began to simmer on the Internet last summer before finally boiling over thanks to an in-depth Associated Press report in October. Company officials denied it was throttling BitTorrent uploads, but one month later did admit to slowing down the transmissions for the sake of network management. The company continues to be hounded by media advocacy group Free Press, which reacted to the updated ToS by stating "Comcast Puts Discrimination in the Fine Print." Comcast spokesman Charlie Douglas said the change isn't that big of a deal.
"The terms of service were updated as part of the normal course of business. No practices have changed," he told InternetNews.com. After the AP expose on Comcast, numerous complaints were filed with the FCC demanding an investigation. At the recent CES show in Las Vegas, FCC Chairman Kevin Martin said there would be an investigation. TAGS: FCC, policy, ISP, Comcast, traffic From rforno at infowarrior.org Fri Feb 8 13:09:06 2008 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 08 Feb 2008 08:09:06 -0500 Subject: [Infowarrior] - Real ID worries domestic violence groups Message-ID: Real ID worries domestic violence groups Posted by Anne Broache http://www.news.com/8301-10784_3-9867257-7.html Editor's note: A May deadline looms as just one flash point in a political showdown between Homeland Security, privacy advocates, and states that oppose Real ID demands. Friday's story follows a four-part series that we published earlier this week. Every year, about 1,000 domestic violence victims legally change their Social Security numbers in an attempt to elude people who may pose threats, and many more change their legal names, according to figures compiled by advocacy groups. But hiding from stalkers may become more difficult under a federal law called the Real ID Act that's scheduled to take effect on May 11. The U.S. Department of Homeland Security's new regulations mandate specific standards for what personal information states must print on the face of Real ID drivers licenses and encode on their machine-readable zones. Although there's some consideration for people who qualify for special confidentiality treatment, critics argue the protections don't go far enough. "The statute is troubling because it's trying very much to identify people who are dangerous, such as terrorists, and at the same time, how do you do that in a way that keeps everyday citizens and victims safe?" 
Cindy Southworth, technology project director for the National Network to End Domestic Violence, said of the Real ID Act, which Congress passed nearly three years ago. "I think inherently there's a conundrum there." Homeland Security did weigh some of the concerns voiced by domestic violence prevention groups, as well as existing laws like the Violence Against Women Act, before issuing its final rules. Currently, 19 states have confidentiality programs for domestic violence survivors, according to the National Conference of State Legislatures. The agency's final rule appears to preserve that, saying: "A DMV may apply an alternate address on a driver's license or identification card if the individual's address is entitled to be suppressed under state or federal law or suppressed by a court order including an administrative order issued by a state or federal court." That "alternate address"--which in many cases is a dummy address created by the government that forwards to someone's real address--is also the only address required to be encoded on the two-dimensional bar code. That means that if convenience store clerks or police officers swipe the unencrypted card, they'll in theory only gain access to limited information. Still, victims-rights and privacy advocates remain concerned about one important Real ID requirement, which dictates that state DMVs interlink their databases and make all their drivers' records and identity documents available. The final rule says that both an individual's "full legal name" and "true address" must be stored in the DMV database, regardless of what's displayed on the card and encoded on its bar code. It also requires that motor vehicle departments scan and store "source documents," such as birth certificates, to verify a driver's license applicant's identity. 
Homeland Security hasn't yet stipulated what information must be exchanged among the state-to-state databases, saying only that it will be "limited," nor has it specified exactly how the database linking will work, leaving lingering worries among privacy and victim advocates. All it would take is a determined, persuasive stalker--many have tricks, like saying an ex-spouse is suicidal or otherwise in need of help--and a gullible or corrupt DMV employee, and a victim's identity could be divulged, Southworth said. "Given that there are less than six degrees of separation between most abusers and a friend or relative who works for the DMV, we are concerned about victims' location information housed in state databases that could be searched nationally," Southworth said. "Prior to national search ability, a victim could move to a different state and increase her safety and privacy, but national search functionality could place countless victims at risk." In response to privacy groups' concerns about DMV employees' access to the databases, Homeland Security opted to require states to devise their own "security plans" for Real ID. That plan is supposed to include, among other things, "procedures to prevent unauthorized access, use, or dissemination of applicant information and images of source documents retained pursuant to the act" and background checks for some, though not all, DMV employees. The final rule has offered little comfort, however, to some privacy advocates. "We still have this problem of the backbone of this system, which is that we're creating this nationwide system of databases, all interlinked," said Guilherme Roschke, an Electronic Privacy Information Center fellow who focuses on domestic violence privacy issues. "A breach in one is a breach in all of them." 
From rforno at infowarrior.org Fri Feb 8 13:12:59 2008 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 08 Feb 2008 08:12:59 -0500 Subject: [Infowarrior] - Safeguarding Critical Energy Cyber Assets Message-ID: 18 CFR Part 40 Mandatory Reliability Standards for Critical Infrastructure Protection; Final Rule http://cryptome.org/ferc020708.htm

From rforno at infowarrior.org Fri Feb 8 13:19:59 2008 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 08 Feb 2008 08:19:59 -0500 Subject: [Infowarrior] - Schneier: 'Security' Is Code for 'Control' Message-ID: With iPhone, 'Security' Is Code for 'Control' Bruce Schneier 02.07.08 | 12:00 AM http://www.wired.com/politics/security/commentary/securitymatters/2008/02/securitymatters_0207

Buying an iPhone isn't the same as buying a car or a toaster. Your iPhone comes with a complicated list of rules about what you can and can't do with it. You can't install unapproved third-party applications on it. You can't unlock it and use it with the cellphone carrier of your choice. And Apple is serious about these rules: A software update released in September 2007 erased unauthorized software and -- in some cases -- rendered unlocked phones unusable. "Bricked" is the term, and Apple isn't the least bit apologetic about it. Computer companies want more control over the products they sell you, and they're resorting to increasingly draconian security measures to get that control. The reasons are economic. Control allows a company to limit competition for ancillary products. With Mac computers, anyone can sell software that does anything. But Apple gets to decide who can sell what on the iPhone. It can foster competition when it wants, and reserve itself a monopoly position when it wants. And it can dictate terms to any company that wants to sell iPhone software and accessories. This increases Apple's bottom line. But the primary benefit of all this control for Apple is that it increases lock-in.
"Lock-in" is an economic term for the difficulty of switching to a competing product. For some products -- cola, for example -- there's no lock-in. I can drink a Coke today and a Pepsi tomorrow: no big deal. But for other products, it's harder. Switching word processors, for example, requires installing a new application, learning a new interface and a new set of commands, converting all the files (which may not convert cleanly) and custom software (which will certainly require rewriting), and possibly even buying new hardware. If Coke stops satisfying me for even a moment, I'll switch: something Coke learned the hard way in 1985 when it changed the formula and started marketing New Coke. But my word processor has to really piss me off for a good long time before I'll even consider going through all that work and expense. Lock-in isn't new. It's why all gaming-console manufacturers make sure that their game cartridges don't work on any other console, and how they can price the consoles at a loss and make the profit up by selling games. It's why Microsoft never wants to open up its file formats so other applications can read them. It's why music purchased from Apple for your iPod won't work on other brands of music players. It's why every U.S. cellphone company fought against phone number portability. It's why Facebook sues any company that tries to scrape its data and put it on a competing website. It explains airline frequent flyer programs, supermarket affinity cards and the new My Coke Rewards program. With enough lock-in, a company can protect its market share even as it reduces customer service, raises prices, refuses to innovate and otherwise abuses its customer base. It should be no surprise that this sounds like pretty much every experience you've had with IT companies: Once the industry discovered lock-in, everyone started figuring out how to get as much of it as they can. 
Economists Carl Shapiro and Hal Varian even proved that the value of a software company is the total lock-in. Here's the logic: Assume, for example, that you have 100 people in a company using MS Office at a cost of $500 each. If it cost the company less than $50,000 to switch to Open Office, they would. If it cost the company more than $50,000, Microsoft would increase its prices. Mostly, companies increase their lock-in through security mechanisms. Sometimes patents preserve lock-in, but more often it's copy protection, digital rights management (DRM), code signing or other security mechanisms. These security features aren't what we normally think of as security: They don't protect us from some outside threat, they protect the companies from us. Microsoft has been planning this sort of control-based security mechanism for years. First called Palladium and now NGSCB (Next-Generation Secure Computing Base), the idea is to build a control-based security system into the computing hardware. The details are complicated, but the results range from only allowing a computer to boot from an authorized copy of the OS to prohibiting the user from accessing "unauthorized" files or running unauthorized software. The competitive benefits to Microsoft are enormous (.pdf). Of course, that's not how Microsoft advertises NGSCB. The company has positioned it as a security measure, protecting users from worms, Trojans and other malware. But control does not equal security; and this sort of control-based security is very difficult to get right, and sometimes makes us more vulnerable to other threats. Perhaps this is why Microsoft is quietly killing NGSCB -- we've gotten BitLocker, and we might get some other security features down the line -- despite the huge investment hardware manufacturers made when incorporating special security hardware into their motherboards. 
In my last column, I talked about the security-versus-privacy debate, and how it's actually a debate about liberty versus control. Here we see the same dynamic, but in a commercial setting. By confusing control and security, companies are able to force control measures that work against our interests by convincing us they are doing it for our own safety. As for Apple and the iPhone, I don't know what they're going to do. On the one hand, there's this analyst report that claims there are over a million unlocked iPhones, costing Apple between $300 million and $400 million in revenue. On the other hand, Apple is planning to release a software development kit this month, reversing its earlier restriction and allowing third-party vendors to write iPhone applications. Apple will attempt to keep control through a secret application key that will be required by all "official" third-party applications, but of course it's already been leaked. And the security arms race goes on ...

--- Bruce Schneier is CTO of BT Counterpane and author of Beyond Fear: Thinking Sensibly About Security in an Uncertain World. You can read more of his writings on his website.

From rforno at infowarrior.org Fri Feb 8 13:22:08 2008 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 08 Feb 2008 08:22:08 -0500 Subject: [Infowarrior] - RIAA wants content filters and proposes spyware too Message-ID: http://www.publicknowledge.org/node/1388 RIAA wants content filters and proposes spyware too < - > In this abridged six minutes of video, Sherman addresses four questions about filtering:

* What's the RIAA's stance on content filtering?
* What about encryption?
* What about fair use?
* Should Congress mandate filters for ISPs?

< - > Perhaps the most interesting part comes as a response to Question 2, where Sherman essentially proposes placing spyware on users' computers to get around the "problem" of encryption: Filters can be put in the applications for example.
You know, one could have a filter on the end user's computer that would actually eliminate any benefit from . . . encryption because if you want to hear it, you'd have to decrypt it, and at that point the filter could work. And he goes on to say the spyware might be in your virus checker or media player, or even in an ISP-provided modem or somewhere else under the ISP's control. But fear not, it's just to "notify" you so you learn what's right and wrong. http://www.publicknowledge.org/node/1388

From rforno at infowarrior.org Sat Feb 9 04:09:39 2008 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 08 Feb 2008 23:09:39 -0500 Subject: [Infowarrior] - Friday FISA update Message-ID: House Leaders Oppose Immunity, Reid Prepares For Extended Negotiations By Ryan Singel February 08, 2008 | 8:39:57 PM Categories: NSA

House leaders sent a letter to fellow lawmakers Friday saying they strenuously oppose handing amnesty to telecom companies that helped the government's secret, warrantless wiretapping program, even as the Senate is set to approve such a provision early next week. Perhaps in response to that letter, Senate Majority Leader Harry Reid (D-Nevada) filed a bill Friday that would give the two houses another 15 days to iron out a compromise without passing the expiration date on the extensive wiretapping powers handed to the Administration this summer.
< - > http://blog.wired.com/27bstroke6/2008/02/house-leaders-o.html

From rforno at infowarrior.org Sat Feb 9 04:10:16 2008 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 08 Feb 2008 23:10:16 -0500 Subject: [Infowarrior] - Bush Administration Appeals Patriot Act Ruling Message-ID: Bush Administration Appeals Patriot Act Ruling By David Kravets February 08, 2008 | 7:44:51 PM Categories: Surveillance http://blog.wired.com/27bstroke6/2008/02/bush-administra.html

The Bush administration on Friday appealed a federal court decision declaring as unconstitutional a central provision of the Patriot Act, which Congress quickly adopted after the Sept. 11 terror attacks. At issue is a September ruling by an Oregon judge who said the Patriot Act gave too much power to the government when it came to snooping on suspected criminals in the United States -- a violation of constitutional search-and-seizure rules. The administration is asking the San Francisco-based 9th U.S. Circuit Court of Appeals to overturn U.S. District Judge Ann Aiken. The judge ruled that the Patriot Act made it too easy for the government to secure warrants against criminal suspects from a secret court designed to help the authorities monitor and gather intelligence on terror suspects. The secret court, known as Foreign Intelligence Surveillance Court, was established after the passage of the 1978 Foreign Intelligence Surveillance Act. Weeks following the 2001 terror attacks, Congress amended that law from allowing warrants if "foreign intelligence information" is the "primary purpose" of the search or surveillance to foreign intelligence being a "significant purpose." That opened the door for the government to obtain search and surveillance warrants to investigate criminal cases on U.S. soil without having to demonstrate probable cause, as required under the Fourth Amendment, U.S. District Judge Ann Aiken ruled in September.
Unlike search and surveillance warrants doled out against criminal suspects by federal judges, the secret court hands out warrants without even asking what probable cause the government has. Also, the government is not required to disclose what it is searching for or what it found. "Since the adoption of the Bill of Rights in 1791, the government has been prohibited from gathering evidence for use in a prosecution against an American citizen in a courtroom unless the government could prove the existence of probable cause that a crime has been committed," Aiken ruled.

In a 100-page brief (giant .pdf), the Bush administration said Aiken's ruling "is the first ever to find a constitutional defect in FISA, and the constitutional rule that it adopts has damaging implications for national security."

The case concerned Brandon Mayfield, a Portland, Oregon attorney who the authorities arrested and held for two weeks in May 2004. The FBI alleged his fingerprint was found in Madrid, at the scene of a train bombing that killed 191 people two months before. The authorities obtained FISA warrants authorizing electronic surveillance and physical searches of the attorney's home and office. Two weeks after he was detained and held as a material witness in a grand jury investigation, the U.S. government freed him. The fingerprint in question matched a fingerprint of a suspected Algerian terrorist. The government settled his lawsuit for $2 million. But Mayfield litigated the provision of the Patriot Act that the judge declared as unconstitutional.

From rforno at infowarrior.org Sat Feb 9 16:29:49 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 09 Feb 2008 11:29:49 -0500
Subject: [Infowarrior] - DOD Intelligence Unit Comes Off Like M*A*S*H in New Book
Message-ID:

CQ HOMELAND SECURITY
Feb. 8, 2008, 8:15 p.m.
Pentagon Intelligence Unit Comes Off Like M*A*S*H in New Book
By Jeff Stein, CQ National Security Editor
http://www.cqpolitics.com/wmspage.cfm?docID=hsnews-000002668466

Anyone who's spent time in uniform will recognize the stories that A.J. Rossmiller tells in "Still Broken: A Recruit's Inside Account of Intelligence Failures, From Baghdad to the Pentagon." Like the Army field hospital so authentically portrayed in M*A*S*H, Rossmiller's memoir of two years as a Defense Intelligence Agency Iraq analyst is darkly funny, with its own versions of Hawkeye, B.J., Colonel Potter, and of course, Frank Burns. Unfortunately, it's all too true. And frightening, from the viewpoint of national security.

In M*A*S*H, the good guys usually win. But at the DIA, in Rossmiller's telling, victories were rare. The intelligence analysts' carefully researched and sourced reports on Iraq were usually at odds with the rosy pronouncements of Bush administration hawks, and regularly quashed or re-written. No matter how often their forecasts proved to be accurate, or how little evidence their bosses marshalled to contradict them, the analysts were constantly browbeaten and berated for being "too negative."

Rossmiller joined the DIA in 2004, fresh from Middlebury College with a degree in political science and a concentration in Middle East Studies. A bright future lay ahead, with a multitude of possibilities. But "infuriated" by the Sept. 11 terrorist attacks, he writes, "it felt wrong not to contribute in such a time of national need."

The training at Fort Benning, Ga., "was mostly tedious but occasionally entertaining," he says. "The sections on the region were like Middle East for morons." The one-page summary of the "Culture Guide to Iraq," for example, included such gems as "Arabs are an emotional people who use the power of emotion in forceful and appealing rhetoric that tends toward exaggeration," a description that just as well fits Bush officials railing about "mushroom clouds"
to build support for invading Iraq.

But it's his six-month tour at the Combined Intelligence Operations Center, or CIOC, situated at the Baghdad airport, where the M*A*S*H analogy really seems apt. For starters, his team's arrival was a surprise, "and nobody knew what to do with us." The counterinsurgency intelligence operation they were supposed to set up was already in place. His leaders came up with another mission "on the fly," the creation of a HUMINT (human intelligence) Support Team, which would sort out information from spies (as opposed to, say, electronic intercepts) and reel it back out to military units. "Virtually none of our extensive preparation was useful for this mission," Rossmiller writes, but they settled in and went to work.

The team's senior intelligence officer "looked like Burl Ives on human growth hormone," with "an attention span as limited as his patience," who was "always volunteering the group for work that had nothing to do with our assigned duties." The captain commanding the unit was infuriated by the analysts' practice of rolling over to each other's desks on their chairs. They ignored his requests to stop it. One day he bellowed, "I order you to get up out of your chair when you want to talk to somebody!" "The entire aisle erupted in laughter," Rossmiller writes. Analysts jumped up and began mocking the captain, yelling, "I order you!" at each other.

But the CIOC's real problem was that it was "a self-licking ice cream cone," Rossmiller writes. "Products were written . . . and then read by other people in the CIOC. Good analysis was done . . . and never seen by anybody who could do anything about it. We rarely received feedback, and we never had a solid conception of who our customers were or what missions we were serving."

That would change when Rossmiller, a lowly GS-9, was eventually transferred to the Direct Action team, whose unofficial motto was "track 'em and whack 'em." There he was an uncomfortable witness to U.S.
soldiers screaming in English at Iraqis they'd rounded up. When they didn't get satisfactory answers (there never seemed to be one) they dispatched their bewildered, hooded and quite possibly innocent captives to the soon-to-be infamous Abu Ghraib prison for interrogation.

After six months, Rossmiller left Baghdad with an assignment to the Pentagon to analyze intelligence and prognosticate on the chaotic Iraqi government. His entire time there, he and many other analysts never had their own desks or computers. Many of the computers weren't equipped with the proper software to allow access to both top secret and unclassified materials. To Rossmiller, the DIA's Iraq intelligence teams, located in temporary, cramped offices along a hard-to-find hallway off a corridor, seemed like a nuisance or afterthought.

Unfortunately, one of his worst Baghdad bosses landed there, too, a right-wing war booster who was "running around the office and asking people what they were working on so he could add his opinion (that is, inject his ideology)" into their intelligence reports. "He would launch tirades over minor analytical disagreements," Rossmiller writes, "once telling an analyst, in all seriousness, 'Well, it's clear I have to do more micromanaging here!'" There were already layers upon layers of supervisors who could, and would, edit, rewrite or boil down the analysts' reports.

On another occasion the boss sauntered up to a U.S.-born Hispanic on the team and asked, "So, Jose, what do you think of these immigration protesters?" He clearly disapproved. Jose, of Puerto Rican heritage, demurred. "Look at you," the boss added, "You've clearly adapted and assimilated. . . . And you speak English so well!"

Such ignorant buffoons and bullies are all too common in Rossmiller's devastating account. Intelligence officials constantly berated and insulted the analysts'
sober reports on the growing chaos of Baghdad, the hopelessly splintered Iraqi government and the fighting among Sunnis and Shiites that had spun into a civil war. The J-2, or top intelligence officer on the Joint Chiefs of Staff, fell back on rank to intimidate them into changing, or completely repudiating, their reports. "You're digging yourself a hole, Mr. junior analyst," the (unnamed) J-2 would bark, or "I quit reading when I see stupidity in reporting."

How ironic, in hindsight. It was the Joint Chiefs and other military brass who dug themselves into a big hole in Iraq by suppressing the intelligence.

After a year of that, Rossmiller quit, but not before "speaking truth," as he puts it, "to power." It was a rare practice at DIA. And a recent one, according to W. Patrick Lang, the DIA's top Middle East analyst during the administration of President George Bush, which ousted Iraqi troops from Kuwait in the "100 Hour War." Hearing about Rossmiller's account, Lang said it reminded him of "the old joke about there being a real U.S. intelligence community somewhere for which the existing agencies provided cover."

We can only hope.

From rforno at infowarrior.org Sat Feb 9 19:03:20 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 09 Feb 2008 14:03:20 -0500
Subject: [Infowarrior] - Yahoo Board to Reject Microsoft
Message-ID:

Report: Yahoo Board to Reject Microsoft
Feb 9 01:45 PM US/Eastern
http://www.breitbart.com/article.php?id=D8UMVAU80&show_article=1

SAN FRANCISCO (AP) - Yahoo Inc.'s board plans to reject Microsoft Corp.'s $44.6 billion bid to buy the Internet pioneer, The Wall Street Journal reported on its Web site Saturday. Board members concluded the unsolicited offer massively undervalues the company, a person familiar with the situation told the newspaper. The $31 per share bid was made public on Feb. 1. Board members so far would only say they were studying the offer.
Yahoo's board intends to send a letter to Microsoft on Monday explaining its decision, persons close to the company said. Microsoft and Yahoo representatives did not immediately return calls for comment. The slumping Internet company's rejection of the offer might mean Yahoo is getting ready for a long battle, analysts said. Board members believe Microsoft is attempting to take advantage of a recent slump in share price to take over. But they're not ready to consider any offer below $40 per share, according to a person knowledgeable about the discussions.

Yahoo appears to be counting on Microsoft's reluctance to engage in a hostile takeover. Ignoring the wishes of management and the board and creating resentment among the Web giant's engineers could also make it harder to push the deal past authorities, as Yahoo officials could try to convince regulators that the deal is anticompetitive. But analysts are uncertain whether Microsoft would be up to paying the higher price per share, which would raise its bid by about $12 billion.

Copyright 2008 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.

From rforno at infowarrior.org Sat Feb 9 19:52:26 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 09 Feb 2008 14:52:26 -0500
Subject: [Infowarrior] - W. Virginia assessor fights effort to put tax maps online
Message-ID:

W. Virginia assessor fights effort to put tax maps online
By Ryan Paul | Published: February 07, 2008 - 08:21AM CT
http://arstechnica.com/news.ars/post/20080207-w-virginia-assessor-fights-effort-to-put-tax-maps-online.html

The official tax assessor of Kanawha County in West Virginia, Phyllis Gatson, has filed a lawsuit seeking an injunction to block Seneca Technologies from publishing tax maps for the entire state of West Virginia on the Internet.
Citing a state law which prohibits individuals from copying and redistributing tax maps without the county tax assessor's permission, one that also enables tax assessors to sell paper copies of the maps for approximately $8 each, Gatson asserts that Seneca's actions constitute copyright infringement and have caused her to suffer financial damages.

Seneca, a document indexing and data management company, began its quest to obtain tax maps for all of West Virginia last year by sending a Freedom of Information Act (FOIA) request to the state tax department, which has digital copies of all of the tax maps for internal use. When the state declined to fulfill the FOIA request and insisted that Seneca pay $8 for each of the 20,936 TIF images (a total of $167,488), the company filed a lawsuit to force the agency to comply with its obligations under the FOIA. The judge ruled in favor of Seneca, noting that the state law requiring payment applied only to paper maps and not digital copies. The tax department was forced to provide the entire collection of maps for a single payment of $20 to compensate it for the total reproduction costs.

After obtaining the maps, Seneca then made them available for free on the Internet through its own web site so that they could be accessed by the general public. Seneca plans to use its document indexing technologies to create an elaborate search system that makes it easy for users to correlate information from the tax maps with other data stored in Seneca's databases. Gatson, an individual county tax assessor, responded to Seneca's plans by filing a lawsuit in an effort to win an injunction that would force Seneca to take down the TIF images.
Seneca is represented by activist group Public Citizen, which recently filed a memorandum in opposition to the injunction (PDF) which argues that publication of the maps does not cause financial damage to Gatson because anyone can now obtain the maps from the state at the cost of $20, and prohibiting publication of the maps would violate the First Amendment. The filing also describes numerous pragmatic and ethical considerations that justify publication of the maps (describing how the information is of value to diverse groups ranging from environmentalists to mineral extraction companies) and notes that broad public access to the information increases transparency and accountability in the tax assessment process.

"When combined with text of other files that contain the entire state's property assessment data, including the owner's name, address, parcel identification number, assessed value, and other pertinent information, the maps provide a new level of transparency to the assessment process, thus enabling citizens to monitor the adequacy of plaintiff's performance of her public duties," the filing says. "For example, does an influential person or company, such as a particular public official or campaign contributor, have land that is assessed at significantly lower value than bordering properties? Can any differences in assessment be explained by differing size of parcel, topographical configuration, and the like?"

The filing also notes that the state law barring reproduction and distribution of tax maps without written permission from county tax assessors isn't valid because federal copyright law includes a preemption provision that precludes state copyright laws. The filing notes that the state law banning free redistribution of tax maps acts like a copyright law while failing to provide any of the counterbalances found in federal copyright law, such as limited duration.
And even if the maps were protected by copyright, the filing contends, Seneca's actions would still likely fall within the realm of fair use. It is worth noting that several states already broadly make tax maps available online for free. The state of Oregon, for instance, offers a highly sophisticated interactive tax map interface on its ORMAP web site.

Seneca's conflict with a county tax assessor over Internet publication of public records reflects some of the problems that society will face as more government information transitions from static print into digital formats. Seneca's efforts to integrate the information into a more cohesive database that would provide significant value to citizens of West Virginia have been assaulted every step of the way by anachronistic laws and misguided government officials. It is a sad day when a company attempting to provide a public service at its own expense is barred from doing so by outdated and legally dubious state laws.

From rforno at infowarrior.org Sun Feb 10 15:30:48 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 10 Feb 2008 10:30:48 -0500
Subject: [Infowarrior] - Combatting the Surveillance Industrial Complex
Message-ID:

Combatting the Surveillance Industrial Complex (8/9/2004)

THE PRIVATIZATION OF SURVEILLANCE

The U.S. security establishment is rapidly increasing its ability to monitor average Americans by hiring or compelling private-sector corporations to provide billions of customer records. The explosive growth in surveillance by government and business is creating a "Surveillance-Industrial Complex" (PDF) that threatens all of our privacy.

ABOUT THE REPORT

This report makes the case that, across a broad variety of areas, the same dynamic of the "privatization of surveillance" is underway. Different dimensions of this trend are examined in depth in four separate sections of the report:

"Recruiting Individuals."
Documents how individuals are being recruited to serve as "eyes and ears" for the authorities even after Congress rejected the infamous TIPS (Terrorism Information and Prevention System) program that would have recruited workers like cable repairmen to spy on their customers.

"Recruiting Companies." Examines how companies are pressured to voluntarily provide consumer information to the government; the many ways security agencies can force companies to turn over sensitive information under federal laws such as the Patriot Act; how the government is forcing companies to participate in watchlist programs and in systems for the automatic scrutiny of individuals' financial transactions.

"Mass Data Use, Public and Private." Focuses on the government's use of private data on a mass scale, either through data mining programs like the MATRIX state information-sharing program, or the purchase of information from private-sector data aggregators.

"Pro-Surveillance Lobbying." Looks at the flip side of the issue: how some companies are pushing the government to adopt surveillance technologies and programs based on private-sector data.

< - > http://www.aclu.org/safefree/resources/18512res20040809.html

From rforno at infowarrior.org Sun Feb 10 15:31:30 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 10 Feb 2008 10:31:30 -0500
Subject: [Infowarrior] - 'Surveillance-Industrial Complex' Turbo-Charging Government Monitoring
In-Reply-To: <000901c86bda$758da9c0$0201a8c0@DB0PJ521>
Message-ID:

Published on Science Blog (http://www.scienceblog.com/cms)
'Surveillance-Industrial Complex' Turbo-Charging Government Monitoring
By BJS
Created 02/09/2008 - 17:01

The government is rapidly increasing its ability to monitor average Americans by tapping into the growing amount of consumer data being collected by the private sector, according to a major report released today by the American Civil Liberties Union. "The U.S.
security establishment is reaching deeper and deeper into our private lives by forcing the corporate sector to inform on the activities of individuals," said Anthony D. Romero, Executive Director of the ACLU. "The government has always recruited informers to help convict criminals, but today that recruitment is being computerized, automated, and used against innocent individuals on a massive scale that is unprecedented in the history of our nation." The release of the 38-page report, entitled "The Surveillance-Industrial Complex: How the American Government is Conscripting Businesses and Individuals in the Construction of a Surveillance Society," marks the launch of the ACLU's Surveillance Campaign, which is designed to regain consumers' personal privacy rights by mobilizing people to contact prominent companies - such as drugstore chains, insurance companies and retailers - to ask them to take a "no-spy pledge" to defend their customers' privacy against government intrusion. A list of suggested companies for consumers to contact is available online at www.aclu.org/privatize [1]. "An important step in regaining control of our personal privacy is to demand that businesses not acquiesce in being drafted into adjuncts of a surveillance state," said Barry Steinhardt, Director of the ACLU's Technology and Liberty Program, which produced the report. "If a big company won't defend its customers' privacy, then consumers should take their business to a company that will." The report makes the case that, across a broad variety of areas, the same dynamic of the "privatization of surveillance" is underway. Different dimensions of this trend are examined in-depth in four separate sections of the report: * Recruiting Individuals. 
Documents how individuals are being recruited to serve as "eyes and ears" for the authorities even after Congress rejected the infamous TIPS (Terrorism Information and Prevention System) program that would have recruited workers like cable repairmen to spy on their customers.

* Recruiting Companies. Examines how companies are pressured to voluntarily provide consumer information to the government; the many ways security agencies can force companies to turn over sensitive information under federal laws such as the Patriot Act; how the government is forcing companies to participate in watchlist programs and in systems for the automatic scrutiny of individuals' financial transactions.

* Mass Data Use, Public and Private. Focuses on the government's use of private data on a mass scale, either through data mining programs like the MATRIX state information-sharing program, or the purchase of information from private-sector data aggregators.

* Pro-Surveillance Lobbying. Looks at the flip side of the issue: how some companies are pushing the government to adopt surveillance technologies and programs based on private-sector data.

"Government security agencies all too often act on the false premise that they can stop terrorism by tracking information about everyone, while at the same time, private companies are increasingly collecting more information on their customers," said Jay Stanley, Communications Director of the ACLU's Technology and Liberty Program and the author of the report. "Sometimes willingly, sometimes not, the private sector is playing a key role in the push toward a frightening new surveillance society."

As part of the public awareness component of its Surveillance Campaign, the ACLU recently released an online video to dramatize how new technologies and weak privacy laws may over time be used to strip us of our privacy.
In the video, a pizza parlor uses its access to a wide variety of sensitive information to guide its treatment of a customer calling to order dinner. To view the video, go to http://www.aclu.org/pizza/index.html?orgid=EA071904&MX=1414&H=1 [2].

"The amount of direct surveillance that government security agencies can conduct, and the number of people they can hire, will always be limited," said Stanley. "But leveraging the private sector vastly expands the government's capacity to invade our lives."

The report ends with six conclusions, including the need for individuals to take action, the need for the legal system to catch up to a fast-changing reality, and the fact that mass surveillance is not only intrusive but also a poor way to fight terrorism. "With this report we want to help people see beyond particular stories to grasp the big picture," said Steinhardt. "If we want to preserve the privacy Americans have always enjoyed, we need to act now."

The report is available online at www.aclu.org/surveillance [3]
To learn more about the ACLU's Surveillance Campaign, go to www.aclu.org/privatize [4]

Source URL: http://www.scienceblog.com/cms/surveillance-industrial-complex-turbo-charging-government-monitoring-15440.html

Links:
[1] http://www.aclu.org/privatize
[2] http://www.aclu.org/pizza/index.html?orgid=EA071904&MX=1414&H=1
[3] http://www.aclu.org/surveillance
[4] http://www.aclu.org/privatize

From rforno at infowarrior.org Sun Feb 10 22:52:40 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 10 Feb 2008 17:52:40 -0500
Subject: [Infowarrior] - UK Olympians forced to sign no-criticism of China paper
Message-ID:

Britain kowtows to China as athletes are forced to sign no-criticism contracts
By ROB DRAPER and DANIEL KING
Last updated at 13:07pm on 10th February 2008

British Olympic chiefs are to force athletes to sign a contract promising not to speak out about China's appalling human rights record,
or face being banned from travelling to Beijing. The move, which raises the spectre of the order given to the England football team to give a Nazi salute in Berlin in 1938, immediately provoked a storm of protest.

The controversial clause has been inserted into athletes' contracts for the first time and forbids them from making any political comment about countries staging the Olympic Games. It is contained in a 32-page document that will be presented to all those who reach the qualifying standard and are chosen for the team. From the moment they sign up, the competitors, likely to include the Queen's granddaughter Zara Phillips and world record holder Paula Radcliffe, will be effectively gagged from commenting on China's politics, human rights abuses or illegal occupation of Tibet.

Prince Charles has already let it be known that he will not be going to China, even if he is invited by Games organisers. His views on the Communist dictatorship are well known, after this newspaper revealed how he described China's leaders as "appalling old waxworks" in a journal written after he attended the handover of Hong Kong. The Prince is also a long-time supporter of the Dalai Lama, the Tibetan leader.

Yesterday the British Olympic Association (BOA) confirmed to The Mail on Sunday that any athlete who refuses to sign the agreements will not be allowed to travel to Beijing.

< -- > http://www.dailymail.co.uk/pages/live/articles/news/news.html?in_article_id=513362&in_page_id=1770&ct=5

From rforno at infowarrior.org Mon Feb 11 04:16:47 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 10 Feb 2008 23:16:47 -0500
Subject: [Infowarrior] - Welcome to Cyberwar Country, USA
Message-ID:

Welcome to Cyberwar Country, USA
By Marty Graham
02.11.08 | 12:00 AM

At least 15 locations around the U.S. are competing for the Air Force's new Cyber Command, only the 10th major command in Air Force history.
Rob Beschizza

BARKSDALE AIR FORCE BASE, Louisiana -- When a reporter enters the Air Force office of William Lord, a smile comes quickly to the two-star general's face as he darts from behind his immaculate desk to shake hands. Then, as an afterthought, he steps back and shuts his laptop as though holstering a sidearm.

Lord, boyish and enthusiastic, is a new kind of Air Force warrior -- the provisional chief of the service's first new major command since the early 1990s, the Cyber Command. With thousands of posts and enough bandwidth to choke a horse, the Cyber Command is dedicated to the proposition that the next war will be fought in the electromagnetic spectrum, and that computers are military weapons.

In a windowless building across the base, Lord's cyber warriors are already perched 24 hours a day before banks of monitors, scanning Air Force networks for signs of hostile incursion.

"We have to change the way we think about warriors of the future," Lord enthuses, raising his jaw while a B-52 traces the sky outside his windows. "So if they can't run three miles with a pack on their backs but they can shut down a SCADA system, we need to have a culture where they fit in."

< - big snip - >
http://www.wired.com/politics/security/news/2008/02/cyber_command

From rforno at infowarrior.org Mon Feb 11 04:26:07 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 10 Feb 2008 23:26:07 -0500
Subject: [Infowarrior] - RealPlayer users held to ransom
Message-ID:

RealPlayer users held to ransom
Feb 9th, 2008, 7:36 pm
http://www.daniweb.com/blogs/entry2060.html

It has been a couple of months now since a Russian security researcher, Evgeny Legerov, confirmed that the widely deployed media software RealPlayer was vulnerable to a zero-day exploit. The Russian company, Gleg, is in the business of selling information on such exploits and security flaws.
Unfortunately, according to RealNetworks' Vice President Jeff Chasen, Gleg has been unwilling or unable to provide the necessary data to allow the alleged gaping security hole to be patched despite repeated requests from both RealNetworks and CERT. Gleg has, on the other hand, posted a video showing the heap overflow/code execution exploit in action.

According to Chris Wysopal, CTO for application secure code testing company Veracode, it was only ever a matter of when rather than if the zero-day exploit commercial market would find a vulnerability in widely deployed software such as this. "We don't know when this unpatched RealPlayer vulnerability was introduced into the code," Wysopal says. "It has probably been latent for many months. Real's customers were vulnerable as soon as they downloaded this version of RealPlayer. There is currently knowledge circulating in criminal circles and attackers are using it to compromise Real's customers."

The fact that Gleg apparently knew how to reproduce this problem at least a month beforehand, but did not inform the vendor, is quite frankly appalling. Indeed, there appears to be a legitimate concern over what benefit the customers of Gleg, who were informed about the problem, would get by having such client-side exploit information before the vendor can patch it. Legerov has responded to criticism by arguing that the exclusivity is required so that his customers can better understand the level of risk that they face. Again, this beggars belief. What do they need to understand other than that the client software is broken and needs to be fixed ASAP, unless there were some ulterior motive? As Wysopal says, "I know that users with RealPlayer 11 installed will undoubtedly stumble across a malicious music file and their system will have a bot installed running with their logged in privilege level. I'm not sure what additional value I would get as a Gleg customer."
Unless, of course, you were RealNetworks, in which case you might be able to run the exploit in lab conditions and patch that vulnerability. But then isn't that tantamount to blackmail?

Wysopal argues with plenty of merit that a cooperative solution is a much safer way for customers to understand the risks of the code they run, promoting good security hygiene on the vendor side. "We have found that once vendors know that their big customers are using an independent review service they are more likely to proactively start doing security testing within their SDLC," he continues. "A vendor can't bluff their way out of a comprehensive code assessment like they can from just a single (or a few) vulnerabilities publicly reported. If their code is full of vulnerabilities their customers will know."

- Davey Winder, staff writer aka happygeek

From rforno at infowarrior.org Mon Feb 11 04:30:46 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 10 Feb 2008 23:30:46 -0500
Subject: [Infowarrior] - How Sticky Is Membership on Facebook? Just Try Breaking Free
Message-ID:

February 11, 2008
How Sticky Is Membership on Facebook? Just Try Breaking Free
By MARIA ASPAN
http://www.nytimes.com/2008/02/11/technology/11facebook.html

Are you a member of Facebook.com? You may have a lifetime contract. Some users have discovered that it is nearly impossible to remove themselves entirely from Facebook, setting off a fresh round of concern over the popular social network's use of personal data. While the Web site offers users the option to deactivate their accounts, Facebook servers keep copies of the information in those accounts indefinitely. Indeed, many users who have contacted Facebook to request that their accounts be deleted have not succeeded in erasing their records from the network. "It's like the Hotel California," said Nipon Das, 34, a director at a biotechnology consulting firm in Manhattan, who tried unsuccessfully to delete his account this fall.
"You can check out any time you like, but you can never leave."

It took Mr. Das about two months and several e-mail exchanges with Facebook's customer service representatives to erase most of his information from the site, which finally occurred after he sent an e-mail threatening legal action. But even after that, a reporter was able to find Mr. Das's empty profile on Facebook and successfully sent him an e-mail message through the network.

In response to difficulties faced by ex-Facebook members, a cottage industry of unofficial help pages devoted to escaping Facebook has sprung up online - both outside and inside the network.

"I thought it was kind of strange that they save your information without telling you in a really clear way," said Magnus Wallin, a 26-year-old patent examiner in Stockholm who founded a Facebook group, "How to permanently delete your facebook account." The group has almost 4,300 members and is steadily growing.

The technological hurdles set by Facebook have a business rationale: they allow ex-Facebookers who choose to return the ability to resurrect their accounts effortlessly. According to an e-mail message from Amy Sezak, a spokeswoman for Facebook, "Deactivated accounts mean that a user can reactivate at any time and their information will be available again just as they left it."

But it also means that disenchanted users cannot disappear from the site without leaving footprints. Facebook's terms of use state that "you may remove your user content from the site at any time," but also that "you acknowledge that the company may retain archived copies of your user content." Its privacy policy says that after someone deactivates an account, "removed information may persist in backup copies for a reasonable period of time."

Facebook's Web site does not inform departing users that they must delete information from their account in order to close it fully -
meaning that they may unwittingly leave anything from e-mail addresses to credit card numbers sitting on Facebook servers.

Only people who contact Facebook's customer service department are informed that they must painstakingly delete, line by line, all of the profile information, "wall" messages and group memberships they may have created within Facebook.

"Users can also have their account completely removed by deleting all of the data associated with their account and then deactivating it," Ms. Sezak said in her message. "Users can then write to Facebook to request their account be deleted and their e-mail will be completely erased from the database."

But even users who try to delete every piece of information they have ever written, sent or received via the network have found their efforts to permanently leave stymied.

Other social networking sites like MySpace and Friendster, as well as online dating sites like eHarmony.com, may require departing users to confirm their wishes several times - but in the end they offer a delete option.

"Most sites, even online dating sites, will give you an option to wipe your slate clean," Mr. Das said.

Mr. Das, who joined Facebook on a whim after receiving invitations from friends, tried to leave after realizing that most of his co-workers were also on the site. "I work in a small office," he said. "The last thing I want is people going on there and checking out my private life."

"I did not want to be on it after junior associates at work whom I have to manage saw my stuff," he added.

Facebook's quiet archiving of information from deactivated accounts has increased concerns about the network's potential abuse of private data, especially in the wake of its fumbled Beacon advertising feature. That application, which tracks and publishes the items bought by Facebook members on outside Web sites, was introduced in November without a transparent, one-step opt-out feature.
After a public backlash, including more than 50,000 Facebook users' signatures on a MoveOn.org protest petition, Facebook executives apologized and allowed such an opt-out option on the program.

Tensions remain between making a profit and alienating Facebook's users, who the company says total about 64 million worldwide (MySpace has an estimated 110 million monthly active users). The network is still trying to find a way to monetize its popularity, mostly by allowing marketers access to its wealth of demographic and behavioral information.

The retention of old accounts on Facebook's servers seems like another effort to hold onto - and provide its ad partners with - as much demographic information as possible.

"The thing they offer advertisers is that they can connect to groups of people. I can see why they wouldn't want to throw away anyone's information, but there's a conflict with privacy," said Alan Burlison, 46, a British software engineer who succeeded in deleting his account only after he complained in the British press, to the country's Information Commissioner's Office and to the TRUSTe organization, an online privacy network that has certified Facebook.

Mr. Burlison's complaint spurred the Information Commissioner's Office, a privacy watchdog organization, to investigate Facebook's data-protection practices, the BBC reported last month. In response, Facebook issued a statement saying that its policy was in "full compliance with U.K. data protection law."

A spokeswoman for TRUSTe, which is based in San Francisco, said its account deletion process was "inconvenient," but that Facebook was "being responsive to us and they currently meet our requirements."

"I kept getting the same answer and really felt that I was being given the runaround," Mr. Burlison said of Facebook's customer service representatives. "It was quite obvious that no amount of prodding from me on a personal level was going to make a difference."
Only after he sent a link to the video of his interview with Britain's Channel 4 News to the customer service representatives - and Facebook executives - was his account finally deleted.

Steven Mansour, 28, a Canadian online community developer, spent two weeks in July trying to fully delete his account from Facebook. He later wrote a blog entry - including e-mail messages, diagrams and many exclamations of frustration - in a post entitled "2504 Steps to closing your Facebook account" (www.stevenmansour.com).

Mr. Mansour, who said he is "really skeptical of social networking sites," decided to leave after a few months on Facebook. "I was getting tired of always getting alerts and e-mails," he said. "I found it very invasive."

"It's part of a much bigger picture of social networking sites on the Internet harvesting private data, whether for marketing or for more sinister purposes," he said.

His post, which wound up on the link-aggregator Digg.com, has been viewed more than 87,000 times, Mr. Mansour said, adding that the traffic was so high it crashed his server.

And his post became the touchstone for Mr. Wallin, who was inspired to create his group, "How to permanently delete your Facebook account," after joining, leaving and then rejoining Facebook, only to find that all of his information from his first account was still available.

"I wanted the information to be available inside Facebook for all the users who wanted to leave, and quite a few people have found it just by using internal search," said Mr. Wallin. Facebook has never contacted Mr. Wallin about the group.

Mr. Wallin said he has heard through members that some people have successfully used his steps to leave Facebook. But he is not yet ready to leave himself.

"I don't want to leave yet; I actually find it really convenient," he said. "But someday when I want to leave, I want it to be simple."
From rforno at infowarrior.org Mon Feb 11 12:36:52 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 11 Feb 2008 07:36:52 -0500
Subject: [Infowarrior] - Security Cartoon
Message-ID:

Somehow DOD and USG came to mind when I read this.....

http://www.dilbert.com/comics/dilbert/archive/dilbert-20080211.html

From rforno at infowarrior.org Mon Feb 11 15:01:06 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 11 Feb 2008 10:01:06 -0500
Subject: [Infowarrior] - Bush orders clampdown on flights to US
Message-ID:

Bush orders clampdown on flights to US
EU officials furious as Washington says it wants extra data on all air passengers
Ian Traynor in Brussels
The Guardian, Monday February 11 2008
http://www.guardian.co.uk/world/2008/feb/11/usa.theairlineindustry/print

This article appeared in the Guardian on Monday February 11 2008 on p1 of the Top stories section. It was last updated at 13:53 on February 11 2008.

Photograph caption: Bush administration is calling for armed air marshals on transatlantic flights. Photograph: Eric Meola/Getty Images

The US administration is pressing the 27 governments of the European Union to sign up for a range of new security measures for transatlantic travel, including allowing armed guards on all flights from Europe to America by US airlines.

The demand to put armed air marshals on to the flights is part of a travel clampdown by the Bush administration that officials in Brussels described as "blackmail" and "troublesome", and could see west Europeans and Britons required to have US visas if their governments balk at Washington's requirements.

According to a US document being circulated for signature in European capitals, EU states would also need to supply personal data on all air passengers overflying but not landing in the US in order to gain or retain visa-free travel to America, senior EU officials said.
And within months the US department of homeland security is to impose a new permit system for Europeans flying to the US, compelling all travellers to apply online for permission to enter the country before booking or buying a ticket, a procedure that will take several days.

The data from the US's new electronic transport authorisation system is to be combined with extensive personal passenger details already being provided by EU countries to the US for the "profiling" of potential terrorists and assessment of other security risks.

Washington is also asking European airlines to provide personal data on non-travellers - for example family members - who are allowed beyond departure barriers to help elderly, young or ill passengers to board aircraft flying to America, a demand the airlines reject as "absurd".

Seven demands tabled by Washington are contained in a 10-page "memorandum of understanding" (MOU) that the US authorities are negotiating or planning to negotiate with all EU governments, according to ministers and diplomats from EU member states and senior officials in Brussels.

The Americans have launched their security drive with some of the 12 mainly east European EU countries whose citizens still need visas to enter the US. "The Americans are trying to get a beefing up of their visa-waiver programmes. It's all contained in the MOU they want to put to all EU member states," said a diplomat from a west European country. "It's a very delicate problem."

As part of a controversial passenger data exchange programme allegedly aimed at combating terrorism, the EU has for the past few months been supplying the American authorities with 19 items of information on every traveller flying from the EU to the US. The new American demands go well beyond what was agreed under that passenger name record (PNR) system and look certain to cause disputes within Europe and between Europe and the US.
Brussels is pressing European governments not to sign the bilateral deals with the Americans to avoid weakening the EU bargaining position. But Washington appears close to striking accords on the new travel regime with Greece and the Czech Republic. Both countries have sizeable diaspora communities in America, while their citizens need visas to enter the US. Visa-free travel would be popular in both countries.

A senior EU official said the Americans could get "a gung-ho frontrunner" to sign up to the new regime and then use that agreement "as a rod to beat the other member states with".

The frontrunner appears to be the Czech Republic. On Wednesday, Richard Barth of the department of homeland security was in Prague to negotiate with the Czech deputy prime minister, Alexandr Vondra. Prague hoped to sign the US memorandum "in the spring", Vondra said. "The EU has done nothing for us on visas," he said. "There was no help, no solidarity in the past. It's in our interest to move ahead. We can't just wait and do nothing. We have to act in the interest of our citizens."

While the Czechs are in a hurry to sign up, Brussels is urging delay in order to try to reach a common European position. "There is a process of consultation and coordination under way," said Jonathan Faull, a senior European commission official involved in the negotiations with the Americans.

To European ears, the US demands sound draconian. "This would oblige the European countries to allow US air marshals on US flights. It's controversial and difficult," an EU official said. At the moment the use of air marshals is discretionary for European states and airlines.

While armed American guards would be entitled to sit on the European flights to the US, the Americans also want the PNR data transfers extended from travellers from Europe to the US to include the details of those whose flights are not to America, but which overfly US territory, say to central America or the Caribbean.
Brussels has told Washington that its demands raise legal problems in Europe over data protection, over guarantees on how the information is handled, over which US agencies have access to it or with whom it might be shared, and over issues of redress if the data is misused.

The Association of European Airlines, representing 31 airlines, including all the big west European national carriers, has told the US authorities that there is "no international legal foundation" for supplying them with data about passengers on flights overflying US territory.

The US Transport Security Administration has also asked the European airlines to supply personal data on "certain non-travelling members of the public requesting access to areas beyond the screening checkpoint". The AEA said this was "absurd" because the airlines neither obtain nor can obtain such information. The request was "fully unjustified".

If the Americans persevere in the proposed security crackdown, Brussels is likely to respond with tit-for-tat action, such as calling for visas for some Americans. European governments, however, would probably veto such action, one official said, not least for fear of the "massive disruption given the huge volume of transatlantic traffic".

From rforno at infowarrior.org Mon Feb 11 19:00:13 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 11 Feb 2008 14:00:13 -0500
Subject: [Infowarrior] - Microsoft buying Danger Inc
Message-ID:

Microsoft's Other Takeover Deal: Danger Inc.
February 11, 2008, 9:51 am
http://dealbook.blogs.nytimes.com/2008/02/11/microsofts-other-takeover-deal-danger-inc/?hp

Not everyone is so reluctant to be bought by Microsoft these days.

As Microsoft was bracing early Monday for a rejection from Yahoo, the software giant announced another takeover deal - a much smaller and apparently much friendlier one. The company said it would buy Danger Inc., the Silicon Valley firm that created the Sidekick smart phone.
The deal, whose price wasn't disclosed, would seem to emphasize Microsoft's increasingly aggressive acquisition strategy. In an article Monday, The New York Times described the role of Microsoft's chief financial officer, Christopher Liddell, a former banker from New Zealand, in this transformation, which moves Microsoft away from a "not-invented-here" culture to one that knows how to buy technology elsewhere and integrate it.

Buying Danger could advance Microsoft's efforts to compete in the area of providing consumer-friendly mobile applications.

Founded in 1999, Danger has a rich pedigree in the Valley: One of its co-founders, Andy Rubin, is now Google's director of mobile platforms. Its investors include a host of well-known venture firms, such as Redpoint Ventures and Mobius Technology Ventures, and cell-phone giants such as Motorola and T-Mobile. As of Sept. 30, Danger claimed more than 923,000 subscribers to its mobile-data services.

(Incidentally, the company's name has an interesting history as well: It is a reference to the arm-waving warning from the robot in the campy television series "Lost in Space.")

Selling a company to Microsoft can be a daunting decision for a relatively small firm used to being its own boss. But these days, it may be a more palatable option than seeking to go public. Danger filed in December to raise as much as $100 million through a new listing on the Nasdaq. Maybe the money-losing company saw January's choppy markets - which helped trigger a series of withdrawn public offerings - and found Microsoft's call more tempting than the alternatives.

From rforno at infowarrior.org Tue Feb 12 03:24:34 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 11 Feb 2008 22:24:34 -0500
Subject: [Infowarrior] - EU plans to require biometrics of all non-European visitors
Message-ID:

Another victory for the idiotic New Normal.....wonder how much of this is in direct response to the US' forcing such requirements on EU folks?
-rf

International Herald Tribune
EU plans to require biometrics of all non-European visitors
By Stephen Castle
Sunday, February 10, 2008
http://www.iht.com/bin/printfriendly.php?id=9910780

BRUSSELS: All non-Europeans would need to submit biometric data before crossing Europe's frontiers under sweeping European Union proposals to combat illegal migration, terrorism and organized crime that are to be outlined this week.

The plans - arguably the biggest shake-up of border management in Europe since the creation of an internal travel zone - would apply to citizens of the United States and all other countries that now enjoy visa-free status.

They would, however, allow EU citizens and "low risk" frequent travelers from outside the bloc to pass through automated, fast-track frontier checkpoints without coming into contact with border guards. Voluntary programs for prescreening such visitors, who would register fingerprints and other data, would be stepped up.

The proposals, contained in draft documents examined by the International Herald Tribune and scheduled to go to the European Commission on Wednesday, were designed to bring the EU visa regime into line with a new era in which passports include biometric data.

The commission, the EU executive, argues that migratory pressure, organized crime and terrorism are obvious challenges to the Union and that the bloc's border and visa policy needs to be brought up to date. It also wants a new European Border Surveillance System to be created, to use satellites and unmanned aircraft to help track the movements of suspected illegal migrants.

If approved by the commission this week, the measures would need the approval of all EU states.
The United States routinely requires European citizens to submit fingerprints when crossing its borders and the commission's document notes that America plans to introduce an electronic travel-authorization system for people from countries like Britain, France and Germany that are in its Visa Waiver Program.

The commission's proposals cover the Schengen zone, Europe's internal free-travel area named after the village in Luxembourg near where the original agreement between five countries was signed on June 14, 1985. Twenty-four countries are now members. It is unclear whether Britain and Ireland, which along with Cyprus are not members of Schengen, would opt into the program.

Each year more than 300 million travelers cross EU borders, but there is no obligation for countries inside the Schengen free-travel zone to keep a record of entries and exits of non-European third-country nationals in a dedicated database. Moreover, if the visitor leaves from another Schengen country, it is often impossible to determine whether or not the visitor overstayed his or her visa.

The proposals, drafted by the European commissioner for justice and home affairs, Franco Frattini, suggest that non-Europeans on a short-stay visa would be checked against a Visa Information System that is already under construction and should be operational in 2012.

Frattini also is calling for a new database to be set up to store information on the time and place of entry and exit of non-European nationals, using biometric identifiers. Once a person's visa expired, an alert would go out to all national authorities that the visitor had overstayed his or her allotted time.

Travelers from countries with a visa requirement would need to provide biometric data at European consulates before leaving their home country. Those arriving from nations not requiring visas, like the United States, would also need to submit fingerprints and a digitalized facial image.
But the European Union would try to make the system more user-friendly for Europeans and some categories of bona fide visitors by granting them the status of "registered traveler." They would be able to have their biometric travel documents scanned and checked by machines.

All Europeans should be able to use such a system when EU countries complete the task of issuing passports with two biometric identifiers, by 2019 at the latest. The 27 EU countries started issuing passports with a digitalized facial image in August 2006 and, in June 2009, will add the holder's fingerprints. European residence permits will also contain the same identifiers.

Non-Europeans could gain the same, fast-track status providing they have not overstayed previous visas, have proof of sufficient funds to pay for their stay in Europe and hold a biometric passport.

All non-European nationals would be asked to make an electronic application, supplying key data, before their arrival, allowing them to be checked against anti-terror databases in advance.

The draft documents also highlight weaknesses in Europe's efforts to guard its borders. One paper points out that, in the eight EU countries with external borders in the Mediterranean Sea and southern Atlantic, frontier surveillance is carried out by about 50 authorities from 30 institutions, sometimes with competing competencies and systems.

The plans foresee increased use of satellites and unmanned surveillance aircraft to monitor unauthorized movements, and a computerized communication network to share information.

Frattini also wants to see a bigger role for the agency that coordinates cooperation over external borders, known as Frontex. Although the agency has been criticized in some southern European nations for failing to match the scale of the challenge over illegal migration, the commission argues that it has achieved impressive results.
In 2006 and 2007 more than 53,000 people were apprehended or denied entry at a frontier and at least 2,900 false travel documents were seized. In addition, 58 people suspected of links to illegal trafficking have been arrested.

From rforno at infowarrior.org Tue Feb 12 04:48:10 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 11 Feb 2008 23:48:10 -0500
Subject: [Infowarrior] - PGP: Whole disk encryption for Mac OS X is 'in active development'
Message-ID:

PGP: Whole disk encryption for Mac OS X is 'in active development'
Posted by Declan McCullagh
http://www.news.com/8301-10784_3-9869812-7.html?part=rss&subj=news&tag=2547-1_3-0-20

PGP Corp. is planning to release a version of its whole-disk encryption software for Apple Macintosh computers running OS X.

Jon Callas, PGP's chief technology officer, told me on Monday that the software is "in active development" and will run on Intel-based Macs. Callas didn't want to elaborate on a shipping date, unfortunately.

This promises to be a boon for OS X users, especially laptop users who are more likely to lose their machines or run into snoopy border police and airport security guards who want to poke around the contents of their hard drives.

Right now there's no way for OS X users to encrypt their entire boot disks. OS X already features FileVault, of course, but that focuses on encrypting the user's home directory.

Without whole-disk encryption, Unix-derived systems including OS X store in unencrypted form details about VPN usage, login times, and what applications are installed in the default location. Some applications including Thunderbird save working copies of documents in an unencrypted area outside the home directory.

Another problem with FileVault is that it hasn't always been implemented that securely. Earlier versions of OS X didn't encrypt the swapfile used for virtual memory, meaning the password could in many cases be easily extracted.
And a paper (PDF) published last year by Jacob Appelbaum and Ralf-Philipp Weinmann found other potential security weaknesses.

PGP released its whole-disk encryption utility for Windows in May 2005. A perpetual license for PGP Whole Disk Encryption 9.8 for Windows costs $149.

I should also note here that a free volume encryption utility called TrueCrypt was released for OS X last week (it was previously available for Windows and Linux). TrueCrypt doesn't do whole-disk encryption, but it does offer a way to conceal the fact that an encrypted volume exists--although that handy feature isn't yet available on OS X and Linux.

From rforno at infowarrior.org Tue Feb 12 04:55:43 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 11 Feb 2008 23:55:43 -0500
Subject: [Infowarrior] - USA Blackberry Outage #2
Message-ID:

BlackBerry Blackout Strands Users
Failure Was Second In Less Than a Year
By Cecilia Kang
Washington Post Staff Writer
Tuesday, February 12, 2008; Page D01
http://www.washingtonpost.com/wp-dyn/content/article/2008/02/11/AR2008021101947.html

As the doors closed on the Metrorail train he was riding home from work yesterday, ABC News senior political reporter Rick Klein reached for his BlackBerry to encounter his worst nightmare: no new e-mails.

Earlier, Klein had been getting hundreds of e-mails an hour for his political blog "The Note" in preparation for today's Potomac Primary. But like millions of BlackBerry users across the country, he was caught up in an afternoon blackout that lasted for more than three hours.

For Klein, being cut off from e-mail, even during his half-hour commute to his home on Capitol Hill, seemed intolerable. "It was like being underwater without an oxygen tank. It felt like every minute was an hour," Klein said.

The failure appeared to affect users on all U.S. wireless carriers from about 3:30 p.m. to 6:50 p.m., an AT&T spokesman said.
It was not clear that it affected all BlackBerry subscribers and appeared to only involve e-mail, representatives from AT&T and Sprint Nextel said. Phone service on the devices was not affected, a Sprint spokesman said.

Research in Motion, which makes the ubiquitous handheld device and operates the BlackBerry e-mail servers, did not respond to phone messages and e-mails seeking comment.

It was the second major failure for RIM in less than a year. Last April, the company's e-mail service was interrupted for several hours overnight. The company later said its system crashed during a software upgrade to the servers that run the BlackBerry network. The cause of yesterday's blackout was not known.

The BlackBerry has had a loyal following, particularly among business users, since its introduction nine years ago. RIM has 12 million subscribers for its BlackBerry service worldwide and about 8 million in North America.

The interruption yesterday may have inconvenienced some customers, but faithful users such as Klein say the glitch has not changed their view of the service. "It couldn't have come at a worse time for me, but I think it was just an occasional problem," he said. "I'm too wedded to the technology at this point to change."

From rforno at infowarrior.org Tue Feb 12 04:58:52 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 11 Feb 2008 23:58:52 -0500
Subject: [Infowarrior] - OpEd: Rethinking Surveillance
Message-ID:

Rethinking Surveillance
Monday, February 11, 2008; D03
http://www.washingtonpost.com/wp-dyn/content/article/2008/02/10/AR2008021002128_pf.html

Video surveillance has become a fact of everyday life. Each time you withdraw cash from the corner ATM, travel through an airport or visit a national monument, your image is probably being recorded. But you may be surprised to learn that there are no federal laws governing how these images can be used, where they should be stored, with whom they may be shared and when they must be destroyed.
In this age of YouTube, TMZ and "Cops," it's hard to know where your image might reappear.

Supreme Court rulings suggest that individual freedoms are not violated by the placement of surveillance cameras, without a warrant, in public spaces. Unless audio recordings are paired with your image, it's unlikely that your privacy has been violated. And, in the absence of federal legislation, state and local governments continue to create a hodgepodge of occasionally conflicting regulations. In the Washington region, that complicates cooperation across jurisdictional lines.

The laissez-faire approach of our national legislators is no longer an option. As an increasingly sophisticated surveillance blanket covers more of the United States, we need federal laws to preserve an individual's right to privacy while setting principles governing the use of closed circuit television and other surveillance technologies for bona fide security purposes. Specifically, Congress should consider establishing laws to:

- Ensure that surveillance technologies satisfy their mission for crime and terror control without the potential for misuse.

- Reassure the public that their images are being collected for bona fide objectives, and that there are penalties for those who misuse surveillance recordings.

- Promote the adoption of open standards to ensure interoperability, which in turn would promote the introduction of emerging technologies.

The need for such legislation is clear. Governments, operators of transportation systems, and private businesses are increasingly using video surveillance to protect us from street crime and terrorist threats. The trend is particularly pronounced in the Washington area, where many cameras have been added since the Sept. 11, 2001, terrorist attacks. New surveillance technologies, meanwhile, are emerging at a dizzying pace.
The blurry videotape scenes of convenience store robberies are rapidly being replaced by crystal-clear video digitally recorded on computer hard drives. As the number of cameras watching us grows, the surveillance industry is wrestling with the emerging problem of an overabundance of images and properly controlling their distribution. Software that highlights suspicious images can help sort through video. However, federal government leadership is necessary to provide guidance in managing and securing these images.

For an example of how such legislation could work, Congress need only look to Britain. In response to a wave of Irish Republican Army terrorism in the 1970s, closed-circuit cameras were deployed throughout the country, making Britain the world leader in video surveillance. Today, there are more than 4 million such cameras in use there, according to British government figures.

Britain's experience has been helped by legislation passed 10 years ago that put public surveillance under national control. The Data Protection Act of 1998 set clear and consistent guidelines for video monitoring of public spaces, and created the information commissioner's office as the regulatory authority. A code of practice established privacy principles, provided guidelines for safeguarding the use of video images and gave industry a framework for doing business.

The British government also created a partnership between the criminal justice system, local police forces, government departments, the closed-circuit television industry and the Home Office (similar to our Department of Homeland Security) that resulted in a consensus on how and when video surveillance should be used in public spaces.

In the United States, we have a high regard for personal privacy. There are laws to ensure the privacy of medical, credit and tax records. And yet, video surveillance remains largely unregulated.
This lack of a national strategy will inevitably result in an incident in which an individual's rights are compromised, or evidence of a significant crime is disallowed in court. Surveillance technologies will continue to gain in capability -- and become more intrusive. Issues of privacy and public surveillance may appear vexing, but the United States must move forward with laws to effectively adapt to the inevitable spread of this technology. If the public is to trust business and government to watch over us, we need to follow the lessons of Britain and protect video images as we do other private data. Frank Baitman is president of Petards, the Baltimore-based subsidiary of Britain-based Petards Group, a developer of advanced surveillance systems with installations throughout the Washington region and in more than 40 countries.

From rforno at infowarrior.org Tue Feb 12 05:25:23 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 12 Feb 2008 00:25:23 -0500
Subject: [Infowarrior] - Rules Eased to Expedite Green Card Applications
Message-ID:

February 12, 2008 Rules Eased to Expedite Green Card Applications By JULIA PRESTON http://www.nytimes.com/2008/02/12/washington/12checks.html?hp=&pagewanted=print Searching for ways to reduce a huge backlog of visa applications, immigration authorities have eased requirements for background checks by the F.B.I. of immigrants seeking to become permanent United States residents, federal officials said Monday. If an immigrant's application for a residence visa has been in the system for more than six months and the only missing piece is a name check by the F.B.I., immigration officers will now be allowed to approve the application, according to a memorandum posted Monday on the Web site of the federal Citizenship and Immigration Services agency. The memorandum states that "in the unlikely event" that the F.B.I.
name check turns up negative information about an immigrant after a residence visa has been granted, the authorities can cancel the visa and begin deportation proceedings. The document was written by Michael Aytes, the agency's associate director for domestic operations. Under the new policy, which was first reported by the McClatchy news service, immigrants applying for the permanent visas, which are known as green cards, will still be required to complete two other security checks: an F.B.I. criminal fingerprint check and a search in a federal criminal and anti-terrorist database known as Interagency Border Inspection Services. The F.B.I. will eventually complete name checks for all green card applicants, officials said. Immigrants seeking to become citizens will still have to wait until the name check is completed. "Only after we received assurances that this would not compromise national security or the integrity of the immigration system did we go forward," said Christopher S. Bentley, a spokesman for Citizenship and Immigration Services. "This will allow us to give benefits to people who deserve them in a much quicker time frame." The policy is intended to speed processing for tens of thousands of immigrants with no criminal records who are living in the United States and have been waiting for years for green cards because their names turned up matches in the F.B.I.'s records. Often an immigrant's name hits a match, immigration lawyers said, because the F.B.I. files include a vast range of names, including those of people mentioned in criminal investigations, even if they had no role in a crime. F.B.I. agents must investigate each name match by manual searches of voluminous records. The previous policy "was just stalling adjustment of status for hundreds of thousands of people who posed no security threat, without any demonstrable improvement to our national security,"
said Bo Cooper, an immigration lawyer who was formerly general counsel for the immigration service. Currently the agency processes about 1.5 million applications requiring name checks each year, Mr. Bentley said, and 99 percent are cleared by the F.B.I. in less than six months. But about 140,000 applications have been hung up in the system for more than six months because of the name checks, he said, including applications both for green cards and citizenship. Some critics said the agency would be cutting security corners and bending federal law. "They are knowingly granting a benefit to a person who may be a national security threat or a serious criminal," said Rosemary Jenks, director of government relations for NumbersUSA, an organization that favors reduced immigration. "These are people who are asking permission to stay in this country permanently," Mrs. Jenks said, "and we have a right to make sure we know who they are. If it takes a few extra months, so be it." But Representative Zoe Lofgren, Democrat of California and chairwoman of the House immigration subcommittee, said the number of immigrants who had ever been rejected solely as a result of an F.B.I. name check was "microscopic."

From rforno at infowarrior.org Tue Feb 12 13:45:23 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 12 Feb 2008 08:45:23 -0500
Subject: [Infowarrior] - A School That's Too High on Gizmos
Message-ID:

(....this is one of my big pet peeves, and something I discussed in 2003's 'Weapons of Mass Delusion'....sounds like things are only getting worse....rf) A School That's Too High on Gizmos http://www.washingtonpost.com/wp-dyn/content/article/2008/02/08/AR2008020803271_pf.html By Patrick Welsh Sunday, February 10, 2008; B01 What's wrong with the teachers at T.C. Williams High School? Last September, we moved into a new $98 million building in Alexandria, one of the most expensive high schools ever built.
Natural light floods the classrooms, and each one is equipped with a ceiling-mounted LCD projector, which transfers anything I can put on my laptop computer -- from poetry readings at the Library of Congress to YouTube interviews with Toni Morrison and other writers -- onto a large screen at the front of the room. Students' behavior seems much improved: A cafeteria that looks like something out of an upscale mall has had a curiously pacifying effect on them, as has the presence of 126 security cameras. So you'd think T.C. teachers would be ecstatic. But it's just the opposite -- faculty morale is the lowest and cynicism the highest I've seen in years. The problem? What a former Alexandria school superintendent calls "technolust" -- a disorder affecting publicity-obsessed school administrators nationwide that manifests itself in an insatiable need to acquire the latest, fastest, most exotic computer gadgets, whether teachers and students need them or want them. Technolust is in its advanced stages at T.C., where our administrators have made such a fetish of technology that some of my colleagues are referring to us as "Gizmo High." Science and math teachers, for instance, have been told that they can't use traditional overhead projectors to present material to classes, even though the teachers say that in many cases, they're far superior to computers for getting certain concepts across. But the measure of teachers now is not whether they can convey their subject matter to students but how "paperless" their classrooms are -- how many new gizmos they use. To paraphrase the movie "Field of Dreams," if a computer company makes a classroom gizmo, the Alexandria school system will buy it. The latest is the "school pad" -- a hand-held device that allows a teacher to roam around the room and underline whatever the LCD projects onto the screen. In other words, it saves teachers from walking a few feet to their desks to click the computer mouse. 
The school system ordered 77 school pads for T.C. at $495 apiece, even though one teacher said they reminded her of "the Magna Doodle pads we had as kids. It's another way to waste money for people who are too lazy to write on the board." For a while, I thought it was just older teachers like me -- immigrants to the Internet world -- who were chafing at the so-called technology initiative, but it turns out that even the youngest teachers are fed up. "They would rather have a cyborg teaching than me," one young English teacher complained to me. "It's technology for the sake of technology -- not what works or helps kids learn, but what makes administrators look good, what the public will think is cutting edge." The school admits as much on its Web site, which includes this entry addressing teachers: "Imagine this headline: '[Alexandria City Public Schools] Recognized for its Premiere Educational Technology Program, Student Achievement Correlated to Technology Implementation.' What kind of technology exists at the high school that would create a headline like this?" Principals and other administrators may live off headlines, but teachers live off whether their students learn. "Teachers shouldn't have to change how they teach to fit some technological device," said Peter Cevenini, who heads up the K-12 education division of Cisco's Internet Business Solutions Group. "Teaching is a craft, and many great teachers instruct in totally different ways. Too many school systems are becoming device-driven -- they're buying computer devices because they're there." Kids certainly aren't fooled by all the gizmos. "The most effective teacher I have is Mr. Nickley," said senior Jamal Stone. "He isn't into all this computer stuff. All he uses is the board -- the whole board. He's lively, energetic, witty and really knows his math. He forces you to pay attention; you can't drift off even if you want to." 
Stone said he feels sorry for many of the "paperless" teachers who are always having students use their school-issued laptops in class. "The teachers think their students are engrossed in class research when they're actually playing video games and surfing the Net," he said. "Whenever the computer Nazis block one game, kids just find new ones." Senior Katerina Savchyn confirmed that she sometimes uses her laptop to escape the boredom of class by playing the online "Helicopter Game." In fact, the school-issued laptops are a problem in many ways. Students say all kinds of class time is wasted as they struggle to upload programs for class. The laptops constantly fail to connect to the wireless server, even though the computer geeks came around to every classroom a few months ago and installed new memory in every computer. The school system, which rushed into giving kids laptops three years ago, is constantly trying to play catch up with the technology. What's truly disconcerting is that the technology overkill is turning off talented young teachers. As one of the best here -- someone whom parents seek out and students love -- put it: "There's a lot of things I like about the computers, but we're being forced to do an unreasonable number of computer activities. Many of them don't fit my teaching style. We have so many hoops to jump through that some days I come in and I'm not excited to teach. All the computer activities just take us away from students." The administration doesn't seem to care about that. Recently, we English teachers had to get substitutes for our classes and attend an all-day technology session. An e-mail from the central office informed us that we would "examine methods for integrating technology to deepen student understanding by increasing rigor, creating relevance and building relationships with students and among students." Apparently administrators really do believe that computers are the key to building relationships. 
The human voice and face-to-face contact have been replaced by e-mail and Blackboard, a computer program that allows teachers and students to communicate via the Internet. I've always thought that in some ways schools should be like families, but as one experienced teacher puts it, "We're becoming like a correspondence school where all communication is faceless." You can walk around T.C. and peer into offices and classrooms and see administrators, guidance counselors and teachers staring at their computers instead of interacting with students. To some, T.C.'s principal of two years seems more comfortable in cyberspace than in face-to-face interaction. His preferred method of communicating with teachers seems to be via e-mail, and some say they think he doesn't know who they are or what they teach. I love my computer and all I can do with it; on the few days when it's been in for repairs, I've felt a bit lost at first, the way I do when I can't find my cellphone or my TiVo remote. But as classes go on, I feel much closer to my students without the distraction of the laptop. Of course, the big question isn't whether teachers like spending their time learning one new gizmo after another, but whether a parade of new technologies will help kids learn. From what I can see, that's not the case. Says one math teacher: "Math grows out of the end of a pencil. You don't want the quick answer; you want students to be able to develop the answer, to discover the why of it. The administration seems to think that computers will make math easy, but it has to be a painful, step-by-step process." A social studies teacher agrees. More than ever, he says, "our students want to push a button or click a mouse for a quick A, B or C answer. Fewer and fewer of them want to think anymore because good thinking takes time." I see the same thing in my classes, especially when it comes to writing essays. 
Many students send their papers in over the Internet, and while the margins are correct and the fonts attractive, the writing is worse than ever. It's as if the rule is: Write one draft, run spell check, hit "send" and pray. Alexandria isn't the only school system bitten by the technology bug. Many rushed into giving every student a laptop in the hopes of finding a quick fix to the technological and academic performance gaps between the well-to-do and those less so. But now, a number are abandoning the programs, saying there's no evidence that the laptops are helping students academically -- and that they may even be a distraction. North Point High School for Science, Technology and Industry in Waldorf went with ceiling-mounted LCD projectors but nixed the idea of laptops for all students. "Our philosophy is to have whatever technology our teachers want to do their jobs better available to them," Principal Kim Hill told me. "Technology is just a tool, not an end in itself. It will never replace good teaching." Are you listening, Alexandria? patrwelsh at gmail.com Patrick Welsh has taught English at T.C. Williams High School in Alexandria for more than 30 years.

From rforno at infowarrior.org Tue Feb 12 14:59:10 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 12 Feb 2008 09:59:10 -0500
Subject: [Infowarrior] - POGO: Army Missile Program Dependent on Flawed Contractor Plan
In-Reply-To:
Message-ID:

Army Missile Program Dependent on Flawed Contractor Plan February 12, 2008 Requirements Shortfalls Could Result in Weapon "Of Little Value" For Immediate Release Contact: Nick Schwellenbach, (202) 347-1122 For several years, the Army ceded its oversight to a contractor resulting in a situation where the Army lacked any means of ensuring that taxpayer money is well-spent and that weapons met requirements.
By relying on the contractor's plan instead of developing its own, the Army lacked ways to gauge the performance of the Raytheon Company, which led to a missile program that is not cost-effective, according to a recent Department of Defense Inspector General (DoD IG) December 2007 "For Official Use Only" audit obtained by POGO through the Freedom of Information Act. The Army's $623 million Surface-Launched Advanced Medium Range Air-to-Air Missile (SLAMRAAM) is a weapons system meant to protect U.S. ground forces from attacks from the air from unmanned aerial vehicles, cruise missiles, helicopters and planes. The DoD IG found that the Army needs to "rebaseline"—in other words, change the goals—of the contract due to "contractor technical difficulties" and "increased contract costs," stemming in large part from the Army's mismanagement of the program and its dependence on the contractor's inadequate plan. Raytheon's systems engineering management plan lacked criteria for the Army to review and manage progress on technical, cost and schedule goals, making it difficult to define success in meeting program requirements—a violation of DoD policy dated February 2004. In July 2007, the Army presented its own new draft plan in response to the DoD IG's probe. However, that draft also contains many of the same deficiencies as Raytheon's, according to the audit. The Army defended its delayed action since a key acquisition decision on SLAMRAAM preceded the February 2004 DoD policy by several months. The DoD IG held that the DoD policy "clearly explained the benefits" of developing an adequate plan early on, which would have helped the Army "more effectively manage the systems engineering process." The audit also states that even if "SLAMRAAM could fully meet all key performance parameters" that are currently spelled out, it could "still be of little value, if it cannot meet system effectiveness requirements." Further details of the point were redacted.
Furthermore, an additional DoD oversight agency, the Defense Contract Management Agency, failed to hew to its own instructions and guidelines. "As is often the case, the problem is not with the rules, but that so few people follow them. The all-too-predictable result is contractor failure," said Nick Schwellenbach, national security investigator at the Project On Government Oversight. For example, Boeing-Huntsville's subcontractor work on the SLAMRAAM control system increased by 67% from an original $18.9 million estimate to $31.5 million. Formal reporting from the DCMA office with oversight over Boeing-Huntsville to the DCMA office with responsibility for SLAMRAAM was non-existent, and the informal reporting was missing critical information—such as cost and schedule analysis. The DoD IG suggested that this had a role in the cost increase of Boeing's work, stating that it believes that "formalized reporting…would have given the project manager more meaningful information on the subcontractors' progress towards satisfying SLAMRAAM cost, schedule, and performance requirements." The final problem with the SLAMRAAM detailed by the DoD IG was inadequate guidance for assuring the security of information technology systems. Numerous problems "places the information contained in the SLAMRAAM system at greater risk of loss, misuse, or unauthorized access to or modification of the information contained in the system," the audit states. ### Founded in 1981, the Project On Government Oversight is an independent nonprofit which investigates and exposes corruption and other misconduct in order to achieve a more accountable federal government.
From rforno at infowarrior.org Tue Feb 12 18:36:11 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 12 Feb 2008 13:36:11 -0500
Subject: [Infowarrior] - Senate Moves to Shield Telecoms on Eavesdropping
Message-ID:

Senate Moves to Shield Telecoms on Eavesdropping By THE ASSOCIATED PRESS Published: February 12, 2008 Filed at 12:52 p.m. ET http://www.nytimes.com/aponline/us/AP-Terrorist-Surveillance.html?_r=2&hp&oref=slogin&oref=slogin WASHINGTON (AP) -- The Senate voted Tuesday to shield from lawsuits telecommunications companies that helped the government eavesdrop on their customers without court permission after the Sept. 11 terrorist attacks. After nearly two months of stops and starts, the Senate rejected by a vote of 31 to 67 a move to strip away a grant of retroactive legal immunity for the companies. President Bush has promised to veto any new surveillance bill that does not protect the companies that helped the government in its warrantless wiretapping program, arguing that it is essential if the private sector is to give the government the help it needs. About 40 lawsuits have been filed against telecom companies by people alleging violations of wiretapping and privacy laws. The Senate also rejected two amendments that sought to water down the immunity provision. One, co-sponsored by Republican Arlen Specter of Pennsylvania and Democrat Sheldon Whitehouse of Rhode Island, would have substituted the government for the telecoms in lawsuits, allowing the court cases to go forward but shifting the cost and burden of defending the program. The other, pushed by California Democrat Dianne Feinstein, would have given a secret court that oversees government surveillance inside the United States the power to dismiss lawsuits if it found that the companies acted in good faith and on the request of the president or attorney general. Full telecom immunity must still be approved by the House; its version of the surveillance bill does not provide immunity.
At issue is the government's post-9/11 Terrorist Surveillance Program, which circumvented a secret court created 30 years ago to oversee such activities. The court was part of the 1978 Foreign Intelligence Surveillance Act, a law written in response to government abuse of its surveillance authority against Americans. The surveillance law has been updated repeatedly since then, most recently last summer. Congress hastily adopted a FISA modification in August in the face of dire warnings from the White House that changes in telecommunications technology and FISA court rulings were dangerously constraining the government's ability to intercept terrorist communications. Shortly after its passage, privacy and civil liberties groups said the new law gave the government unprecedented authority to spy on Americans, particularly those who communicate with foreigners. That law expires Feb. 15, the deadline against which the Senate is now racing to pass a new bill. In a separate voice vote Tuesday, the Senate expanded the power of the court to oversee government eavesdropping on Americans. The amendment would give the Foreign Intelligence Surveillance Court the authority to monitor whether the government is complying with procedures designed to protect the privacy of innocent Americans whose telephone or computer communications are captured during surveillance of a foreign target. The bill would also require FISA court orders to eavesdrop on Americans who are overseas. Under current law, the government can wiretap or search the possessions of anyone outside the United States -- even a soldier serving overseas -- without court permission if it believes the person may be a foreign agent. ''You don't lose your rights when you leave American soil,'' Sen. Ron Wyden, D-Ore., said in an interview. Wyden wrote the provision into the bill when it was still being considered by the Senate Intelligence Committee.
''In the digital age, an American's rights shouldn't depend on their physical geography.'' The House approved its own update last fall. If the Senate passes its bill, differences between the two versions remain to be worked out, approved by both houses, and delivered to the president for his signature.

From rforno at infowarrior.org Tue Feb 12 18:46:59 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 12 Feb 2008 13:46:59 -0500
Subject: [Infowarrior] - Dodd Floor Speech on FISA
Message-ID:

Dodd: The Rule of Law, or the Rule of Men http://dodd.senate.gov/index.php?q=node/4265

From rforno at infowarrior.org Tue Feb 12 23:43:39 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 12 Feb 2008 18:43:39 -0500
Subject: [Infowarrior] - Bush administration touts rise in piracy cases, convictions
Message-ID:

February 11, 2008 1:40 PM PST Bush administration touts rise in piracy cases, convictions Posted by Anne Broache http://www.news.com/8301-10784_3-9869492-7.html Editor's note: This blog was updated at 6:58 a.m. PST Tuesday to add a link to the report. WASHINGTON--The Bush administration witnessed a "record" uptick in intellectual property-related investigations and prosecutions last year, according to a new government report released Monday. During the 2007 fiscal year, the U.S. Department of Justice filed 217 of those cases--up 7 percent from the 204 cases lodged in 2006 and 33 percent from the 169 such cases in 2005--according to the report (PDF) produced by the National Intellectual Property Law Enforcement Coordination Council. The NIPLECC, as it's known in Washington, consists of the Justice, State, Commerce, and Homeland Security departments and the Office of the U.S. Trade Representative. Of course, merely filing a case doesn't necessarily mean that the alleged culprit was ultimately found guilty.
But the report also found that the number of defendants sentenced for intellectual property-related crimes grew to 287, up from 213 in 2006 and 149 in 2005. To be sure, intellectual property-related enforcement actions represent just a tiny sliver of the Justice Department's overall work. To put those numbers into perspective, the Justice Department filed 719 drug-related cases and 572 "re-entry of deported aliens" cases in federal district courts during August 2007 alone, according to the latest government data compiled by the Syracuse University Transactional Records Access Clearinghouse. There's still much more work to be done on the antipiracy front, Deputy Assistant Attorney General Sigal Mandelker said during a Monday afternoon briefing on Capitol Hill. She said the Bush administration is still hoping that Congress will enact a set of sweeping intellectual-property law changes recommended last year. It would like politicians to criminalize "attempting" to infringe copyrights, permit wiretaps for piracy investigations, and increase penalties for intellectual-property violations, among other things. A controversial copyright bill pending in the U.S. House of Representatives Judiciary Committee would do some, but not all, of those things. "We're always evaluating our cases and what additional tools we need to enhance our ability to bring more cases, bigger cases, and to send the message to these criminals that if they perpetrate these crimes, they're going to face particularly stiff penalties," Mandelker said. The annual report also lists the following among the accomplishments of the Bush administration's antipiracy apparatus:
- Posting seven new "IP attachés" around the world--in Bangkok; Sao Paolo, Brazil; Cairo, Egypt; Moscow; New Delhi; and China.
Stationed in areas known for having intellectual-property enforcement "issues," they're designed to be ambassadors of sorts, helping work out agreements with foreign governments to beef up crackdowns on counterfeit and pirated goods.
- Launching educational campaigns to promote the importance of intellectual-property protection for small- and midsize businesses and at international trade fairs.
- Using international trade agreements to pressure other countries, most notably China and Russia, not to look the other way when piracy occurs.

From rforno at infowarrior.org Tue Feb 12 23:44:26 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 12 Feb 2008 18:44:26 -0500
Subject: [Infowarrior] - Is it time to consider PDF a threat?
Message-ID:

Is it time to consider PDF a threat? By Joel Hruska | Published: February 12, 2008 - 02:05PM CT http://arstechnica.com/news.ars/post/20080212-is-it-time-to-consider-pdf-a-threat.html Adobe released patches for its Reader and Acrobat programs last Wednesday, but there's reason to suspect that the company has closed the barn door long after the cattle fled. According to a blog entry at the SANS Internet Storm Center, this particular vulnerability has been exploited in the wild for several weeks. In this case, hackers use malicious banner ads as a host for an infected PDF. The PDF then installs the Zonebac Trojan, which sets to work deactivating antivirus products, modifying search results, and changing banner ads. Adobe's 8.12 update supposedly plugs the loopholes that the Zonebac delivery system exploited, but the company has declined to give any information on what, exactly, the update changed. The lack of information is disappointing (though not surprising), but Adobe's failure to address the issue in a timely manner raises questions about the firm's commitment to security.
An 18-day gap between the appearance of a verified exploit and the release of a patch isn't exactly impressive, and this particular issue had been on Adobe's radar for months. iDefense Labs first reported the existence of this particular buffer overflow vulnerability in early October 2007. The attack has raised some questions regarding the security of the PDF standard -- Symantec researcher Hon Lau discusses the relevant PDF vulnerability in his blog before rhetorically asking: "With more and more of these attacks happening, how much longer will it be before people implicitly attach a higher risk association to PDF files and avoid them altogether?" To answer his question, some of us already do. While there's not a whole lot of evidence suggesting that the PDF standard is under concerted attack, the mere existence of these exploits affects perception of them, and Adobe is doing itself no favors. Granted, we still know far, far more people who were infected via JPGs, DOCs, and the like, but this isn't Adobe's first high-profile security issue. Hon Lau covered a different cross-scripting attack that also exploited a PDF vulnerability back in January 2007. Ironically, Adobe recommended users update to Reader 8 as one way of solving the problem. Given the file format's popularity and ubiquity, Adobe has a very strong interest in keeping PDF as secure as possible; if it fails to do so, it opens the door for competing standards such as Microsoft's XML Paper Specification (XPS). These recent attacks, in and of themselves, aren't enough to steer businesses away from a trusted format they may have been using for decades, but Adobe may need to adjust the way in which it communicates with customers and the speed with which it delivers its security patches. PDF files have been traditionally represented as safe for download or viewing, which makes the need to stay ahead of hackers -- rather than nearly three weeks behind them -- all the more important.
From rforno at infowarrior.org Wed Feb 13 03:52:34 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 12 Feb 2008 22:52:34 -0500
Subject: [Infowarrior] - Comcast Defends Role As Internet Traffic Cop
Message-ID:

(Remember last week they changed their ToS to reflect such traffic shaping, and I said it was likely done to head off FCC investigations...... --rf) Comcast Defends Role As Internet Traffic Cop By Cecilia Kang Washington Post Staff Writer Wednesday, February 13, 2008; D01 http://www.washingtonpost.com/wp-dyn/content/article/2008/02/12/AR2008021202778_pf.html Comcast said yesterday that it purposely slows down some traffic on its network, including some music and movie downloads, an admission that sparked more controversy in the debate over how much control network operators should have over the Internet. In a filing with the Federal Communications Commission, Comcast said such measures -- which can slow the transfer of music or video between subscribers sharing files, for example -- are necessary to ensure better flow of traffic over its network. In defending its actions, Comcast stepped into one of the technology industry's most divisive battles. Comcast argues that it should be able to direct traffic so networks don't get clogged; consumer groups and some Internet companies argue that the networks should not be permitted to block or slow users' access to the Web. Comcast's FCC filing yesterday was in response to petitions to the agency by the consumer group Free Press and the online video provider Vuze, which claimed that the cable company was abusing its control over its network to impede video competition. Separately, the FCC began an investigation of Comcast's network practices after receiving those complaints. That review is ongoing, according to Comcast, which said it hasn't received any specific orders based on the complaints.
The FCC prohibits network operators from blocking applications but opens the door to interpretation with a footnote in a policy statement that provides for an exemption for "reasonable management." Rep. Edward J. Markey (D-Mass.), chairman of the House Energy and Commerce Committee's subcommittee on telecommunications and the Internet, plans to introduce a bill today calling for an Internet policy that would prohibit network operators from unreasonably interfering with consumers' right to access and use content over broadband networks. The bill also calls for the FCC to hold eight meetings around the nation to assess whether there is enough competition among network providers and whether consumers' rights are being upheld. "Our goal is to ensure that the next generation of Internet innovators will have the same opportunity, the same unfettered access to Internet content, services and applications that fostered the developers of Yahoo, Netscape and Google," Markey said in a written statement yesterday. The case with Comcast illustrates the high-stakes battle between those who argue that the Internet should remain open to all traffic, and the companies who argue that some governance of their networks is in the best interest of their customers. In its comments, Comcast said network controls are necessary, especially for heavy Web users. Specifically, the company imposes "temporary delays" of video, music and other files shared between computers using such technologies as BitTorrent. Comcast compared its practices to a traffic-ramp control light that regulates the entry of additional vehicles onto a freeway during rush hour. "One would not claim that the car is 'blocked' or 'prevented from entering the freeway; rather it is briefly delayed," the company's statement said. Marvin Ammori, the general counsel for Free Press, said Comcast's behavior is the second major example of a service provider overstepping its authority in an attempt to quash competition.
In March 2005, the FCC fined Madison River Communications for blocking calls by competitor Vonage, which provided free calls over the Internet. Ammori said that by interfering with video transfers, Comcast is trying to protect its television and On Demand video services. BitTorrent said Comcast should respond by increasing bandwidth on its networks and upgrading its systems rather than limiting how customers use its service. "It's like putting a Band-Aid on the problem to achieve a short-term fix," said Ashwin Navin, co-founder and president of San Francisco-based BitTorrent. From rforno at infowarrior.org Wed Feb 13 04:02:13 2008 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 12 Feb 2008 23:02:13 -0500 Subject: [Infowarrior] - Tagoo Emerging as the Russian Napster? Message-ID: Tagoo Emerging as the Russian Napster? By David Kravets February 12, 2008 | Categories: Copyrights and Patents http://blog.wired.com/27bstroke6/2008/02/tagoo-emerging.html Ever heard of Tagoo.ru? Until Tuesday, it wasn't on THREAT LEVEL's radar. But it appears to be a new site offering virtually any copyrighted music downloads for free. It's as easy to use as iTunes, minus the credit card. (Soon after this story was posted, the site was periodically crashing because of "too many connections," according to a warning.) The site, based in Russia, is on Tuesday's "hotlist" in the popular social-bookmarking site del.icio.us. The apparent popularity of the music-pilfering site underscores what is already largely known: Russia, like China, is often a haven for intellectual property piracy. John Kennedy, chairman and chief executive of the International Federation of the Phonographic Industry, noted that point two weeks ago when Swedish authorities charged four men in Sweden who operate The Pirate Bay, perhaps the world's most notorious avenue to free intellectual property.
"The Pirate Bay has managed to make Sweden, normally the most law abiding of EU countries, look like a piracy haven with intellectual property laws on a par with Russia," Kennedy said. The apparent popularity of Tagoo also shows that, for now, combating online piracy is like playing Whac-a-Mole. Each time the authorities nab a site, another takes its place. In Russia, for example, the authorities last summer shut down AllofMP3.com, which was selling dirt cheap downloads without the authorization of the rights holders. The Russians shuttered the site in a bid to win entry into the World Trade Organization. That site was quickly replaced by others, including Tagoo. And a week ago, a Denmark court ordered that country's largest internet service provider to stop offering The Pirate Bay, a BitTorrent tracking service that points the way to free music, movies, games, software and other material -- much of which is copyrighted. But The Bay reports that its traffic is up a dozen percent in Denmark, as BitTorrent users find other solutions to click onto the site. The Bay founders have also created thejesperbay, an alternative for its Denmark followers. What's more, days after the British authorities last year arrested the operator of OiNK, the popular music-sharing site, an even more popular site emerged: Waffles. Tens of thousands of people are feeding and seeding on that site. Let's not forget that the United States is home to plenty of piracy sites. Yet entertainment industry lawsuits against Napster, for example, have turned some of them into legit, fee paying music-downloading services. Other entertainment sites like TorrentSpy have blocked U.S.-based traffic because of litigation. The entertainment industry, which has sued thousands of individuals and web sites for copyright violations in the United States alone, claims California-based Seeqpod is a piracy vehicle, too.
It's a search engine that returns links containing "unauthorized and illegal copies of copyrighted music," according to a lawsuit by Warner Music Group. From rforno at infowarrior.org Wed Feb 13 12:56:09 2008 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 13 Feb 2008 07:56:09 -0500 Subject: [Infowarrior] - More on...Is it time to consider PDF a threat? In-Reply-To: Message-ID: ---------- Forwarded message ---------- From: security curmudgeon : Is it time to consider PDF a threat? : : By Joel Hruska | Published: February 12, 2008 - 02:05PM CT : : http://arstechnica.com/news.ars/post/20080212-is-it-time-to-consider-pdf-a-threat.html Article references and somewhat based on: http://www.symantec.com/enterprise/security_response/weblog/2008/02/pidief_a_byword_for_0day_explo.html Pidief, the Word for Exploits? Posted by Hon Lau on February 9, 2008 09:31 AM : The attack has raised some questions regarding the security of the PDF : standard. Symantec researcher Hon Lau discusses the relevant PDF : vulnerability in his blog before rhetorically asking: "With more and : more of these attacks happening, how much longer will it be before : people implicitly attach a higher risk association to PDF files and : avoid them altogether?" : : To answer his question, some of us already do. While there's not a whole : lot of evidence suggesting that the PDF standard is under concerted : attack, the mere existence of these exploits affects perception of : them, and Adobe is doing itself no favors. In case it wasn't rhetorical, and in case everyone else isn't aware, PDF documents are just as vulnerable as any other popular format these days.
According to OSVDB, a sampling:
41495 2008-02-07 Adobe Reader / Acrobat Unspecified JavaScript Methods Multiple Unspecified Overflows
41494 2008-02-07 Adobe Reader / Acrobat EScript.api Plug-in Crafted PDF Arbitrary Code Execution
41492 2008-02-05 Adobe Reader / Acrobat Multiple Unspecified Issues
35872 2007-03-07 Adobe Acrobat Reader AcroPDF.DLL Crafted .pdf URL Remote DoS
33897 2007-02-28 Adobe Reader PDF file:// URI Arbitrary File Access
32871 2007-01-17 Multiple Product Adobe PDF Specification Invalid Tree Node DoS
32870 2007-01-17 Multiple Product Adobe PDF Specification Malformed Catalog Dictionary DoS
31596 2007-01-03 Adobe Acrobat Reader Plugin PDF URL Memory Corruption DoS
31056 2006-12-27 Adobe Acrobat Reader Browser Plug-in for MSIE Malformed PDF Request DoS
31048 2006-12-27 Adobe Acrobat Reader Browser Plug-in PDF Handling Memory Corruption
31046 2006-12-27 Adobe Acrobat Reader Browser Plug-in PDF XSS
31047 2006-12-27 Adobe Acrobat Reader Browser Plug-in PDF CSRF
[..]
Apparently, security professionals were not taken seriously 15+ years ago when they warned not to open untrusted attachments (meaning ANY kind) from strangers. Word, Excel, PowerPoint, GIF, JPG, PDF .. doesn't matter. You double-click to open, you probably deserve what you get, unless you were one of the handful bitching at these vendors to deliver secure products. From rforno at infowarrior.org Wed Feb 13 12:57:57 2008 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 13 Feb 2008 07:57:57 -0500 Subject: [Infowarrior] - 5 things you need to know about laptop searches at U.S. Borders In-Reply-To: Message-ID: 5 things you need to know about laptop searches at U.S. borders By Jaikumar Vijayan February 12, 2008 Computerworld http://tinyurl.com/2ejwny A lawsuit filed last week over warrantless searches of laptops and other electronic devices at U.S. borders highlights an issue that all travelers, U.S.
citizens and others, need to be aware of when entering the country, according to the executive director of the Association of Corporate Travel Executives (ACTE). The suit was filed by the Electronic Frontier Foundation (EFF) and the Asian Law Caucus, two California-based civil rights groups. It asks the U.S. Department of Homeland Security (DHS) to disclose information on its policies for inspecting the contents of laptops and other electronic devices at the country's ports of entry. The lawsuit was prompted by what the two groups contended were the growing number of reports they were receiving from travelers who claimed to have been subjected to such searches. In most instances, the searches were conducted without apparent reason and with no details offered on what information might have been viewed or downloaded by customs officials, the suit alleged. Susan Gurley, executive director of the Alexandria, Va.-based ACTE, said that international travelers need to be aware of and prepared for such border searches, even though they are relatively rare. This is especially true because so far little is known about the DHS's policies relating to the practice and what it does with the information collected during searches of electronic devices, she said. "This is by far not an epidemic of any sort," Gurley said. "But we think people should know that they basically are leaving their right to privacy at the door when they cross the U.S. border. There is no assumption of privacy," at a port of entry, she said. Here are five factors Gurley says travelers should know about:
1. No evidence needed to take your laptop. Border agents do not need any evidence or suspicion of illegal activity to examine a laptop or other electronic device. Every time you cross the border, customs officials have the right to look at anything in your possession, including the content on your laptop, handheld device, cell phone, USB memory stick and digital cameras, Gurley said. They have the right to both view that information and to download or mirror it if they think it's necessary, she said.
2. Anything can be searched. Everything on an electronic device is open to search. This includes personal photographs, personal banking, any business documents and stored or unopened e-mail, Gurley said.
3. Your PC might not be returned right away. Seized devices may be kept for an indefinite period of time. Carry only a laptop or electronic device you can afford to lose or hand over for an unspecified period of time. Sensitive data should be sent by e-mail before crossing the border in case the data becomes unavailable if the device is seized, she said.
4. Don't take anything you don't want to share. Don't carry anything on these devices that could potentially embarrass you or that you don't want others to see, Gurley said. If it's information you don't want to share, don't carry it. That includes data such as personal banking information, photos, correspondence, health and password information. If the device is a company-owned computer, don't carry proprietary business information or personnel records on it, the ACTE advised.
5. Be cooperative. Cooperate with customs officials. Ask for a receipt and a badge number if your computer is seized. Try and get whatever information you can on the reason why it was seized. The goal is not to hide data from border officials or the U.S government, Gurley said. Rather, it is about being aware that your laptop and other electronic devices in your possession could be searched and to prepare for that eventuality, Gurley said.
ACTE's surveys in the past have shown that very few travelers are aware of the potential for such searches. "Our primary concern is to alert travelers that their laptops and other electronic devices can be seized at a border without explanation, provocation or even likely cause," she said. The lawsuit and the advice come at a time when U.S. courts have sent mixed messages on the constitutionality of such searches. In one case, the Appeals Court for the Ninth Circuit ruled that at a minimum, customs officials needed to have reasonable cause for conducting such searches. In another case, an appeals court ruled that such searches can be conducted without a warrant or reasonable cause. Both cases involved child pornography. From rforno at infowarrior.org Wed Feb 13 13:40:15 2008 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 13 Feb 2008 08:40:15 -0500 Subject: [Infowarrior] - More trademark yukks: Yoko sues "Lennon" Message-ID: Yoko sues "Lennon" Posted by Xeni Jardin, February 12, 2008 4:56 PM Yoko Ono, widow of former Beatles member John Lennon, is suing singer-songwriter (and Suicide Girl) Lennon Murphy for alleged "tarnishment" of John Lennon's name. Ms. Murphy's band is called Lennon, and she is attempting to register that band name as a trademark. Here's a PDF of the court papers, here's a snip from Lennon Murphy's response on her MySpace page. < - > http://www.boingboing.net/2008/02/12/yoko-sues-lennon.html From rforno at infowarrior.org Thu Feb 14 01:16:33 2008 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 13 Feb 2008 20:16:33 -0500 Subject: [Infowarrior] - Yahoo Is Said to Be in Talks With News Corp. Message-ID: February 13, 2008 Yahoo Is Said to Be in Talks With News Corp.
By ANDREW ROSS SORKIN and MIGUEL HELFT http://www.nytimes.com/2008/02/13/technology/13cnd-yahoo.html?hp=&pagewanted=print Yahoo has begun discussions with News Corporation to explore alternatives to Microsoft's buyout offer, people familiar with the talks said on Wednesday. The preliminary discussions stem from an approach Yahoo's bankers made to News Corporation last week as part of Yahoo's effort to find a "white knight" and avoid a hostile takeover by Microsoft. The talks, which were described by both sides as a "long shot," center on merging Fox's interactive assets, led by the social networking site MySpace, with Yahoo. News Corporation is participating in the talks, in part, because, as one participant said, "there's nothing to lose." Either News Corporation clinches a deal, or more likely, its interest pushes up the price of Yahoo for its competitor, Microsoft. The Microsoft bid, a mix of cash and stock, is now worth $42.1 billion. News Corporation had sought a similar merger with Yahoo last year, people involved in the talks said, but Yahoo rebuffed its overture before News Corporation ever made a formal bid. At the time, News Corporation had teamed up with Providence Equity Partners, a private equity firm that focuses on media companies. The latest round of discussions are unlikely to include Providence, these people said, though it remains possible. The conversations between Yahoo and News Corporation follow Yahoo's rejection of Microsoft's buyout offer on Monday. Yahoo said the offer, which was worth $44.6 billion when it was made public on Feb. 1, was too low. Following Yahoo's rejection, Microsoft vowed to press ahead with its bid, saying its offer was "full and fair." Representatives of Yahoo, Microsoft and News Corporation declined to comment on Wednesday. The existence of the talks was first reported by the Web site Silicon Alley Insider.
From rforno at infowarrior.org Thu Feb 14 01:17:35 2008 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 13 Feb 2008 20:17:35 -0500 Subject: [Infowarrior] - Bill Bars Web Traffic Discrimination Message-ID: Bill Bars Web Traffic Discrimination http://www.nytimes.com/aponline/technology/AP-Data-discrimination-Bill.html By THE ASSOCIATED PRESS Published: February 13, 2008 Filed at 3:57 p.m. ET WASHINGTON (AP) -- A Democratic lawmaker on Wednesday proposed legislation to stop network providers from playing traffic cop on the Internet. Rep. Edward Markey, D-Mass., chairman of the House Energy and Commerce Committee's subcommittee on telecommunications and the Internet, introduced the bill to promote the principle, known as ''Net neutrality,'' of treating all Internet traffic equally. Markey, who introduced similar legislation in 2006, said the bill doesn't regulate the Internet, only makes sure the rules of online engagement are fair. His spokeswoman said he wanted to defuse critics' arguments that the bill amounts to regulation, which she called inaccurate. ''It does, however, suggest that the principles which have guided the Internet's development and expansion are highly worthy of retention, and it seeks to enshrine such principles in the law as guide stars for U.S. broadband policy,'' Markey said of the Internet Freedom Preservation Act. Phone and cable companies say they want the freedom to charge content providers for access to the Internet's fast lane. Any legislation affirming Net neutrality, they argue, would harm investment and innovation in the Internet. The Hands Off the Internet coalition, whose members include AT&T, Qwest Communications International Inc. and others, said Markey's bill leaves regulatory fingerprints, regardless of what he calls it. Supporters of the bill, including Google and public interest groups, contend it just protects consumers without hamstringing development or driving up costs. The bill, co-sponsored by Rep.
Chip Pickering, R-Miss., requires the Federal Communications Commission to assess whether broadband providers are ''blocking, thwarting or unreasonably interfering'' with consumers' rights to access, send, receive or offer content, applications and services over networks. The FCC would also be required to determine whether providers charge extra for certain services and if it's lawful. The bill also requires the agency to hold at least eight summits around the country to get input from various groups about Internet service competition and services. An FCC spokesman declined to comment on pending legislation. The bill was drafted in response to reports that some companies, including Comcast Corp., are unfairly stifling communications over the Internet. Markey spokeswoman Jessica Schafer said the agency already has the authority to enforce such practices. She cited the agency's investigation of Philadelphia-based Comcast, the country's second-largest Internet provider. On Tuesday, Comcast told the FCC in formal comments that hampering some file-sharing by its subscribers was a justifiable way to keep Web traffic flowing for everyone. Consumer groups, lawmakers and other critics have complained that Comcast violated Net neutrality. The company declined to comment on Markey's bill. Schafer also said a North Carolina telephone company, Madison River Communications LLC, paid $15,000 to the FCC in 2005 to settle allegations it blocked phone lines that customers used to make calls over the Internet. Under the settlement, the company could not block Internet calls in the future, but did not admit to violating any rules. 
From rforno at infowarrior.org Thu Feb 14 04:01:01 2008 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 13 Feb 2008 23:01:01 -0500 Subject: [Infowarrior] - House Rejects Extension of Surveillance Act Message-ID: House Rejects Extension of Surveillance Act http://www.washingtonpost.com/wp-dyn/content/article/2008/02/13/AR2008021300959_pf.html By Paul Kane Washington Post Staff Writer Wednesday, February 13, 2008; 5:25 PM The House today overwhelmingly rejected an attempt by Democratic leaders to extend a controversial surveillance law by 21 days, increasing pressure on lawmakers to approve White House-backed legislation by the end of the week. The 229-191 vote to kill the extension followed a toughly worded veto threat from President Bush, who said he would reject any delay and urged the House to adopt surveillance legislation approved by the Senate Tuesday. "Terrorists are planning new attacks on our country...that will make Sept. 11 pale by comparison," Bush said. Today's vote is a setback for Democrats in the House, who oppose granting legal immunity from lawsuits to telecommunication providers who helped the government conduct a warrantless wiretapping program after the terrorist attacks more than six years ago. The Senate yesterday approved a sweeping measure that would expand the government's clandestine surveillance powers, delivering a key victory to the White House by approving the telecom immunity provision. On a 68 to 29 vote, the Senate approved the reauthorization of a law that would give the government greater powers to eavesdrop in terrorism and intelligence cases without obtaining warrants from a secret court. The Senate's action came days before a temporary surveillance law expires Friday, and set up a clash with House Democrats, who have previously approved legislation that does not contain immunity for the telecommunications industry. The chambers have been locked in a standoff over the immunity provision since the House vote Nov.
15, with President Bush demanding the protection for the industry. House leaders vowed again yesterday to oppose the telecom immunity provision until the White House releases more information about the controversial warrantless surveillance program it initiated shortly after the terrorist attacks. But Bush appeared before reporters this morning to applaud the Senate bill and warn House Democrats that he would not agree to any more extensions or temporary measures. "The time for debate is over," Bush said, noting that the Senate version of the bill has drawn some bipartisan support in the House and urging lawmakers to pass it immediately. "The lives of countless Americans depend on our ability to monitor these communications," Bush said. "We must be able to find out who the terrorists are talking to, what they are saying and what they are planning." The House and Senate bills both include major revisions to the 30-year-old Foreign Intelligence Surveillance Act, which established a secret court to issue warrants for domestic spying on suspects in terrorism and intelligence cases. The National Security Agency, however, secretly bypassed the court for years as it obtained information from telecommunication companies, until media reports revealed the arrangement. The most important change approved by the Senate yesterday would make permanent a law approved last August that expanded the government's authority to intercept -- without a court order -- the phone calls and e-mails of people in the United States communicating with others overseas. U.S. intelligence agencies previously had broad leeway to monitor the communications of foreign terrorism suspects but needed warrants to monitor calls intercepted in the United States, regardless of where they originated. 
The House and Senate versions of the new FISA provisions differ slightly, but leaders on both sides acknowledged that the major stumbling block is immunity for the telecommunications industry, which faces dozens of lawsuits for providing personal information to intelligence agencies without warrants. Senate Democrats' split on immunity echoes past party divisions over national security issues, including how strongly to confront Bush on the tools the administration uses to target suspected terrorists and their allies. "This is the right way to go, in terms of the security of the nation," said Sen. John D. Rockefeller IV (D-W.Va.), chairman of the intelligence committee, which wrote the Senate bill. Rockefeller was one of 17 Democrats who joined 49 Republicans and one independent to reject an amendment offered by Sen. Christopher J. Dodd (D-Conn.) that would have stripped the immunity provision from the bill. Two-thirds of the Democratic caucus opposed immunity. "It is inconceivable that any telephone companies that allegedly cooperated with the administration's warrantless wiretapping program did not know what their obligations were. And it is just as implausible that those companies believed they were entitled to simply assume the lawfulness of a government request for assistance," said Sen. Russell Feingold (D-Wis.), who co-sponsored the amendment. Sen. Barack Obama (D-Ill.), who is locked in a tight race with Sen. Hillary Rodham Clinton (D-N.Y.) for the Democratic presidential nomination, opposed immunity for the industry, along with the entire elected Democratic leadership team. Clinton, who has publicly opposed immunity in the past, was campaigning during yesterday's primaries and did not attend the vote. Sen. John McCain (R-Ariz.), the front-runner for the GOP nomination, supported the overall bill and the immunity provision. Neither Clinton nor Obama was on hand for the vote on final passage of the bill. McCain was. 
Congressional leaders have until Friday -- when a two-week extension of the temporary law that authorizes expanded surveillance powers expires -- to iron out differences between the House and Senate versions. Republican leaders in both chambers have pushed for passage of the Senate bill without a House-Senate conference. "I don't think there's a need to do a conference. This bill has been vetted and vetted and vetted," said Sen. Jon Kyl (R-Ariz.), the Republican whip. Rep. Lamar Smith (R-Tex.), the ranking Republican on the House Judiciary Committee, warned Democrats not to expect a softening of the administration's position. "I think the Democrats would be making a mistake if they felt the president was not going to be serious about vetoing any further extension or insisting that the immunity provisions be in there," Smith said. But House Democratic leaders continued pushing for more information about the warrantless spying that telephone companies aided after the 2001 attacks. Available documents on the program "raise important questions, and it will take some time to gather enough information to make a determination on the issue of retroactive immunity," House Intelligence Committee Chairman Silvestre Reyes (D-Tex.) said yesterday. Staff writers Michael Abramowitz and Debbi Wilgoren and washingtonpost.com staff writer Ben Pershing contributed to this report. From rforno at infowarrior.org Thu Feb 14 14:13:46 2008 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 14 Feb 2008 09:13:46 -0500 Subject: [Infowarrior] - Army blocks public access to ATDL Message-ID: (c/o Secrecy News) ARMY BLOCKS PUBLIC ACCESS TO DIGITAL LIBRARY Public access to the Reimer Digital Library, which is the largest online collection of U.S. Army doctrinal publications, has been blocked by the Army, which last week moved the collection behind a password-protected firewall. 
http://www.train.army.mil/ But today the Federation of American Scientists filed a Freedom of Information Act request asking the Army to provide a copy of the entire unclassified Library so that it could be posted on the FAS web site. http://www.fas.org/sgp/news/2008/02/reimer.pdf The Army move on February 6 marks the latest step in an ongoing withdrawal of government records from the public domain. "It was a policy decision to put it behind the AKO [Army Knowledge Online] firewall and to restrict public access," said Don Gough of the system development division at the Army Training Support Center at Fort Eustis, Virginia, which operates the Reimer Digital Library. The move came as a surprise since only unclassified and non-sensitive records had ever been made available at the Library site. Isn't it true, Secrecy News asked, that the only documents that had been accessible to the public were those that had been specifically... "'Approved for public release,' yes," said Mr. Gough, completing our sentence. "I understand your concern," he added. The FAS Freedom of Information Act request is intended to reverse the Army action. "We hope to restore public access to the Reimer Digital Library by obtaining all of its publicly releasable contents and posting that material on our own website," the FAS request explained. "Furthermore, in order to preserve the status quo, we expect to file regular FOIA requests for updates to the RDL two or three times a month, so that we may add them to our mirror site." "Alternatively, if the Army were to restore the prior level of public access to the RDL, that would fulfill this request and make future requests unnecessary," the FAS request stated. Among the many thousands of documents that were formerly available to the public on the Reimer Digital Library, two of the latest additions are these. 
"The Modular Force," Field Manual Interim FMI 3-0.1, January 2008: http://www.fas.org/irp/doddir/army/fmi3-0-1.pdf "Chemical, Biological, Radiological, Nuclear, and High Yield Explosives Operational Headquarters," Field Manual Interim FMI 3-90.10, January 2008: http://www.fas.org/irp/doddir/army/fmi3-90-10.pdf From rforno at infowarrior.org Thu Feb 14 21:42:54 2008 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 14 Feb 2008 16:42:54 -0500 Subject: [Infowarrior] - SSRN Article: Warrantless Location Tracking Message-ID: (c/o Pogowasright) Article: Warrantless Location Tracking Thursday, February 14 2008 @ 03:38 PM EST Contributed by: PrivacyNews News Section: Surveillance Samuel, Ian J., "Warrantless Location Tracking" . New York University Law Review, Vol. 83, No. 4, 2008 Abstract: The ubiquity of cell phones has transformed police investigation. Tracking a suspect's movements by following her phone is now a common but largely unnoticed surveillance technique. It is useful, no doubt, precisely because it is so revealing; it also raises significant privacy concerns. In this Note, Ian Samuel examines what the proper procedural requirements for these searches should be, by examining the relevant statutory and Constitutional law. Ultimately, the best standard is probable cause; only an ordinary warrant can satisfy the text of the statutes and the mandates of the Constitution. 
Full-text article available as a free download at SSRN http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1092293#PaperDownload From rforno at infowarrior.org Sat Feb 16 03:01:02 2008 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 15 Feb 2008 22:01:02 -0500 Subject: [Infowarrior] - James Bond-inspired submarine ready for launch Message-ID: James Bond-inspired submarine ready for launch http://www.abc.net.au/news/stories/2008/02/16/2164494.htm A car that can be driven underwater is set to be unveiled next month at the International Geneva Motor Show, the Swiss manufacturer of the prototype announced. The 'sQuba', reminiscent of James Bond's underwater car in the 1977 film The Spy Who Loved Me is, according to manufacturer Rinspeed, the world's first real submersible car. Rinspeed's head, Frank Rinderknecht, is a James Bond enthusiast who has dreamed of making the amphibious vehicle come true. "For three decades I have tried to imagine how it might be possible to build a car that can fly under water," said Mr Rinderknecht in a statement. "Now we have made this dream come true." The convertible sports car transforms into an underwater vehicle in which passengers breathe with the help of compressed air masks. "It is undoubtedly not an easy task to make a car watertight and pressure resistant enough to be manoeuvrable under water," said Mr Rinderknecht. "The real challenge however was to create a submersible car that moves like a fish in water." Propelled by electric motors, the car can descend up to 10 metres underwater.
Aesthetic appeal aside, the open-top design of the car is actually a safety feature that permits passengers to get out quickly during an emergency and avert the problem of excessive water pressure on the windows of a closed car.

The invention will be presented at the car show in Geneva, which opens to the press March 4 and runs for the public from March 6 to 16.

Rinspeed was not available to specify the sale price of the new model.

- AFP

From rforno at infowarrior.org Sat Feb 16 03:08:29 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 15 Feb 2008 22:08:29 -0500
Subject: [Infowarrior] - Protect America Act Debate: Truth or Fear Mongering?
Message-ID:

Protect America Act Debate: Truth or Fear Mongering?
By David Kravets
February 15, 2008 | 4:09:50 PM
http://blog.wired.com/27bstroke6/2008/02/protect-ameri-1.html

We all should be very scared -- very, very scared.

Beginning Saturday, those living on American soil are likely to suffer a "horrendous act." That's what Director of National Intelligence Mike McConnell told Americans on Friday. The reason is that the Democratic-controlled House of Representatives won't re-authorize President Bush's warrantless spying powers, which are expiring Saturday. The Senate did days ago, and even agreed to immunize telecommunications companies from lawsuits for assisting the administration.

"More than likely we would miss the very information we need to prevent some horrendous act from taking place in the United States," McConnell said.

President Bush has some bone chilling things to say as well. After the House on Wednesday refused to follow the Senate's footsteps and re-authorize the Protect America Act, which sunsets Saturday, the chief executive said Americans' lives were hanging in the balance.

"At this moment, somewhere in the world terrorists are planning new attacks on our country," the president said.
"Their goal is to bring destruction to our shores that will make Sept. 11 pale by comparison."

And on Friday, hours before the Protect America Act expires, Bush reiterated the point. "By blocking this piece of legislation, our country is more in danger of an attack," he said.

The verbiage from McConnell, Bush and a string of Republican lawmakers is, to say the least, frightening. The words are scary because they portend the end of civilization, as we know it. Has Nancy Pelosi, the House speaker from San Francisco, doomed us all?

Pelosi countered that the president was "misrepresenting the facts on our nation's electronic surveillance capabilities." Illinois Rep. Rahm Emanuel, who heads the House Democratic Caucus, said Friday that "This is not about protecting Americans. The president just wants to protect American telephone companies."

But what if Pelosi, Emanuel and other Democrats are wrong? What if Bush and company are telling the truth? What if it isn't fear mongering?

The Bush believers, however, are not flocking across the border. Do they not believe him? With the nation on the brink of destruction with Saturday's deadline looming, many Republican and Democratic lawmakers have left Washington and returned to their home districts for a 12-day Presidents' Day recess.

Perhaps the headlines of the pending apocalypse are simply headlines -- a regurgitation of post 9-11 political theater, and devoid of any real meaning to those who bother to read them.

At bottom, the debate is whether the nation's intelligence-gathering agencies need warrants -- from a secret court -- to snoop on suspected terrorists via telecommunication facilities within the United States. Starting on Saturday, the law brokered last year authorizing warrantless searches expires. But such warrantless spying has already occurred in a program the Bush administration authorized following the Sept. 11 attacks.
The president, as chief commander, maintains the Constitution grants him such powers notwithstanding the Fourth Amendment.

We all should be very scared -- very, very scared.

From rforno at infowarrior.org Sat Feb 16 03:24:43 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 15 Feb 2008 22:24:43 -0500
Subject: [Infowarrior] - USG shuts down "best-of-web" economicindicators.gov
Message-ID:

.....not seen any MSM news stories mentioning this, but given the current US economic climate, you have to wonder the rationale behind this decision. Budget considerations? They're still collecting the data.....and besides, it's not *that* expensive to maintain a website in 2008. --rf

Administration shuts down "best-of-web" economicindicators.gov
Wed, 2008-02-13 21:29 -- jrjacobs
http://freegovinfo.info/node/1627

Forbes has awarded EconomicIndicators.gov one of its "Best of the Web" awards. As Forbes explains, the government site provides an invaluable service to the public for accessing U.S. economic data:

This site is maintained by the Economics and Statistics Administration and combines data collected by the Bureau of Economic Analysis, like GDP and net imports and exports, and the Census Bureau, like retail sales and durable goods shipments. The site simply links to the relevant department's Web site. This might not seem like a big deal, but doing it yourself -- say, trying to find retail sales data on the Census Bureau's site -- is such an exercise in futility that it will convince you why this portal is necessary.

Yet the Bush administration has decided to shut down this site because of "budgetary constraints," effective March 1.
Here's a cross-section of the data available:

Advance Monthly Sales for Retail and Food Services
Advance Report on Durable Goods
Construction Put in Place
Corporate Profits
Current Account Balance (International Transactions)
Gross Domestic Product
Housing Vacancies and Homeownership
Manufacturer's Shipments, Inventories, and Orders
Manufacturing and Trade: Inventories and Orders
Manufacturing and Trade: Inventories and Sales
Monthly Wholesale Trade
New Residential Construction
New Residential Sales
Personal Income and Outlays
Quarterly Financial Report
Quarterly Services
Retail E-Commerce Sales
U.S. International Trade in Goods and Services
U.S. International Transactions

From rforno at infowarrior.org Sat Feb 16 14:38:12 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 16 Feb 2008 09:38:12 -0500
Subject: [Infowarrior] - White House objects to plan for .gov P2P security
Message-ID:

White House objects to plan for .gov P2P security
Posted by Anne Broache
http://www.news.com/8301-10784_3-9872366-7.html

WASHINGTON--The Bush administration on Thursday questioned a proposed law that would force federal agencies to develop specific plans for guarding government computers and networks against "risks" posed by peer-to-peer file sharing.

The Democratic-sponsored bill, called the Federal Agency Data Protection Act, contains a section asking federal agencies to report to Congress what "technological" (e.g., software and hardware) and "nontechnological" methods (such as employee policies and user training) they would employ to ensure peer-to-peer file-sharing programs do not harm the security of government systems.
The proposal, introduced late last year, is the latest manifestation of congressional Democrats' concern about the perils of so-called "inadvertent" file-sharing--that is, when inexperienced or uninformed peer-to-peer users set their applications to share folders containing sensitive files without realizing they're doing so.

At a hearing last summer, Rep. Henry Waxman, chairman of the House of Representatives Committee on Oversight and Government Reform, said such a practice can pose a national security threat and warned of plans for new legislation. He and others grilled the founder of Lime Wire, a popular P2P application, about how his service warns users about the files and folders they're poised to share.

At the time, a Federal Trade Commission official told politicians that it has found any risks are largely rooted in how individuals use the technology. The Bush administration appears to be backing up that view.

Without naming the peer-to-peer file-sharing provision in particular, Karen Evans, the federal government's chief information officer, told a House information policy subcommittee that she objects to singling out a particular technology when issuing computer security requirements.

"While we recognize that technologies that are improperly implemented introduce increased risk, we recommend any potential changes to the statute be technology-neutral," Evans said at the sparsely attended hearing, which barely lasted an hour.

Federal agencies are already required to report on information security plans and risks annually under a law known as the Federal Information Security Management Act, or FISMA. Based on those plans, members of Congress have taken to issuing a yearly "report card" assessing agencies' status.

Without ever mentioning the Democrats' bill, Rep. Tom Davis (R-Va.), FISMA's original author, said he agreed that a "technology-neutral" approach, which refrains from being "overly prescriptive," is the best way to go.
Davis went on to urge passage of his own federal computer security bill, which passed the last Republican-controlled House but died in the Senate. It would require federal agencies to give "timely" notice to Americans if their sensitive personal information is compromised, as there's currently no legal requirement that they do so.

Some security experts warned the committee that piling on paperwork for federal agencies, as FISMA requires, isn't necessarily the most efficient way to improve security. Alan Paller, director of research for the Sans Institute, which does computer security training, said agencies need more guidance on what security-related steps to prioritize, rather than just a long list of items to complete.

"We want to avoid a 'check the box' mentality," added Tim Bennett, president of the Cyber Security Industry Alliance, a trade group that represents security technology vendors.

Still, Bennett said his group "strongly" supports the latest bill and its peer-to-peer network section. "File-sharing can give users access to a wealth of information but it also has a number of security risks," he said. "You could download viruses or other malicious code without meaning to. Or you could mistakenly allow other people to copy files you don't mean to share."

From rforno at infowarrior.org Sat Feb 16 14:39:10 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 16 Feb 2008 09:39:10 -0500
Subject: [Infowarrior] - BitTorrent Developers Introduce Comcast Busting Encryption
Message-ID:

BitTorrent Developers Introduce Comcast Busting Encryption
Written by Ernesto on February 15, 2008
http://torrentfreak.com/bittorrent-devs-introduce-comcast-busting-encryption-080215/

Several BitTorrent developers have joined forces to propose a new protocol extension with the ability to bypass the BitTorrent interfering techniques used by Comcast and other ISPs.
This new form of encryption will be implemented in BitTorrent clients including uTorrent, so Comcast subscribers are free to share again.

BitTorrent throttling is not a new phenomenon, ISPs have been doing it for years. When the first ISPs started to throttle BitTorrent traffic most BitTorrent clients introduced a countermeasure, namely, protocol header encryption. This was the beginning of an ongoing cat and mouse game between ISPs and BitTorrent client developers, which is about to enter a new level.

Unfortunately, protocol header encryption doesn't help against more aggressive forms of BitTorrent interference, like the Sandvine application used by Comcast. A new extension to the BitTorrent protocol is needed to stay ahead of the ISPs, and that is exactly what is happening right now.

Back in August we were the first to report that Comcast was actively disconnecting BitTorrent seeds. Comcast of course denied our allegations, and ever since there has been a lot of debate about the rights and wrongs of Comcast's actions. On Wednesday, Comcast explained their BitTorrent interference to the FCC in a 57-page filing. Unfortunately they haven't stopped lying yet, since they now argue that they only delay BitTorrent traffic, while in fact they disconnect people, making it impossible for them to share files with non-Comcast users.

In short, the Comcast interference works like this: A few seconds after you connect to someone in a BitTorrent swarm, a peer reset message (RST flag) is sent by Comcast and the upload immediately stops. Most vulnerable are users in a relatively small swarm where you only have a couple of peers you can upload the file to.

For the networking savvy people among us, here's an example of real RST interference (video) on a regular BitTorrent connection. In this case, the reset happens immediately after the bitfields are exchanged. Evil? Yes - but there is hope.
The goal of this new type of encryption (or obfuscation) is to prevent ISPs from blocking or disrupting BitTorrent traffic connections that span between the receiver of a tracker response and any peer IP-port appearing in that tracker response, according to the proposal.

"This extension directly addresses a known attack on the BitTorrent protocol performed by some deployed network hardware. By obscuring the ip-port pairs network hardware can no longer easily identify ip-port pairs that are running BitTorrent by observing peer-to-tracker communications. This deployed hardware under some conditions disrupts BitTorrent connections by injecting forged TCP reset packets. Once a BitTorrent connection has been identified, other attacks could be performed such as severely rate limiting or blocking these connections."

So, the new tracker peer obfuscation technique is especially designed to be a workaround for throttling devices, such as the Sandvine application that Comcast uses. More details on the proposal can be found at BitTorrent.org, which aims to become a coordination platform for BitTorrent developers.

TorrentFreak talked to Ashwin Navin, president and co-founder of BitTorrent Inc. who has some of his employees working on the new extension. He told us: "There are some ISPs who would like people to believe that 'slowing down' BitTorrent or 'metering' bandwidth consumption serves the greater good. Consumers should be very wary of this claim."

"In recent months, consumers enjoyed unprecedented participation in the political process thanks to the ability to upload opinions and feedback in the YouTube presidential debates. Musicians, filmmakers and artists are finding ways to connect with their audiences across the world thanks to MySpace and BitTorrent. Students are engaging with interactive learning tools in their schools. Which bandwidth intensive application will be banned or shaped or metered next by these ISPs?
The creative spirit of millions has been ignited, and our need to participate, to communicate will not be silenced."

"The US government should encourage ISPs to innovate and invest in their networks," Ashwin said. "Permitting them to interfere or interrupt in the communications of consumers, to protect ISP profit margins, would be a tremendous setback for our country and economy, when we are already slipping behind the first world (UK, EU, Japan, Korea, Singapore, etc) in its broadband capacity."

We wholeheartedly agree with Ashwin on this one, as we've said before. The Internet is only a few years old, if the plan is to keep using it in the future, ISPs need to upgrade their networks. So, invest in more Internet gateway capacity, 10Gbps interconnect ports, and peering agreements. BitTorrent users are not the problem, they only signal that the ISPs need to upgrade their capacity, because customers will only get more demanding in the future. The Internet is not only about sending email, and browsing on text based websites anymore.

The new protocol extension is still under development, but the goal is of course, to get it out as soon as possible.

From rforno at infowarrior.org Sat Feb 16 20:28:00 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 16 Feb 2008 15:28:00 -0500
Subject: [Infowarrior] - Homeland Security's War on Babies
Message-ID:

http://www.msnbc.msn.com/id/23185937/

Baby detained, dies in Honolulu airport
Child had been flown in for emergency heart surgery, official says
updated 1:39 p.m. ET, Fri., Feb. 15, 2008

PAGO PAGO, American Samoa - American Samoa's delegate to the U.S. Congress is calling for an investigation into the death of a baby at Honolulu International Airport.

Delegate Eni Faleomavaega has asked the Department of Homeland Security to begin an investigation into the death of 14-day-old Michael Tony Futi last Friday.

The baby had been flown to Honolulu for emergency heart surgery.
He died while detained inside a customs' room at the Honolulu airport with his mother and a nurse.

A lawyer for the family announced plans to sue the federal government over the baby's death.

Faleomavaega called for the probe in a letter issued to Homeland Security chief Michael Chertoff.

From rforno at infowarrior.org Sat Feb 16 20:29:30 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 16 Feb 2008 15:29:30 -0500
Subject: [Infowarrior] - F.B.I. Received Unauthorized E-Mail Access
Message-ID:

February 17, 2008
F.B.I. Received Unauthorized E-Mail Access
By ERIC LICHTBLAU
http://www.nytimes.com/2008/02/17/washington/17fisa.html

WASHINGTON -- A technical glitch gave the F.B.I. access to the e-mail messages from an entire computer network -- perhaps hundreds of accounts or more -- instead of simply the lone e-mail address that was approved by a secret intelligence court as part of a national security investigation, according to an internal report of the 2006 episode.

F.B.I. officials blamed an "apparent miscommunication" with the unnamed Internet provider, which mistakenly turned over all the e-mail from a small e-mail domain for which it served as host. The records were ultimately destroyed, officials said.

Bureau officials noticed a "surge" in the e-mail activity they were monitoring and realized that the provider had mistakenly set its filtering equipment to trap far more data than a judge had actually authorized.

The episode is an unusual example of what has become a regular if little-noticed occurrence, as American officials have expanded their technological tools: government officials, or the private companies they rely on for surveillance operations, sometimes foul up their instructions about what they can and cannot collect.
The problem has received no discussion as part of the fierce debate in Congress about whether to expand the government's wiretapping authorities and give legal immunity to private telecommunications companies that have helped in those operations.

But an intelligence official, who spoke on condition of anonymity because surveillance operations are classified, said: "It's inevitable that these things will happen. It's not weekly, but it's common."

A report in 2006 by the Justice Department inspector general found more than 100 violations of federal wiretap law in the two prior years by the Federal Bureau of Investigation, many of them considered technical and inadvertent.

Bureau officials said they did not have updated public figures but were preparing them as part of a wider-ranging review by the inspector general into misuses of the bureau's authority to use so-called national security letters in gathering phone records and financial documents in intelligence investigations.

In the warrantless wiretapping program approved by President Bush after the Sept. 11 terrorist attacks, technical errors led officials at the National Security Agency on some occasions to monitor communications entirely within the United States -- in apparent violation of the program's protocols -- because communications problems made it difficult to tell initially whether the targets were in the country or not.

Past violations by the government have also included continuing a wiretap for days or weeks beyond what was authorized by a court, or seeking records beyond what were authorized.

The 2006 case appears to be a particularly egregious example of what intelligence officials refer to as "overproduction" -- in which a telecommunications provider gives the government more data than it was ordered to provide.

The problem of overproduction is particularly common, F.B.I. officials said. In testimony before Congress in March 2007 regarding abuses of national security letters, Valerie E.
Caproni, the bureau's general counsel, said that in one small sample, 10 out of 20 violations were a result of "third-party error," in which a private company "provided the F.B.I. information we did not seek."

The 2006 episode was disclosed as part of a new batch of internal documents that the F.B.I. turned over to the Electronic Frontier Foundation, a nonprofit group in San Francisco that advocates for greater digital privacy protections, as part of a Freedom of Information Act lawsuit the group has brought. The group provided the documents on the 2006 episode to The New York Times.

Marcia Hofmann, a lawyer for the privacy foundation, said the episode raised troubling questions about the technical and policy controls that the F.B.I. had in place to guard against civil liberties abuses.

"How do we know what the F.B.I. does with all these documents when a problem like this comes up?" Ms. Hofmann asked.

In the cyber era, the incident is the equivalent of law enforcement officials getting a subpoena to search a single apartment, but instead having the landlord give them the keys to every apartment in the building.

In February 2006, an F.B.I. technical unit noticed "a surge in data being collected" as part of a national security investigation, according to an internal bureau report.

An Internet provider was supposed to be providing access to the e-mail of a single target of that investigation, but the F.B.I. soon realized that the filtering controls used by the company "were improperly set and appeared to be collecting data on the entire e-mail domain" used by the individual, according to the report.

The bureau had first gotten authorization from the Foreign Intelligence Surveillance Court to monitor the e-mail of the individual target 10 months earlier, in April 2005, according to the internal F.B.I. document. But Michael Kortan, an F.B.I.
spokesman, said in an interview that the problem with the unfiltered e-mail went on for just a few days before it was discovered and fixed.

"It was unintentional on their part," he said.

Mr. Kortan would not disclose the name of the Internet provider or the network domain because the national security investigation, which is classified, is continuing.

The improperly collected e-mail was first segregated from the court-authorized data and later was destroyed through unspecified means. The individuals whose e-mail was collected apparently were never informed of the problem.

Mr. Kortan said he could not say how much e-mail was mistakenly collected as a result of the error, but he said the volume "was enough to get our attention."

Peter Eckersley, a staff technologist for the Electronic Frontier Foundation who reviewed the documents, said it would most likely have taken hundreds or perhaps thousands of extra messages to produce the type of "surge" described in the F.B.I.'s internal reports.

Mr. Kortan said that once the problem was detected the foreign intelligence court was notified, along with the Intelligence Oversight Board, which receives reports of possible wiretapping violations.

"This was a technical glitch in an area of evolving tools and technology and fast-paced investigations," Mr. Kortan said. "We moved quickly to resolve it and stop it. The system worked exactly the way it's designed."

From rforno at infowarrior.org Sun Feb 17 04:05:10 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 16 Feb 2008 23:05:10 -0500
Subject: [Infowarrior] - Microsoft 'Frees' Office Formats
Message-ID:

www.internetnews.com/dev-news/article.php/3728596

Microsoft 'Frees' Office Formats
By Stuart J. Johnston
February 15, 2008

Microsoft this week officially gave developers the right to freely use code and specifications for translating between its older proprietary Office file formats and Office 2007's newer XML formats without fear of being sued.
At the same time, company officials must be sitting on pins and needles as a key meeting over whether or not its newer formats will become an international standard looms.

Microsoft officials announced today that they have placed the older Office binary file format specifications for Word, Excel and PowerPoint (.doc, .xls, .ppt) under the company's Open Specification Promise (OSP). The OSP is a legal program whereby Microsoft promises not to sue developers who use specifications that it puts under the program's aegis.

Documentation for the formats has been available by request on a royalty free basis for a while, but putting it under the OSP gives developers cover from lawsuits.

"By making these specifications easier to access, others will be able to build products or tools that will be able to convert documents from the binary file formats to Open XML," a Microsoft spokesperson said in a statement e-mailed to InternetNews.com.

Additionally, the company announced that an open source project to produce free translator code to convert from the older formats to the newer ones is now live on the SourceForge code repository site. That project, which is being sponsored by Microsoft, had also been scheduled to start this week. The code produced under the project will be available under the Berkeley Software Distribution (BSD) open source license, according to company statements.

Both moves are part of an effort by Microsoft to preserve its dominance in the Office productivity market even as it evolves its products to reflect its emerging software-plus-services strategy.

Billions and Billions

With a reputed 500 million copies of Office in use worldwide, a key underlying issue for corporations and governments has become the literally billions of documents that are stored in the original Office binary file formats.
For archive purposes, many users have a continuing need to have access to those files, and thus a need to be able to translate them into the newest formats, or into an industry standard interchangeability format. Particularly in the case of governments, documents may be required to be archived for hundreds of years.

Indeed, many local, state, national and international governments are actively in the process of establishing policies that every document must be easily retrievable using standardized formats.

In fact, as supporters like to point out, there is already an international standard for document interchange. Advocates of that standard, the OpenDocument Format or ODF, are pushing governments virtually everywhere to adopt it as the only standard for document storage and retrieval -- and to reject similar standardization of Microsoft's competing formats.

Among ODF supporters' arguments: massive numbers of existing documents are stored in Microsoft's older proprietary formats and could become inaccessible if, for instance, Microsoft went out of business sometime in the future, or simply decided to eliminate support for the formats.

Indeed, that is a very real fear that ODF supporters say could easily become a reality. When Microsoft released Office 2003 Service Pack 3 last summer, it blocked access to those older binary formats for what officials said were security reasons. Following an outcry in January, the company backed off and restored access to those blocked formats.

Translators already exist to convert Microsoft's current Office formats -- known as Office Open XML (OOXML) -- into ODF and vice versa. In addition, at least one converter is available from Sun Microsystems that can convert Office 2003 and earlier binary formats into ODF.

These latest moves are primarily attempts for Microsoft to get a leg up in the standards arena, according to one analyst.
"Getting translators out kind of undercuts the point that the older files aren't accessible," Rob Helm, research director at analysis firm Directions on Microsoft, told InternetNews.com. "Making sure there are translators available will help Microsoft's standardization efforts," he added.

The existence of translators for the older binary format files may also help Microsoft in its efforts to convince government customers not to mandate a move to ODF which, of course, is what the company hopes to head off.

"In the case of governments ... it may make the [legacy] binary file format documents more acceptable," Helm said.

The Standards Struggle Continues

Microsoft has been struggling to get OOXML adopted by the International Organization for Standardization (ISO). However, a move to give it ISO "fast track" approval fell short in balloting by ISO member countries in September.

Since then, European standards organization Ecma International has been shepherding OOXML through what is called the "ballot resolution" process. That is, OOXML could still soon become an ISO standard -- if a raft of technical objections made by the voting countries can be resolved.

Ecma, which has already adopted OOXML as a standard on its own, and Microsoft, have been working at a gallop since last summer's balloting to address all of the objections. A weeklong meeting to decide whether all the objections -- more than 3,000 of them -- have been resolved is scheduled to begin in Geneva, Switzerland on February 25.

Once the objections are resolved -- if they can be resolved -- there will not be another round of voting. Instead, each nation that voted in September will have 30 days to notify ISO officials that it has changed its vote. If enough countries change their votes against adopting OOXML, then it will become a standard.

If not, Microsoft and Ecma can still resubmit OOXML through a longer more formal process at another time -- but it's unclear how long such a process could take.
From rforno at infowarrior.org Sun Feb 17 16:53:51 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 17 Feb 2008 11:53:51 -0500
Subject: [Infowarrior] - The Web is Dangerous, Google Warns
Message-ID:

The Web is Dangerous, Google Warns
Robert McMillan, IDG News Service
Sat Feb 16, 8:30 AM ET
http://tinyurl.com/3xv3bb

The Web is scarier than most people realize, according to research published recently by Google.

The search engine giant trained its Web crawling software on billions of Web addresses over the past year looking for malicious pages that tried to attack their visitors. They found more than 3 million of them, meaning that about one in 1,000 Web pages is malicious, according to Niels Provos, a senior staff software engineer with Google.

These Web-based attacks, called "drive-by downloads" by security experts, have become much more common in recent years as firewalls and better security practices by Microsoft have made it harder for worms and viruses to directly attack computers.

In the past year the Web sites of Al Gore's "An Inconvenient Truth" movie and the Miami Dolphins were hacked, and the MySpace profile of Alicia Keys was used to attack visitors.

Criminals are getting better at this kind of work. They have built very successful automated tools that poke and prod Web sites, looking for programming errors and then exploit these flaws to install the drive-by download software. Often this code opens an invisible iFrame page on the victim's browser that redirects it to a malicious Web server. That server then tries to install code on the victim's PC.

"The bad guys are getting exceptionally good at automating those attacks," said Roger Thompson, chief research officer with security vendor Grisoft.

In response, Google has stepped up its game. One of the reasons it has been scouring the Web for malicious pages is so that it can identify drive-by-download sites and warn Google searchers before they visit them.
Nowadays about 1.3 percent of all Google search queries list malicious results somewhere on the first few pages.

Some of the data surprised Provos. "When we started going into this I had the firm intuition that if you go to the sleazier parts of the Web, you are in more danger," he said.

It turns out the Web's nice neighborhoods aren't necessarily safer than its red-light districts. "We looked into this and indeed we found that if you ended up going to adult-oriented pages, your risk of being exposed [to malicious software] was slightly higher," he said. But "there really wasn't a huge difference."

"Staying away from the disreputable part of the Internet really isn't good enough," he noted.

Another interesting finding: China was far and away the greatest source of malicious Web sites. According to Google's research, 67 percent of all malware distribution sites are hosted in China. The second-worst offender? The U.S., at 15 percent, followed by Russia, (4 percent) Malaysia (2.2 percent) and Korea (2 percent).

It costs next-to-nothing to register a Web domain in China and service providers are often slow to shut down malicious pages, said Thompson. "They're the Kleenex Web sites," he said. Criminals "know they're going to be shut down, and they don't care."

Malicious site operators in China fall into two broad categories, Thompson said: fraudsters looking to steal your banking password, and teenagers who want to steal your World of Warcraft character.

So how to stop this growing pestilence? Google's Provos has this advice for Web surfers: Turn automatic updates on. "You should always run your software as updated as possible and install some kind of antivirus technology," he said.

But he also thinks that Webmasters will have to get smarter about building secure Web sites. "I think it will take concentrated efforts on all parts," for the problem to go away, he said.
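The article describes the injected "invisible iFrame" that redirects a visitor's browser off-site. The following is an added example (not from the article, Google or any vendor) of how a webmaster might scan their own pages for that pattern: an iframe that is both hidden (zero or one-pixel size, display:none, visibility:hidden, or pushed off-screen) and whose src points to a host other than the page's own. The HTML and hostnames below are constructed for illustration.

```python
"""Flag hidden, off-site iframes in page HTML (a defender's check for
injected drive-by redirects). Added example; sample page is constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline CSS patterns that make an element effectively invisible.
_HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none"
    r"|visibility\s*:\s*hidden"
    r"|(?:width|height)\s*:\s*0*[01]px"
    r"|(?:left|top)\s*:\s*-\d{3,}px",   # positioned far off-screen
    re.I,
)


def _tiny(value):
    """True if a width/height attribute is 0 or 1 (bare number or px)."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)\s*(px)?\s*$", value)
    return bool(m) and int(m.group(1)) <= 1


class _IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # Valueless attributes parse as None; normalise to "".
            self.iframes.append({k: (v or "") for k, v in attrs})


def find_suspicious_iframes(html, page_host):
    """Return iframes that are hidden AND load from a host other than
    page_host. Each finding records the src, its host and why it was flagged."""
    parser = _IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        # Relative src (no host) resolves to the page's own host.
        host = urlparse(src).hostname or page_host
        reasons = []
        if _tiny(attrs.get("width")) or _tiny(attrs.get("height")):
            reasons.append("zero/one-pixel size")
        if _HIDDEN_STYLE.search(attrs.get("style", "")):
            reasons.append("hidden by inline style")
        if reasons and host != page_host:
            findings.append({"src": src, "host": host, "reasons": reasons})
    return findings


# Constructed sample page: one visible embed, one hidden same-site widget
# (benign), and two hidden cross-site frames of the kind the article describes.
# "attacker.example" / "other.example" are placeholder hostnames.
SAMPLE_PAGE = """<html><body>
<h1>Welcome</h1>
<iframe src="https://www.example.com/ads/banner.html" width="300" height="250"></iframe>
<iframe src="/help/widget.html" width="0" height="0"></iframe>
<iframe src="http://attacker.example/x.html" width="1" height="1"
        style="visibility:hidden"></iframe>
<iframe src="http://other.example/t.html" style="position:absolute; left:-5000px"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in find_suspicious_iframes(SAMPLE_PAGE, "www.example.com"):
        print(f["host"], "<-", f["src"], "|", ", ".join(f["reasons"]))
```

The same-site zero-size frame is deliberately not reported, so a page that legitimately hides its own helper frames does not drown the real finding.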
From rforno at infowarrior.org Sun Feb 17 16:57:31 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 17 Feb 2008 11:57:31 -0500
Subject: [Infowarrior] - US Comptroller (and GAO head) resigns, citing accountability concerns
Message-ID:

Watchdog resigns over accountability
From correspondents in Washington
February 16, 2008 03:57am
Article from: Agence France-Presse
http://www.news.com.au/story/0,23599,23223292-23109,00.html#

THE head of the audit and investigative arm of the US Congress announced his resignation Friday, citing "real limitations" on what he could do.

A respected voice on fiscal matters, David Walker said he was making an early departure from the US Government Accountability Office (GAO) to head a new public interest foundation.

"As Comptroller General of the United States and head of the GAO, there are real limitations on what I can do and say in connection with key public policy issues, especially issues that directly relate to GAO's client - the Congress," Mr Walker said.

He did not elaborate but Walker last year issued an unusually downbeat assessment of his country's future in a report that drew parallels with the end of the Roman empire.

He had warned that the US government was on a "burning platform" of unsustainable policies and practices with fiscal deficits, chronic healthcare underfunding, immigration and overseas military commitments threatening a crisis if action was not taken soon.

There were striking similarities between America's current situation and the factors that brought down Rome, he had said. These included "declining moral values and political civility at home, an over-confident and over-extended military in foreign lands and fiscal irresponsibility by the central government."

"This was a very difficult decision for me," Mr Walker said Friday of his decision to leave the GAO, which he joined in November for what was to be a 15-year term of office. His resignation would be effective March 12.
He said he would become president and chief executive officer of the newly established Peter G. Peterson Foundation, which would educate and activate Americans while supporting sensible policy solutions on various issues.

"My new position will provide me with the ability and resources to more aggressively address a range of current and emerging challenges facing our country," he said.

"This move will enable me to sharpen my messages and bring focus and attention to the fiscal and other key sustainability challenges that I and others have been discussing during the past several years," he said.

From rforno at infowarrior.org Mon Feb 18 17:13:28 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 18 Feb 2008 12:13:28 -0500
Subject: [Infowarrior] - USPS Tracking: A New Privacy issue?
Message-ID:

(wonder what newfangled 'homeland security' applications will be included in this USPS-tracking system.........rf)

Postal Service Sees Simplicity in 31 Digits
By Stephen Barr
Monday, February 18, 2008; D01
http://www.washingtonpost.com/wp-dyn/content/article/2008/02/17/AR2008021701801_pf.html

The U.S. Postal Service is launching a 31-digit bar code that will permit business customers -- advertisers, catalogue and credit card companies -- to track their mail, from the drop-off at a post office to delivery at a home or office.

The project is called Intelligent Mail, and it holds the potential to let companies know if customers are telling the truth when they say the check is in the mail.

"Intelligent mail is like having a GPS system for mail," Postmaster General John E. Potter said when he announced the project last year.

Potter has pushed since the summer of 2002 for a way to track commercial mail as it travels through the postal network. The effort is on the fast track now, and the Postal Service plans to launch the system in January 2009. A federal notice has been published, and the public has until Thursday to file comments and concerns.
Big bucks are riding on the bar code. The nation's business mailers qualify for less-expensive mail rates if they bundle their letters, packages and magazines in ways that reduce sorting and delivery time for the post office. Bar codes are the key to getting the discounted postage rates, currently valued at about $18 billion.

With the new bar code, companies will be able to track mail delivery and know when their customers got a bill, solicitation or product, and the Postal Service will have another way of checking that mail is being delivered on time.

Companies also will be given a chance to buy data collected by the post office that will give them insights into how customers respond to advertising and marketing. A company, for instance, can buy a television or newspaper ad to tout a new product, follow up with an announcement in the mail and get a sense of how well the ad is connecting with customers.

The data, postal executive Thomas G. Day said, should help companies answer such questions as: "When I get it to you on this day, what is your response? Do you actually go to my Web site that day? Do you go to my retail store that day or within a day or two?"

The Postal Service's primary interest, however, is in using the intelligent mail bar code to bring more efficiency to its operations and increase the value of mail for companies that are tempted to hawk their wares through e-mail and Internet ads.

At the start, the bar code project involved officials in the Postal Service's technology, engineering, operations and marketing divisions, who were basically working on their piece of the project without much coordination. Potter quickly saw that such a fragmented approach carried too much risk.

"Jack was the visionary here," said Day, senior vice president for intelligent mail and address quality. "He understood he needed a particular focus on this to drive it forward, because it was such a cross-functional activity."
Although some commercial mailers sending letters, magazines and catalogues have been using the intelligent mail bar code for the last two years on a voluntary basis, the Postal Service intends to make the 31-digit code mandatory next January.

Eleven of the digits will show the destination Zip code. Companies also can use from six to nine digits to identify themselves as the sender and assign a number to each of their customers.

The new bar code will consolidate information carried in other bar codes used by the Postal Service for the last two decades. Those codes are used for certified mail, for automated sorting of letters to the exact sequence used by the letter carrier when delivering mail, to identify the sender of a piece of mail and to provide certain services.

With all those codes, it "was beginning to be a pretty ugly-looking piece of mail," Day said. "It just had a lot of stuff on it, and it was getting to be complex, in managing the systems. So the vision was, let's get out of this multiple code environment and down to a single code."

The mailing industry is looking forward to the new bar code, said John Campo, vice president for postal relations at Pitney Bowes, which specializes in mail technology. "The service that the Postal Service provides is not always consistent across the board, and this will allow them to focus on areas of weak performance as compared to their stellar performance," he said.

Under current plans, large volume mailers, such as credit card companies, retailers and magazines, will send the Postal Service an electronic manifest, describing what they will be mailing. They also will make an electronic appointment, so the Postal Service knows which mail center will be getting the mass mailing and at what time.

The new bar code will be on trays, sacks and tubs used to hold mail in postal facilities and on large pallets and containers used for shipping mail.
Mail handlers, using handheld scanners, will be able to more quickly direct mail to the right truck for the right destination. They will get an electronic alert if the manifest suggests mail did not get put on a truck.

As for the general public, Day said he is uncertain as to whether individuals see any need for real-time tracking of first-class letters, noting that the Postal Service already provides delivery confirmation for packages and that most bill payments and birthday cards arrive on time.

"The question is, do we need to build an intelligent mail, unique solution for individual customers?" he said. "We can. I don't yet see the reason to do it. But if the demand is there, we'll build it."

Stephen Barr's e-mail address is barrs at washpost.com.

From rforno at infowarrior.org Mon Feb 18 17:18:01 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 18 Feb 2008 12:18:01 -0500
Subject: [Infowarrior] - Satellite spotters often learn too much for government's comfort
Message-ID:

International Herald Tribune
Satellite spotters often learn too much for government's comfort
By John Schwartz
Tuesday, February 5, 2008
http://www.iht.com/bin/printfriendly.php?id=9749953

When the government announced last month that a top-secret spy satellite would, in the next few months, come falling out of the sky, officials said that there was little risk to people because satellites fall out of orbit fairly frequently and much of the planet is covered by oceans.

But they said precious little about the satellite itself. Such information came instead from Ted Molczan, a hobbyist who tracks satellites from his apartment balcony in Toronto, and fellow satellite spotters around the world.

They have grudgingly become accustomed to being seen as "propeller-headed geeks" who "poke their finger in the eye" of the government's satellite spymasters, Molczan said, taking no offense. "I have a sense of humor," he said.
Molczan, a private energy-conservation consultant, is the best known of the satellite spotters who, needing little more than a pair of binoculars, a stopwatch and star charts, uncover some of the deepest of the government's expensive secrets and share them on the Internet.

Thousands of people form the spotter community. Many look for historical relics of the early space age, working from publicly available orbital information. Others watch for phenomena like the distinctive flare of sunlight glinting off bright solar panels of some telephone satellites. Still others are drawn to the secretive world of spy satellites, with about a dozen hobbyists who do most of the observing, Molczan said.

In the case of the mysterious satellite that is about to plunge back to Earth, Molczan had an early sense of which one it was, identifying it as USA-193, which gave out shortly after reaching space in December 2006. It is said to have been built by Lockheed Martin and operated by the secretive National Reconnaissance Office. Another hobbyist, John Locker of England, posted photos of the satellite on a Web site, galaxypix.com.

John Pike, director of GlobalSecurity.org, a private group in Alexandria, Virginia, that tracks military and space activities, said the hobbyists exemplified fundamental principles of openness and of the power of technology to change the game.

"It has been an important demystification of these things," Pike said, "because I think there is a tendency on the part of these agencies just to try to pretend that they don't exist, and that nothing can be known about them."

But the spotters are also pursuing a thoroughly different pastime, one that calls for long hours outside, freezing in the winter and sweating in the summer, straining to see a moving light in the sky and hoping that a slip of the finger on the stopwatch does not delete an entire night's work. And for the adept, there is math. Lots of math.
"It's somewhat time-consuming and tedious," Molczan said, acknowledging that the very precise and methodical activities might seem, to the uninitiated, "a close approximation to work." When a new spy satellite is launched, the hobbyists will collaborate on sightings around the world to determine its orbit, and even guess at its function, sharing their information through the e-mail network SeeSat-L, which can be found via the Web site satobs.org. >From his balcony, or the 32nd-floor roof of his building, Molczan will peer through his binoculars at a point in the sky he expects the satellite to cross, which he locates with star charts. When it appears, he measures the distance it travels across the patch of sky over time, which he can use to calculate factors like speed and direction. Locker said people like him and Molczan were not, as he put it, "nerdy buffs who lie on our backs and look into the sky and try to undermine governments." Spotting, he said, is simply a hobby. "There are people who look at train timetables and go watch trains," he said. People are drawn to what interests them, he said, and "it's what draws people to any hobby." While recent news coverage has focused on the current satellite's threat to people when it falls from above, that threat is, statistically, very small. Even when the space shuttle Columbia broke up over Texas five years ago and rained debris over two states, no one on the ground was injured. Gordon Johndroe, a spokesman for the National Security Council, noted that 328 satellites had come down in the past five years without injury to anyone on the ground. While Johndroe declined to divulge much about the current satellite aside from the fact that it carries no nuclear material, he said that the government would take responsibility in the remote chance of damage or injury. The government's relationship with the hobbyists is not a comfortable one. 
Spokesmen for the National Reconnaissance Office have stated that they would prefer the hobbyists not publish their information and suggest that foreign countries try to hide their activities when they know an eye in the sky will be passing overhead. The satellite spotters acknowledge that this may be so, though they doubt such tactics are effective.

Molczan said he believed that the hobbyists hurt no one but that "you can't say with absolute certainty what effect you're having."

Despite the many clever ways the spy agencies try to minimize the likelihood that their satellites will be spotted, Pike said, it will continue to happen. And that, he said, is a valuable warning: a world with so many eyes on the skies renders deep secrets shallow.

"If Ted can track all these satellites," Pike said, "so can the Chinese."

From rforno at infowarrior.org Mon Feb 18 17:21:43 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 18 Feb 2008 12:21:43 -0500
Subject: [Infowarrior] - California Court shuts down Wikileaks.org
Message-ID:

Wikileaks Under Attack: California Court Wipes Wikileaks.org Out of Existence
by stephen soldz
Mon Feb 18, 2008 at 06:20:15 AM PST

One of the most important web sites in recent months has been Wikileaks.org. Wikileaks has upset the Chinese government enough that they are attempting to censor it, as is the Thai military junta. Wikileaks is now under attack from a censorship effort by a California court.

< - >

http://dailykos.com/storyonly/2008/2/18/91556/1784/766/458936

From rforno at infowarrior.org Mon Feb 18 19:07:55 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 18 Feb 2008 14:07:55 -0500
Subject: [Infowarrior] - ConsumerMan: Sleazy auto warranty scam
Message-ID:

(Something I'm dealing with now after being stalked for a few weeks by Acura, who I used to hold in a high regard.
Funny how their letters and calls never quoted price or what the policy covers in any detail, and they refused to email/fax me information before I commit. Sorry, I don't work that way! --rf)

ConsumerMan: Sleazy auto warranty scam
If you get a call offering extended coverage, hang up and then complain
By Herb Weisbaum
updated 3:08 p.m. ET, Fri., Feb. 15, 2008

One of the most obnoxious and deceptive marketing campaigns I have ever seen is taking place right now. It uses postcards, letters, and phone calls to sell outrageously priced extended warranties.

The mailings look like an important notice from your car dealer or automaker. There is always an eye-catching warning on the front of the card, such as: "Final Notice: Expiring Auto Warranty."

Marla Wolfe gets a couple postcards a week telling her she needs to renew her car warranty. "I bought my car without an extra warranty," she tells me, "so there's nothing to renew."

The postcards are annoying enough. Now there are constant phone calls trying to sell her an extended warranty. Wolfe received five calls in one day.

"It's out of control," she says. "It's constant. It's non-stop. I don't know what to do. I don't want their product. I don't want to be scammed into whatever they're trying to sell. If this keeps up I'll go insane."

Gari Weinraub's phone number is on the national Do Not Call Registry. And yet, she gets at least one of these warranty calls a day. Weinraub knows the warranty on her 1990 Honda isn't about to expire. It did that a long time ago.

Even worse, these sales calls are on her cell phone, a number she considers so private only family and a few friends have it. Federal regulations prohibit sales calls like these to cell phones.

"I hate it," Weinraub says. "It's an invasion of my privacy."

These sales calls are going out at all hours of the day and night.
I have spoken to a number of people who had their phones ring at 4 a.m., a clear violation of federal regulations that prohibit sales calls before 8:00 a.m. local time.

Complaints pour in

The bulk of the companies doing this are located near St. Louis. The Better Business Bureau of Eastern Missouri and Southern Illinois lists 92 extended warranty companies in that area. They are responsible for a huge number of complaints from across the country.

Many of the complaints deal with deceptive advertising and high-pressure sales tactics. Unhappy customers say they could not cancel and get a refund as the salesperson promised on the phone.

Some people who buy the warranty find that they have problems using it. According to Chris Thetford with the St. Louis BBB, potential customers are told their extended warranty covers all kinds of repairs. "In fact," he says, "a very, very limited range of things are covered."

Missouri Attorney General Jay Nixon is now investigating many of the companies selling these warranties in his state. We should know in a few weeks if his office decides to take any legal action.

ConsumerMan's undercover call

I have received a bunch of these warranty expiration notices, so I decided to respond to one from Vehicle Services in St. Peters, Mo. I gave the salesman, Corey, my real name and valid information about my car.

Before he would give me the price, Corey passed me off to Chris, the program director. Chris explained that this was a one-time deal and if I said no, their computer system would "automatically delete" my files at the end of the phone call. That was clearly designed to put pressure on me to make an on-the-spot decision.

Now it was Corey's turn to close the deal. He had good news. I "qualified" for full coverage: four years or 48,000 miles. And he was going to waive the vehicle inspection. By activating my coverage today, I would get 20 percent off the retail price.
With that discount, the cost of the four-year coverage was $3,110 or $777 a year. Corey offered a variety of payment plans and pointed out several times that this was not a contract. "You are not obligating yourself to anything," he kept saying.

"Can you guys send me this policy, so I can see all this in writing and I can get back to you?" I asked.

"We don't actually send out any paperwork without receiving a down payment," Corey explained. He said once I paid, the policy would be mailed to me within seven to 10 business days.

Needless to say, I did not buy anything. Instead, I called back and identified myself as a reporter, but no one would talk to me.

A bad deal all around

Like most consumer advocates, Robert Krughoff, president of checkbook.org, advises car owners to skip extended warranties because they are rarely worth the money. He is appalled at the idea of buying one this way.

"You would never want to buy an extended service contract without seeing in writing exactly what's covered and what you have to do to make a claim," Krughoff says.

What about the great price Vehicle Services offered me? Krughoff calls it "outrageous." By comparison, my car dealer would sell me a three-year/36,000 mile extended warranty for $1,795 or $598 a year. As Krughoff pointed out, as with everything at a car dealer, that price was negotiable.

My two cents

The companies using these deceptive and sleazy sales tactics must be stopped and brought to justice. They are making a mockery of the Do Not Call Registry and the government's rules regarding telemarketing sales.

If you are the recipient of one of these sales calls, file a complaint with the Federal Trade Commission. The government has the power to sue these companies, fine them, and make them stop any misleading sales practices.

©
2008 MSNBC Interactive
URL: http://www.msnbc.msn.com/id/23147777/

From rforno at infowarrior.org Tue Feb 19 03:40:44 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 18 Feb 2008 22:40:44 -0500
Subject: [Infowarrior] - OpEd: The invasion of America
Message-ID:

The invasion of America
http://www.latimes.com/news/opinion/la-oe-napolitano18feb18,0,1665050.story
Creeping intrusions against our privacy rights are an assault on the Constitution.
By Andrew P. Napolitano
February 18, 2008

When President Nixon was in his pre-Watergate heyday, he ordered the FBI and the CIA to electronically monitor the private behavior of his domestic political adversaries. Shortly after Nixon resigned, investigators discovered hundreds of reports of break-ins and secret electronic surveillance. None of it was authorized by warrants, and thus all of it was illegal. But it had been conducted pursuant to the president's orders.

Nixon's defense was, "When the president does it, that means that it is not illegal." He made that infamous statement in a TV interview years after he left office, but the attitude espoused was obviously one he embraced while in the White House. He, like his present-day successor, rejected the truism that the 4th Amendment of the Constitution, which prohibits the government from conducting electronic surveillance of anyone without a search warrant issued by a judge based on probable cause of a crime, restrains the president.

In response to the abuses during the Nixon administration, Congress enacted the Foreign Intelligence Surveillance Act, or FISA, in 1978. The law provides that no electronic surveillance may occur by anyone in the government at any time under any circumstances for any reason other than in accordance with law, and no such surveillance may occur within the U.S. of an American other than in accordance with the 4th Amendment.
The 4th Amendment was written in response to the Colonial experience whereby British soldiers wrote their own search warrants, thus literally authorizing themselves to enter the private property of colonists. The amendment has been uniformly interpreted by the courts to require a warrant by a judge; and judges can only issue search warrants after government agents, under oath, have convinced the judges that it is more likely than not that the things to be seized are evidence of crimes. This standard of proof is called probable cause of crime. It is one of only two instances in which the founders wrote a rule of criminal procedure into the Constitution itself, surely so that no Congress, president or court could tamper with it.

FISA also created the bizarre, constitutionally questionable procedure in which federal agents could appear in front of a secret court and, instead of presenting probable cause of a crime in order to obtain a search warrant, would only need to present probable cause that the target of the warrant was an agent of a foreign government. The foreign government could be friendly or it could wish us ill, but no illegal or even anti-American behavior need be shown. Subsequent amendments to this statute removed the "agency" requirement and demanded only that the target be a person physically present in the U.S. who was not born here and is not an American citizen, whether working for a foreign government or not.

The FISA statute itself significantly -- and, in my opinion, unconstitutionally -- lowered the 4th Amendment bar from probable cause of "crime" to probable cause of "status." However, in order to protect the 4th Amendment rights of the targets of spying, the statute erected a so-called wall between gathering evidence and using evidence. The government cannot constitutionally prosecute someone unless it has evidence against him that was obtained pursuant to probable cause of a crime, a standard not met by a FISA warrant.
Congress changed all that. The Patriot Act passed after 9/11 and its later version not only destroyed the wall between investigation and prosecution, they mandated that investigators who obtained evidence of criminal activity pursuant to FISA warrants share that evidence with prosecutors. They also instructed federal judges that the evidence thus shared is admissible under the Constitution against a defendant in a criminal case. Congress forgot that it cannot tell federal judges what evidence is admissible because judges, not politicians, decide what a jury hears.

Then the Bush administration and Congress went even further. The administration wanted, and Congress has begrudgingly given it, the authority to conduct electronic surveillance of foreigners and Americans without even a FISA warrant -- without any warrant whatsoever. The so-called Protect America Act of 2007, which expired at the end of last week, gave the government carte blanche to spy on foreign persons outside the U.S., even if Americans in the United States with whom they may be communicating are spied on -- illegally -- in the process. Director of National Intelligence J. Michael McConnell told the House Judiciary Committee last year that hundreds of unsuspecting Americans' conversations and e-mails are spied on annually as a consequence of the warrantless surveillance of foreigners outside the United States.

So where does all this leave us? Even though, since 1978, the government has gotten more than 99% of its FISA applications approved, the administration wants to do away with FISA altogether if at least one of the people whose conversations or e-mails it wishes to monitor is not in the U.S. and is not an American.

Those who believe the Constitution means what it says should tremble at every effort to weaken any of its protections. The Constitution protects all "persons" and all "people" implicated by government behavior.
So the government should be required, as it was until FISA, to obtain a 4th Amendment warrant to conduct surveillance of anyone, American or not, in the U.S. or not. If we lower constitutional protections for foreigners and their American correspondents, for whom will we lower them next?

Andrew P. Napolitano, a New Jersey Superior Court judge from 1987 to 1995, is the senior judicial analyst at the Fox News Channel. His latest book is "A Nation of Sheep."

From rforno at infowarrior.org Tue Feb 19 03:41:51 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 18 Feb 2008 22:41:51 -0500
Subject: [Infowarrior] - Amtrak unveils new security measures
Message-ID:

Amtrak to unveil new security measures including random bag screening
By SARAH KARUSH | Associated Press Writer
3:49 PM CST, February 18, 2008
http://www.chicagotribune.com/travel/chi-amtrak-security-measures-story,0,3042844.story

WASHINGTON - Amtrak passengers will have to submit to random screening of carry-on bags in a major new security push that will include officers with automatic weapons and bomb-sniffing dogs patrolling platforms and trains, the railroad planned to announce Tuesday.

The initiative is a significant shift for Amtrak. Unlike the airlines, it has had relatively little visible increase in security since the 2001 terrorist attacks, a distinction that has enabled it to attract passengers eager to avoid airport hassles.

Amtrak officials insist their new procedures won't hold up the flow of passengers.

"On-time performance is a key element of Amtrak service. We are fully mindful of that. This is not about train delays," Bill Rooney, the railroad's vice president for security strategy and special operations, told The Associated Press.

Nor will the moves require passengers to arrive at stations far in advance, officials said. Passengers who are selected randomly for the screening will be delayed no more than a couple of minutes, Amtrak chief executive Alex Kummant said.
"We're very conscious of the fact that you're in an environment where commuters have minutes to go from train to train," he said. Concern about Amtrak security has been mounting since the 2004 bombings of commuter trains in Madrid that killed 191 people. Trains also have been bombed in London, where 52 people were killed in a series of blasts in 2005, most of them on subway trains, and in Mumbai, India, where 200 people were killed in 2006 on commuter trains. Russia also has had several bombings on subway, commuter and long-distance trains. The new procedures draw heavily on measures being used in the New York City subways, Rooney said. That model has been upheld in court challenges, he noted. Amtrak plans to roll out the new "mobile security teams" first on the Northeast Corridor between Washington and Boston, the railroad's most heavily used route, before expanding them to the rest of the country. The teams will show up unannounced at stations and set up baggage screening areas in front of boarding gates. Officers will randomly pull people out of line and wipe their bags with a special swab that is then put through a machine that detects explosives. If the machine detects anything, officers will open the bag for visual inspection. Anybody who is selected for screening and refuses will not be allowed to board and their ticket will be refunded. In addition to the screening, counterterrorism officers with bomb-sniffing dogs will patrol platforms and walk through trains, and sometimes will ride the trains, officials said. Tim Connors, director of the Center for Policing Terrorism at the Manhattan Institute, said rail systems require a completely different approach to security from the one used in aviation. "Rail moves a lot more people than air does," he said. "It's designed to be an open system that can move a lot of people fast." Connors said random screening could be effective. 
"A random approach is actually more effective than a constant one," he said, adding that when procedures don't change, it's easier for would-be terrorists to find weak spots. Amtrak hopes the new force can serve as a powerful deterrent to would-be terrorists. "What we are trying to do is make sure the bad guys know we're out there but don't know where we'll be, or when," Rooney said. Amtrak did not provide figures for the program's cost, but said its total security budget -- including police, security strategy and emergency preparedness -- is about $60 million. The railroad has about 400 security personnel, including about 300 sworn police officers, Kummant said. Amtrak's previous passenger screening consisted of sporadic identification checks by train conductors, which the railroad says it plans to continue. Passengers also are required to show ID when buying tickets from station agents, though there is no such requirement from passengers buying tickets from self-serve kiosks. The Transportation Security Administration is also expected to continue sporadic deployments to stations around the country. Amtrak has received a number of federal grants aimed at boosting security, but officials said there was no specific mandate to implement the changes. "There is no new or different specific threat," Kummant said. "This is just the correct step to take." ------ On the Net: Amtrak: http://www.amtrak.com/ From rforno at infowarrior.org Tue Feb 19 14:10:40 2008 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 19 Feb 2008 09:10:40 -0500 Subject: [Infowarrior] - Study rejects Internet sex predator stereotype Message-ID: Study rejects Internet sex predator stereotype URL: http://www.msnbc.msn.com/id/23226497/ Social networking sites do not appear to expose teens to greater risks By Julie Steenhuysen Reuters updated 6:46 p.m. ET, Mon., Feb. 
18, 2008 CHICAGO - The typical online sexual predator is not someone posing as a teen to lure unsuspecting victims into face-to-face meetings that result in violent rapes, U.S. researchers said on Monday. Rather, they tend to be adults who make their intentions of a sexual encounter quite plain to vulnerable young teens who often believe they are in love with the predator, they said. And contrary to the concerns of parents and state attorneys general, they found social networking sites such as Facebook or MySpace do not appear to expose teens to greater risks. "A lot of the characterizations that you see in Internet safety information suggests that sex offenders are targeting very young children and using violence and deception against their victims," said Janis Wolak of the Crimes Against Children Research Center at the University of New Hampshire in Durham. "Especially since social networking sites became popular, people are suggesting that these offenders are using information to stalk and abduct their victims," said Wolak, whose study appears in the journal American Psychologist. "We are not seeing those types of cases," Wolak said in a telephone interview. Instead, she said most cases arise from risky online interactions such as talking online about sex to strangers. "The great majority of cases we have seen involved young teenagers, mostly 13-, 14-, 15-year-old girls who are targeted by adults on the Internet who are straightforward about being interested in sex," she said. The study was based on telephone interviews with 3,000 Internet users between the ages of 10 and 17 done in 2000 and again in 2005. The researchers also conducted more than 600 interviews with federal, state and local law enforcement officials in the United States. They also combed through data from similar studies. They found Internet offenders pretended to be teenagers in only 5 percent of the crimes studied. 
They also found nearly 75 percent of victims who met their offenders in person did so on more than one occasion. Wolak said Internet predators use instant messages, e-mail and chat rooms to meet and develop intimate relationships with their victims. "From the perspective of the victim, these are romances," she said. Wolak said teens who engaged in risky online behaviors (having buddy lists that included strangers, discussing sex online with strangers, being rude online) were much more likely to be targeted. "One of the big factors we found is that offenders target kids who are willing to talk to them online. Most kids are not," Wolak said. U.S. state attorneys general have been working with privately held Facebook and NewsCorp's MySpace to protect users from registered sex offenders. But Wolak said it is important for parents and children to have a clear picture of who these predators are. "If everybody is looking for violent predators lurking in the bushes, kids who are involved in these relationships aren't going to be seeing what is happening to them as a crime," she said. Copyright 2008 Reuters. From rforno at infowarrior.org Tue Feb 19 19:59:30 2008 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 19 Feb 2008 14:59:30 -0500 Subject: [Infowarrior] - Computer software terms 'unfair' Message-ID: Computer software terms 'unfair' Some of the world's biggest computer firms have been accused of imposing unfair contracts on customers who buy their software. The National Consumer Council (NCC) has accused 17 firms, including Microsoft, Adobe and Symantec, of using unfair "end user licence agreements" (EULAs). The NCC has asked the Office of Fair Trading to launch an investigation. The NCC said the firms' EULAs were misleading customers into "signing away legal rights". 
"Software rights-holders are shifting the legal burden on to consumers who buy computer programmes, leaving them with less protection than when they buy a cheap Biro," said Carl Belgrove of the NCC. "Consumers can't have a clue what they're signing up to when some terms and conditions run to 10 or more pages. "There's a significant imbalance between the rights of the consumer and the rights of the holder," he added. 'Legal responsibility' As one of the firms named by the NCC, Microsoft said it had not seen the details of the report and was unable to comment. But it added that it was committed to dealing "fairly" with consumers and addressing any concerns they might have. The NCC looked at 25 software packages and said that in 17 instances, the packaging did not tell potential buyers they would have to sign an EULA in order to use it. While some contained the EULA inside an instruction manual, or let it be read online, this was only after the software had been bought. "This means that consumers are unable to make informed decisions before they buy a product, yet are being forced to take on an unknown level of legal responsibility," said the NCC. After examining the contents of the EULAs, the NCC also said that some contained potentially unfair clauses. Story from BBC NEWS: http://news.bbc.co.uk/go/pr/fr/-/2/hi/business/7252707.stm Published: 2008/02/19 15:20:51 GMT © BBC MMVIII From rforno at infowarrior.org Tue Feb 19 20:01:09 2008 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 19 Feb 2008 15:01:09 -0500 Subject: [Infowarrior] - Why are MS file formats so complicated? Message-ID: Why are the Microsoft Office file formats so complicated? http://www.joelonsoftware.com/items/2008/02/19.html From rforno at infowarrior.org Tue Feb 19 20:02:26 2008 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 19 Feb 2008 15:02:26 -0500 Subject: [Infowarrior] - Black Hat Descends on Washington Message-ID: Black Hat Descends on Washington Hackers flock to D.C. 
during this week's conference to talk government, security and going on the defense -- for a change. http://www.internetnews.com/security/article.php/3728856 February 19, 2008 By Sean Michael Kerner: More stories by this author: WASHINGTON, D.C. -- The name "Black Hat" for years has been synonymous with shadowy hacker activities. Many also know that the term refers to the popular annual security conference of the same name, long held in Sin City itself -- Las Vegas. This week, however, the Black Hats aren't flocking to Vegas. Instead, they're meeting in the heart of the federal government: Washington, D.C., a setting that makes for a very different type of security conference. "It's almost the 'white hat' Black Hat, with much more focus on defense than offense," said Brian Chess, founder and chief scientist at enterprise security player Fortify Software. Chess is no stranger to either Black Hat or Washington. His firm is a partner with the government-funded Computer Emergency Response Team (CERT) on automated compliance checking. At the last Black Hat Las Vegas event, Chess also ran the famed Iron Chef Black Hat hacking challenge. This week, he's expected to speak once more on security issues. This time around, Chess will be talking about software testing and using functional tests to find vulnerabilities. "It's about how you build software right, as opposed to how you break something," Chess told InternetNews.com. "We'll be talking about some of the less-than-ideal ways that people go about finding security vulnerabilities in their code." In Chess' view, developers often fail to do a great job of security testing simply because they don't have to. Since plenty of bugs can be found easily, they typically feel little incentive to undertake a more rigorous and thorough search that might find all bugs, he said. On the flip side, "if you actually want to build something that is secure, there actually is a lot you can do," Chess said. 
Not surprisingly, the security conference's inside-the-Beltway setting also means it will have a special focus on government. Among the week's sessions are a talk on phishing and the Internal Revenue Service (IRS), and a discussion of potential cyber-threats to the 2008 presidential election. The government focus is also reflected in the background of some of the speakers at the event. The only keynote of the Black Hat D.C. event is being delivered by Jerry Dixon, a former deputy director of US-CERT and the founding director of the IRS's Computer Security Incident Response Capability. A former U.S. spy is also on the speakers list. In a talk about social engineering, Peter Earnest, a 35-year veteran of the Central Intelligence Agency, will discuss his experiences in espionage. While this week's conference will offer a different perspective compared to its larger, more free-for-all Las Vegas counterpart, followers of the goings-on at Black Hat can still expect much of the same. "It's still Black Hat," Chess said. "The reason why people come out for Black Hat is they want to get a taste for what's going on from a technical, vulnerability-researcher point of view. So I expect the presentation style will be about the same." From rforno at infowarrior.org Tue Feb 19 20:07:18 2008 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 19 Feb 2008 15:07:18 -0500 Subject: [Infowarrior] - SCOTUS Rejects ACLU Challenge to Wiretaps Message-ID: Court Rejects ACLU Challenge to Wiretaps The Associated Press Tuesday, February 19, 2008; 12:41 PM http://www.washingtonpost.com/wp-dyn/content/article/2008/02/19/AR2008021901111_pf.html WASHINGTON -- The Supreme Court rejected a challenge Tuesday to the Bush administration's domestic spying program. The justices' decision, issued without comment, is the latest setback to legal efforts to force disclosure of details of the warrantless wiretapping that began after the Sept. 11 attacks. 
The American Civil Liberties Union wanted the court to allow a lawsuit by the group and individuals over the wiretapping program. The 6th U.S. Circuit Court of Appeals dismissed the suit, saying the plaintiffs could not prove their communications had been monitored. The government has refused to turn over information about the closely guarded program that could reveal who has been under surveillance. ACLU legal director Steven R. Shapiro has said his group is in a "Catch-22" because the government says the identities of people whose communications have been intercepted is secret. But only people who know they have been wiretapped can sue over the program, Shapiro has said. The 9th U.S. Circuit Court of Appeals last year ruled against an Islamic charity that also challenged the program, concluding that a key piece of evidence is protected as a state secret. In that case, the Oregon-based U.S. arm of the Al-Haramain Islamic Foundation alleged the National Security Agency illegally listened to its calls. The charity had wanted to introduce as evidence a top-secret call log it received mistakenly from the Treasury Department. A separate lawsuit against telecommunications companies that have cooperated with the government is pending in the San Francisco-based appeals court. A U.S. district court also is examining whether the warrantless surveillance of people in the United States violates the law that regulates the wiretapping of suspected terrorists and requires the approval of a secret court. A federal judge in Detroit declared the spying program unconstitutional in 2006, saying it violated the rights to free speech and privacy and the separation of powers. The appeals court decision that the Supreme Court let stand Tuesday resulted from the judge's ruling. Several months after the judge in Detroit ruled against the Terrorist Surveillance Program, the administration announced in January 2007 that it would put intercepts of communications on U.S. 
soil under the oversight of the secret court, the Foreign Intelligence Surveillance Court. The ACLU, in urging the justices to consider its case, said that because the administration voluntarily ended the warrantless wiretapping, it could easily restart it. "There is a real risk that the president could decide he is not subject to the law," said Jameel Jaffer, director of the ACLU's national security project. The administration acknowledged the existence of the program in late 2005, after the New York Times published an article about it. The White House said the monitoring was necessary because the 1978 Foreign Intelligence Surveillance Act left dangerous gaps in the government's eavesdropping authority. Last August, Congress made temporary changes to FISA that made the warrantless wiretapping legal in some instances and also extended immunity from lawsuits to telecommunications companies that help with the intercepts. Those changes expired over the weekend, amid disagreements between congressional Democrats and President Bush over the immunity issue. Existing wiretaps can continue and any new surveillance the government wants to institute has to follow the FISA rules, which could require court warrants. The case is ACLU v. NSA, 07-468. ___ On the Net: Supreme Court: http://www.supremecourtus.gov From rforno at infowarrior.org Tue Feb 19 20:09:14 2008 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 19 Feb 2008 15:09:14 -0500 Subject: [Infowarrior] - Government Picks Up Speed on Security Clearances Message-ID: Government Picks Up Speed on Security Clearances By Stephen Barr Tuesday, February 19, 2008; D03 http://www.washingtonpost.com/wp-dyn/content/article/2008/02/18/AR2008021802304_pf.html There's still too much paper to pluck from files. There's not enough sharing of information. Yet despite such problems, the government has been picking up speed in processing security clearances. 
In a report sent to Congress last week, the Bush administration said most security clearances for federal employees and contractors were completed in an average of 118 days. That turnaround time beats the 130-day goal set by Congress in the 2004 Intelligence Reform and Terrorism Prevention Act. Before the law was passed, it took more than a year on average to conduct an investigation for a top-secret clearance, and investigations for secret and confidential clearances averaged five to six months, according to the report. The law requires the administration to move even faster on security clearances by the end of 2009. To achieve the 2009 goal, the government will have to complete security clearances in 74 days, or 44 days faster than it did in the first quarter of fiscal 2008. "We have to identify opportunities to reform or transform this system, because the way we do it now is basically the same way it has been done for decades," Clay Johnson III, deputy director for management at the Office of Management and Budget, said in an interview. He added, "There are better ways, more computer-aided ways, to do a lot of this." President Bush, in a memo this month, directed key officials to submit a plan by the end of April for improving background checks and security clearances. Johnson is helping lead that effort, joined by James R. Clapper Jr., undersecretary of defense for intelligence; Mike McConnell, director of national intelligence; and Linda M. Springer, director of the Office of Personnel Management. The report to Congress provides a snapshot of some of the issues they face. Defense contractors remain concerned that their clearances are taking too long and that time spent evaluating a background check and approving a clearance is lengthening. On average, defense contractors are waiting 151 days to receive a clearance. Reinvestigations of defense contractors to update top-secret clearances are taking 267 days, on average. 
In part, the longer wait time for defense contractors is because the approval process involves extra steps, and the Pentagon is moving to streamline procedures, Johnson said. When federal employees and contractors transfer to another part of the government, too many agencies still balk at accepting the security clearances and employment suitability determinations made by another agency. Johnson said agencies should be encouraging reciprocity. Technology also is a major problem when it comes to checking records for police arrests, criminal convictions, divorces, bankruptcies and debts. While the FBI delivers 83 percent of the records requested within 30 days, on average, it still has a backlog of 53,000 requests that are more than 30 days old. Only 20 percent of state law-enforcement records can be obtained electronically. While the State Department, Air Force and Army can provide electronic records to investigators, the Navy and Marines have only recently put their records into databases. Because of problems in obtaining third-party information, the government has about 42,000 investigations in the pipeline that are more than 180 days old. The delay is down from 137,000 cases in October 2006. "We've got a lot of work to do, still," Johnson said. From rforno at infowarrior.org Tue Feb 19 20:12:33 2008 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 19 Feb 2008 15:12:33 -0500 Subject: [Infowarrior] - Web Site That Posts Leaked Material Ordered Shut Message-ID: February 19, 2008 Web Site That Posts Leaked Material Ordered Shut By ADAM LIPTAK http://www.nytimes.com/2008/02/19/us/19cnd-wiki.html In a move that legal experts said could present a major test of First Amendment rights in the Internet era, a federal judge in San Francisco on Friday ordered the disabling of a Web site devoted to disclosing confidential information. The site, Wikileaks.org, invites people to post leaked materials with the goal of discouraging "unethical behavior" 
by corporations and governments. It has posted documents concerning the rules of engagement for American troops in Iraq, a military manual concerning the operation of the prison at Guantánamo Bay, Cuba, and other evidence of what it has called corporate waste and wrongdoing. The case in San Francisco was brought by a Cayman Islands bank, Julius Baer Bank and Trust. In court papers, the bank claimed that "a disgruntled ex-employee who has engaged in a harassment and terror campaign" provided stolen documents to Wikileaks in violation of a confidentiality agreement and banking laws. According to Wikileaks, "the documents allegedly reveal secret Julius Baer trust structures used for asset hiding, money laundering and tax evasion." On Friday, Judge Jeffrey S. White of the Federal District Court in San Francisco granted a permanent injunction ordering Dynadot, the site's domain name registrar and Web host, to disable the Wikileaks.org domain name. That has the effect of making the site invisible to people looking for it by name. But the site itself remains available through its Internet protocol address, as do ancillary sites run by Wikileaks in other countries, along with mirror sites run by third parties. In a separate order, also issued on Friday, Judge White ordered Dynadot and Wikileaks to stop distributing the bank documents. The second order, which the judge called an amended temporary restraining order, did not refer to the permanent injunction but may have been an attempt to narrow it. Lawyers for the bank and Dynadot did not respond to requests for comment. Judge White has scheduled a hearing in the case for Feb. 29. In a statement on its site, Wikileaks compared Judge White's orders to ones eventually overturned by the United States Supreme Court in the Pentagon Papers case in 1971. In that case, the federal government sought to enjoin publication of a secret history of the Vietnam War by The New York Times and The Washington Post. 
"The Wikileaks injunction is the equivalent of forcing The Times's printers to print blank pages and its power company to turn off press power," the site said, referring to the order that sought to disable the entire site. The site said it was founded by dissidents in China and journalists, mathematicians and computer specialists in the United States, Taiwan, Europe, Australia and South Africa. Its goal, it said, is to develop "an uncensorable Wikipedia for untraceable mass document leaking and analysis." Judge White's order disabling the entire site "is clearly not constitutional," said David Ardia, the director of the Citizen Media Law Project at Harvard Law School. "There is no justification under the First Amendment for shutting down an entire Web site." The narrower order, forbidding the dissemination of the disputed documents, is a more classic prior restraint on publication. Such orders are disfavored under the First Amendment and almost never survive appellate scrutiny. From rforno at infowarrior.org Wed Feb 20 04:25:10 2008 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 19 Feb 2008 23:25:10 -0500 Subject: [Infowarrior] - Social Media in the 1990's In-Reply-To: Message-ID: Yep, I feel all nostalgic now..... --rf ------ Forwarded Message From: security curmudgeon http://www.copybrighter.com/blog/social-media-in-the-1990s From rforno at infowarrior.org Wed Feb 20 13:12:35 2008 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 20 Feb 2008 08:12:35 -0500 Subject: [Infowarrior] - CDC Releases "Goolag" scanner In-Reply-To: <9F42F814-3ED4-485D-B75F-DF2EF7E2E62C@hacktivismo.com> Message-ID: ------ Forwarded Message From: Oxblood Ruffin Date: Wed, 20 Feb 2008 06:43:05 +0100 To: Subject: Goolag: Exporting censorship, importing exploits FOR IMMEDIATE RELEASE SECURITY ADVISORY: The following program may screw a large Internet search engine and make the Web a safer place. LUBBOCK, TX, February 20th -- 
Today CULT OF THE DEAD COW (cDc), the world's most attractive hacker group, announced the release of Goolag Scanner, a Web auditing tool. Goolag Scanner enables everyone to audit his or her own Web site via Google. The scanner technology is based on "Google hacking", a form of vulnerability research developed by Johnny I Hack Stuff. He's a lovely fellow. Go buy him a drink. "It's no big secret that the Web is the platform", said cDc spokesmodel, Oxblood Ruffin. "And this platform pretty much sucks from a security perspective. Goolag Scanner provides one more tool for Web site owners to patch up their online properties. We've seen some pretty scary holes through random tests with the scanner in North America, Europe, and the Middle East. If I were a government, a large corporation, or anyone with a big Web site, I'd be downloading this beast and aiming it at my site yesterday. The vulnerabilities are that serious." Goolag Scanner will be released open source under the GNU Affero General Public license. It is dedicated to the memory of Wau Holland, founder of the Chaos Computer Club, and a true champion of privacy rights and social justice. GOOLAG SCANNER FUNCTIONS AND FEATURES GoolagScan is a standalone Windows GUI-based application. * Configuration. gS uses one xml-based configuration file for its settings. * Data-House-holding. All dorks coming with the distribution of gS are kept inside one file. -- DOWNLOAD AND MORE INFORMATION: http://www.goolag.org -- Press Contact Oxblood Ruffin oxblood at hacktivismo.com About the CULT OF THE DEAD COW Based in Lubbock, Texas, the CULT OF THE DEAD COW (cDc) is the most influential hacking group in the world. The cDc alumni list reads like a Who's Who of hacking and includes a former Presidential advisor on Internet security, among others. The group is further distinguished by publishing the longest running e-zine on the Internet [est. 
1984], stretching the limits of the First Amendment, and fighting anyone or any government that aspires to limit free speech. For more information, please visit www.cultdeadcow.com About Johnny I Hack Stuff http://johnny.ihackstuff.com/ and here http://en.wikipedia.org/wiki/Johnny_Long About Wau Holland http://en.wikipedia.org/wiki/Wau_Holland and here http://www.ccc.de/?language=en From rforno at infowarrior.org Wed Feb 20 13:16:25 2008 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 20 Feb 2008 08:16:25 -0500 Subject: [Infowarrior] - Self destructing laptop technology Message-ID: Virtuity offers self destructing laptop technology Data wiped if machine moves from safe zone http://www.pocket-lint.co.uk/news/news.phtml/12926/13950/virtuity-backstopp-self-destructing-technology.phtml NEWS: 19 February 2008 16:35 GMT by Amy-Mae Elliott A British company has developed an intelligent security technology that can block access and destroy data if a laptop is moved from its designated space. Backstopp, from technology company, Virtuity, constantly monitors the electronic "heartbeat" of a laptop to determine its location. If the laptop is moved from its allowed zone the software steps in to remove sensitive data. Backstopp can use any wireless communication, such as Wi-Fi, to locate laptops. The PCs can also be tagged with RFID chips to monitor movement when switched off to make the safe zone even smaller. If a laptop is reported missing, or if the "control centre" concludes that the machine is "at risk", the system seeks out the digital heartbeat and sends a "self destruct" message. Meanwhile the software on the laptop can use any in-built webcam to start taking a series of photographs to help with identification of the culprit, uploading the images as soon as any network becomes available. The system is completely invisible to the thief. Prices start at £10 a laptop per month. 
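Returning to the Goolag Scanner release above: the technique it packages, "Google hacking", is nothing more than feeding a list of search "dorks" (operator-laden queries such as filetype:, inurl: and intitle: that surface exposed files and directory listings) to a search engine, scoped with site: to the domain you are auditing, and collecting the results. The following is an added example of that workflow written for this page; it is not cDc's code and nothing here is taken from Goolag Scanner. The XML dork-list layout, the dork strings and the search-result HTML are all constructed for the example (the release only says gS keeps its dorks in one file and its settings in one XML file), and the code never contacts Google: it builds the queries the scanner would issue and parses a canned result page, so it runs offline.

```python
"""Google-hacking style self-audit in the spirit of the Goolag Scanner
release above. Added example, not cDc's code: the XML dork-list layout,
the dork strings and the result page below are all constructed here."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import quote_plus, urlparse

# Constructed dork list in a hypothetical XML layout (gS keeps its dorks in a
# single file; the schema is not shown on the page, so this one is assumed).
DORKS_XML = """<dorks>
  <dork category="files">filetype:sql "INSERT INTO"</dork>
  <dork category="config">inurl:phpinfo.php</dork>
  <dork category="listing">intitle:"index of" "parent directory"</dork>
  <dork category="backup">filetype:bak inurl:config</dork>
</dorks>"""


def load_dorks(xml_text):
    """Return (category, dork) pairs from the XML dork list."""
    root = ET.fromstring(xml_text)
    return [(d.get("category"), d.text.strip()) for d in root.findall("dork")]


def scoped_query(domain, dork):
    """Prefix the dork with site: so only the domain you own is audited."""
    return f"site:{domain} {dork}"


def search_url(query):
    """URL the scanner would fetch; shown for illustration, never fetched here."""
    return "https://www.google.com/search?q=" + quote_plus(query)


# Matches result links in the constructed page below; live search HTML differs.
RESULT_RE = re.compile(r'<a href="(https?://[^"]+)"')


def parse_results(html, domain):
    """Extract result URLs and keep only those on the audited domain."""
    hits = []
    for url in RESULT_RE.findall(html):
        host = (urlparse(url).hostname or "").lower()
        if host == domain or host.endswith("." + domain):
            hits.append(url)
    return hits


def audit(domain, pages_by_dork):
    """Run every dork against pre-fetched result pages and report the hits."""
    findings = []
    for category, dork in load_dorks(DORKS_XML):
        query = scoped_query(domain, dork)
        urls = parse_results(pages_by_dork.get(dork, ""), domain)
        if urls:
            findings.append({"category": category, "dork": dork,
                             "query": query, "urls": urls})
    return findings


# Constructed result pages keyed by dork, standing in for live search responses.
# The example.org link shows an off-domain result being filtered out.
SAMPLE_PAGES = {
    "inurl:phpinfo.php":
        '<div><a href="https://www.example.com/test/phpinfo.php">phpinfo()</a></div>'
        '<div><a href="https://example.org/phpinfo.php">phpinfo()</a></div>',
    'intitle:"index of" "parent directory"':
        '<div><a href="http://example.com/backups/">Index of /backups</a></div>',
}

if __name__ == "__main__":
    for finding in audit("example.com", SAMPLE_PAGES):
        print(finding["category"], finding["query"])
        for url in finding["urls"]:
            print("   ", url)
```

Two practitioner caveats the press release glosses over. First, the site: scope is the only thing keeping this an audit of "his or her own Web site": pointed at somebody else's domain it is reconnaissance, and you need authorisation. Second, automated querying of a search engine is rate-limited and against the engine's terms of service, and the result markup changes without notice, which is why the parser above is written against a constructed page rather than claiming to handle real responses.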
From rforno at infowarrior.org Wed Feb 20 13:17:47 2008 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 20 Feb 2008 08:17:47 -0500 Subject: [Infowarrior] - Oz National Web Censoring Officially Declared A Dud Message-ID: Web porn software filter a dud http://www.smh.com.au/news/web/web-porn-software-filter-a-dud/2008/02/16/1203190635858.html?sssdmh=dm16.303144 Heath Gilmore February 17, 2008 THE Rudd Government has branded as a failure the $85 million software filter scheme to protect young Australians from online pornography and will review its future. Federal Communications Minister Stephen Conroy is assessing the NetAlert program, which will come under scrutiny at the Senate estimates hearings tomorrow. The filter scheme was a central feature of the Howard Government's $189 million NetAlert program launched last August to address the perceived threat of online sexual predators and unsavoury content to young internet users. A multimillion dollar advertising blitz followed, including a booklet delivered to every household across the nation. It was expected 2.5 million households would take up the free porn-blocking filters within 12 months but only 144,088 filter products have been downloaded or ordered on CD-ROM since August last year. The Department of Broadband, Communications and the Digital Economy has estimated about 29,000 of these accessed filter products were still being used - less than 2 per cent of the set target. "The program has clearly failed, despite over $15 million being spent in advertising to support it," Mr Conroy said. "Labor has always said that PC filtering is not a stand-alone solution to protecting children from online dangers. The Government has a comprehensive cyber-safety plan that includes the implementation of mandatory ISP-based filtering to deliver a filtered feed to all homes, schools and public internet points. "Education for parents and teachers as well as children is a priority." 
Mr Conroy said the Australian Communications and Media Authority (ACMA) would examine all aspects of ISP-level filtering, with a laboratory trial completed by the end of June 2008, followed by a pilot test in a real world environment. Sixteen-year-old Tom Wood, aka "The Porn Cracker", who shot to national prominence when he showed the new NetAlert filters could be bypassed by any savvy teenager in a matter of minutes, said the scheme had been a waste of time and money. "Although these are amongst the best PC-based filters available, it didn't take long for teens to work out how to bypass them," said the schoolboy with a passion for cyber-safety. Opposition communications spokesman Bruce Billson said the Rudd Government was rushing to criticise the NetAlert program to set the scene for a "harebrained, half-baked policy dreamt up in the lead-up to an election". "NetAlert is a program which is relatively new, as is the minister in his role, and I'm sure he would like a little more than six months or so before the public decide if he has been a failure or not," he said. "Proper supervision should be front and centre of any efforts to protect children from inappropriate material on the internet; supported by additional tools such as content filters, not some mandatory and ill-conceived 'clean feed' measure by a government that believes only it has the authority to decide what's appropriate or inappropriate content for computer users." hgilmore at sunherald.com.au From rforno at infowarrior.org Wed Feb 20 13:18:27 2008 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 20 Feb 2008 08:18:27 -0500 Subject: [Infowarrior] - Lessig may run for Congress Message-ID: Two announcements February 20, 2008 12:16 AM - comments (27) At lessig08.org, you can watch a 10 minute video explaining the launching of a Change Congress movement, and the decision I am trying to make about whether to run for Congress. That decision will be made soon. 
I've been spurred to consider it seriously by the enormous support of many at draftlessig.org and facebook (and by the cool swag at zazzle). Those three I had nothing to do with. But this I do. This is a very difficult decision. In the coming days, I'll reflect a bit about it here. Thank you to everyone who has tried to help -- both through very strong words of encouragement and very very strong words to dissuade. http://lessig.org/blog/2008/02/two_announcements.html From rforno at infowarrior.org Wed Feb 20 13:33:56 2008 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 20 Feb 2008 08:33:56 -0500 Subject: [Infowarrior] - Bush orders clampdown on flights to US Message-ID: Bush orders clampdown on flights to US EU officials furious as Washington says it wants extra data on all air passengers * Ian Traynor in Brussels * The Guardian, * Monday February 11 2008 http://www.guardian.co.uk/world/2008/feb/11/usa.theairlineindustry This article appeared in the Guardian on Monday February 11 2008 on p1 of the Top stories section. It was last updated at 13:53 on February 11 2008. Photograph (Eric Meola/Getty Images): jet aeroplane taking off at night. Caption: Bush administration is calling for armed air marshals on transatlantic flights. The US administration is pressing the 27 governments of the European Union to sign up for a range of new security measures for transatlantic travel, including allowing armed guards on all flights from Europe to America by US airlines. The demand to put armed air marshals on to the flights is part of a travel clampdown by the Bush administration that officials in Brussels described as "blackmail" and "troublesome", and could see west Europeans and Britons required to have US visas if their governments balk at Washington's requirements. 
According to a US document being circulated for signature in European capitals, EU states would also need to supply personal data on all air passengers overflying but not landing in the US in order to gain or retain visa-free travel to America, senior EU officials said. And within months the US department of homeland security is to impose a new permit system for Europeans flying to the US, compelling all travellers to apply online for permission to enter the country before booking or buying a ticket, a procedure that will take several days. The data from the US's new electronic transport authorisation system is to be combined with extensive personal passenger details already being provided by EU countries to the US for the "profiling" of potential terrorists and assessment of other security risks. Washington is also asking European airlines to provide personal data on non-travellers - for example family members - who are allowed beyond departure barriers to help elderly, young or ill passengers to board aircraft flying to America, a demand the airlines reject as "absurd". Seven demands tabled by Washington are contained in a 10-page "memorandum of understanding" (MOU) that the US authorities are negotiating or planning to negotiate with all EU governments, according to ministers and diplomats from EU member states and senior officials in Brussels. The Americans have launched their security drive with some of the 12 mainly east European EU countries whose citizens still need visas to enter the US. "The Americans are trying to get a beefing up of their visa-waiver programmes. It's all contained in the MOU they want to put to all EU member states," said a diplomat from a west European country. "It's a very delicate problem." 
As part of a controversial passenger data exchange programme allegedly aimed at combating terrorism, the EU has for the past few months been supplying the American authorities with 19 items of information on every traveller flying from the EU to the US. The new American demands go well beyond what was agreed under that passenger name record (PNR) system and look certain to cause disputes within Europe and between Europe and the US. Brussels is pressing European governments not to sign the bilateral deals with the Americans to avoid weakening the EU bargaining position. But Washington appears close to striking accords on the new travel regime with Greece and the Czech Republic. Both countries have sizeable diaspora communities in America, while their citizens need visas to enter the US. Visa-free travel would be popular in both countries. A senior EU official said the Americans could get "a gung-ho frontrunner" to sign up to the new regime and then use that agreement "as a rod to beat the other member states with". The frontrunner appears to be the Czech Republic. On Wednesday, Richard Barth of the department of homeland security was in Prague to negotiate with the Czech deputy prime minister, Alexandr Vondra, Prague hoped to sign the US memorandum "in the spring", Vondra said. "The EU has done nothing for us on visas," he said. "There was no help, no solidarity in the past. It's in our interest to move ahead. We can't just wait and do nothing. We have to act in the interest of our citizens." While the Czechs are in a hurry to sign up, Brussels is urging delay in order to try to reach a common European position. "There is a process of consultation and coordination under way," said Jonathan Faull, a senior European commission official involved in the negotiations with the Americans. To European ears, the US demands sound draconian. "This would oblige the European countries to allow US air marshals on US flights. It's controversial and difficult," an EU official said. 
At the moment the use of air marshals is discretionary for European states and airlines. While armed American guards would be entitled to sit on the European flights to the US, the Americans also want the PNR data transfers extended from travellers from Europe to the US to include the details of those whose flights are not to America, but which overfly US territory, say to central America or the Caribbean. Brussels has told Washington that its demands raise legal problems in Europe over data protection, over guarantees on how the information is handled, over which US agencies have access to it or with whom it might be shared, and over issues of redress if the data is misused. The Association of European Airlines, representing 31 airlines, including all the big west European national carriers, has told the US authorities that there is "no international legal foundation" for supplying them with data about passengers on flights overflying US territory. The US Transport Security Administration has also asked the European airlines to supply personal data on "certain non-travelling members of the public requesting access to areas beyond the screening checkpoint". The AEA said this was "absurd" because the airlines neither obtain nor can obtain such information. The request was "fully unjustified". If the Americans persevere in the proposed security crackdown, Brussels is likely to respond with tit-for-tat action, such as calling for visas for some Americans. European governments, however, would probably veto such action, one official said, not least for fear of the "massive disruption given the huge volume of transatlantic traffic". 
From rforno at infowarrior.org Wed Feb 20 15:26:15 2008 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 20 Feb 2008 10:26:15 -0500 Subject: [Infowarrior] - Warning given over techno addicts Message-ID: Warning given over techno addicts A growing number of people are becoming addicted to their mobile phones, Blackberries and other digital devices, researchers are warning. Techno addiction can become so bad that people wake up several times a night to check their e-mails and text messages. It can even interfere with an addict's job as he feels he has to be linked up all the time, says Professor Nada Kakabadse of Northampton University. She is conducting research into how widespread the addiction may be. Evidence emerging from a small-scale study of 360 people carried out by Prof Kakabadse and her colleagues suggested up to a third were addicted. People could become addicted to just about anything, she said. "We are creatures of habit and we can get addicted to quite unusual things. "Technology has become much more interesting over the past 10 years with the internet and everything. "It is much simpler and much more portable which makes it more accessible. "You would be surprised how many people had their PDA or Blackberry next to their bed heads." She added: "Those who are addicted will get up in the middle of the night and pick up messages on their PDAs two or three times a night." 'Too late' The addiction could also lead to problems with relationships as the addict became more and more withdrawn from their family. And there were other social consequences as the addict suffered from anxieties and sicknesses, she said. Prof Kakabadse said in the early stages of addiction, workers were often very productive, replying to e-mails and messages, but as time went on there were more serious consequences. "Some people are very anxious when they don't have their technological gadgets next to them. 
"They might get into trouble with their employers as they spend more and more time checking messages." She said it was often difficult to detect when someone had become an addict, "And when it is detectable it is often too late". She stopped short of calling for warnings to be put on all gadgets, but said employers should provide training on the safe use of technological devices they provided to their staff. Prof Kakabadse has looked in detail at case studies but now intends to see how widespread the problem is. Story from BBC NEWS: http://news.bbc.co.uk/go/pr/fr/-/2/hi/uk_news/education/7253493.stm Published: 2008/02/19 17:17:35 GMT © BBC MMVIII From rforno at infowarrior.org Wed Feb 20 20:20:04 2008 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 20 Feb 2008 15:20:04 -0500 Subject: [Infowarrior] - RFI: OSX Sync Solutions Message-ID: Is there an easy way to share some or all of a home folder between two different machines? I'm looking to get an iMac for the office but also have a laptop "sync'd up" and ready to go on a minute's notice if I have to go somewhere. I'm not necessarily looking for instant realtime sync'ing but to have a method of sync'ing at least daily between the two with the laptop sleeping on the shelf. Is there a particular software anyone can reco for this besides a complete backup solutions? And no, I don't use .Mac services. Thanks! -rick From rforno at infowarrior.org Thu Feb 21 03:11:26 2008 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 20 Feb 2008 22:11:26 -0500 Subject: [Infowarrior] - Adobe Pushes DRM for Flash Message-ID: http://www.eff.org/deeplinks/2008/02/adobe-pushes-drm-flash February 20th, 2008 Adobe Pushes DRM for Flash Posted by Seth Schoen The immense popularity of sites like YouTube has unexpectedly turned Flash Video (FLV) into one of the de facto standards for Internet video. 
The proliferation of sites using FLV has been a boon for remix culture, as creators made their own versions of posted videos. And thus far there has been no widespread DRM standard for Flash or Flash Video formats; indeed, most sites that use these formats simply serve standalone, unencrypted files via ordinary web servers. Now Adobe, which controls Flash and Flash Video, is trying to change that with the introduction of DRM restrictions in version 9 of its Flash Player and version 3 of its Flash Media Server software. Instead of an ordinary web download, these programs can use a proprietary, secret Adobe protocol to talk to each other, encrypting the communication and locking out non-Adobe software players and video tools. We imagine that Adobe has no illusions that this will stop copyright infringement -- any more than dozens of other DRM systems have done so -- but the introduction of encryption does give Adobe and its customers a powerful new legal weapon against competitors and ordinary users through the Digital Millennium Copyright Act (DMCA). Recall that the DMCA sets out a blanket ban on tools that help "circumvent" any DRM system (as well as the act of circumvention itself). When Flash Video files are simply hosted on a web site with no encryption, it's unlikely that tools to download, edit, or remix them are illegal. But when encryption enters the picture, entertainment companies argue that fair use is no excuse; Adobe, or customers using Flash Media Server 3, can try to shut down users who break the encryption without having to prove that the users are doing anything copyright-infringing. Even if users aren't targeted directly, technology developers may be threatened and the technologies the users need driven underground. Users may also have to upgrade their Flash Player software (and open source alternatives like Gnash, which has been making rapid progress, may be unable to play the encrypted streams at all). 
Third-party software that can download Flash Video, like the most recent RealPlayer, will also break. But Adobe now has an incentive to push the use of DRM: it's only available to sites that use Flash Media Server 3 software, which starts at over $4,000 (with extra fees depending on the number of simultaneous streams). Furthermore, the prospect of widespread adoption of DRM restrictions on Flash threatens to squash a growing tradition of expressive fair use of online video -- a practice effectively in its infancy that, left unfettered, would be a dynamic solution to our failing effort to teach media literacy. Before we understand how to read media messages, we must first learn how to speak their language -- and we learn that language by playing with and remixing the efforts of others. DRM, by restricting the remixing of Flash videos, stands to bankrupt a rich store of educational value by foreclosing the ability of students and teachers to "echo others" by remixing videos posted online. Take the example of "A Vision of Students Today" vs. "(Re)Visions of Students Today". The first "Vision" YouTube video is an artful critique of higher education's failure to come up with new models of instruction that engage the modern student; the second "(Re)Vision" YouTube video is an incisive observation of higher education's crisis in diversity (summarily expressed by the lack of diversity in the original "Vision" video). The original and the remix support each other to instruct with an influence above and beyond the power of either video alone. Outside the halls of academia, we can see that the ability to openly download and remix video is part of a new ecosystem of amateur entertainment -- watch Drama Prairie Dog and its countless responses: * "Dramatic Prairie Dog vs. 
Kung Fu Baby (Best Remix Ever)" * "Hollywood Zombies Dramatic Prarire Dog" * "Dramatic Look Bond Remix" * Drama Prairie Dog - Zoolander * "Drama Prairie Dog -- Kill Bill" * (an obligatory Star Wars-related remix) "Darthmatic Chipmunk" As we noted above, remixers who find and use tools that break the Flash Video encryption could be sued, even if their transformative creations would otherwise have been fair use. Finally, there's a classic suite of arguments against DRM that will be as true for online video as they were for music. DRM doesn't move additional product. DRM is grief for honest end-users. And there's no reason to imagine that new DRM systems will stop copyright infringement any more effectively than previous systems. From rforno at infowarrior.org Thu Feb 21 12:57:44 2008 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 21 Feb 2008 07:57:44 -0500 Subject: [Infowarrior] - Telecom War on Net Neutrality Message-ID: Telecom War on Net Neutrality Topics: corporations | internet | lobbying | U.S. Congress Source: Enterprise Networking Planet, February 15, 2008 "Telecommunications industry groups have attacked a new bill calling for government regulators to take a closer look at how broadband providers manage their networks," reports Kenneth Corin. "The Internet Freedom Preservation Act, introduced earlier this week by Rep. Ed Markey, the Democratic chairman of the House subcommittee on telecommunication and the Internet, could make it illegal for service providers to block or degrade traffic on their networks. Its introduction revisits the contentious debate over Net neutrality, which has industry groups championing the free market and warning that government intervention threatens to choke off growth and innovation in the Internet economy." 
(As an example of the kind of "innovation" they have in mind, PC World magazine warned recently that consumers should "get ready for a crackdown on broadband use" in which "Internet users may soon be charged extra for using 'too much' bandwidth or cut off from using some bandwidth-hungry software applications.") http://www.prwatch.org/node/7023 From rforno at infowarrior.org Thu Feb 21 13:02:39 2008 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 21 Feb 2008 08:02:39 -0500 Subject: [Infowarrior] - Google ventures into health records biz Message-ID: Google ventures into health records biz Find this article at: http://www.cnn.com/2008/TECH/02/21/google.records.ap/index.html SAN FRANCISCO, California (AP) -- Google Inc. will begin storing the medical records of a few thousand people as it tests a long-awaited health service that's likely to raise more concerns about the volume of sensitive information entrusted to the Internet search leader. The pilot project to be announced Thursday will involve 1,500 to 10,000 patients at the Cleveland Clinic who volunteered to an electronic transfer of their personal health records so they can be retrieved through Google's new service, which won't be open to the general public. Each health profile, including information about prescriptions, allergies and medical histories, will be protected by a password that's also required to use other Google services such as e-mail and personalized search tools. Google views its expansion into health records management as a logical extension because its search engine already processes millions of requests from people trying to find more information about an injury, illness or recommended treatment. But the health venture also will provide more fodder for privacy watchdogs who believe Google already knows too much about the interests and habits of its users as its computers log their search requests and store their e-mail discussions. 
Prodded by the criticism, Google last year introduced a new system that purges people's search records after 18 months. In a show of its privacy commitment, Google also successfully rebuffed the U.S. Justice Department's demand to examine millions of its users' search requests in a court battle two years ago. The Mountain View, California-based company hasn't specified a timetable for unveiling the health service, which has been the source of much speculation for the past two years. Marissa Mayer, the Google executive overseeing the health project, has previously said the service would debut in 2008. Contacted Wednesday, a Google spokesman declined to elaborate on its plans. The Associated Press learned about the pilot project from the Cleveland Clinic, a not-for-profit medical center founded 87 years ago. The clinic already keeps the personal health records of more than 120,000 patients on its own online service called MyChart. Patients who transfer the information to Google would still be able to get the data quickly even if they were no longer being treated by the Cleveland Clinic. "We believe patients should be able to easily access and manage their own health information," Mayer said in a statement supplied by the Cleveland Clinic. The Cleveland Clinic decided to work with Google "to create a more efficient and effective national health care system," said C. Martin Harris, the medical center's chief information officer. Google isn't the first high-tech heavyweight to set up an online filing cabinet in an effort make it easier for people to get their medical records after they change doctors or health insurance plans. Rival Microsoft Corp. last year introduced a similar service called HealthVault, and AOL co-founder Steve Case is backing Revolution Health, which also offers online tools for managing personal health histories. 
The third-party services are troublesome because they aren't covered by the Health Insurance Portability and Accountability Act, or HIPAA, said Pam Dixon, executive director of the World Privacy Forum, which just issued a cautionary report on the topic. Passed in 1996, HIPAA established strict standards that classify medical information as a privileged communication between a doctor and patient. Among other things, the law requires a doctor to notify a patient when subpoenaed for a medical record. That means a patient who agrees to transfer medical records to an external health service run by Google or Microsoft could be unwittingly making it easier for the government or some other legal adversary to obtain the information, Dixon said. If the medical records aren't protected by HIPAA, the information conceivably also could be used for marketing purposes. Google, which runs the Internet's most lucrative ad network, typically bases its marketing messages on search requests and the content on Web pages and e-mail contained in its computers. It's not clear how Google intends to make money from its health service. The company sometimes introduces new products without ads just to give people more reason to visit its Web site, betting the increased traffic will boost its profits in the long run. 
From rforno at infowarrior.org Thu Feb 21 13:06:02 2008 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 21 Feb 2008 08:06:02 -0500 Subject: [Infowarrior] - Judge dismisses malicious prosecution lawsuit against RIAA Message-ID: Judge dismisses malicious prosecution lawsuit against RIAA By Eric Bangeman | Published: February 20, 2008 - 03:46PM CT http://arstechnica.com/news.ars/post/20080220-judge-dismisses-malicious-prosecution-lawsuit-against-riaa.html Exonerated RIAA defendant Tanya Andersen ran into a bit of a roadblock yesterday in an attempt to pursue her malicious prosecution lawsuit against the RIAA and MediaSentry. After a hearing, a federal judge dismissed Andersen's complaint, giving her 30 days to refile it with more specifics as to which laws the RIAA and MediaSentry are alleged to have violated. Andersen filed her lawsuit this past August after the RIAA voluntarily dismissed its own file-sharing lawsuit. Andersen, a disabled single mother, was sued in February 2005, and the resulting case became one of the most closely-watched battles between the RIAA and suspected copyright infringers. After the case was dismissed, Andersen won an attorneys' fees award, which was reaffirmed last month. Andersen's complaint recounts a litany of misdeeds allegedly perpetrated by the record labels in the course of their lawsuit. Those include trying to contact her young daughter at school and her apartment building without Andersen's knowledge or permission. The RIAA was also accused of libel, negligence, and fraud. The RIAA hailed the judge's ruling. "The court's decision to dismiss all of the claims in their entirety merely serves to confirm our view that the claims were meritless when they were filed," an RIAA spokesperson told Ars. In her ruling, Judge Anna J. 
Brown said that Andersen had "not adequately stated claims for relief," but gave her until March 14, 2008, to file an amended complaint. Lory Lybeck, Andersen's attorney, told Ars that he plans to refile and move ahead with the lawsuit. "The judge spent about 45 minutes to an hour discussing exactly what she was looking for in an amended complaint," Lybeck said. In particular, Judge Brown is looking for more specificity around the slander claims, according to Lybeck, who also noted that the judge was "very knowledgeable" about the RIAA's legal campaign. He still believes that Andersen has a very strong case against both the record labels and MediaSentry. "The real case is that they blundered by misidentifying Andersen," he told Ars. From rforno at infowarrior.org Thu Feb 21 13:26:50 2008 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 21 Feb 2008 08:26:50 -0500 Subject: [Infowarrior] - NFL Reverses Call On Church Parties Message-ID: ...in related news, as pastor and Grand Plenipotentary of the First Church of Rick, I will host a public viewing party next year in an abandoned warehouse. Bigscreens all around, and BYOB! :) --rf NFL Reverses Call On Church Parties Thursday, February 21, 2008; E02 http://www.washingtonpost.com/wp-dyn/content/article/2008/02/20/AR2008022002772_pf.html The NFL, which found itself on the receiving end of protests and controversy after it objected to churches showing the Super Bowl on big-screen televisions, has reversed course and will now permit the viewings. In a letter to Sen. Orrin G. Hatch (R-Utah), NFL Commissioner Roger Goodell said the league would not object to "live showings -- regardless of screen size -- of the Super Bowl" by religious organizations. In response to questions from Hatch, Goodell said in the letter, dated Feb. 19, the NFL will implement the policy starting with next year's Super Bowl. 
A story in The Washington Post about churches -- most of them evangelical -- canceling their Super Bowl parties because they were afraid of lawsuits from the NFL if they showed the game on their jumbo screens kicked up a storm of protest on Capitol Hill and among some conservative leaders. The league has said that organizations that host public viewings of its games on television screens larger than 55 inches violate its copyright. Sports bars are exempted. Last year, the league sent letters to two churches advising them of the policy. In response, Sen. Arlen Specter (R-Pa.) proposed legislation that would allow houses of worship to show football games on big-screen televisions and raised the issue with Goodell at a meeting last week. Other congressional representatives threatened similar bills. In its letter, the NFL said it would not object to big-screen viewings in the churches as long as the showings are free and are on premises that the church uses on a "routine and customary" basis. Yesterday, public officials and church leaders praised the NFL's action. In a statement, Hatch said he was grateful that the NFL was making the accommodation. "Many families want to enjoy the Super Bowl in a group atmosphere -- but obviously aren't going to take their kids to a sports bar." Steve Holley, executive pastor of Immanuel Bible Church in Springfield, which canceled its big-screen Super Bowl party this year because it feared a lawsuit, said he is thrilled at the new policy. "It's decided to set aside profit for community spirit," Holley said. "I'm encouraged by that." -- Jacqueline L. Salmon From rforno at infowarrior.org Thu Feb 21 17:17:45 2008 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 21 Feb 2008 12:17:45 -0500 Subject: [Infowarrior] - Cold Boot Attacks on Encryption Keys Message-ID: Cold Boot Attacks on Encryption Keys J. Alex Halderman, Seth D. Schoen, Nadia Heninger, William Clarkson, William Paul, Joseph A. Calandrino, Ariel J. 
Feldman, Jacob Appelbaum, and Edward W. Felten Abstract Contrary to popular assumption, DRAMs used in most modern computers retain their contents for seconds to minutes after power is lost, even at operating temperatures and even if removed from a motherboard. Although DRAMs become less reliable when they are not refreshed, they are not immediately erased, and their contents persist sufficiently for malicious (or forensic) acquisition of usable full-system memory images. We show that this phenomenon limits the ability of an operating system to protect cryptographic key material from an attacker with physical access. We use cold reboots to mount attacks on popular disk encryption systems (BitLocker, FileVault, dm-crypt, and TrueCrypt) using no special devices or materials. We experimentally characterize the extent and predictability of memory remanence and report that remanence times can be increased dramatically with simple techniques. We offer new algorithms for finding cryptographic keys in memory images and for correcting errors caused by bit decay. Though we discuss several strategies for partially mitigating these risks, we know of no simple remedy that would eliminate them. < - > http://citp.princeton.edu/memory/ From rforno at infowarrior.org Thu Feb 21 17:24:32 2008 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 21 Feb 2008 12:24:32 -0500 Subject: [Infowarrior] - Microsoft opens APIs and protocols to all Message-ID: Original URL: http://www.theregister.co.uk/2008/02/21/microsoft_goes_open/ Microsoft opens APIs and protocols to all By Ashlee Vance in Mountain View (ashlee.vance at theregister.co.uk) Published Thursday 21st February 2008 16:27 GMT In an apparent bid to calm still feisty regulators, Microsoft has agreed to publish application programming interfaces (APIs) for its major software products and provide free access to those interfaces. 
In addition, Microsoft will free up protocols around its client and server software and has vowed not to sue open source companies that create non-commercial versions of these protocols. This shift, first revealed (http://www.theregister.co.uk/2008/02/21/microsoft_api_open/) by The Register, represents a major change in Microsoft's conduct. The company's tight control over the key APIs that help others interact with Microsoft's software have been a subject of controversy for both US and European regulators. Now it would seem that Microsoft wants to assuage critics by embracing a more open software development model. Specifically, Microsoft revealed that it will publish the APIs for Windows Vista, Server 2008, SQL Server 2008, Office 2007, Exchange Server 2007 and Office SharePoint Server 2007 on its website. "Developers do not need to take a license or pay a royalty or other fee to access this information," the company said. "Open access to this documentation will ensure that third-party developers can connect to Microsoft's high-volume products just as Microsoft's other products do." In addition, Microsoft will release some 30,000 pages of documentation surrounding Windows client and server protocols. In the past, partners and customers needed to acquire a trade secret license to this information through the Microsoft Work Group Server Protocol Program (WSPP) and the Microsoft Communication Protocol Program (MCPP). Similar protocol reveals will occur for Office 2007 and other "high-volume products" in the coming months. Microsoft also plans to highlight which protocols are covered by its patents and will "license all of these patents on reasonable and non-discriminatory terms, at low royalty rates." Looking longer-term, Microsoft has pledged not to sue developers who craft open source versions of its protocols. This would seem to cover projects such as Samba. Had enough yet? Well, Microsoft hasn't. 
On the we're so open it hurts front, Microsoft now plans to provide detailed documentation on how it supports industry standards and extensions. "To increase transparency and promote interoperability, when Microsoft supports a standard in a high-volume product, it will work with other major implementers of the standard toward achieving robust, consistent and interoperable implementations across a broad range of widely deployed products." The company has also pledged - wait for it - to support other document formats in Office 2007. It's going to craft fresh APIs for Word, Excel and PowerPoint applications that will let developers plug in their own document formats and even set those formats as the default setting for saving files. And with Redmond turning into Hippie Town, Microsoft has launched an Open Source Interoperability Initiative. The OSII will work to ensure interoperability between Microsoft and open source code through testing and cooperative development. Microsoft's top executives will provide more details on these programs during a morning conference call. We'll bring you the hot and heavy action. There's more information on today's moves here (http://www.microsoft.com/interop/). From rforno at infowarrior.org Fri Feb 22 01:10:58 2008 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 21 Feb 2008 20:10:58 -0500 Subject: [Infowarrior] - More on.....RFI: OSX Sync Solutions In-Reply-To: Message-ID: Thanks to all who sent in info and suggestions on that RFI earlier this week. Very helpful stuff! 
Thanks again, -rick From rforno at infowarrior.org Fri Feb 22 01:16:19 2008 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 21 Feb 2008 20:16:19 -0500 Subject: [Infowarrior] - Pew Internet Report: A Portrait of Early Adopters Message-ID: A Portrait of Early Adopters: Why People First Went Online --and Why They Stayed 2/21/2008 | Memo | Amy Tracy Wells Our canvassing of longtime internet users shows that the things that first brought them online are still going strong on the internet today. Then, it was bulletin boards; now, it's social networking sites. Then, it was the adventure of exploring the new cyberworld; now, it's upgrading to broadband and wireless connections to explore even more aggressively. Yet there are changes in their activities and motives. In the early days, most internet users consumed material from websites. These days they are just as likely to produce material. One common refrain is that they think more change lies ahead and they are eager to watch and participate. View PDF of Report http://www.pewinternet.org/PPF/r/240/source/rss/report_display.asp From rforno at infowarrior.org Fri Feb 22 01:19:46 2008 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 21 Feb 2008 20:19:46 -0500 Subject: [Infowarrior] - More on... Disk encryption may not be secure enough Message-ID: Disk encryption may not be secure enough, new research finds Posted by Declan McCullagh | 18 comments http://www.news.com/8301-13578_3-9876060-38.html?tag=nefd.lede Computer scientists have discovered a novel way to bypass the encryption used in programs like Microsoft's BitLocker and Apple's FileVault and then view the contents of supposedly secure files. In a paper (PDF) published Thursday that could prompt a rethinking of how to protect sensitive data, the researchers describe how they can extract the contents of a computer's memory and discover the secret encryption key used to scramble files. 
(I tested these claims by giving them a MacBook with FileVault; here's a slideshow.) "There seems to be no easy remedy for these vulnerabilities," the researchers say. "Simple software changes are likely to be ineffective; hardware changes are possible but will require time and expense; and today's Trusted Computing technologies appear to be of little help because they cannot protect keys that are already in memory. The risk seems highest for laptops, which are often taken out in public in states that are vulnerable to our attacks. These risks imply that disk encryption on laptops may do less good than widely believed." The nine researchers listed on the paper include San Francisco-area programmers Jacob Appelbaum and Seth Schoen and a team of Princeton University computer scientists such as graduate students J. Alex Halderman and Nadia Heninger and professor Ed Felten. The paper is titled "Lest We Remember: Cold Boot Attacks on Encryption Keys." Their technique doesn't attack the encryption directly. Rather, it relies on gaining access to the contents of a computer's RAM--through a mechanism as simple as booting a laptop over a network or from a USB drive--and then scanning for encryption keys. How the scan is done is one of the most clever portions of the paper. The reason I say this research could prompt a rethinking of how to protect data is that many of us who use encrypted file-systems believe that if our computers are lost or stolen, our data will be secure. But if a thief (or nosy border guard, or FBI agent) nabs my laptop locked with a screen saver or in sleep mode with the RAM intact, the paper shows that encryption provides no protection. "You can't rely on the screen saver," said Peter Gutmann, a computer science professor at the University of Auckland in New Zealand who has done related work but is not affiliated with Thursday's paper. "If you really are that worried, you have to turn off your PC."
The researchers say their technique works against Apple's FileVault, the BitLocker Drive Encryption feature included in the Enterprise and Ultimate versions of Windows Vista, the open-source product TrueCrypt, and the dm-crypt subsystem built into Linux kernels starting with 2.6. The other researchers include William Clarkson, William Paul, and Ariel J. Feldman. In its marketing literature, Apple promises that, with FileVault turned on, "the data in your home folder is encoded and your information is secure if your computer is lost or stolen." When I contacted the company for comment, Apple would say only this: "Apple takes security very seriously and has a great track record of addressing potential vulnerabilities before they can affect users. We always welcome feedback on how to improve security on the Mac." Microsoft was more forthcoming, saying: The claims detailed in the Princeton paper are not vulnerabilities, per se, but simply detail the fact that contents that remain in a computer's memory can be accessed by a determined third party if the system is running. BitLocker is an effective solution to help safeguard personal and private data on mobile PCs and provides a number of protection options that meet different end-user needs. Like all full volume encryption products BitLocker has a key in memory when the system is running in order to encrypt/decrypt data, on the fly, for the drive/s in use. If a system is in 'Sleep mode' it is, in effect, still running. We recognize users want advice with regards to BitLocker and have published best practice guidance in the Data Encryption Toolkit (available here). In it we discuss the balance of security and usability and detail that the most secure method to use BitLocker is hibernate mode and with multi-factor authentication.
At this point, clever readers might be thinking: If the attack involves executing a specific memory-dump utility while rebooting, then Apple, HP, Toshiba, and so on can simply lock down the hardware to prevent any such utility from being run until the RAM can be safely wiped. Problem solved? Well, not so fast. Another interesting technique that Thursday's paper describes is how to supercool the RAM chips with a can of compressed air held upside-down. Then the cooled memory can be physically extracted and inserted in another computer owned by the attacker. (If the memory is permanently affixed to the motherboard, there are still other methods [PDF] that can be used.) The paper states: Contrary to the expectation that DRAM loses its state quickly if it is not regularly refreshed, we found that most DRAM modules retained much of their state without refresh, and even without power, for periods lasting thousands of refresh intervals. At normal operating temperatures, we generally saw a low rate of bit corruption for several seconds, followed by a period of rapid decay. We obtained surface temperatures of approximately -50 degrees C with a simple cooling technique: discharging inverted cans of "canned air" duster spray directly onto the chips. At these temperatures, we typically found that fewer than 1% of bits decayed even after 10 minutes without power. To test the limits of this effect, we submerged DRAM modules in liquid nitrogen (ca. -196 degrees C) and saw decay of only 0.17% after 60 minutes out of the computer. Gutmann, the New Zealand computer scientist, previewed this kind of attack in a 1996 paper that said: "To extend the life of stored bits with the power removed, the temperature should be dropped below -60 degrees C. Such cooling should lead to weeks, instead of hours or days, of data retention." But in reality, such extreme methods probably won't be necessary.
If thieves, FBI agents, or border guards have physical access to a computer that's turned on, they have other options. In 2004, Maximillian Dornseif showed how to extract the contents of a computer's memory merely by plugging in an iPod to the Firewire port. A subsequent presentation by "Metlstorm" in 2006 expanded the Firewire attack to Windows-based systems. Translation: If you use an encrypted file-system and want privacy and security when you're not using your computer, you need to shut down your computer and wait a few minutes for the RAM contents to vanish. Another option for sensitive files is to use an encrypted volume like a PGP disk and unmount it as soon as you're done. That assumes PGP erases the encryption keys from memory once the volume is unmounted, which the company swears it does. "We go well beyond that," said John Dasher, PGP Corporation's director of product management, adding that PGP products take "very elaborate measures to make sure that things are properly and completely disposed of." He downplayed the potential threat to users of PGP, which provides both whole disk encryption and volume encryption and the researchers speculate will be vulnerable as well. "We never say buy whole disk and you're done," Dasher said. "You want to protect the device. You want to protect the data itself. And of course you're not going to get rid of your network protection. Security's not about buying whole disk encryption (and calling it a day)." In response to the overall claim about the vulnerability of encrypted file-systems, Dasher said, "Even if it's true, I don't know if it changes my behavior." It's been known for a long time--at least since Gutmann's 1996 paper--that encryption keys are vulnerable when stored in memory. And additional research (PDF) by Adi Shamir and Nicko van Someren two years later talks about identifying encryption keys by scanning hard drives. 
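The key-finding step that this article calls one of the most clever parts of the paper is easier to see in code than in prose. What follows is an example added for this archive page; it is not the Princeton team's tool and not part of Declan McCullagh's article. It implements the FIPS-197 AES-128 key expansion (the S-box is derived from the field arithmetic rather than typed in), then slides a window over a memory image, treats each 16 bytes as a candidate key, and accepts the candidate when its own expansion agrees with the next 160 bytes to within a decay tolerance. That is the redundancy a key schedule gives an attacker: a 128-bit key leaves a 1,408-bit fingerprint in RAM, and the fingerprint survives even when a few percent of its bits have decayed. The memory image is constructed inside build_demo_image(), with one planted schedule and 60 flipped bits; the function names, the 128-bit threshold and the image itself are this example's own choices. The paper's real tool goes further (it also repairs keys whose own 16 bytes have decayed, and it handles DES, AES-256 and RSA), which this simplified scanner does not.

```python
"""
Find AES-128 keys in a raw memory image by locating their expanded key
schedule, in the spirit of the cold boot paper's key-finding step.
Added example for this page, not the researchers' code. The image scanned
below is constructed in build_demo_image().
"""
import random


def _gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def _build_sbox():
    """Derive the AES S-box: multiplicative inverse, then the affine map."""
    sbox = [0] * 256
    for x in range(256):
        inv = 0
        if x:
            inv, base, e = 1, x, 254          # x^254 == x^-1 in GF(2^8)
            while e:
                if e & 1:
                    inv = _gf_mul(inv, base)
                base = _gf_mul(base, base)
                e >>= 1
        s = inv
        for i in range(1, 5):                 # s ^= rotl(inv, 1..4)
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox[x] = s ^ 0x63
    return sbox


SBOX = _build_sbox()


def expand_key(key):
    """FIPS-197 key expansion for AES-128: 16-byte key -> 176-byte schedule."""
    if len(key) != 16:
        raise ValueError("AES-128 key must be 16 bytes")
    w = list(key)
    rcon = 1
    for i in range(4, 44):
        t = w[(i - 1) * 4:i * 4]
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # RotWord, then SubWord
            t[0] ^= rcon
            rcon = _gf_mul(rcon, 2)                # next round constant
        w += [w[(i - 4) * 4 + j] ^ t[j] for j in range(4)]
    return bytes(w)


def _bit_errors(a, b):
    """Hamming distance between two equal-length byte strings."""
    return bin(int.from_bytes(a, "big") ^ int.from_bytes(b, "big")).count("1")


def find_aes128_keys(image, max_bit_errors=128):
    """
    Slide a 176-byte window over the image. The first 16 bytes of the window
    are a candidate key; if expanding that candidate reproduces the next 160
    bytes to within max_bit_errors, report (offset, key, decayed_bits).
    A window that is not a schedule disagrees in roughly 640 of 1280 bits,
    so a 10% tolerance leaves a wide margin against false positives.
    """
    hits = []
    for off in range(0, len(image) - 176 + 1):
        cand = image[off:off + 16]
        errs = _bit_errors(expand_key(cand)[16:], image[off + 16:off + 176])
        if errs <= max_bit_errors:
            hits.append((off, cand, errs))
    return hits


def build_demo_image(seed=1, size=2048, flipped_bits=60):
    """
    Constructed test input (not a real dump): random filler with one key
    schedule planted at a random offset, then `flipped_bits` distinct bits
    of the expanded part flipped to simulate decay. The 16 key bytes are
    left intact, which is the case this simplified scanner handles.
    Returns (image, offset, key).
    """
    rng = random.Random(seed)
    image = bytearray(rng.getrandbits(8) for _ in range(size))
    key = bytes(rng.getrandbits(8) for _ in range(16))
    off = rng.randrange(0, size - 176)
    image[off:off + 176] = expand_key(key)
    for bit in rng.sample(range(160 * 8), flipped_bits):
        image[off + 16 + bit // 8] ^= 1 << (bit % 8)
    return bytes(image), off, key


if __name__ == "__main__":
    image, off, key = build_demo_image()
    for found_off, found_key, errs in find_aes128_keys(image):
        print(f"offset {found_off:#x}: key {found_key.hex()} ({errs} decayed bits)")
    print(f"planted at {off:#x}: key {key.hex()}")
```

Run it as-is to scan the constructed image; to try it on a real dump, read the file into bytes and pass it to find_aes128_keys(). The scan is deliberately exhaustive (every byte offset, no alignment assumption), which is slow in pure Python on a multi-gigabyte dump; the point is the check itself, not the speed. Note what the tolerance means in practice: with the decay rates the article quotes for cooled chips (under 1% after ten minutes), a schedule would carry on the order of a dozen flipped bits out of 1,280, an order of magnitude inside the threshold.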
By demonstrating the limits of off-the-shelf encryption products, what the research published on Thursday may do is shift the debate from academic arguments to how to protect users in real-world situations. It also advances previous research by calculating how long dynamic RAM chips hold their contents at different temperatures (little decay until a few seconds elapse) and offering algorithms to reconstruct encryption keys even when the contents of memory have begun to decay. The reconstruction technique works by taking into account what's known as a "key schedule" for algorithms such as DES and AES, the U.S. government's Advanced Encryption Standard. A key schedule is used in certain kinds of ciphers that do multiple rounds of encryption. The computer scientists said that it takes them "a few seconds" to reconstruct AES keys with 10 percent of the bits decayed; the more decay, the longer it takes. So what are the countermeasures? As I noted above, shutting down the system, zeroing memory on boot, and unmounting encrypted volumes are some options. The paper suggests others, including limiting booting from network or removable drives, better methods of putting a computer to sleep (perhaps involving encrypting the portions of memory with the keys to the file system), recomputing keys when they're needed to avoid keeping copies in memory, and hardware changes such as tamperproof or encrypting RAM. There is one irony here. One Princeton Ph.D. student, Joseph Calandrino, is listed as having "performed this research while under appointment to the Department of Homeland Security." Because this research lets them bypass file-system encryption in some cases, police agencies are the most obvious and immediate beneficiaries of this research. As early as 1984, the FBI Laboratory began developing computer forensics hardware. 
And we know from the Scarfo, Forrester-Alba, and Boucher cases how intent federal police agencies are in trying to find ways to circumvent the privacy that encryption provides. If the feds didn't know about these techniques already--remember, they were years ahead of everyone else in inventing public key cryptography--today will be a very good day for Homeland Security. Update 12:30pm: I've been asked whether encrypted swap was turned on in our test to see if they could bypass FileVault. It was. But it actually doesn't matter; remember, they're analyzing the contents of RAM, not the contents of the hard drive. From rforno at infowarrior.org Fri Feb 22 01:44:18 2008 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 21 Feb 2008 20:44:18 -0500 Subject: [Infowarrior] - EconomicIndicators.Gov to stay online In-Reply-To: Message-ID: ------ Forwarded Message From: William Knowles http://blogs.wsj.com/economics/2008/02/21/after-complaints-econ-data-portal-to-stay-open/ February 21, 2008, 2:34 pm The U.S. Department of Commerce appears to have turned away from its plans to yank the plug on Economicindicators.gov, a Web portal describing its mission as providing "timely access to the daily releases of key economic indicators from the Bureau of Economic Analysis and the U.S. Census Bureau." News of the impending closure of the site had been making the rounds since last week. Sen. Charles Schumer (D., N.Y.) complained publicly about it. And earlier today, a note at the top of the site said "due to budgetary constraints, the Economic Indicators service will be discontinued effective March 1, 2008." But after 1 p.m. EST a different, rather lengthy, announcement graced the top of the Web page. It begins: "The U.S.
Department of Commerce's Economics and Statistics Administration (ESA) has decided to continue the economicindicators.gov website - ESA initially planned to discontinue the service due to cost concerns but given the feedback ESA received, the decision has been made to continue the site and improve its functionality." A commerce department spokesperson was not immediately available for comment. [...] From rforno at infowarrior.org Fri Feb 22 03:38:22 2008 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 21 Feb 2008 22:38:22 -0500 Subject: [Infowarrior] - The Pharmaceutical Industry's Hidden Marketing Tactics Message-ID: Beyond Advertising: The Pharmaceutical Industry's Hidden Marketing Tactics Submitted by Mary Ebeling on Thu, 02/21/2008 - 12:00. [Image: DTC ad for Lipitor, featuring Dr. Jarvik] In early January, the U.S. House Committee on Energy and Commerce began investigating celebrity endorsements in television ads for brand-name drugs. The investigation was sparked by Pfizer's commercials for its best-selling cholesterol drug Lipitor. These direct-to-consumer (DTC) ads feature Dr. Robert Jarvik, a pioneer in the development of the artificial heart. Viewers are not told that Jarvik is not a cardiologist, nor is he licensed to practice medicine. His presentation as a trusted expert, Pfizer presumably hopes, is enough to persuade viewers to ask their doctors for Lipitor by name. And that would help erode the increasing competition from generic alternatives.... < - > http://www.prwatch.org/node/7026 From rforno at infowarrior.org Fri Feb 22 03:41:59 2008 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 21 Feb 2008 22:41:59 -0500 Subject: [Infowarrior] - Army to restore public access to Reimer Library website Message-ID: ARMY SAYS IT WILL RESTORE PUBLIC ACCESS TO ONLINE LIBRARY http://www.fas.org/sgp/news/secrecy/2008/02/022108.html#1 The U.S.
Army said today that it would restore public access to the online Reimer Digital Library of Army publications, after having blocked the site on February 6. Last week, the Federation of American Scientists filed a Freedom of Information Act request asking for a copy of the entire Reimer collection for publication on the FAS website or, alternatively, for renewed public access to the site (Secrecy News, Feb. 13). The Army chose the latter option. "TRADOC [U.S. Army Training and Doctrine Command] is currently in the process of making it available to the public again," said Mrs. Alverita Mack, a Freedom of Information Act officer at Fort Eustis, Virginia. "The Army has seen the error of its ways," said another Defense Department FOIA officer. "Also, they want you to withdraw your FOIA request." The dispute over the shuttered website was reported today in the Washington Post. See "Army Blocks Public's Access to Documents in Web-Based Library" by Christopher Lee, February 21: http://www.washingtonpost.com/wp-dyn/content/article/2008/02/20/AR2008022002830.html By moving the Reimer site behind the password-protected Army Knowledge Online (AKO) firewall, the Army placed the public at a disadvantage, but not only the public. "The Army has not only restricted access to the public but to everyone else in DoD as well," one Navy correspondent explained to Secrecy News. "So... those working for the AF, Navy, Marines, etc will not be able to access these documents -- unless they are able to get an AKO account -- which isn't a given." "I happen to have an AKO account but only because I know someone who was willing to sponsor me," the Navy official wrote. "It is getting harder and harder to access information within DoD let alone from outside it!" The Freedom of Information Act is not often an effective mechanism for changing government policy, nor was it intended to be.
But in this case, where the Army had moved to block public access to thousands of releasable documents, the FOIA proved to be the optimal tool for compelling a change in policy. Mrs. Mack, the Army FOIA officer, said today that she did not know exactly when the Reimer Digital Library would again be accessible. And, she said, it might end up at a different URL than before. We indicated that we would withdraw our FOIA request after public access is fully restored. From rforno at infowarrior.org Fri Feb 22 03:55:17 2008 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 21 Feb 2008 22:55:17 -0500 Subject: [Infowarrior] - FCC to hold open hearing on traffic shaping Message-ID: FCC to hold open hearing on traffic shaping The FCC will on Monday hold a public hearing to discuss the ramifications of traffic shaping, it has announced. The focus will specifically be on the concept of net neutrality, an FCC policy which traffic shaping is said to violate, by dictating which services and/or websites an ISP customer can use. Panels at the hearing will be staffed by academics, engineers, lobbyists and politicians, in contrast to a workshop held last year which was mostly helmed by industry representatives and supporters. The hearing is scheduled for 10AM to 4PM at the Harvard Law School in Cambridge, Massachusetts. The issue of net neutrality has come to the fore mainly as a result of Comcast, which is under investigation by the FCC for sabotaging peer-to-peer traffic such as BitTorrent downloads. The company has also been threatened with potential federal legislation, as well as two separate lawsuits, alleging unfair practices and false advertising. 
[via Broadband Reports] http://www.electronista.com/articles/08/02/21/fcc.neutrality.hearing/ From rforno at infowarrior.org Fri Feb 22 13:56:47 2008 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 22 Feb 2008 08:56:47 -0500 Subject: [Infowarrior] - OT: Friday Humor - "MS Vista" Message-ID: I understand this was the first attempt at Vista's publicity campaign but Microsoft thought it was a bit too honest..... :) http://www.blimptv.net/mostpopularV1.html From rforno at infowarrior.org Fri Feb 22 14:19:22 2008 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 22 Feb 2008 09:19:22 -0500 Subject: [Infowarrior] - OSX Sync Followups Message-ID: Here's a sampling of comments received. Most suggested a CLI-based solution of psync or rsync. In addition I learned of some shiny commercial/shareware solutions such as Synk or ChronoSync that will allow home folder synchronization as well. -rick On Wed, Feb 20, 2008 at 03:20:04PM -0500, Richard Forno wrote: > Is there an easy way to share some or all of a home folder between two > different machines? I'm looking to get an iMac for the office but also have > a laptop "sync'd up" and ready to go on a minute's notice if I have to go > somewhere. I use rsync (with an appropriate set of alphabet-soup flags, shown below) to keep various directories on my (Unix) laptop sync'd with my (Unix) desktop. For one-way use, it's fine. But I keep reading very good things about Unison: http://www.cis.upenn.edu/~bcpierce/unison/ when it comes to multi-way and bidirectional sync'ing. I haven't had the chance to try it yet, but the comments have come from a sufficiently diverse and clueful set of people that I suspect it's worth looking into. The rsync incantation:
rsync -vrlogptHDxz --progress --stats --delete-after
Most of the flags have to do with preserving file attributes. The --progress lets me keep an eye on it, and --stats is just for curiosity.
--delete-after tells it to not delete files on the remote side until the end, that is, it queues up deletions and does them after transferring all the new stuff. < -- > Best options I have found are rsync, which is free and requires minimal comfort with the command line, and for a paid option, I love Synchronize Pro (www.qdea.com). The rsync command I use is (make sure these commands are on one line each):
sudo /usr/bin/rsync -aREx --delete /Path/To/SourceDirectory/ /Volumes/BackupVolumeName/Path/To/TargetDirectory/
It will ask you for your password. You can also put these in your .login file as an alias so you can just type rickbackupdir and it will work. This one will back up your root directory (i.e. everything) to a target volume.
alias rickbackupwhole="sudo /usr/bin/rsync -aREx --delete --exclude='.Spotlight-*' --exclude '/private/var/vm/*' / /Volumes/BackupVolumeName/"
This one will back up a directory to a target directory on another volume.
alias rickbackupdir="sudo /usr/bin/rsync -aREx --delete /Path/To/SourceDirectory/ /Volumes/BackupVolumeName/Path/To/TargetDirectory/"
Good luck and feel free to ping me with questions if you wish. < - > SuperDuper, and SyncTwoFolders From rforno at infowarrior.org Fri Feb 22 18:32:04 2008 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 22 Feb 2008 13:32:04 -0500 Subject: [Infowarrior] - GOP's FISA Thriller: 3, .. 2, .. 1 .. We're All Going to Die Message-ID: GOP's FISA Thriller: 3, .. 2, .. 1 .. We're All Going to Die By: Bill W. on Friday, February 22nd, 2008 at 6:15 AM - PST And it will be all the House Democrats' fault, or so this video attempting to scare the crap out of you posted over at GOP.gov portends.
(h/t Wonkette) < - > http://www.crooksandliars.com/2008/02/22/gops-fisa-thriller-3-2-1-were-all-going-to-die/ From rforno at infowarrior.org Fri Feb 22 18:34:34 2008 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 22 Feb 2008 13:34:34 -0500 Subject: [Infowarrior] - ODNI Report to Congress on Data Mining Message-ID: (c/o Secrecy News) The ODNI Report to Congress is unclassified, but was accompanied by a classified annex. See "Data Mining Report," ODNI Report to Congress, February 15, 2008: http://www.fas.org/irp/dni/datamining.pdf From rforno at infowarrior.org Fri Feb 22 19:14:30 2008 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 22 Feb 2008 14:14:30 -0500 Subject: [Infowarrior] - LexisNexis Parent Set to Buy ChoicePoint Message-ID: LexisNexis Parent Set to Buy ChoicePoint By Ellen Nakashima and Robert O'Harrow Jr. Washington Post Staff Writers Friday, February 22, 2008; D01 http://www.washingtonpost.com/wp-dyn/content/article/2008/02/21/AR2008022100809_pf.html Publishing company Reed Elsevier, owner of the LexisNexis Group, is seeking to acquire commercial data broker ChoicePoint in a $4.1 billion cash deal that would create a global information-gathering powerhouse that would collect and analyze billions of records about who people are, where they live and with whom, and what they own. With customers including government agencies, insurance companies, banks, rental apartments, corporate personnel offices and private investigators, the combined company's reach would extend from national security offices to the living rooms of ordinary Americans. Both companies have played key roles in law enforcement, homeland security and intelligence. Both have also had identity-theft and security problems. The deal, announced yesterday by Reed Elsevier, which is based in London, is a bid to increase the company's risk-management business.
It comes at a time of exploding demand for ways to establish identity, discern fraud, and detect criminal and other threats by sorting through electronic records. Companies like ChoicePoint and Reed Elsevier seek to amass vast amounts of data and to analyze the information relevant to companies and government agencies. "We just think it's a logical next step in the use of our capabilities," said James Peck, chief executive of LexisNexis Risk and Information Analytics Group, the division that would acquire ChoicePoint. The proposed acquisition could have important, if difficult to discern, implications for Americans, whose personal information has become more scrutinized than ever before by information companies and corporations for marketing and security. LexisNexis and ChoicePoint flourished over the past decade, a time when computing power soared and methods of gathering data became more sophisticated. But they have different strengths, and a combined company would give them a deeper look into American homes and a combined influence on processes as varied as national-security probes, insurance claims and job applications. "Increasingly, this is less about what big business knows and more about how business uses information to make decisions about consumers," said Marc Rotenberg, executive director of the Electronic Privacy Information Center. "Both of these companies are having an increasing say over the opportunities that are available to consumers as well as to decisions that restrict individuals." Since it began in 1997 as a reseller of credit data, ChoicePoint, headquartered in Alpharetta, Ga., has bought dozens of companies to become an all-purpose data broker. In recent years, the company has focused on refining data with analytical software. With a few clicks of a mouse, ChoicePoint's law enforcement, government and corporate customers can access information about personal holdings and activities. 
"In a single report, ChoicePoint provides not only comprehensive data on the target of an inquiry, but also on associates, relatives, assets, affiliated companies, and neighbors, information which no other vendor offers in the same concise format," according to documents describing a 2007 contract with the Department of Energy. ChoicePoint maintains the most extensive repository of insurance information obtained from claims applications, and it has developed systems that analyze that data to judge whether companies should offer a customer coverage or pay claims. The system, called the Comprehensive Loss Underwriting Exchange, receives data from almost every insurer about automobile and homeowners coverage. LexisNexis, known for its legal and media services, also manages records about U.S. adults. The Risk and Information Analytics Group focuses on helping government, police and corporate customers peer into individuals' details to judge them for risk. One of the group's more important assets is a computer system that came with the purchase in 2004 of Seisint, an information service. Seisint created a controversial tool called the Matrix, which gave state and federal authorities new power to analyze records about Americans after the Sept. 11, 2001, terrorist attacks. At the time, officials at LexisNexis said the technology would help government investigators who were scrambling to improve the collection, analysis and sharing of information in the war on terrorism. Now, the Risk and Information Analytics Group works with collections firms and health-care, financial services and insurance companies, along with local, state and federal agencies. ChoicePoint disclosed in 2005 that it had mistakenly sold personal information on 145,000 Americans to identity thieves. In 2006, it was fined $10 million by the Federal Trade Commission over its failure to protect consumers' personal data. 
In 2005, a security breach at LexisNexis exposed as many as 310,000 consumers' Social Security numbers, driver's license numbers, names and addresses. ChoicePoint has since reformed its data-security practices, and some civil libertarians say it has become a leader in privacy. Still, the proposed acquisition raises significant issues that regulators must weigh, Rotenberg said. "These are companies that will be able to sell very detailed profiles of individuals to businesses, insurers, government agencies and others, but individuals do not currently have a right to see what information about them is being sold to third parties," he said. "That is a very big privacy issue." Peck said the two companies' services are aimed at protecting people's identities. "When you put two organizations like ours together, we're going to be able to provide our customers -- financial institutions, health-care providers, law enforcement -- a better tool to fight identity fraud. They're actually helping to protect people rather than creating some privacy issue." The deal, which requires approval from either the Justice Department or the FTC, is expected to close this summer. Staff researcher Richard Drezen contributed to this report. From rforno at infowarrior.org Fri Feb 22 21:13:16 2008 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 22 Feb 2008 16:13:16 -0500 Subject: [Infowarrior] - Wiretapping Made Easy Message-ID: Security Wiretapping Made Easy Andy Greenberg, 02.21.08, 12:53 AM ET http://www.forbes.com/2008/02/21/cellular-spying-decryption-tech-security-cx_ag_0221cellular.html?feed=rss_popstories Washington - Silently tapping into a private cellphone conversation is no longer a high-tech trick reserved for spies and the FBI. Thanks to the work of two young cyber-security researchers, cellular snooping may soon be affordable enough for your next-door neighbor.
In a presentation Wednesday at the Black Hat security conference in Washington, D.C., David Hulton and Steve Muller demonstrated a new technique for cracking the encryption used to prevent eavesdropping on global system for mobile communications (GSM) cellular signals, the type of radio frequency coding used by major cellular service providers including AT&T (NYSE: T), Cingular and T-Mobile. Combined with a radio receiver, the pair say their technique allows an eavesdropper to record a conversation on these networks from miles away and decode it in about half an hour with just $1,000 in computer storage and processing equipment. Hulton, director of applications for the high-performance computing company Pico, and Muller, a researcher for mobile security firm CellCrypt, plan to make their decryption method free and public. In March, however, they say they'll start selling a faster version that can crack GSM encryption in just 30 seconds, charging between $200,000 and $500,000 for the premium version. Who will be the customers for their innovative espionage technique? Hulton and Muller say they aren't sure yet. But they plan to offer the method to companies that will integrate it with radio technology, not sell it directly to the law enforcement and criminal customers who will undoubtedly be interested in putting it to use. "We're not creating the technology that does the interception," Muller says. "All this does is crunch data." Hulton and Muller will likely make a tidy profit from the fruits of their research work, which they've personally patented. The companies they work for may profit less directly; Pico makes the high-performance processors necessary to do heavy-duty encryption work. CellCrypt makes software for encrypting mobile phone conversations, patching the security flaw that Hulton and Muller's research has uncovered.
As for the moral question of chipping away at the privacy of cellphone users around the world, Muller gives an answer common to security researchers: He and Hulton didn't invent the hackable technology; they just brought attention to its vulnerabilities. In fact, Muller argues, GSM encryption was cracked--theoretically--in academic papers as early as 1998. "Active" radio interceptors, which impersonate cell towers and can eavesdrop on GSM phone conversations, have also been sold by companies like Comstrac and PGIS for years. (Active techniques, however, only allow eavesdropping from within about 600 feet and are easily detectable, Muller notes.) Undetectable, "passive" systems like the one that Muller and Hulton have created aren't new either, though previous technologies required about a million dollars worth of hardware and used a "brute force" tactic that tried 33 million times as many passwords to decrypt a cell signal. All of that means, Hulton and Muller argue, that their cheaper technique is simply drawing needed attention to a problem that mobile carriers have long ignored--one that well-financed eavesdroppers may have been exploiting for years. "If governments or other people with millions of dollars can listen to your conversations right now, why shouldn't your next-door neighbor?" Muller says. The new technique may serve as a wake-up call for mobile carriers, which have long been in denial about the vulnerabilities of GSM security, says Bruce Schneier, encryption guru and chief technology officer of BT Counterpane. "This is a nice piece of work, but it isn't a surprise," he says. " We've been saying that this algorithm is weak for years. The mobile industry kept arguing that the attack was just theoretical. Well, now it's practical." 
David Pringle, a spokesman for the GSMA trade association, which represents 700 GSM carriers around the world, said in a statement that "the mobile industry is committed to maintaining the integrity of GSM services, and the protection and privacy of customer communications is at the forefront of operators' concerns." He also pointed out that decrypting GSM still requires special equipment and is more secure than a typical landline. The GSMA, he noted, has developed and is working on implementing a higher level of encryption; newer 3G cell carriers are also immune from the attack. Although their exploit doesn't target the competing CDMA cellular technology used by carriers like Verizon (NYSE: VZ) and Sprint Nextel (NYSE: S), Muller argues it's not necessarily less secure. GSM was only decrypted first because it's more popular worldwide: Few cellphone subscribers outside North America use CDMA carriers. So how do Hulton and Muller ensure that their own phone conversations aren't intercepted? Muller responds to that question, posed by an audience member at Black Hat's gathering of hackers and security professionals, with a smile. "We don't use phones," he says. From rforno at infowarrior.org Sat Feb 23 02:57:51 2008 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 22 Feb 2008 21:57:51 -0500 Subject: [Infowarrior] - Google Says I.P. Addresses Aren't Personal Message-ID: February 22, 2008, 5:16 pm Google Says I.P. Addresses Aren't Personal http://bits.blogs.nytimes.com/2008/02/22/google-says-ip-addresses-arent-personal/index.html By Saul Hansell Google has responded to European regulators who have suggested that Internet Protocol addresses of users be considered personally identifiable information. Not surprisingly, it disagrees.
The issue matters because the standards for what companies do with data that can be traced back to an individual are subject to tighter rules than other information they use - as they should be. Google records the I.P. address associated with every search it handles. In a post on the Google Public Policy Blog, Alma Whitten, a software engineer, points out that often the I.P. address assigned to any one computer is changed on a regular basis by the Internet provider that services that computer. Google, she writes, strongly supports "the idea that data protection laws should apply to any data that could identify you. The reality is though that in most cases, an I.P. address without additional information cannot." True enough. But it's also true that if someone has your I.P. address, it makes it much easier to gather the additional information needed to identify you. Think of an I.P. address as one of two keys needed to unlock a door. Just because the second key is needed too, doesn't mean the first key shouldn't also be protected. In the case of dynamic I.P. addresses - those that are periodically changed - the other key is held by the Internet providers themselves. And they are routinely forced to provide information about which customer was assigned what I.P. address at a given time in response to legal proceedings. Technically, fixed I.P. addresses - those that are permanently assigned to a given computer - are also not personal information, because a Web site doesn't know who is using that computer. But once the site, or a partner, convinces a user at that site to reveal his or her identity - to register for a service, make a purchase, or even enter a sweepstakes - that information can be associated with everything else the users of that computer do. Yes, there may be more than one person who uses a computer, just as there is often more than one person who uses a home telephone.
Few people would say that this means phone numbers aren't personal. Google is right to say that an I.P. address isn't exactly the same thing as your Social Security number. But its blog post also skips over all the ways that having your I.P. address can help someone unlock information about what you do online. And doing so doesn't help the debate over what the right protections for personal information should be.

From rforno at infowarrior.org Sat Feb 23 03:02:12 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 22 Feb 2008 22:02:12 -0500
Subject: [Infowarrior] - UK ISPs could face piracy sanctions
Message-ID:

ISPs could face piracy sanctions Internet service providers must take concrete steps to curb illegal downloads or face legal sanctions, the government has said. The proposal is aimed at tackling the estimated 6m UK broadband users who download files illegally every year. The culture secretary said consultation would begin in spring and legislation could be implemented "by April 2009". Representatives of the recording industry, who blame piracy for a slump in sales, welcomed the proposals. "ISPs are in a unique position to make a difference and in doing so to reverse a culture of creation-without-reward that has proved so damaging to the whole music community over the last few years," said John Kennedy, head of the International Federation of the Phonographic Industry (IFPI). A spokesperson for the Internet Service Providers' Association (ISPA) said that creating appropriate legislation would be very difficult. "Any scheme has got to be legal, workable and economically sustainable," the spokesperson told BBC News. He also said that ISPs were already pursuing self-regulation, which was the government's preferred route. Privacy issue "The government has no burning desire to legislate," Andy Burnham, culture secretary, told the Financial Times. However, he said that the proposals signalled "a change of tone from the government".
Its intentions are outlined in a creative industries strategy paper called Creative Britain: New Talents for the New Economy. The document is a broad ranging paper that sets out government support for the creative industries. The document commits the government to consulting on anti-piracy legislation this spring "with a view to implementing it by April 2009", according to the FT. "We're saying we'll consult on legislation, recognising there are practical questions and legitimate issues," Mr Burnham told the paper. In particular, any legislation would have to take account of the 2002 E-Commerce Regulations that define net firms as "conduits" which are not responsible for the contents of the traffic flowing across their networks. European laws on online privacy could also create problems for any new legislation. Earlier this year it was reported that the government was considering a "three strikes" approach to tackling persistent offenders in the report. But Mr Burnham denied this was the case and told the FT that the strategy had "never been in the paper". If the government goes ahead, the UK would be one of the first countries to impose sanctions. "This is a sea-change in attitude and I believe it is now up to governments elsewhere in Europe and further afield to follow their example," said Mr Kennedy. Story from BBC NEWS: http://news.bbc.co.uk/go/pr/fr/-/2/hi/technology/7258437.stm Published: 2008/02/22 10:41:56 GMT © BBC MMVIII

From rforno at infowarrior.org Sat Feb 23 17:17:17 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 23 Feb 2008 12:17:17 -0500
Subject: [Infowarrior] - Whistle while you work
Message-ID:

Whistle while you work From government to big business, if you have a dirty secret, Wikileaks is your nightmare. David Leigh and Jonathan Franklin on the site a US court has tried to muzzle This article appeared in the Guardian on Saturday February 23 2008 on p31 of the Saturday section. It was last updated at 15:32 on February 23 2008.
http://www.guardian.co.uk/theguardian/2008/feb/23/internet.usa A secretive Swiss bank landed an apparently novel censorship blow against the internet this week. Anyone who tried to call up wikileaks.org, a global website devoted to publicising leaked documents, found themselves frustrated. The site simply wasn't there any more. The Julius Baer bank in Zurich succeeded in hamstringing the shadowy individuals behind the website by the simple trick of moving not against them, but against a US company that hosted their domain name. Dynadot, the California resellers who collect a few dollars by this internet trade, submitted to a legal injunction ordering the name to be deleted. Yet however wise this scheme may have appeared at the time to the Swiss bank's Los Angeles lawyers, Lavely & Singer, it has now backfired in a big way. The injunction blew up a gale of debate about internet freedom, and sprayed the bank's secret documents all over the net. It has also thrust into prominence an obscure group of dreamers and programmers who want to provide what they call an "untraceable and uncensorable" leaking machine, to be used by dissidents worldwide. Those behind Wikileaks include Tibetan, Chinese and Thai political campaigners, an Australian hacking author, and Ben Laurie, a mathematician living in west London who is on the advisory board. Wikileaks is not the first site of its kind. John Young, a New York architect, has been posting leaked intelligence documents on his Cryptome site for some years. But since its launch in late 2006, Wikileaks has had an impressive record. When Northern Rock collapsed last autumn, print media in London were gagged by a judge's order from re-publishing its leaked sales prospectus. It was Wikileaks that kept the prospectus before the public, along with the text of some threatening "not for publication" letters from the British lawyers, Schillings. 
In the US, Wikileaks also made headlines last November with the publication of secret documents, including the 238-page manual Standard Operating Procedures for Camp Delta, a document that even the US military grudgingly admitted was genuine. The Guantánamo document, including descriptions of everything from transferring prisoners to evading protocols of the Geneva convention, was a comprehensive guide to day-to-day operations at the controversial prison. Wikileaks landed an even bigger coup last August with a previously secret 110-page draft report by the international investigators Kroll, which revealed allegations of massive corruption in Kenya. The family of former Kenyan leader Daniel Arap Moi were reported to have siphoned off more than £1bn. The reason Wikileaks has now enraged the Zurich bank is that pages have been posted detailing the bankers' most intimate trade secret: the way they hide the funds of their ultra-rich international clients in offshore trusts. This sort of material is very hot stuff. In Germany, the federal intelligence service recently paid an informer almost £4m for a disc containing similar details from a Liechtenstein bank. That led to raids on hundreds of suspected tax evaders, the disgrace of prominent businessmen, and a diplomatic collision with the tiny tax haven. The person Baer describes as a disgruntled former employee at their own Cayman Islands office has similarly made off with a large quantity of internal records. A handful of these have made their way on to the Wikileaks site, which advertises that individuals can leak with the confidence they won't be discovered, thanks to the site's cryptographic protection. The files tell some interesting stories. One of Margaret Thatcher's life peers allegedly salted away more than $100m (£50m) in a secret trust, for example. The late Lawrence Kadoorie, a Hong Kong millionaire, was ennobled in 1981 by the former British prime minister.
He had built up the family's fortunes through China Light and Power, which provides Hong Kong with its electricity, and through a chain of hotels. According to the files, the Baer bank ran an anonymous company, registered in the British Virgin Islands and called Seneford Investments. A nominee director was based in a second tax haven, the Cayman Islands. But the real owner of Seneford Investments, it is claimed, was Kadoorie's family trust. In 1998, the documents listed six bank accounts for the company, in Switzerland and elsewhere. They held a total of $113m. There is no suggestion that this was illegal. Kadoorie's son, Sir Michael, who still has major interests in the Hong Kong companies, did not respond yesterday to invitations from the Guardian to comment. The other bank records posted by Wikileaks describe equally elaborate structures husbanding millions of pounds for Spanish financiers, Greek ship-owners, Chinese expatriates and wealthy New Yorkers. Although the leaker hints that tax frauds and bribery may lie behind some of these other accounts, he does not give enough detail to provide proof. Wikileaks itself admits that some of the documents might be fabricated, and the whole affair might have only been seen as a curiosity, had the Baer bank not called in their lawyers. The federal judge Jeffrey White in San Francisco not only ordered removal of the domain name, but banned further circulation of the documents. As a result, they reappeared on Wikileaks "mirror" sites, hosted in the UK, Belgium and the Christmas Islands. It even transpired that the deleted main Wikileaks site could be accessed, slightly less conveniently, by using its IP number (88.80.13.160) instead of the domain name. Bloggers, online columnists and websites decried the bank's move as they launched a counterattack and lobbied in favour of Wikileaks' right to anonymously publish secrets. Less than a week after the court decision, a Google search for the court case turned up 69,000 hits. 
Four hours later, the tally was 78,000. A further hearing on February 29 may well overturn the original decision. The Zurich bank says: "It was the sole objective of Julius Baer to have legally protected documents removed from Wikileaks. We brought legal action against the website only after our initial efforts proved unsuccessful. In the course of taking such action, the bank has been made the subject of serious defamatory allegations. Such allegations are based on forged and stolen documents and are unequivocally denied. We have always sought to act in the best interests of our clients and shall continue to do so." Who are Wikileaks? Although the project makes a feature of the anonymity of its volunteers, the minds behind it are not hard to find. One prominent driving force is Julian Assange, a much-travelled Australian programmer and author who has a flamboyant mane of silver hair. Before riding his motorcycle across Vietnam, he co-wrote a book about computer hackers. "He's a pretty standard modern geek with a thing about dissidents," says the British encryption expert Ben Laurie, who advised the group on encryption. "He's quite techie and he can write code." One of Assange's early schemes was to develop what he called "deniable cryptography". The idea was to help dissidents resist giving away secrets under torture. Texts would be encrypted in layers, so that even if a victim were forced to reveal a password, the torturer would not realise there was a second layer of information, hidden by a second password. Assange then turned up in London and proposed the Wikileaks scheme for "an open-source, democratic intelligence agency". Laurie said: "I thought it was all hot air at first." But he became enthusiastic. He advised on an encryption system, first developed by the US Navy, which uses a chain of three separate servers, and ensures leakers can post documents anonymously. Laurie is an international consultant on internet security. 
Earlier he set up a business that bought two military bunkers, at the abandoned US base at Greenham Common, and at an old RAF radar station in Kent. His company rents them out to firms and banks who want to protect their servers from attack. The Kent bunker is deep underground: "The radar operators were supposed to survive 30 days after a nuclear strike." Some of his subversiveness may have rubbed off from his father, Peter Laurie, who wrote a cult book in the 1970s called Beneath the City Streets, which traced networks of secret government bunkers and tunnels. Fresh off a flight from Washington, he answers the door to his rambling house in Acton in bare feet, and willingly explains why he approves of Wikileaks, while pointing out he is not personally responsible for any of their legally controversial deeds: "I have a long-term interest in privacy on the internet. It provides enormous opportunities for surveillance and this is not a good thing. Also, this is an interesting technical problem: how do you reveal things about powerful people without getting your arse kicked? Whistleblowing is a practice which should be encouraged. "I'm really quite surprised at Wikileaks' success. They've done a lot of interesting stuff. It seems people are prepared to take the risk." Another member of the advisory board is an American former draft resister, CJ Hinke. Speaking from his home in Thailand, he said: "Wikileaks is a decentralised phenomenon, and that means there are volunteers in dozens of countries. These volunteers form a very loose network so that, in fact, government can't home in on anybody and take drastic action against them." In Thailand, Wikileaks has focused on efforts to block access to websites critical of the government. "The minute Wikileaks was announced, we sent them a huge trove of secret documents," said Hinke, founder of Freedom Against Censorship Thailand. 
The documents included detailed lists of blocked sites, including all references to The King Never Smiles, a book published by Yale University Press. "Ordinary people come across things that governments or companies or individuals would prefer to keep secret. I think it is possible for almost everybody to expose these kind of events." The wikileakers share the same belief in the "wisdom of crowds" that lies behind Wikipedia, the online encyclopaedia. Their theory is that their leaked documents will be self-verifying, thanks to the scrutiny of thousands of pairs of eyes. Some may wonder whether it's quite as easy as that. Laurie cautions that Wikileaks' vaunted encryption is not completely unbreakable. Codebreakers such as the US National Security Agency could probably crack it, he says. "If my life was on the line, I would not be submitting [documents] to Wikileaks."

From rforno at infowarrior.org Sun Feb 24 04:36:58 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 23 Feb 2008 23:36:58 -0500
Subject: [Infowarrior] - TSA Lab Seeks Radical Change at Airport Checkpoints
Message-ID:

http://www.nationaldefensemagazine.org/issues/2008/March/SecurityBeat.htm#Science March 2008 Transportation Lab Seeks Radical Change at Airport Checkpoints Reported by Stew Magnuson LOS ANGELES - Transportation Security Laboratory Director Susan Hallowell would like to see the day when airline passengers no longer have to take their shoes off after standing in a long line at airport security checkpoints. To that end, she would like to combine the line and an array of sensors into what she calls a "tunnel of truth." The concept - with the somewhat Orwellian name - would have passengers stand on a conveyor belt moving under an archway as various sensors scan them for weapons, bombs or other prohibited items.
By the time they step out of the tunnel, they have been thoroughly checked out, she said at a homeland security science and technology conference sponsored by the National Defense Industrial Association. "You're in line anyway - why not enclose that in a little glass thing and do your analysis there?" she asked. The lab has given a grant to Penn State University to study the concept, she added. The lab, located in Atlantic City, N.J., is responsible for testing current screening devices and developing new technologies for both airports and for other public transportation. Among the new technologies that could be placed in the tunnels are backscatter X-ray machines, which peer underneath clothes, and passive and active millimeter wave sensors that can see the outlines of concealed metal objects. These technologies are already being used in pilot programs. Puffer machines are also in use and dislodge molecules from the residue gathered during the manufacture of explosives. The human body also gives off a heat signature, and sensors could follow the thermal plume coming off the body as the passenger moves through the tunnel, she noted. Actual bombs, if they are hidden on the body, give off their own heat signatures, and could be detected as well. Before the concept can move forward, the laboratory will have to perfect all the sub-systems that would go into the so-called tunnel, she said. Meanwhile, the lab continues to test machines designed to check shoes for explosives without passengers having to take them off. So far, it has not found an acceptable solution. "We're still working on shoes. We're not there yet," she said.

From rforno at infowarrior.org Sun Feb 24 04:49:53 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 23 Feb 2008 23:49:53 -0500
Subject: [Infowarrior] - Canada, U.S.
agree to use each other's troops in civil emergencies
Message-ID:

http://www.canada.com/topics/news/story.html?id=403d90d6-7a61-41ac-8cef-902a1d14879d&k=14984 Canada, U.S. agree to use each other's troops in civil emergencies David Pugliese, Canwest News Service Published: Friday, February 22, 2008 Canada and the U.S. have signed an agreement that paves the way for the militaries from either nation to send troops across each other's borders during an emergency, but some are questioning why the Harper government has kept silent on the deal. Neither the Canadian government nor the Canadian Forces announced the new agreement, which was signed Feb. 14 in Texas. The U.S. military's Northern Command, however, publicized the agreement with a statement outlining how its top officer, Gen. Gene Renuart, and Canadian Lt.-Gen. Marc Dumais, head of Canada Command, signed the plan, which allows the military from one nation to support the armed forces of the other nation during a civil emergency. [Photo caption: American soldiers arrive on board the HMCS TORONTO as part of a training exercise in carrying out a NATO presence patrol in the Indian Ocean near Somalia.] The new agreement has been greeted with suspicion by the left wing in Canada and the right wing in the U.S. The left-leaning Council of Canadians, which is campaigning against what it calls the increasing integration of the U.S. and Canadian militaries, is raising concerns about the deal. "It's kind of a trend when it comes to issues of Canada-U.S. relations and contentious issues like military integration. We see that this government is reluctant to disclose information to Canadians that is readily available on American and Mexican websites," said Stuart Trew, a researcher with the Council of Canadians.
Trew said there is potential for the agreement to militarize civilian responses to emergency incidents. He noted that work is also underway for the two nations to put in place a joint plan to protect common infrastructure such as roadways and oil pipelines. "Are we going to see (U.S.) troops on our soil for minor potential threats to a pipeline or a road?" he asked. Trew also noted the U.S. military does not allow its soldiers to operate under foreign command so there are questions about who controls American forces if they are requested for service in Canada. "We don't know the answers because the government doesn't want to even announce the plan," he said. But Canada Command spokesman Commander David Scanlon said it will be up to civilian authorities in both countries on whether military assistance is requested or even used. He said the agreement is "benign" and simply sets the stage for military-to-military co-operation if the governments approve. "But there's no agreement to allow troops to come in," he said. "It facilitates planning and co-ordination between the two militaries. The 'allow' piece is entirely up to the two governments." If U.S. forces were to come into Canada they would be under tactical control of the Canadian Forces but still under the command of the U.S. military, Scanlon added. News of the deal, and the allegation it was kept secret in Canada, is already making the rounds on left-wing blogs and Internet sites as an example of the dangers of the growing integration between the two militaries. On right-wing blogs in the U.S. it is being used as evidence of a plan for a "North American union" where foreign troops, not bound by U.S. laws, could be used by the American federal government to override local authorities. "Co-operative militaries on Home Soil!" notes one website. "The next time your town has a 'national emergency,' don't be surprised if Canadian soldiers respond. And remember - Canadian military aren't bound by posse comitatus." 
Posse comitatus is a U.S. law that prohibits the use of federal troops from conducting law enforcement duties on domestic soil unless approved by Congress. Scanlon said there was no intent to keep the agreement secret on the Canadian side of the border. He noted it will be reported on in the Canadian Forces newspaper next week and that publication will be put on the Internet. Scanlon said the actual agreement hasn't been released to the public as that requires approval from both nations. That decision has not yet been taken, he added. © Ottawa Citizen 2008

From rforno at infowarrior.org Sun Feb 24 04:53:30 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 23 Feb 2008 23:53:30 -0500
Subject: [Infowarrior] - White House says phone wiretaps back on "for now"
Message-ID:

White House says phone wiretaps back on "for now" Sat Feb 23, 2008 7:35pm EST http://www.reuters.com/article/newsOne/idUSN2229053420080224 WASHINGTON (Reuters) - The Bush administration said on Saturday U.S. telecommunications companies have agreed to cooperate "for the time being" with spy agencies' wiretaps, despite an ongoing battle between the White House and Congress over new terrorism surveillance legislation. The Justice Department and the Office of the Director of National Intelligence issued a joint statement saying wiretaps will resume under the current law "at least for now." "Although our private partners are cooperating for the time being, they have expressed understandable misgivings about doing so in light of the ongoing uncertainty and have indicated they may well discontinue cooperation if the uncertainty persists," the statement said. On Friday U.S. Attorney General Michael Mukasey and Director of National Intelligence Michael McConnell said telecommunications firms have been reluctant to cooperate with new wiretaps since six-month temporary legislation expired last weekend. As a result, they told Congress, spy agencies have missed intelligence.
Democrats accused the Bush administration of fear-mongering and blamed it for any gaps. President George W. Bush has said he would not compromise with the Democratic-led Congress on his demand that phone companies be shielded from lawsuits for taking part in his warrantless domestic spying program. The measure passed by the Senate would provide retroactive lawsuit immunity to firms which cooperated with warrantless wiretaps that Bush authorized after the September 11 attacks. But the House of Representatives has opposed it, and Democratic leaders of both chambers said they would try to find a compromise. Democratic leaders of congressional intelligence and judiciary committees issued a statement on Friday saying they were committed to passing new legislation and urged Bush to support an extension of the temporary law. Bush has said he would hold out for a permanent overhaul of the 1978 surveillance law. (Editing by Stuart Grudgings)

From rforno at infowarrior.org Mon Feb 25 02:13:38 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 24 Feb 2008 21:13:38 -0500
Subject: [Infowarrior] - I.P. Address: Partially Personal Information
Message-ID:

February 24, 2008, 2:12 pm I.P. Address: Partially Personal Information By Saul Hansell http://bits.blogs.nytimes.com/2008/02/24/ip-address-partially-personal-information/index.html My post about whether Google's records of the Internet Protocol address should be considered personal information under privacy law, brought two comments from Googlers: Matt Cutts, an engineer, and from Peter Fleischer, Google's global privacy counsel. Both go over the many technical and legal reasons that the I.P. addresses in Google's records can't, in isolation, be tracked back to an individual. Very true. But the converse is also true: The I.P. addresses Google collects, when combined with other information, can sometimes identify an individual, or a household.
This raises all sorts of implications that need to be considered as we move into a world where so many more actions we take will be logged digitally in some way. The opposite of identification is anonymity. When I.P. addresses of Internet actions are all recorded, anonymity is harder to preserve. Logging I.P. addresses is similar to a security camera recording everyone entering your store. Without any more information, you don't know the names or identities of any of the people on the recording. But that recording makes it much easier to gather that information and find out who is shopping. Some people you can identify because they go on to buy something providing their names. Other people you can't identify, but the government with its database of drivers licenses photographs or other investigative techniques can. Mr. Fleischer acknowledges that Google's records, combined with those from an Internet service provider, can indeed link a particular computer to a particular pattern of searches. He says I.S.P.'s, by law, can't give that information to Google. But he admits that government investigators or even private litigators can: In order for someone to tie the IP to an account holder, there have to be at least two subpoenas issued: one to Google and a separate one to the ISP. This is important because people have lots of reasons to keep information private. They may not want Google to use it for advertising. But they may also want to keep secrets from people who may have the right to sue them. Mr. Fleischer discusses at some length the technicalities of European law over what defines personal information. I.P. addresses, he argues, don't qualify. And more broadly, he suggests that some of the general principles that apply to personal information - standards of notice and choice, for example - aren't always appropriate for I.P. addresses.
Perhaps we should start considering another category: partially personal information - bits of data that can be personal under certain circumstances. There are real questions about who should collect this information, under what circumstances, and what they should do with it. The statements by Google and others that simply argue that I.P. addresses aren't personal distract people from the thoughtful understanding of what they are and how they can be used.

From rforno at infowarrior.org Mon Feb 25 02:18:13 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 24 Feb 2008 21:18:13 -0500
Subject: [Infowarrior] - Vista SP1 kills and maims security apps, utilities
Message-ID:

Original URL: http://www.theregister.co.uk/2008/02/22/vista_sp1_security_products/ Vista SP1 kills and maims security apps, utilities By Kelly Fiveash Published Friday 22nd February 2008 14:51 GMT Microsoft has admitted that Windows Vista service pack one (SP1) renders useless a number of well-known third party security products. Redmond said in a knowledge base article (http://support.microsoft.com/kb/935796) yesterday that due to "reliability" issues with Vista SP1, it has been forced to prevent some security products from running after the service pack is installed. So, customers who currently have versions of Jiangmin KV Antivirus or Trend Micro's Internet Security on their Vista computers will no longer be able to use the software, which is supposed to safeguard their machines against hackers and malware, after SP1 is installed. The two other security products deemed by Microsoft to make Vista SP1 "unreliable" are versions of BitDefender AV and Zone Alarm Security Suite. It added that it has put a block on Fujitsu's Shock Sensor utility, which protects laptop hard-drives against sudden shocks.
Microsoft also pinpointed a number of products that simply won't work after the service pack, which is expected to be available for download to everyone by the middle of next month, has been installed. Versions of Iron Speed Designer, Xheo Licensing, and Free Allegiance software are on that particular blacklist. Meanwhile, Novell's ZCM Agent and the New York Times reader software are among the products listed as having severely reduced functionality post Vista-SP1. Microsoft said in the article: "A program may experience a loss of functionality after you install Windows Vista SP1. However, most programs will continue to work as expected after you install Windows Vista SP1." This latest embarrassing cock-up comes just days after Microsoft snatched back (http://www.theregister.co.uk/2008/02/20/vista_sp1_prerequisite_update/) a key pre-requisite update for Vista SP1 from its Windows Update website. It was forced to suspend distribution of its servicing stack KB937287 update after customers complained that their PCs wouldn't boot up properly once it had been applied.

From rforno at infowarrior.org Mon Feb 25 02:20:02 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 24 Feb 2008 21:20:02 -0500
Subject: [Infowarrior] - Heavy demand for multilingual hackers in global spam market
Message-ID:

Heavy demand for multilingual hackers in global spam market By Joel Hruska | Published: February 23, 2008 - 10:50AM CT http://arstechnica.com/news.ars/post/20080223-heavy-demand-for-multilingual-hackers-in-global-spam-market.html Being multilingual in the computer industry used to mean a person could program in C, Cobol, and Fortran, but demand for programmers hackers who can speak additional real-world languages is apparently on the rise. Crafting malware has become big business on the global market. As a recent report from McAfee details, sophisticated malware authors are increasingly being hired to craft country-, language-, company-, and software-specific attacks.
Lingual skills are a crucial part of pulling off such focused attacks, and companies are looking to hire people who can speak the language of their targets. Obvious misspellings or grammatical errors are one of the biggest clues that an e-mail or web site isn't legitimate, and it's a flaw that those in the industry would like to repair. Advertisements for virus authors fluent in languages from Japanese to Portuguese are increasingly showing up online. Such recruiting efforts are finding traction thanks partly to the economic conditions in nations like China and Russia. Both countries have a surplus of skilled coders who lack regular work, or possibly any work at all. Laws against cybercrime are also more lax in these and other developing nations. The demise of the Russian Business Network (once a hotbed of illegal activity) may have also brought an increasingly global focus to the Russian spyware market. Russia has surpassed China to become the largest generator of spam and other malware, but the death of the RBN has forced smaller operators to seek hosting in a number of Asian countries. If you're going to host malicious servers in another country, it only makes sense to offer its citizens the gifts of herbal enhancements and Nigerian banking deals that make the rest of us so happy--but if you're going to bring such presents to another nation, you have to know the local language. The Russian Mafia's interest in cybercrime is also reportedly growing--a fact that could have significant repercussions for the future of the malware business on a global scale. The rise of multilingualism and the growth of country-specific attacks could have other ramifications in addition to simply exposing new users to a host of spam in their own language. Earlier this year we discussed the case of an Estonian student who launched a series of DDoS attacks against his country's web sites as a method of protest.
The incident contributed to tensions between Estonia and Russia when the former blamed the latter for the attacks. It's not too much of a stretch to imagine politicians or other powerful individuals within a nation taking similar measures in order to influence national policy.

From rforno at infowarrior.org Mon Feb 25 13:15:46 2008 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 25 Feb 2008 08:15:46 -0500 Subject: [Infowarrior] - OpEd - InfraGard: An Unhealthy Government Alliance Message-ID:

InfraGard: An Unhealthy Government Alliance by Gary D. Barnett, February 22, 2008 http://www.fff.org/comment/com0802g.asp

There is an organization that is quietly and secretly becoming very large and powerful. The FBI started this partnership or alliance between the federal government and the private sector in 1996 in Cleveland with a few select people. After September 11, 2001, when the general population replaced their rationality with fear, this organization, called InfraGard, continued growing, and with little notice. By 2005 more than 11,000 members were involved, but as of today, according to the InfraGard website, there are 23,682 members, including FBI personnel. At first glance, many would think this alliance healthy and useful in the fight against "terrorism," but upon further examination, one has to wonder. InfraGard began as an alliance between the FBI and local businesses with the objective of investigating cyber threats. Since that time, little resemblance to that design exists. According to InfraGard's own website, InfraGard is an information sharing and analysis effort serving the interests and combining the knowledge base of a wide range of members. At its most basic level, InfraGard is a partnership between the Federal Bureau of Investigation and the private sector.
InfraGard is an association of businesses, academic institutions, state and local law enforcement agencies, and participants dedicated to sharing information and intelligence [emphasis added] to prevent hostile acts against the United States. Every InfraGard chapter has an FBI special agent coordinator attached to it, and this FBI coordinator works closely with FBI headquarters in Washington, D.C. Initially, while under the direction of the National Infrastructure Protection Center (NIPC), the focus of InfraGard was cyberinfrastructure protection, but things have gotten much more interesting since September 11, 2001. NIPC then expanded its efforts to include physical as well as cyberthreats to critical infrastructures. A progression is occurring, but it gets even more interesting as time passes. In March 2003, NIPC was transferred to the Department of Homeland Security which now has total responsibility for critical infrastructure protection (CIP) matters. Part of the Department of Homeland Security's mission is to facilitate InfraGard's continuing role in CIP activities and to further develop InfraGard's ability to support the FBI's investigative mission, especially as it pertains to counterterrorism and cyber crimes. InfraGard's stated goal "is to promote ongoing dialogue and timely communications between members and the FBI." Pay attention to this next part: Infragard members gain access to information that enables them to protect their assets and in turn give information to government that facilitates its responsibilities to prevent and address terrorism and other crimes. I take from this statement that there is a distinct tradeoff, a tradeoff not available to the rest of us, whereby InfraGard members are privy to inside information from government to protect themselves and their assets; in return they give the government information it desires. This is done under the auspices of preventing terrorism and other crimes. Of course, as usual, "other crimes"
is not defined, leaving us to guess just what information is being transferred. Since these members of InfraGard are people in positions of power in the "private" sector, people who have access to a massive amount of private information about the rest of us, just what information are they divulging to government? Remember, they are getting valuable consideration in the form of advance warnings and protection for their lives and assets from government. This does not an honest partnership make; quite the contrary. In my article "The New Crime of Thinking," I criticized H.R.1955 and Senate 1959, which, if passed, will literally criminalize thought against government. As usual, the exact type of thought is left undefined. This vagueness in the thought-crime legislation together with the secrecy of InfraGard makes for a dangerous combination. S.1959, if passed, will be attached to the Homeland Security Act and InfraGard is already a part of the Department of Homeland Security. This is not a coincidence. Under section 899b of S.1959 it is stated: Preventing the potential rise of self radicalized, unaffiliated terrorists domestically cannot be easily accomplished solely through traditional Federal intelligence or law enforcement efforts, and can benefit from the incorporation of State and local efforts. This appears to be a direct reference to the InfraGard program. Moreover, in section 899c of S.1959 the new commission created after passage is to build upon and bring together the work of other entities, and will establish, as designated under 899d, a "Center of Excellence." This center will be university-based, and is to study "violent radicalization and homegrown terrorism" in the United States. According to InfraGard's mission statement, it is a group of businesses, academic institutions, state and local law enforcement, and other participants dedicated to sharing information and intelligence.
Keep in mind that this new center will be, and InfraGard already is, a part of the Department of Homeland Security. I'm just speculating, of course, but is it possible that InfraGard will be a domestic police and spying arm for the government concerning "thought crime"? There is a definite and natural link here, and it should give us pause. The definitions concerning thought crime are vague and unclear, left to the interpretation of government only. InfraGard, on the other hand, is an organization cloaked in secrecy. It holds secret meetings with the FBI. It also, according to FBI Director Robert Mueller, shares information (what information, we don't know) with the Secret Service and all government agencies involved with security in the United States. One question on InfraGard's application for membership is, Which critical infrastructures does your organization belong to? Some choices listed are defense, government, banking and finance, information and telecommunications, postal and shipping, transportation, public health, and energy. At least 350 of the Fortune 500 companies have representation in InfraGard, this according to their website. These representatives have access to most of our private records, including phone and Internet use, health records, and banking and finance records. Considering the recent attempts by President Bush and his administration to protect many telecommunications companies and executives from prosecution for releasing private information, how many of the top telecom executives are members of InfraGard? I, for one, would be very interested in this information, but alas, it is not public information; it is secret. According to InfraGard's own policies and procedures, The interests of InfraGard must be protected whenever presented to non-InfraGard members.
Independent of the type of presentation, (interview, brief, or published documentation) the InfraGard leadership and the local FBI representative should be made aware of the upcoming presentation. The InfraGard member and the FBI representative should agree on the theme of the presentation. The identity of InfraGard members should be protected at all times. This means that no one outside InfraGard is to know who is a member unless previous approval has been given. In addition, when interviews with members of the press are forthcoming, all questions should be submitted in writing prior to the interview. The InfraGard leadership and the local FBI representative should review the submitted questions, agree on the character of the answers, and identify the appropriate person to be interviewed prior to the interview. Even demeanor is addressed in this directive, and strict guidelines for behavior are listed. You see, when I said secret, I wasn't kidding. The bottom line is this: This is an organization created by the FBI, sanctioning individuals from the private business sector to provide information, sensitive and private information, to government agencies for special concessions. These concessions, or favors, according to an article titled "The FBI Deputizes Business," in The Progressive magazine, include advance warning on a secure portal about any threatening information related to infrastructure disruption or terrorism. InfraGard notes as much on their website by advertising for members "access to an FBI secure communication network complete with VPN encrypted website, webmail, listservs, message boards and much more." Also advertised: "Learn time-sensitive, infrastructure related security information from government sources such as DHS [Department of Homeland Security] and the FBI." Is this elitist group of InfraGard members a group of Americans superior to the rest of us? Are they truly privileged or just selling their souls for protection and favors?
And how involved will they be in watchdog activities, activities sanctioned by the U.S. government? Is this a new kind of conscription by government meant to increase its surveillance capabilities so that it can monitor our lives even more than it does now? Legislation, bureaucracies, and government/business partnerships created since 9/11 have severely infringed our freedom. Almost all of the so-called terror-protection legislation has been linked -- and in many cases it is linked -- to increased government oversight of the rest of us. This is evident concerning InfraGard and the Department of Homeland Security. If this program is for the benefit of this country, why are the members' names and their activities kept so secret? Why do some gain protection and early warning while the rest of us do not? And what information and "intelligence" is being shared? Since these business members are fully protected by government, how far will they go, and when will it be too late to stop this secret assault by this behemoth we call government?

Gary D. Barnett is president of Barnett Financial Services, Inc., in Lewistown, Montana.

From rforno at infowarrior.org Mon Feb 25 13:17:22 2008 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 25 Feb 2008 08:17:22 -0500 Subject: [Infowarrior] - OpEd: InfraGard FUD and misinformation Message-ID:

(counterpoint to previous post........rf)

More InfraGard FUD and misinformation http://lippard.blogspot.com/2008/02/more-infragard-fud-and-misinformation.html

Gary D. Barnett, president of a financial services firm in Montana, has written an article about InfraGard for The Future of Freedom Foundation, apparently inspired by the Progressive article. Thankfully, he avoids the bogus "shoot to kill" claims, but he introduces some erroneous statements of his own.
It's apparent that he didn't bother speaking to anyone in InfraGard or doing much research before writing his article, which is another attempt to spread fear, uncertainty, and doubt about the program. Barnett first goes wrong when he writes:

InfraGard's stated goal "is to promote ongoing dialogue and timely communications between members and the FBI." Pay attention to this next part: Infragard members gain access to information that enables them to protect their assets and in turn give information to government that facilitates its responsibilities to prevent and address terrorism and other crimes. I take from this statement that there is a distinct tradeoff, a tradeoff not available to the rest of us, whereby InfraGard members are privy to inside information from government to protect themselves and their assets; in return they give the government information it desires. This is done under the auspices of preventing terrorism and other crimes. Of course, as usual, "other crimes" is not defined, leaving us to guess just what information is being transferred.

First, there isn't a "distinct tradeoff." There is no "quid pro quo" required of InfraGard members. All InfraGard members get the same access to bulletins as the others, regardless of whether they share information back. There are some specific sector-oriented subgroups that share information only with each other (and such private groups also exist independently of InfraGard, such as the sector Information Sharing and Analysis Centers, or ISACs). The FBI may come to a company from time to time with specific threat information relevant to them (I've seen this happen once with respect to my own company), but that happens whether a company is a member of InfraGard or not. (Where InfraGard membership might give added benefit is that the FBI knows that the InfraGard member has undergone some rudimentary screening.
There are companies that are set up and run by con artists, as well as by foreign intelligence agents, believe it or not, and where there is apparent risk of such a setup, the FBI is obviously going to be less forthcoming than with somebody they already know.) Second, "not available to the rest of us" suggests that InfraGard membership is difficult to come by. It's not. I suspect Mr. Barnett himself could be approved, as could whoever does IT security for his company. Third, there's no need to guess about the "other crimes." The FBI's own priority list tells you:

1. Protect the United States from terrorist attack. (Counterterrorism)
2. Protect the United States against foreign intelligence operations and espionage. (Counterintelligence)
3. Protect the United States against cyber-based attacks and high-technology crimes. (Cyber crime)
4. Combat public corruption at all levels.
5. Protect civil rights.
6. Combat transnational/national criminal enterprises.
7. Combat major white collar crime.
8. Combat significant violent crime.
9. Support federal, state, local, and international partners.
10. Upgrade technology to successfully perform the FBI's mission.

Some might question this list, in particular #5, on the basis of the FBI's past record, but my interactions with law enforcement lead me to believe that there are many who do take #5 quite seriously and would challenge and speak out against actions contrary to it. I was at an InfraGard conference in New Mexico yesterday at which an exchange occurred that went something like this:

Me: I work for a global telecommunications company.
He: You're not one of those companies that's been eavesdropping on us, are you?
Me: No.
He: Good.

"He" was a member of New Mexico's InfraGard--and a member of law enforcement. I'll have more to say about warrantless wiretapping in a moment. The real issue with this list is that the top two are probably misplaced, and 6-8 (and #10!) have been suffering, as I've previously written about.
Barnett goes on:

Since these members of InfraGard are people in positions of power in the "private" sector, people who have access to a massive amount of private information about the rest of us, just what information are they divulging to government? Remember, they are getting valuable consideration in the form of advance warnings and protection for their lives and assets from government. This does not an honest partnership make; quite the contrary.

There are several key ways in which private industry helps the FBI through InfraGard. One is securing their own infrastructure against attacks so that it doesn't create a problem that the FBI needs to devote resources to. Two is by bringing criminal issues that are identified by private companies to the attention of the FBI so that it can investigate and bring prosecutions. Three is by assisting the FBI in its investigations by explaining what evidence that requires technical skills to understand means, and giving them guidance in how to successfully track down criminals. Barnett goes on to talk about Rep. Jane Harman's bill in Congress, HR1955/S.1959, which I've also briefly commented on at this blog, and makes some significant errors of fact. He writes that this bill "if passed, will literally criminalize thought against government." That's false--the bill doesn't criminalize anything, it just creates a commission that will write a report and make recommendations. That commission has no law enforcement powers of any kind, not even the power of subpoena. Barnett also mistakenly thinks that this bill contains a reference to InfraGard. He writes:

S.1959, if passed, will be attached to the Homeland Security Act and InfraGard is already a part of the Department of Homeland Security. This is not a coincidence.
Under section 899b of S.1959 it is stated: Preventing the potential rise of self radicalized, unaffiliated terrorists domestically cannot be easily accomplished solely through traditional Federal intelligence or law enforcement efforts, and can benefit from the incorporation of State and local efforts. This appears to be a direct reference to the InfraGard program. The reference to "the incorporation of State and local efforts" into "traditional Federal intelligence or law enforcement efforts" in counterterrorism contains no reference to private partnerships, only to combining law enforcement efforts at federal, state, and local levels. This is a reference to what are called "fusion centers," like the Arizona Counter-Terrorism Information Center (ACTIC). The people who work in those centers are people from government agencies (at the federal, state, and local levels) with government security clearances. InfraGard in Phoenix does partner with ACTIC, which in practice means that ACTIC representatives give presentations to InfraGard (all of which I believe have also been open to the general public), ACTIC shares threat information with InfraGard much like the FBI does, and that InfraGard members are encouraged to report potential terrorist tip information to ACTIC. (ACTIC also encourages the general public to do this, which I think is far more likely to waste resources than identify any actual terrorists.) Note that Barnett is mistaken when he writes that InfraGard is part of the Department of Homeland Security. InfraGard is not a government agency or part of a government agency--it is a non-governmental organization, or actually a collection of non-governmental organizations, which are 501(c)(3) nonprofits, with leadership provided by board members who are InfraGard members. Each chapter has a coordinator from the FBI who is not on the board. The FBI provides guidance and suggestions, but the organizations are run by the boards. 
Now Barnett goes into Matt Rothschild territory when he writes: "I'm just speculating, of course, but is it possible that InfraGard will be a domestic police and spying arm for the government concerning 'thought crime'?" It's not just speculation, it's uninformed speculation. InfraGard is not part of government and has no police powers of any kind. I've previously addressed the degree to which I think the "spying" is a risk--I think it's relatively low, but worth talking about. Barnett continues in a Rothschild vein when he says "InfraGard, on the other hand, is an organization cloaked in secrecy. It holds secret meetings with the FBI." This talk of InfraGard being "cloaked in secrecy" is grossly exaggerated. The group has fairly open membership and most meetings are open to the public. When there are meetings restricted to membership, those typically wouldn't be accurately described as "secret meetings with the FBI." I and other members of InfraGard have had private meetings with FBI agents with respect to particular investigations, but it would be inaccurate to describe those as "InfraGard meetings." Law enforcement by its very nature requires a high degree of confidentiality for ongoing investigations, but it is a mistake to infer that this means conspiratorial plotting or spying. Towards the end of his article, Barnett talks about warrantless wiretapping, telecom immunity, and the secrecy of InfraGard membership:

Considering the recent attempts by President Bush and his administration to protect many telecommunications companies and executives from prosecution for releasing private information, how many of the top telecom executives are members of InfraGard? I, for one, would be very interested in this information, but alas, it is not public information; it is secret.

What's the sense in which InfraGard membership is secret? Only in that it's not made available to the general public.
Barnett writes that "no one outside InfraGard is to know who is a member unless previous approval has been given," but this is his misinterpretation of a guideline he quotes, not what it says. There's nothing prohibiting an InfraGard member from identifying themselves as such, only from identifying others as such without their consent. And if you're going to speak on behalf of InfraGard, you need to get approval from the organization first. (And note that I'm not speaking on behalf of InfraGard here, and have had no approval from InfraGard for what I've written on my blog.) If you're an InfraGard member, you have access to the online directory of InfraGard members. If Barnett is really interested in knowing who is a member, all he has to do is join. As for "how many of the top telecom executives are members of InfraGard," I haven't looked, but I would be willing to wager that the answer is none. I know that none of the members of the "Senior Leadership Team" of my company are members of InfraGard, though my boss, our VP of Global Security, heads the Rochester, NY chapter of InfraGard. Senior executives of large corporations don't have time or interest to belong to InfraGard, and it's not really geared to them, as opposed to members of their physical and IT security organizations. And as for warrantless wiretapping (I said I'd get back to it), InfraGard has nothing to do with that and it's foolish to think that it would. That activity has involved direct relationships between incumbent telecom providers (AT&T certainly, and probably Verizon as well) and the National Security Agency, with information restricted to employees holding government security clearances on a "need to know" basis, as the ACLU and EFF lawsuits have revealed. These relationships also probably include commercial relationships, and have included movement of personnel from one to the other--for example, AT&T has a Director of Government Solutions who came from the NSA. 
InfraGard members, many if not most of which hold no government security clearances, are not in the loop on that activity. (For that matter, I suspect few FBI personnel are in the loop on that, either.) I find it discouraging that articles like Barnett's are written and published. Such inaccurate information serves to distract from real issues and real government abuses and to discredit those who repeat it, when they have other things to say that are worth hearing, paying attention to, and acting upon. I hope that Barnett and FFF will strive for greater accuracy in the future.

From rforno at infowarrior.org Mon Feb 25 13:19:14 2008 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 25 Feb 2008 08:19:14 -0500 Subject: [Infowarrior] - Scare Tactics and Our Surveillance Bill Message-ID:

Scare Tactics and Our Surveillance Bill By Jay Rockefeller, Patrick Leahy, Silvestre Reyes and John Conyers (Jay Rockefeller, Patrick Leahy, Silvestre Reyes and John Conyers are chairmen, respectively, of the Senate Select Committee on Intelligence, the Senate Judiciary Committee, the House Permanent Select Committee on Intelligence and the House Judiciary Committee.) Monday, February 25, 2008; A15 http://www.washingtonpost.com/wp-dyn/content/article/2008/02/24/AR2008022401668_pf.html

Nothing is more important to the American people than our safety and our freedom. As the chairmen of the House and Senate intelligence and judiciary committees, we have an enormous responsibility to protect both. Unfortunately, instead of working with Congress to achieve the best policies to keep our country safe, once again President Bush has resorted to scare tactics and political games. In November, the House passed legislation to give U.S. intelligence agencies strong tools to intercept terrorist communications that transit the United States, while ensuring that Americans' private communications are not swept up by the government in violation of the Fourth Amendment.
Almost two weeks ago, the Senate passed similar legislation. The Senate bill also contains a provision to grant retroactive legal immunity to telecommunications companies that assisted the executive branch in conducting surveillance programs after the Sept. 11, 2001, attacks. While the four of us may have our differences on what language a final bill should contain, we agree on several points. First, our country did not "go dark" on Feb. 16 when the Protect America Act (PAA) expired. Despite President Bush's overheated rhetoric on this issue, the government's orders under that act will last until at least August. These orders could cover every known terrorist group and foreign target. No surveillance stopped. If a new member of a known group, a new phone number or a new e-mail address is identified, U.S. intelligence can add it to the existing orders, and surveillance can begin immediately. As Assistant Attorney General Kenneth Wainstein acknowledged while speaking to reporters on Feb. 14, "the directives are in force for a year, and with the expiration of the PAA, the directives that are in force remain in force until the end of that year. . . . [W]e'll be able to continue doing surveillance based on those directives." If President Bush truly believed that the expiration of the Protect America Act caused a danger, he would not have refused our offer of an extension. In the remote possibility that a terrorist organization that we have never previously identified emerges, the National Security Agency could use existing authority under the Foreign Intelligence Surveillance Act (FISA) to track its communications. Since Congress passed FISA in 1978, the court governing the law's use has approved nearly 23,000 warrant applications and rejected only five. In an emergency, the NSA or FBI can begin surveillance immediately and a FISA court order does not have to be obtained for three days. When U.S. 
agencies provided critical intelligence to our German allies to disrupt a terrorist plot last summer, we relied on FISA authorities. Those who say that FISA is outdated do not appreciate the strength of this powerful tool. So what's behind the president's "sky is falling" rhetoric? It is clear that he and his Republican allies, desperate to distract attention from the economy and other policy failures, are trying to use this issue to scare the American people into believing that congressional Democrats have left America vulnerable to terrorist attack. But if our nation were to suddenly become vulnerable, it would not be because we don't have sufficient domestic surveillance powers. It would be because the Bush administration has done too little to defeat al-Qaeda, which has reconstituted itself in Pakistan and gained strength throughout the world. Many of our intelligence assets are being used to fight in Iraq instead of taking on Osama bin Laden and the al-Qaeda organization that attacked us on Sept. 11 and that wants to attack us again. The president may try to change the topic by talking about surveillance laws, but we aren't buying it. We are motivated to pass legislation governing surveillance because we believe this activity must be carefully regulated to protect Americans' constitutional rights. Companies that provide lawful assistance to the government in surveillance activities should be legally protected for doing so. We are already working to reconcile the House and Senate bills and hope that our Republican colleagues will join us in the coming weeks to craft final, bipartisan legislation. A key objective of our effort is to build support for a law that gives our intelligence professionals not only the tools they need but also confidence that the legislation they will be implementing has the broad support of Congress and the American public. If the president thinks he can use this as a wedge issue to divide Democrats, he is wrong. 
We are united in our determination to produce responsible legislation that will protect America and protect our Constitution.

From rforno at infowarrior.org Mon Feb 25 14:15:15 2008 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 25 Feb 2008 09:15:15 -0500 Subject: [Infowarrior] - Worker Snooping on Customer Data Common Message-ID:

Worker Snooping on Customer Data Common By RYAN J. FOLEY -- 2 days ago http://ap.google.com/article/ALeqM5ghPenZUJTE7BfSfgQbj6RX597DEAD8V019TG0

MADISON, Wis. (AP) -- A landlord snooped on tenants to find out information about their finances. A woman repeatedly accessed her ex-boyfriend's account after a difficult breakup. Another obtained her child's father's address so she could serve him court papers. All worked for Wisconsin's largest utility, where employees routinely accessed confidential information about acquaintances, local celebrities and others from its massive customer database. Documents obtained by The Associated Press in an employment case involving Milwaukee-based WE Energies shine a light on a common practice in the utilities, telecommunications and accounting industries, privacy experts say. Vast computer databases give curious employees the ability to look up sensitive information on people with the click of a mouse. The WE Energies database includes credit and banking information, payment histories, Social Security numbers, addresses, phone numbers, and energy usage. In some cases, it even includes income and medical information. Experts say some companies do little to stop such abuses even though they could lead to identity theft, stalking and other privacy invasions.
And companies that uncover violations can keep them quiet because in many cases it is not illegal to snoop, only to use the data for crimes. "The vast majority of companies are doing very little to stop this widespread practice of snooping," said Larry Ponemon, a privacy expert who founded The Ponemon Institute, a Traverse City, Mich.-based think tank. Jim Owen, spokesman for the Edison Electric Institute, a lobbying association that represents utilities, disputed suggestions the problem was common in the industry. "I am not aware of any other situation that has arisen in the utility sector," he said. Companies generally avoid talking about snooping or any measures they've taken to prevent it. Scott Reigstad, a spokesman for Madison, Wis.-based Alliant Energy, which has one million electric and 420,000 natural gas customers in Iowa, Wisconsin and Minnesota, said his company has safeguards in place to stop misuse but does not discuss them publicly. "We haven't had any issues that we're aware of," he said. Jay Foley, executive director of the Identity Theft Resources Center, said state regulators and lawmakers must step in if companies are not guarding their customer information responsibly. "Something needs to be done at the state level to make sure this is illegal," he said. He said more companies have to start using software that can track each customer account that employees access. WE Energies says it has taken numerous steps to stop the problem but even so detecting misuse can be difficult. That's because it is hard to discern the legitimate access of customer information from employees looking for curiosity. "People were looking at an incredible number of accounts," Joan Shafer, WE Energies' vice president of customer service, said during a sworn deposition last year. "Politicians, community leaders, board members, officers, family, friends. All over the place." 
Her testimony came in a legal case involving an employee who was fired in 2006 for repeatedly accessing information about her ex-boyfriend and another friend. An arbitrator in November upheld the woman's firing. The AP reviewed testimony and documents made public as part of the case. The misuse came to light in 2004 when an employee helped leak information to the media during a heated race for Milwaukee mayor that a candidate, acting Mayor Marvin Pratt, was often behind in paying his heating bills. Pratt lost to the current mayor, Tom Barrett. Pratt said he's convinced the disclosure cost him votes and unfairly damaged his reputation. Pratt said he recently met with top company executives and was satisfied it has stopped the problem as much as possible. He said he has dropped earlier plans to explore a lawsuit. "They caught this and they are making corrections to it, which they should. But it never should have happened in the first place. Not just to me, but to anyone. They gave their employees too much latitude to access files." After the incident involving Pratt, the company fired the employee who leaked the information and vowed to crack down after finding others engaged in similar practices. But problems continued. In all, the utility fired or disciplined at least 17 employees for breaking the policy between 2005 and 2007, according to testimony and company records. Another employee gained access to Pratt's account for no business purpose and was suspended in 2005 but kept her job. Others looked up information on their bosses at WE Energies and local conservative radio host Mark Belling, who said he had never been told of the breach. Ponemon said employees with access to vast amounts of customer information often see nothing wrong with looking up an individual out of curiosity, or in some cases, more sinister motives. Governmental agencies have also struggled with the problem. 
The IRS took 219 disciplinary actions, including firings and suspensions, against employees who browsed through confidential taxpayer information last year, according to the U.S. Treasury Inspector General for Tax Information. That was more than double the number the previous year. Last month, the Minnesota Department of Public Safety said it disciplined two employees who accessed information on 400 residents from its driver's license database. The agency did not say what the discipline was because it continues to investigate. It said the employees were looking for their own entertainment, not any criminal motives. WE Energies serves 1.1 million electric customers in Wisconsin and Michigan's Upper Peninsula and 1 million natural gas customers in Wisconsin. Shafer said in an interview that the utility took steps to eliminate the practice and only one employee has been disciplined for violations in the last year. After the 2004 incident, the company started checking who accessed high-profile customer accounts and requiring annual training on its policies. Still, Shafer acknowledged in her deposition last year that it would be "difficult, if not impossible" to discover many instances of misuse. Utility regulators in Michigan and Wisconsin said they had not been notified of the company's problems. They say they do not have any rules covering such misuse. The head of the Wisconsin Citizens' Utility Board, which lobbies on behalf of utility customers, said he was "shocked and dismayed" to learn about the practice. "The testimony is incredibly candid. I'm very surprised that utility employees were misusing this information," said executive director Charlie Higley. "We hope WE Energies has taken steps to ensure that information is treated privately." Hosted by Google Copyright ? 2008 The Associated Press. All rights reserved. 
From rforno at infowarrior.org Mon Feb 25 15:12:52 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 25 Feb 2008 10:12:52 -0500
Subject: [Infowarrior] - Good article on the Great Firewall of China (The Atlantic)
In-Reply-To:
Message-ID:

James Fallows in the Atlantic Magazine has a great in-depth article on the Great Firewall of China from last month's issue: http://www.theatlantic.com/doc/200803/chinese-firewall

From rforno at infowarrior.org Mon Feb 25 20:40:32 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 25 Feb 2008 15:40:32 -0500
Subject: [Infowarrior] - FCC says will act on Web neutrality if needed
Message-ID:

FCC says will act on Web neutrality if needed
1 hour, 54 minutes ago
http://news.yahoo.com/s/nm/20080225/wr_nm/internet_fcc_dc&printer=1;_ylt=ApqlC5k4D.H.TKY9l2319sUh2.cA

The head of the U.S. Federal Communications Commission said on Monday he is "ready, willing and able" to stop broadband providers that unreasonably interfere with subscribers' access to Internet content.

The comment by FCC Chairman Kevin Martin came at the start of a day-long FCC hearing centering on allegations that some broadband providers such as telecommunications and cable companies have been improperly blocking or hindering some content.

"I think it's important to understand that the commission is ready, willing and able to step in if necessary to correct any (unreasonable) practices that are ongoing today," Martin said.

The dispute over so-called "network neutrality" pits open-Internet advocates against some service providers such as Comcast Corp, who say they need to take reasonable steps to manage traffic on their networks.

Martin acknowledged that broadband network operators have a legitimate need to manage the data flowing over their networks. But he said that "does not mean that they can arbitrarily block access to particular applications or services."

The hearing, which included testimony from officials with Comcast and Verizon, is aimed at determining what network management techniques are reasonable. Martin called for "transparency" in the way the companies manage their networks, and in the prices and services they provide.

The network neutrality dispute has been spotlighted by a series of incidents in which operators were accused of hindering certain online data moving over their networks, such as file-sharing or text-messaging. The issue also has attracted the attention of lawmakers in Congress, who are weighing a net-neutrality bill introduced last week.

In the most recent example, the FCC has been looking into complaints by consumer groups that Comcast has blocked some file-sharing services which are used to distribute large digital media files such as TV shows and movies.

In comments filed with the FCC, Comcast told regulators that it uses reasonable measures to manage traffic moving over its network, as some of its customers overwhelm the network by using file-sharing applications like BitTorrent.

Comcast, which is the second-largest U.S. Internet service provider with more than 13 million subscribers, said the use of network management was essential to avoid congestion and impairment of some applications. The company denied that it blocks content, applications or discriminates among providers.

Internet service providers are looking at different ways of managing the increasing amount of traffic moving across their networks both for cost management and for quality of service reasons.

Critics have argued that imposing network neutrality regulations on the Internet would hinder development of the Internet by creating uncertainty for investors and Internet service providers.

(Reporting by Svea Herbst-Bayliss in Cambridge and Peter Kaplan in Washington; editing by Tim Dobbyn)

From rforno at infowarrior.org Mon Feb 25 21:35:54 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 25 Feb 2008 16:35:54 -0500
Subject: [Infowarrior] - Lessig *not* running for Congress
Message-ID:

http://lessig08.org/

After lots of thinking and advice, I have decided it does not make sense for the Change Congress movement for me to run for Congress in CA12. We would have just over 30 days to introduce a district to me and to an idea. That would not be enough time to convince them to turn away from an extremely popular politician with 30 years of public service. And while anyone within the district would understand that, outside the district, the lesson would be that a "Change Congress" message has no salience or support. That would, in my view, harm the movement more than it would help.

So thank you to everyone who helped here. All the remaining funds in the campaign will be given to Change Congress (as soon as the paperwork for that organization gets settled). And I would urge everyone who signed up here to sign up there.

-- Larry Lessig, February 25, 2008

http://lessig08.org/

From rforno at infowarrior.org Tue Feb 26 03:47:54 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 25 Feb 2008 22:47:54 -0500
Subject: [Infowarrior] - Judge rejects RIAA's "making available" claim
Message-ID:

http://www.p2pnet.net/story/15049

Judge nails RIAA "making available" claim

p2pnet news | RIAA News:- The mainstream media have already completely missed one of the most important events so far in the ongoing, and always vicious, fight between Warner Music, EMI, Vivendi Universal and Sony BMG and their own customers, whom they've ignominiously labelled "criminals" and "thieves".

Last week Dutch P2P expert Johan Pouwelse deconstructed RIAA "expert" Doug Jacobson's "expert" testimony, calling it "borderline incompetent" and saying allegations of copyright infringement levelled at a 57-year-old New York home health aide were "unproven". It went virtually unmentioned.

Will they similarly also miss what's quite possibly the most important development so far?

Connecticut district judge Janet Bond Arterton has thrown out the RIAA's infamous "making available" claim which comprises the bottom line for all the Big 4 P2P file sharing cases. "Prove it!" - she says in effect.

Under the claim, the RIAA tries to assert merely having a shared files folder that can be accessed is copyright infringement, a specious argument already explicitly dismissed by judge Marilyn Hall Patel in her Napster decision.

In Canada, justice Konrad von Finckenstein ruled, "No evidence was presented that the alleged infringers either distributed or authorised the reproduction of sound recordings. They merely placed personal copies into their shared directories which were accessible by other computer user(s) via a P2P service."

Then a year later almost to the day, New York social worker Tenise Barker came under attack with the RIAA arguing that simply making a file available in and of itself constitutes a copyright infringement.

"Were the courts to accept this misguided view of copyright law, it could mean that anyone who has had a shared files folder, even for a moment, that contained copyrighted files in it, would be guilty of copyright infringement, even though the copies in the folder were legally obtained, and even though no illegal copies had ever been made of them," Ray Beckerman, one of the attorneys representing Barker, told p2pnet.

Matt Foster, a lawyer with Indiana Legal Services, unearthed this latest case, says Beckerman in Recording Industry vs The People.

In Atlantic v Brennan, in a 9-page opinion (pdf), district judge Janet Bond Arterton ruled the RIAA has to prove "actual distribution of copies" and can't rely on the mere fact there are song files on the defendant's computer, and that they were "available".

"This is the same issue that's been the subject of extensive briefing in two contested cases in Elektra v. Barker and Warner v. Cassin," says Beckerman.

Arterton also held the defendant -- who wasn't even present at the decision -- had other possible defenses, such as whether or not the RIAA's efforts to claim $750 for each allegedly infringed song is unconstitutional, and possible copyright misuse flowing from the record companies' anticompetitive behavior.

Definitely stay tuned for this one.

From rforno at infowarrior.org Tue Feb 26 03:49:28 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 25 Feb 2008 22:49:28 -0500
Subject: [Infowarrior] - Google Buys A Piece Of TransPacific Cable
Message-ID:

Google Buys A Piece Of TransPacific Cable
Om Malik, Monday, February 25, 2008 at 6:06 PM PT

Google is buying a piece of a new transpacific fiber optic cable, according to research firm, Telegeography. This will be yet another piece of what can be loosely described as GoogleNet, a fiber network built & leased by the search engine & advertising giant to meet its ever growing bandwidth requirements.

Google is one of the six investors in the "Unity" undersea cable that will connect US and Japan. The new cable is going to be built by Tyco Telecommunications & NEC for about $300 million. Telegeography says that Google has been trying to buy a piece of a trans-pacific cable for a while now. Google CEO Eric Schmidt had admitted to as much a few months back.

I have written about how Google is using its infrastructure (including network) as a strategic advantage, and this latest move is an extension of that philosophy. It has been buying dark fiber to grow its network, as I had first reported back in 2005.

According to Telegeography estimates, trans-pacific bandwidth is eight times higher than trans-Atlantic routes. Google can now get capacity at cost, and it can also squeeze more out of its infrastructure. Our good friend TeleGeography Research Director Alan Mauldin doesn't think this is going to start a trend.

< - >

http://gigaom.com/2008/02/25/googlenet-update-google-buys-a-piece-of-transpacific-cable/

From rforno at infowarrior.org Tue Feb 26 03:52:15 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 25 Feb 2008 22:52:15 -0500
Subject: [Infowarrior] - Network Solutions, ICANN Sued Over Domain Front Running
Message-ID:

Network Solutions, ICANN Sued Over Domain Front Running
Duncan Riley

Network Solutions and ICANN are being sued over the "front running" domain registration practices that we covered last month.

"Network Solutions has forced millions of people to buy Internet domain names from them instead of cheaper competitors through a scheme that's netted the firm millions of dollars," according to the federal class action lawsuit filed by Kabateck Brown Kellner. The suit also alleges ICANN is guilty by association as its policies allow Network Solutions to front run.

For those not familiar with the practice, Network Solutions (and some other registrars) lock up domain names as soon as a user searches for them, taking them off the market and forcing users to use their service to register the name they want.

< - >

http://www.techcrunch.com/2008/02/25/network-solutions-icann-sued-over-domain-front-running/

From rforno at infowarrior.org Tue Feb 26 16:01:41 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 26 Feb 2008 11:01:41 -0500
Subject: [Infowarrior] - Buried Seed Vault Opens in Arctic
Message-ID:

February 26, 2008, 7:18 am
Buried Seed Vault Opens in Arctic
By Andrew C. Revkin
http://dotearth.blogs.nytimes.com/2008/02/26/buried-seed-vault-opens-in-arctic/index.html?hp

[UPDATED, 8:30 a.m.]

After several years of planning and digging, the world has its first secure, deep-frozen repository for backup supplies of seeds from hundreds of thousands of plant varieties that underpin agriculture. The Svalbard Global Seed Vault was built into a frigid mountainside in Norway's northernmost archipelago, deep in the Arctic. It had its ceremonial opening Tuesday morning in the frigid gloom of the Arctic winter.

There are something like 1,400 seed banks around the world, guarding samples of crop plants ranging from alfalfa to yams. But, as I wrote last year, this agricultural archive is eroding under forces including war, storms, scant money or bad management, particularly in the world's poorest or most turbulent places. A Fort Knox has been needed, many experts said. Now they have it.

Some advocates for strengthening the capacity of local communities to sustain their agricultural traditions and crop diversity on their own aren't happy about this kind of centralized approach, though (more on this below).

No one questions the vulnerability of many of the world's seed stores. Iraq's bank of ancient wheat, barley and other crop strains in the town of Abu Ghraib -- made infamous for other reasons -- was looted during the war (mainly for the containers holding grain samples, not for the grain itself). An international rice repository in the Philippines was shredded by a typhoon.

[Photo: In Mexico, seeds are placed in foil bags before they are shipped to the Arctic vault. (CIMMYT)]

The new repository is intended to be an insurance policy for individual countries and also for humanity more generally, should larger-scale disaster strike (anything from pestilence to an asteroid impact). The Norwegian government put up more than $7 million for construction. The Bill and Melinda Gates Foundation is providing money to help developing countries package and ship seed samples, as part of a broader $30-million project to protect the genetic diversity of the world's main food crops.

The ongoing operation of the seed vault will be paid for through the Global Crop Diversity Trust, which is maintained by contributions from countries, international agencies, and foundations.

A secure supply of thousands of varieties of keystone crops like rice and wheat will be ever more important, experts say, as populations grow, climate changes, and people keep moving species around the globe, both intentionally and accidentally.

Grain.org, a group based in Spain focused on strengthening regional agriculture, was one of the few entities criticizing the focus on the seed vault. The group worries that such moves take away intellectual property rights to crop varieties from the farming communities that developed them and provide a false sense of confidence that safe storage, on its own, can sustain agricultural diversity. As the group noted in a news release today (hat tip to Danny Bloom):

Thousands of accessions have died in storage, as many have been rendered useless for lack of basic information about the seeds, and countless others have lost their unique characteristics or have been genetically contaminated during periodic grow-outs. This has happened throughout the ex situ system, not just in gene banks of developing countries. So the issue is not about being for or against gene banks, it is about the sole reliance on one conservation strategy that, in itself, has a lot of inherent problems.

The deeper problem with the single focus on ex situ seed storage, that the Svalbard Vault reinforces, is that it is fundamentally unjust. It takes seeds of unique plant varieties away from the farmers and communities who originally created, selected, protected and shared those seeds and makes them inaccessible to them. The logic is that as people's traditional varieties get replaced by newer ones from research labs -- seeds that are supposed to provide higher yields to feed a growing population -- the old ones have to be put away as "raw material" for future plant breeding. This system forgets that farmers are the world's original, and ongoing, plant breeders.

It's a noteworthy point. The groups funding the seed vault, including the Gates Foundation, say they are also pouring money into creating databases and other mechanisms for maintaining poor countries' access to the full array of crop strains. But what about the farmers in the field? In a world tending toward monoculture, how much of this intergovernmental work helps sustain farming diversity, as opposed to museum-style genetic diversity? Do farmers matter?

From rforno at infowarrior.org Tue Feb 26 18:34:40 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 26 Feb 2008 13:34:40 -0500
Subject: [Infowarrior] - Taliban wants cell phone networks shut down at night
Message-ID:

Taliban wants cell phone networks shut down at night
By Jacqui Cheng | Published: February 25, 2008 - 11:53AM CT
http://arstechnica.com/news.ars/post/20080225-taliban-wants-cell-phone-networks-shut-down-at-night.html

The towers and offices of mobile phone operators in Afghanistan are being pressured to shut down operations at night by the Taliban. The former rulers of Afghanistan and current insurgent group held "talks" with the four major mobile companies in Afghanistan today, and gave them three days to go dark for 14 hours per day -- or else. The reason for the threat is the Taliban's belief that American soldiers and rebels within Afghanistan are using mobile phones to track down remaining Taliban members.

"Since the occupying forces stationed in Afghanistan usually at night use mobile phones for espionage to track down the mujahideen, the Islamic Emirate gave a three-day ultimatum to all mobile phone firms to switch off their phones from five in the afternoon until seven in the morning," Taliban spokesperson Qari Mohammad Yousuf told Reuters, ironically via mobile phone (and presumably during daylight).

Three of the four companies receiving the ultimatum -- Roshan, Areeba, and Etisalat -- are not based in Afghanistan, with the fourth being the Afghan Wireless Communication Company. They are considered major investors in the country's economy, as there are still almost no other means of outside communication since the Taliban's fall in 2001. If they give in to the Taliban's threat, communications within the country would be severely disrupted due to the lack of landlines.

This isn't the first time the Taliban has challenged mobile operators in Afghanistan. In the past, the group has accused the phone companies of actively working with US troops as well as NATO, although not much has happened as a result of those threats. Still, it's no doubt unsettling to the mobile operators to know that they may be targeted for continuing with business as usual -- especially since the US is reportedly using satellites and not mobile phone operators for tracking.

From rforno at infowarrior.org Tue Feb 26 20:13:52 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 26 Feb 2008 15:13:52 -0500
Subject: [Infowarrior] - Comcast blocks public from FCC hearing??
Message-ID:

Comcast Blocking: First the Internet -- Now the Public
http://www.savetheinternet.com/blog/2008/02/25/comcast-blocking-first-the-internet-now-the-public/

There was huge turnout at today's public hearing in Boston on the future of the Internet. Hundreds of concerned citizens arrived to speak out on the importance of an open Internet. Many took the day off from work -- standing outside in the Boston cold -- to see the FCC Commissioners. But when they reached the door, they were told they couldn't come in.

The size of the crowd is evidence that many Americans don't want giant corporations like Comcast and Verizon to decide what we can do and where we can go on the Internet. But will the FCC hear these voices? For many people who showed up on time for the hearing, apparently not.

Comcast -- or someone who really, really likes Comcast -- evidently bused in its own crowd. These seat-warmers were paid to fill the room, a move that kept others from taking part. They arrived en masse some 90 minutes before the hearing began and occupied almost every available seat, upon which many promptly fell asleep (picture above).

One told us that he was "just getting paid to hold someone's seat." He added that he had no idea what the meeting was about. If he was holding someone else's seat, he never gave it up.

Many of this early crowd had mysteriously matching yellow highlighters stuck in their lapels. We also photographed them outside the venue being handed papers by an organizer who had been seen earlier talking with several of the Comcast people at the hearing.

Here's why this is a problem. Comcast clearly paid disinterested people to fill seats. This barred interested citizens from entering. More than 100 people who arrived at the appointed time for the hearing were turned away by campus police because the room was already full.

[Photo: Barred: the interested public]

The Cambridge hearing is part of the FCC's ongoing investigation into Comcast's blocking of Internet traffic. But there's much more at stake. We are at a critical juncture, where it will be decided whether we have a closed Internet controlled by a small handful of giant corporations, or an open Internet controlled by the people who use it.

Comcast wants the former -- to dictate which Web sites and services go fast, slow or don't load at all. And they're backed by the other would-be gatekeepers at AT&T, Verizon and Time Warner.

Tell the FCC to stop Comcast from blocking Internet traffic and to permanently protect Net Neutrality: http://www.savetheinternet.com/comcast.php

The official deadline for comments is Feb. 28.
From rforno at infowarrior.org Wed Feb 27 03:16:55 2008 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 26 Feb 2008 22:16:55 -0500 Subject: [Infowarrior] - The Laws of Full Disclosure Message-ID: The Laws of Full Disclosure Federico Biancuzzi, http://www.securityfocus.com/columnists/466?ref=rss Full disclosure has a long tradition in the security community worldwide, yet different European countries have different views on the legality of vulnerability research. SecurityFocus contributor Federico Biancuzzi investigates the subject of full disclosure and the law by interviewing lawyers from twelve EU countries: Belgium, Denmark, Finland, France, Germany,Greece, Hungary, Ireland, Italy, Poland, Romania, and the UK. SecurityFocus: What does the current law of your country say about disclosure of security vulnerabilities in software? (Belgium) Jos Dumortier: There is no specific legal provision in Belgium about disclosure of security vulnerabilities in software. In some cases however, such a disclosure can be considered a criminal act. I am mainly referring to two cases. The first is the crime of "illegal intrusion in information systems" (sometimes called "hacking"). The qualification of this criminal act not only includes the intrusion itself but also "intentionally distributing instruments or data which are mainly conceived to carry out an intrusion". The second is the crime of "illegal circumvention". This is a rule which has its origin in the European Copyright Directive. Besides the act of circumventing digital rights management software itself, the provision also prohibits the act of intentionally distributing information which enables someone (else) to circumvent DRM systems. On the other hand, someone who discloses vulnerabilities in software can also be held liable -- if this disclosure causes harm, for instance, to the software vendor. But such liability presumes that the disclosing person has (caused harm) by disclosing the weakness. 
(Such harm) has to be proven by the other party. Of course, an employee can be held contractually liable for a disclosure if this disclosure has been prohibited by his employment contract. Same with someone who signed an NDA, etc. (Denmark) Martin von Haller Groenbaek: First off; if you have inside-knowledge regarding such vulnerabilities, e.g. because you work at the software-company making the flawed software, you are not to tell anyone of the vulnerabilities since such vulnerabilities would be considered trade secrets -- and disclosure of trade secrets is punishable with up to one and half years of imprisonment -- and in severe cases with up to 6 years of imprisonment. However, if the vulnerability is not considered a trade secret, e.g. where a user of the software has found the vulnerability, the situation is somewhat different. If the vulnerability is revealed in a very concrete situation, e.g. if you tell exactly how to use a vulnerability in Internet-banking software -- the person revealing the vulnerability runs the risk of being punished for assisting in a crime -- if the vulnerability is used to commit a crime afterwards. If the disclosure of the vulnerability is less concrete -- disclosure would usually not be punishable by law. If the disclosure is made by a competitor this would however likely be in conflict with the Danish marketing practices act, and the company disclosing the vulnerability could be fined. To my knowledge, we only have a single case in Danish law regarding disclosure of vulnerabilities. In the so-called Valus case, a person disclosed in the Computerworld.dk forums that by entering a specific link in your browser you could make the Valus Internet service crash. Valus is an online payment service. He also posted the link itself, but also noted that the link should not be clicked. 
The person disclosing the vulnerability was acquitted, because it was clear that his disclosure was part of a debate, and he had not intended to crash the Web service. However the persons who actually clicked the link where fined. (Finland) Ville Oksanen: Finland has currently an extensive set of different crimes pertaining to information technology. The latest additions were made because of the CoE (Council of Europe) cybercrime treaty. However, regarding to full disclosure, there is no explicit provisions on the matter on the law. Finnish Criminal law 34:9a? "Causing danger to computing" may be applicable due to its very widely scope -- the chapter covers both offering code and offering advices, which could be used to disrupt networks or software. However, there is one additional element -- intent. The act is only criminal if the goal of act is to cause harm or damage. However, the preparation material, which is not binding for courts (but a strong recommendation), of that chapter actually takes a position that publishing a bug is normally OK, even for pressuring a vendor, but that creating code that demonstrates how to use it is not, unless it is produced to be sent to organization like CERT. This seems to imply that full disclosure could be criminal. So far there has not been any court cases relating the matter. (France) Eric Barbry: Actually, in my opinion, there is no specific text on this question in French law. However, this question could be solved in regard of other regulations, especially criminal law. The French penal code punishes fraudulent access or remain within all or part of an automated data processing system. 
Moreover, article 323-3-1 of the criminal code stipulates: "Person who, without lawful authority, imports, possesses, offers, transfers or makes available any equipment, instrument, computer program or information created or specially adapted to commit one or more of the offenses prohibited by articles 323-1 to 323-3, is punished by the penalties prescribed for the offense itself, or the one that carries the heaviest penalty". Therefore, it seems possible to punish the disclosure of security vulnerabilities in software, on the basis of these articles, if unlawful access has been committed or if the disclosure has been realized in the conditions of article 323-3-1. The risk of prosecution depends on the particulars of the security of the information system which is accessed. Thus, in a decision of October 2002 [Cour d'Appel de Paris, Tati / Kitetoa, 30 octobre 2002], the Court of Appeal of Paris (charged) a journalist who had accessed the information system of Tati. The objective of this journalist was to reveal security vulnerabilities on his website, Kitetoa. The Court did not consider the objective of (gathering) the information to (trump) the offense of intrusion on the information system. However, the Court did consider that the information system was "insufficiently secured" and that the offense of intrusion couldn't be committed on an "insufficiently secured" system. The other criminal basis to punish disclosure of security vulnerabilities in software is counterfeiting regulations. In a decision of February 2006 [Cour d'appel de Paris 13ème chambre, section A. Arrêt du 21 février 2006. Guillaume T. (dit Guillermito) / Eyal D., Tegam International], the Paris Court of Appeals convicted Mr G. for counterfeiting the Viguard software. Mr G was interested in software vulnerabilities, and he disclosed on the Internet vulnerabilities of the Viguard software.
The problem is that Mr G wasn't (the owner) of a license on the software and that he copied and disassembled certain elements of the software to publish them on the Internet. In the other cases, it will be more difficult to punish a disclosure, except if this disclosure is a violation of business secrets or an act of unfair competition. (Germany) Marco Gercke: Marco gave a detailed interview to SecurityFocus and talked about vulnerability disclosure. (Greece) Irini Vassilaki: Greek law does not explicitly prohibit the disclosure of vulnerabilities in software. The only provision that could cover this issue is Art. 370C par. 2 of the Greek criminal code that punishes hacking. This normally punishes the access to data that are stored in a computer system or are transported via telecommunications networks. The act must be committed "without right". This is especially the case when the access takes place through the violation of security measures, which have been taken by the owner or other right holder of the system. There is no case law regarding the interpretation of Art. 370C par. 2 GrCC. According to the legal literature "without right" is every activity that takes place without the authorization of the right holder of the system. Therefore, any interference with the software that could (result in) the disclosure of vulnerabilities and occurs beyond such authorization takes place "without right". For the prosecution of this offense, a complaint is required. I cannot imagine, however, that the disclosure of the vulnerabilities of software will be reported to the police by the right holder. This would have as a result that the "weak parts" of the software would be public and this would have negative consequences for the right holder. (Hungary) Ferenc Suba: Before you disclose a security vulnerability in software, you should ask yourself a couple of questions to clarify the legal consequences of your action in Hungary.
First you should validate whether the information you give to the public is correct. If you publish incorrect vulnerability information, you may be liable for damages according to civil law, because you have damaged the reputation of the software producer. Having checked that, you should pose the question whether the disclosure hurts the rights or legitimate interests of the software producer, any other third person or the public order. Concentrating on the software producer, you will not infringe any portion of its copyright or patent rights -- in the case of computer-implemented inventions -- if you limit the disclosure to the vulnerability itself and you do not extend the publication to the parts of the software that are protected by the Copyright Act, the Patent Act or even the Penal Code. If you look at third parties and public order, it is always important to show that you are acting in good faith, i.e. you are not disclosing the vulnerability to enable others to commit a crime against information systems, since it would fall under a crime regulated in the Penal Code. This can be done by attaching patch information to the vulnerability. Having paid attention to the above, you can be sure that the disclosure will be a legal one and in conformity with the relevant provisions of the civil and penal laws of Hungary. Moreover, the legal disclosure of security vulnerabilities in software can be seen as an action that supports the fulfillment of regulatory requirements laid down in the Data Protection Act (in respect to data protection), the Act on Credit Institutions (in respect to the protection of their information systems), the Act on Electronic Communications (in respect to the protection of the electronic communication and information systems), and the Government Decree on the National Security Supervisory Authority (in respect to the electronic security of the institutions falling under the scope of the authority).
(Ireland) TJ McIntyre: We have no law in this area as of yet. It is possible that possession of hacking tools or a crack or exploit code might amount to the offense of possession of an item with intent to damage property (note that property includes data). It is also possible that the method used to discover a vulnerability might itself amount to a crime under s.5 CDA 1991 or s.9 Criminal Justice (Theft and Fraud Offences) Act 2001. There may also be contractual or licence provisions which restrict a user's ability to disclose vulnerabilities. Otherwise though this area is a blank slate. (Italy) Gabriele Faggioli: No legal measure exists in our ordinance that specifically refers to vulnerabilities and/or exploits. However, some norms do exist that abstractly can be considered applicable to research and the publication of vulnerabilities and/or exploits. First of all, it is important to consider that research into vulnerabilities related to operating systems and applications is not always considered a legal activity. With reference to proprietary software -- with closed-source code -- precise norms are defined by the law on copyrights (Law n. 633 of 22nd April 1941 and subsequent modifications). On the one hand, (the laws) allow the legitimate owner of a copy to observe, study or subject the operation of the program to a test, with the objective of establishing the ideas and principles upon which each element of the program is based -- if such activities are performed during the loading, visualization, execution, transmission or storage operations of the program. On the other hand, the possibility of performing de-compilation operations is limited to special cases, such as the achievement of inter-operability with other programs. Implemented in accordance with the law on copyrights, research and the subsequent publication of vulnerabilities related to a software is not illegal as long as some specific details are adopted.
In particular, the person that discovers the vulnerabilities should inform the manufacturer of the program that the vulnerability refers to, in advance in order to allow him to create a "patch" before any possible publication. In the absence of this prior transmission of information, the individual that has disseminated the vulnerability may be called upon to compensate, on a civil level, damages caused by third parties due to the effect of its publication. This behavior may be considered contrary to the principle of good faith, as such damages, even if they are involuntary, generated indirectly by the integral publication of vulnerabilities, could have been avoided or limited through a much more diligent behavior by the person in charge of their diffusion. Another topic applies to research of vulnerability that refers to specific information technology systems implemented by third parties -- for example by a company. These research activities may integrate the abusive computer access crime regulated by article 615/ter of the penal code if used, for example, through penetration tests not authorized by the company. The norm indicated, in reality, specifically punishes the behavior of anybody that illegally enters a computer system protected by safety measures or remains in the system against the specific desire of whoever has the right to exclude him, and the crime can be punishable as a pure attempt. The subsequent publication of vulnerabilities may, in this case, have an independent penal importance. 
Article 615/quater of the penal code ("Abusive detention and diffusion of access codes to computer or remote systems") considers it a crime for an individual who, with the objective of creating profit for himself or for others or creating damages to others, illegally obtains, reproduces, diffuses, communicates or delivers codes, passwords or other suitable means for access to a computer or remote system, protected by safety means, or provides indications or instructions suitable for the aforementioned purposes. With reference to the publication of exploits (or programs/codes created to take advantage of a previously identified vulnerability), article 615 of the penal code may be used as it punishes the diffusion, communication or delivery of programs whose objective or whose effects include damage to a computer or remote system or alteration of its operation. This norm, traditionally associated with the diffusion of computer viruses, may be applied to the publication of exploits that may result in alterations to the computer system whose vulnerabilities are exploited. Despite the aforementioned norms examined, considered to be abstractly applicable to the publication of vulnerabilities and exploits, no ruling has yet been issued by Italian judges on a concrete case. At the same time, no intervention has been planned by our legislators in order to regulate this topic. (Poland) Tomasz Rychlicki: The Polish Law of February 4, 1994, on Copyright and Neighboring Rights (in Polish: ustawa o prawie autorskim i prawach pokrewnych) allows -- unless otherwise provided in the contract -- for acts such as reproducing the program in its entirety or in part, either permanently or provisionally, where the loading, display, running, transmission or storage of a computer program calls for such reproduction, if they are necessary for the lawful acquirer to be able to make use of the program according to its intended purpose, including the correction of errors (article 74, sec.
4(1) and article 75, sec. 1). The following acts shall not require authorization: analysis and study of and experimentation with the operation of the computer program by the lawful acquirer in order to ascertain its underlying ideas and principles, if the person concerned performs the above acts at the time of the operations associated with the loading, display, running, transmission or storage of the computer program (article 75, sec. 2(2)). As you can see there isn't any prohibition on publishing your discoveries in copyright law, but we also have the Polish Penal Code (in Polish: Kodeks Karny) and the highly criticized Doctrine Article 269b, which prohibits creating, acquiring, selling or making available to other persons devices, computer software, passwords, codes or other data which allow access to information stored in a computer system or network. Article 269b of the Polish Penal Code penalizes an act of a person who produces, acquires, sells or makes accessible for other persons devices or computer programs and also computer passwords, access codes or other data that enable access to information stored in a computer system or telecommunication network. Such a person can be sentenced to up to 3 years of imprisonment. Hacking is not defined in the Polish Penal Code. However, article 269b contains an undefined term such as "other data" which is contradictory to one of the main criminal law principles -- "in dubio pro reo" -- all doubts should be decided in favor of the defendant. What is more important, Article 269b of the PPC is an example of an incorrect implementation of the Council of Europe Convention on Cybercrime (article 6 sec. 2) which clearly allows production, sale, procurement for use, import, distribution or otherwise making available or possession of devices, computer programs, computer passwords, access codes, or similar data that are used not for the purpose of committing an offense established by the Convention.
For example: for the authorized testing or protection of a computer system. There is no definition of "authorized testing" but it may be presumed that every legitimate user of a computer program is entitled to such actions. In European Union countries this presumption is supported by a provision included in the Council Directive 91/250/EEC of 14 May 1991 on the legal protection of computer programs. So, as you can see, you can publish any kind of vulnerability in Poland and Europe (and in any country which is a party to the CoE CoC). There is also another very important issue with the national legislation as regards the Council of Europe Convention on Cybercrime, which 21 countries signed including the U.S.A. When the national legislation which implements the CoC is improperly implemented and a person is charged based on those national regulations' provisions he/she always has the right to challenge it before the European Court of Human Rights. The court will always follow the Convention's text. (Romania) Bogdan Manolea: The Romanian cybercrime law does not rule specifically on the disclosure of security vulnerabilities in software. From a theoretical point of view this might be considered, depending on the circumstances of the case of course, as an "aiding and abetting" of the crime of illegal access to a computer system (see art. 42, especially point b) and could be prosecuted in a penal case. If the disclosure is directly linked also with an unauthorized entry in a computer system by the same person, then this is a crime according to art. 42, Law 161/2003. There are no court rulings that I know of on this matter and I don't know of any resource on the Internet especially on this topic (in Romanian or about Romania). Writing an exploit is a crime under article 46, but only if it can be used in (only) an illegal way... If we have an exploit that can be used in a legal way, then there is no punishment for producing or sharing it.
Article 46 (1) The following are considered criminal offenses and punished with imprisonment from 1 to 6 years. 1. the production, sale, import, distribution or making available, in any other form, without right, of a device or a computer program designed or adapted for the purpose of committing one of the offenses established in accordance with arts. 42-45; 2. the production, sale, import, distribution or making available, in any other form, without right, of a password, access code or other such computer data allowing total or partial access to a computer system for the purpose of one of the offenses established in accordance with arts. 42-45; (2) The possession, without right, of a device, computer program, password, access code or computer data referred to at paragraph (1) for the purpose of one of the offenses established in accordance with arts. 42-45 is also punished similarly. Anyway, this is a theoretical discussion -- in practice the Romanian cybercrime police are so busy with the phishing cases, they won't have time for such a minor crime. (UK) Peter Sommer: There is no specific provision in English Law, but if the discloser is in a contractual relationship with the supplier, the contract may seek to ban reverse engineering or impose a duty of confidentiality. In those circumstances the supplier could resort to civil proceedings. The only obvious criminal route might be via "incitement" -- that is that by publicizing the breach others were being encouraged to take advantage. But the prosecutor would need to demonstrate "intent"; and the discoverer of the flaw could almost certainly say that the intent was to make the product secure, not to take advantage. I think that UK authorities would be reluctant to prosecute in these circumstances. On the whole, if a flaw is discovered in your product, you would do better to rectify it, rather than going to the law.
There is perhaps one further aspect of the law to consider: the means by which the security flaw was uncovered. The Council of Europe Cybercrime Treaty (to which the USA is a signatory) includes provisions against the use of "anti-hacking" tools. If you have uncovered a flaw using certain techniques and then publicize the results you may, in certain circumstances, be admitting to breaking the law! Copyright 2006, SecurityFocus From rforno at infowarrior.org Wed Feb 27 03:40:28 2008 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 26 Feb 2008 22:40:28 -0500 Subject: [Infowarrior] - GOP Halts Effort to Retrieve White House E-Mails Message-ID: GOP Halts Effort to Retrieve White House E-Mails http://www.washingtonpost.com/wp-dyn/content/article/2008/02/26/AR2008022602312.html?hpid=topnews By Dan Eggen Washington Post Staff Writer Wednesday, February 27, 2008; Page A02 After promising last year to search its computers for tens of thousands of e-mails sent by White House officials, the Republican National Committee has informed a House committee that it no longer plans to retrieve the communications by restoring computer backup tapes, the panel's chairman said yesterday. The move increases the likelihood that an untold number of RNC e-mails dealing with official White House business during the first term of the Bush administration -- including many sent or received by former presidential adviser Karl Rove -- will never be recovered, said House Democrats and public records advocates. The RNC had previously told the House Oversight and Government Reform Committee that it was attempting to restore e-mails from 2001 to 2003, when the RNC had a policy of purging all e-mails, including those to and from White House officials, after 30 days. But Chairman Henry A. Waxman (D-Calif.) disclosed during a hearing yesterday that the RNC has now said it "has no intention of trying to restore the missing White House e-mails."
"The result is a potentially enormous gap in the historical record," Waxman said, including the buildup to the Iraq war. RNC spokesman Danny Diaz said in a statement that the committee "is fully compliant with the spirit and letter of the law." He declined further comment. Administration officials have acknowledged that Rove and many other White House officials routinely used RNC accounts for government business, despite rules requiring that they conduct such business through official communications channels. The RNC also deleted all e-mails until 2004, when it exempted White House officials from its e-mail purging policy. About 80 White House aides used RNC accounts for official government business, committee staff said. Rove, for example, sent or received 140,000 e-mails on RNC servers from 2002 to 2007, and more than half involved official ".gov" accounts, the panel has said. The RNC dispute is part of a broader debate over whether the Bush administration has complied with long-standing statutory requirements to preserve official White House records -- including those reflecting potentially sensitive policy discussions -- for history and in case of future legal demands. The committee is investigating allegations that vast stores of official Bush administration e-mails have also gone missing from the White House, which scrapped a Clinton-era archiving system and has struggled with data retention problems. A former White House technology manager told the committee in statements released yesterday that the Bush administration's e-mail system "was primitive and the risk that data would be lost was high." Steven McDevitt, who left the White House in 2006, said he supervised an internal study that found hundreds of days in which no electronic messages were stored for one or more White House offices from January 2003 to August 2005. 
The study stated a range when tallying the total number of days in which each office had no recorded e-mails, from 473 -- which had been previously reported -- to more than 1,000, McDevitt said. McDevitt also said security was so lax that e-mail could be modified by anyone on the computer network until the middle of 2005. Administration officials defended their efforts to fix the problems, and said they are still working to locate and identify e-mails reported as missing. "We are very energized about getting to the bottom of this," said Theresa Payton, chief information officer at the Office of Administration. At the hearing, Payton and GOP lawmakers attacked the 2005 White House study overseen by McDevitt, calling it flawed and unreliable. McDevitt said the 250-page study involved numerous senior technology officials as well as outside contractors. Rep. Thomas M. Davis III (Va.), the committee's ranking Republican, said in a statement that the missing e-mail allegations are "based on a discredited internal report conveniently leaked to the media." He also said that yesterday's hearing was "less about preserving records and more about resurrecting the spurious claim that the White House 'lost millions of official e-mails.' " Davis also said, based on a briefing by Payton, that the actual number of days with missing e-mails was 202. "A substantial portion of the so-called 'missing' e-mails appear not to be missing at all, just filed in the wrong digital drawer," Davis said. No other committee member followed up on that allegation during the hearing. 
From rforno at infowarrior.org Wed Feb 27 13:50:19 2008 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 27 Feb 2008 08:50:19 -0500 Subject: [Infowarrior] - Automated killer robots 'threat to humanity': expert Message-ID: Automated killer robots 'threat to humanity': expert Feb 27 06:18 AM US/Eastern http://www.breitbart.com/article.php?id=080227111811.y9syyq8p&show_article=1 Increasingly autonomous, gun-toting robots developed for warfare could easily fall into the hands of terrorists and may one day unleash a robot arms race, a top expert on artificial intelligence told AFP. "They pose a threat to humanity," said University of Sheffield professor Noel Sharkey ahead of a keynote address Wednesday before Britain's Royal United Services Institute. Intelligent machines deployed on battlefields around the world -- from mobile grenade launchers to rocket-firing drones -- can already identify and lock onto targets without human help. There are more than 4,000 US military robots on the ground in Iraq, as well as unmanned aircraft that have clocked hundreds of thousands of flight hours. The first three armed combat robots fitted with large-caliber machine guns deployed to Iraq last summer, manufactured by US arms maker Foster-Miller, proved so successful that 80 more are on order, said Sharkey. But up to now, a human hand has always been required to push the button or pull the trigger. If we are not careful, he said, that could change. Military leaders "are quite clear that they want autonomous robots as soon as possible, because they are more cost-effective and give a risk-free war," he said. Several countries, led by the United States, have already invested heavily in robot warriors developed for use on the battlefield. South Korea and Israel both deploy armed robot border guards, while China, India, Russia and Britain have all increased the use of military robots.
Washington plans to spend four billion dollars by 2010 on unmanned technology systems, with total spending expected to rise to 24 billion, according to the Department of Defense's Unmanned Systems Roadmap 2007-2032, released in December. James Canton, an expert on technology innovation and CEO of the Institute for Global Futures, predicts the deployment within a decade of detachments that will include 150 soldiers and 2,000 robots. The use of such devices by terrorists should be a serious concern, said Sharkey. Captured robots would not be difficult to reverse engineer, and could easily replace suicide bombers as the weapon of choice. "I don't know why that has not happened already," he said. But even more worrisome, he continued, is the subtle progression from the semi-autonomous military robots deployed today to fully independent killing machines. "I have worked in artificial intelligence for decades, and the idea of a robot making decisions about human termination terrifies me," Sharkey said. Ronald Arkin of Georgia Institute of Technology, who has worked closely with the US military on robotics, agrees that the shift towards autonomy will be gradual. But he is not convinced that robots don't have a place on the front line. "Robotics systems may have the potential to out-perform humans from a perspective of the laws of war and the rules of engagement," he told a conference on technology in warfare at Stanford University last month. The sensors of intelligent machines, he argued, may ultimately be better equipped to understand an environment and to process information. "And there are no emotions that can cloud judgement, such as anger," he added. Nor is there any inherent right to self-defence. For now, however, there remain several barriers to the creation and deployment of Terminator-like killing machines. Some are technical.
Teaching a computer-driven machine -- even an intelligent one -- how to distinguish between civilians and combatants, or how to gauge a proportional response as mandated by the Geneva Conventions, is simply beyond the reach of artificial intelligence today. But even if technical barriers are overcome, the prospect of armies increasingly dependent on remotely-controlled or autonomous robots raises a host of ethical issues that have barely been addressed. Arkin points out that the US Department of Defense's 230 billion dollar Future Combat Systems programme -- the largest military contract in US history -- provides for three classes of aerial and three land-based robotics systems. "But nowhere is there any consideration of the ethical implications of the weaponisation of these systems," he said. For Sharkey, the best solution may be an outright ban on autonomous weapons systems. "We have to say where we want to draw the line and what we want to do -- and then get an international agreement," he said. Copyright AFP 2008, AFP stories and photos shall not be published, broadcast, rewritten for broadcast or publication or redistributed directly or indirectly in any medium From rforno at infowarrior.org Wed Feb 27 14:40:59 2008 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 27 Feb 2008 09:40:59 -0500 Subject: [Infowarrior] - German Court Shoots Down PC Surveillance Message-ID: German Court Shoots Down PC Surveillance By THE ASSOCIATED PRESS Filed at 9:18 a.m. ET http://www.nytimes.com/aponline/technology/AP-Germany-Computer-Surveillance.html BERLIN (AP) -- Government surveillance of personal computers violates the individual right to privacy, Germany's highest court found Wednesday, in a ruling that German investigators say will restrict their ability to pursue terrorists.
In the ruling, Germany's Constitutional Court in Karlsruhe established the privacy of data stored or exchanged on personal computers as a basic right protected by the nation's constitution. ''Collecting such data directly encroaches on a citizen's rights, given that fear of being observed ... can prevent unselfconscious personal communication,'' presiding judge Hans-Juergen Papier said in his ruling. At the same time, Papier said authorities would be allowed to spy on suspects' computers using virus-like software in exceptional cases. However, any such action must have the approval of a judge before going forward. ''Given the gravity of the intrusion, the secret infiltration of an IT system in such a way that use of the system and its data can be searched can only be constitutionally allowed if clear evidence of a concrete threat to a prominent object of legal protection exists,'' Papier said. While Wednesday's ruling was based on a law in the state of North Rhine-Westphalia that had permitted online spying, the high court's decision will set a nationwide precedent, Papier said. Interior Minister Wolfgang Schaeuble welcomed the ruling, saying his ministry would refer to the clause allowing surveillance in specific cases in preparing new legislation to guide Germany's national intelligence services. A previous proposal to use the technology to fight terror and investigate a range of crimes met with sharp criticism from civil rights groups and opposition politicians. ''We expect that with a decision from the court we'll get a wider acceptance of the law than when it was just the Interior Minister saying the same thing,'' Schaeuble said. ''I hope that the insecurity felt by young people will be tempered by this decision; it shows that our government ... protects the people's rights.'' Schaeuble said the decision will be examined carefully. ''The court's decision must be carefully analyzed and will be accounted for as the legislation is modified,'' he said.
Justice Minister Brigitte Zypries also welcomed the decision, saying that it ''strengthened the trust of citizens and the economic system in the integrity and confidentiality of computer systems.'' ------ Associated Press Writer Cameron Abadi contributed to this report. From rforno at infowarrior.org Wed Feb 27 19:56:10 2008 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 27 Feb 2008 14:56:10 -0500 Subject: [Infowarrior] - William F. Buckley Jr. Is Dead at 82 Message-ID: February 27, 2008 William F. Buckley Jr. Is Dead at 82 By DOUGLAS MARTIN http://www.nytimes.com/2008/02/27/business/media/27cnd-buckley.html?hp=&pagewanted=print William F. Buckley Jr., who marshaled polysyllabic exuberance, famously arched eyebrows and a refined, perspicacious mind to elevate conservatism to the center of American political discourse, died Wednesday at his home in Stamford, Conn. Mr. Buckley, 82, suffered from diabetes and emphysema, his son Christopher said, although the exact cause of death was not immediately known. He was found at his desk in the study of his home, his son said. "He might have been working on a column," Mr. Buckley said. Mr. Buckley's winningly capricious personality, replete with ten-dollar words and a darting tongue writers loved to compare with an anteater's, hosted one of television's longest-running programs, "Firing Line," and founded and shepherded the influential conservative magazine, "National Review." He also found time to write at least 55 books, ranging from sailing odysseys to spy novels to celebrations of his own dashing daily life, and to edit five more. His political novel "The Rake" was published last August, and a book looking back at the National Review's history in November; a personal memoir of Barry Goldwater is due for publication in April, and Mr. Buckley was working on a similar book about Ronald Reagan for release in the fall. The more than 4.5 million words of his 5,600 biweekly newspaper columns, "On the Right,"
would fill 45 more medium-sized books. Mr. Buckley's greatest achievement was making conservatism -- not just electoral Republicanism, but conservatism as a system of ideas -- respectable in liberal post-World War II America. He mobilized the young enthusiasts who helped nominate Barry Goldwater in 1964, and saw his dreams fulfilled when Reagan and the Bushes captured the Oval Office. To Mr. Buckley's enormous delight, Arthur M. Schlesinger, Jr., the historian, termed him "the scourge of liberalism." In remarks at National Review's 30th anniversary in 1985, President Reagan joked that he picked up his first issue of the magazine in a plain brown wrapper and still anxiously awaited his biweekly edition -- "without the wrapper." "You didn't just part the Red Sea -- you rolled it back, dried it up and left exposed, for all the world to see, the naked desert that is statism," Mr. Reagan said. "And then, as if that weren't enough," the president continued, "you gave the world something different, something in its weariness it desperately needed, the sound of laughter and the sight of the rich, green uplands of freedom." The liberal advance had begun with the New Deal, and so accelerated in the next generation that Lionel Trilling, one of America's leading intellectuals, wrote in 1950: "In the United States at this time liberalism is not only the dominant but even the sole intellectual tradition. For it is the plain fact that there are no conservative or reactionary ideas in general circulation." Mr. Buckley declared war on this liberal order, beginning with his blistering assault on Yale as a traitorous den of atheistic collectivism immediately after his graduation (with honors) from the university. "All great biblical stories begin with Genesis," George Will wrote in the National Review in 1980.
"And before there was Ronald Reagan, there was Barry Goldwater, and before there was Barry Goldwater there was National Review, and before there was National Review there was Bill Buckley with a spark in his mind, and the spark in 1980 has become a conflagration." Mr. Buckley wove the tapestry of what became the new American conservatism from libertarian writers like Max Eastman, free market economists like Milton Friedman, traditionalist scholars like Russell Kirk and anti-Communist writers like Whittaker Chambers. But the persuasiveness of his argument hinged not on these perhaps arcane sources, but on his own tightly argued case for a conservatism based on the national interest and a higher morality. His most receptive audience became young conservatives first energized by Barry Goldwater's emergence at the Republican convention in 1960 as the right-wing alternative to Nixon. Some met in Sept., 1960, at Mr. Buckley's Connecticut estate to form Young Americans for Freedom. Their numbers -- and influence -- grew. Nicholas Lemann observed in Washington Monthly in 1988 that during the Reagan administration "the 5,000 middle-level officials, journalists and policy intellectuals that it takes to run a government" were "deeply influenced by Buckley's example." He suggested that neither moderate Washington insiders nor "Ed Meese-style provincial conservatives" could have pulled off the Reagan tax cut and other reforms. Speaking of the true believers, Mr. Lemann continued, "Some of these people had been personally groomed by Buckley, and most of the rest saw him as a role model." Mr. Buckley rose to prominence with a generation of talented writers fascinated by political themes, names like Mailer, Capote, Vidal, Styron and Baldwin. Like the others, he attracted controversy like a magnet. Even conservatives -- from members of the John Birch Society to disciples of conservative author Ayn Rand to George Wallace to moderate Republicans -- frequently pounced on him.
Many of varied political stripes came to see his life as something of an art form -- from racing through city streets on a motorcycle to a quixotic campaign for mayor of New York in 1965 to startling opinions like favoring the decriminalization of marijuana. He was often described as liberals' favorite conservative, particularly after suavely hosting an adaptation of Evelyn Waugh's "Brideshead Revisited" on public television in 1982. Norman Mailer may indeed have dismissed Mr. Buckley as a "second-rate intellect incapable of entertaining two serious thoughts in a row," but he could not help admiring his stage presence. "No other act can project simultaneous hints that he is in the act of playing Commodore of the Yacht Club, Joseph Goebbels, Robert Mitchum, Maverick, Savonarola, the nice prep school kid next door, and the snows of yesteryear," Mr. Mailer said in an interview with Harpers in 1967. Mr. Buckley's vocabulary, sparkling with phrases from distant eras and described in newspaper and magazine profiles as sesquipedalian (characterized by the use of long words) became the stuff of legend. Less kind commentators called him "pleonastic" (use of more words than necessary). And, inescapably, there was that aura of pure mischief. In 1985, David Remnick, writing in The Washington Post, said, "He has the eyes of a child who has just displayed a horrid use for the microwave oven and the family cat." William Francis Buckley Jr., was born in Manhattan on Nov. 24, 1925, the sixth of the 10 children of Aloise Steiner Buckley and William Frank Buckley Jr. (John B. Judis relates in his 1988 biography, "William F. Buckley, Jr.: Patron Saint Of the Conservative," that he was christened with the middle name Francis instead of Frank, according to his sister, Patricia, because there was no saint named Frank. Later, in "Who's Who" entries and elsewhere, he used Frank.) The elder Mr.
Buckley made a fortune in the oil fields of Mexico, and educated his children with personal tutors at Great Elm, the family estate in Sharon, Conn. They also attended exclusive Roman Catholic schools in England and France. Young William absorbed his family's conservatism along with its deep Catholicism. At 6, he wrote the King of England demanding he repay his country's war debt. At 14, he followed his brothers to the Millbrook School, a preparatory school 15 miles across the New York state line from Sharon. In his spare time at Millbrook, young Bill typed schoolmates' papers for them, charging $1 a paper, with a 25-cent surcharge for correcting the grammar. He did not neglect politics, showing up uninvited to a faculty meeting to complain about a teacher abridging his right to free speech and ardently opposing United States' involvement in World War II. His father wrote him to suggest he "learn to be more moderate in the expression of your views." He graduated from Millbrook in 1943, then spent half a year at the University of Mexico studying Spanish, which had been his first language. He served in the Army from 1944 to 1946, and managed to make second lieutenant after first putting colleagues off with his mannerisms. "I think the army experience did something to Bill," his sister, Patricia, told Mr. Judis. "He got to understand people more." Mr. Buckley then entered Yale where he studied political science, economics and history; established himself as a fearsome debater; was elected chairman of the Yale Daily News, and joined Skull and Bones, the most prestigious secret society. As a senior, he was given the honor of delivering the speech for Yale's Alumni Day celebration, but was replaced after the university's administration objected to his strong attacks on the university. He responded by writing his critique in the book that brought him to national attention, in part because he gave the publisher, Regnery, $10,000 to advertise it.
Published in 1951, "God and Man at Yale: The Superstitions of 'Academic Freedom,'" charged the powers at Yale with having an atheistic and collectivist bent and called for the firing of faculty members who advocated values not in accord with those that the institution should be upholding -- which was to say, his own. Among the avalanche of negative reviews, the one in Atlantic by McGeorge Bundy, a Yale graduate, was conspicuous. He found the book "dishonest in its use of facts, false in its theory, and a discredit to its author." But Peter Viereck, writing in The New York Times Sunday Book Review viewed the book as "a necessary counterbalance." After a year in the Central Intelligence Agency in Mexico City (his case officer was E. Howard Hunt, who went on to win celebrity for his part in the Watergate break-in), Mr. Buckley went to work for the American Mercury magazine, but resigned after spotting anti-Semitic tendencies in the magazine. Over the next few years, Mr. Buckley worked as a freelance writer and lecturer, and wrote a second book with L. Brent Bozell, his brother-in-law. Published in 1954, "McCarthy and His Enemies" was a sturdy defense of the senator from Wisconsin who was then in the throes of his campaign against communists, liberals and the Democratic Party. In 1955, Mr. Buckley started National Review as a voice for "the disciples of truth, who defend the organic moral order" with a $100,000 gift from his father. The first issue, which came out in November, claimed the publication "stands athwart history yelling Stop." It proved it by lining up squarely behind Southern segregationists, saying blacks should be denied the vote. After some conservatives objected, Mr. Buckley suggested instead that both uneducated whites and blacks should not be allowed to vote. Mr. Buckley did not accord automatic support to Republicans, starting with Eisenhower's campaign for re-election in 1956. National Review's tepid endorsement: "We prefer Ike."
Circulation increased from 16,000 in 1957 to 125,000 at the time of Goldwater's candidacy in 1964, and leveled off to around 100,000 in 1980. It is now 155,000. The magazine has always had to be subsidized by readers' donations. Along with offering a forum to big-gun conservatives like Russell Kirk, James Burnham and Robert Nisbet, National Review cultivated the careers of several younger writers, including Garry Wills, Joan Didion and John Leonard, who would shake off the conservative attachment and go their leftward ways. National Review also helped define the conservative movement by isolating cranks from Mr. Buckley's chosen mainstream. "Bill was responsible for rejecting the John Birch Society and the other kooks who passed off anti-Semitism or some such as conservatism," Hugh Kenner, a biographer of Ezra Pound and a frequent contributor to National Review told The Washington Post. "Without Bill -- if he had decided to become an academic or a businessman or something else -- without him, there probably would be no respectable conservative movement in this country." Mr. Buckley's personal visibility was magnified by his "Firing Line" program which ran from 1966 to 1999. First carried on WOR-TV and then on the Public Broadcasting Service, it became the longest running show hosted by a single host -- beating out Johnny Carson by three years. He led the conservative team in 1,504 debates on topics like "Resolved: The women's movement has been disastrous." There were exchanges on foreign policy with the likes of Norman Thomas; feminism with Germaine Greer and race relations with James Baldwin. Not a few viewers thought Mr. Buckley's toothy grin before he scored a point resembled nothing so much as a switchblade. To New York City politician Mark Green, he purred, "You've been on the show close to 100 times over the years. Tell me, Mark, have you learned anything yet." But Harold Macmillan, former prime minister of Britain, flummoxed the master.
"Isn't this show over yet?" he asked. At age 50, Mr. Buckley added two pursuits to his repertoire -- he took up the harpsichord and became a novelist. Some 10 of the novels are spy tales starring Blackford Oakes, who fights for the American way and bedded the Queen of England in the first book. Others of his books included a historical novel with Elvis Presley as a significant character, another starring Fidel Castro, a reasoned critique of anti-Semitism, and journals that more than succeeded in dramatizing a life of taste and wealth -- his own. For example, in "Cruising Speed: A Documentary," published in 1971, he discussed the kind of meals he liked to eat. "Rawle could give us anything, beginning with lobster Newburgh and ending with Baked Alaska," he wrote. "We settle on a fish chowder, of which he is surely the supreme practitioner, and cheese and bacon sandwiches, grilled, with a most prickly Riesling picked up at St. Barts for peanuts," he wrote. Mr. Buckley's spirit of fun was apparent in his 1965 campaign for mayor of New York on the ticket of the Conservative Party. When asked what he would do if he won, he answered, "Demand a recount." He got 13.4 percent of the vote. For Murray Kempton, one of his many friends on the left, the Buckley press conference style called up "an Edwardian resident commissioner reading aloud the 39 articles of the Anglican establishment to a conscript of assembled Zulus." Unlike his brother James who served as a United States senator from New York, Mr. Buckley generally avoided official government posts. He did serve from 1969 to 1972 as a presidential appointee to the National Advisory Commission on Information, and as a member of the United States delegation to the United Nations in 1973. The merits of the argument aside, Mr.
Buckley irrevocably proved that his brand of candor did not lend itself to public life when an Op-Ed article he wrote for The New York Times offered a partial cure for the AIDS epidemic: "Everyone detected with AIDS should be tattooed in the upper forearm to prevent common needle users, and on the buttocks, to prevent the victimization of homosexuals," he wrote. In his last years, as honors like the Presidential Medal of Freedom came his way, Mr. Buckley gradually loosened his grip on his intellectual empire. In 1998, he ended his frenetic schedule of public speeches (some 70 a year over 40 years, he once estimated). In 1999, he stopped "Firing Line," and in 2004, he relinquished his voting stock in National Review. He wrote his last spy novel (the 11th in his series), sold his sailboat and stopped playing the harpsichord publicly. But he began a new historical novel and kept up his columns, including one on the "bewitching power" of "The Sopranos" television series. He commanded wide attention by criticizing the Iraq war as a failure. On April 15, 2007, his wife, the former Patricia Alden Austin Taylor, who had carved out a formidable reputation as a socialite and philanthropist but considered her role as a homemaker, mother and wife most important, died. Mr. and Mrs. Buckley called each other "Ducky." He is survived by his son, Christopher, of Washington, D.C.; his sisters Priscilla L. Buckley, of Sharon, Conn., Patricia Buckley Bozell, of Washington, D.C., and Carol Buckley, of Columbia, S.C.; his brothers James L., of Sharon, and F. Reid, of Camden, S.C., a granddaughter and a grandson. In the end it was Mr. Buckley's graceful, often self-deprecating wit that endeared him to others. In his spy novel "Who's on First," he described the possible impact of his National Review through his character Boris Bolgin. "'Do you ever read the National Review, Jozsef?'
asks Boris Bolgin, the chief of KGB counter intelligence for Western Europe, 'it is edited by this young bourgeois fanatic.'" An earlier version of this article included an outdated reference to books Mr. Buckley published in 2007 and to the total number of books he From rforno at infowarrior.org Thu Feb 28 00:33:31 2008 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 27 Feb 2008 19:33:31 -0500 Subject: [Infowarrior] - UK Chip & Pin Report In-Reply-To: Message-ID: (c/o Dissent) http://cryptome.org/UK-Chip-PIN-07.pdf This report has been produced by APACS, the UK trade association for payments and for those institutions that deliver payment services to customers. The report is for the key stakeholders who participated in the introduction of Chip & PIN in the UK including APACS and its sub committees, the British Retail Consortium and members of the Chip & PIN Programme. The report aims to assess whether the forecasts and assumptions contained in the original high-level Business Case have been met and to provide explanation, where applicable, for any divergence. The report will also quantify, where robust data is available, the figures used to justify the Business Case. This report represents the final chapter in the UK's successful implementation of Chip & PIN and demonstrates that the UK is a market leader in this technology. It will present the high level business case used to justify the movement towards Chip & PIN in the UK and compare the forecast reductions in fraud against actuals (2000 - 2006) and more recent forecast figures until 2010 to assess the effectiveness of Chip & PIN on fraud compared with the anticipated levels had it not been implemented. Included in the report is qualitative analysis from UK stakeholders on key learnings from their involvement in Chip & PIN's design and implementation together with independent analysis of the role played by the Programme Management Office (PMO).
Although this is the final report covering the introduction to the UK of Chip & PIN, it does not represent the end of the story. Globally, there are moves to introduce similar Chip & PIN initiatives and the UK will itself not stand still. Having introduced the Chip & PIN infrastructure, which provides a platform for future innovation, there are a number of planned developments that will build on its robustness to tackle other areas of card fraud. Without the Chip & PIN infrastructure in place, the introduction of additional authentication to address fraud in remote channels and the launch of contactless card technology would be more difficult. Looking at global Chip & PIN developments, Europe is committed to becoming EMV-compliant by 2010 under its Single Euro Payments Area (SEPA) initiative. Central Europe, Middle East and Africa (CEMEA) already has a liability shift for Point of Sale (POS) transactions in place and ATM transactions are expected to follow suit. Canada has its own PMO in place and is expected to implement a liability shift for Lost & Stolen and Counterfeit cards by 2010 and Asia Pacific is believed to be considering a liability shift for chip and signature cards. From rforno at infowarrior.org Thu Feb 28 00:47:25 2008 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 27 Feb 2008 19:47:25 -0500 Subject: [Infowarrior] - Use of Google for Data Triggers Fears Message-ID: Use of Google for Data Triggers Fears Wednesday February 27, 6:26 pm ET By Jordan Robertson, AP Technology Writer http://biz.yahoo.com/ap/080227/techbit_google_hacking.html?.v=4 Automated 'Google Hacking' Software for Unearthing Data on Other Sites Triggers Security Fears SAN JOSE, Calif. (AP) -- It's called "Google hacking" -- a slick data-mining technique used by the Internet's cops and crooks alike to unearth sensitive material mistakenly posted to public Web sites. 
And it's just gotten easier, thanks to a program that automates what has typically been painstaking manual labor. The program's authors say they hope it will "screw a large Internet search engine and make the Web a safer place." Google hacking doesn't mean anyone's hacking Google's Web site. Rather, it refers to a sophisticated searching technique used to uncover flaws in the way Web sites handle confidential details, such as public files containing passwords and credit card numbers and clues about the vulnerability of the site's own servers. It works by examining the hidden recesses of a Web site, areas that have been indexed by Google but don't pop up in traditional searches. Sometimes Web sites accidentally post revealing information about themselves, either because employees mistakenly put confidential documents online, or the site wasn't properly configured to obscure sensitive areas. Security experts say Google hacking wouldn't be an issue if Web sites had proper security safeguards in place. By looking through Google for evidence of specific types of files used by a Web site or telling responses from the Web site's servers, hackers can learn a lot about how the site was built -- and thus how to begin crafting their attacks. Although Google hacking has been used for several years by good guys and bad guys to monitor security, experts caution that the new program, called Goolag, could tip the balance in favor of criminals. "It just makes their job that much easier -- in a very short period of time they can do all these searches for sensitive information," said Ryan Barnett, director of application security at Breach Security Inc. and a SANS Institute faculty member. Google hackers have typically had to enter detailed Google search strings by hand, using specially crafted queries to unearth links buried deep in the list of a site's contents. Google has been able to clamp down on past attempts to automate the process.
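To make the technique concrete, here is an added example (not code from the article, from Goolag or from Google) of the defender's side of Google hacking: it audits a list of URLs a search engine could index against signatures in the style of the public Google Hacking Database, emits the equivalent search-operator query for the site's own domain so an operator can run the attacker's search before the attacker does, and checks whether robots.txt is advertising sensitive paths rather than protecting them. The crawl list, the robots.txt and the signature set are constructed for the example and describe no real site.

```python
"""Audit indexable URLs for Google-hacking exposures and build the matching
search queries.  Added example; the crawl list, robots.txt and signatures
are constructed and are not from the article or any real site."""
import re
from urllib.parse import urlsplit

# Each signature pairs a local check (regex over the URL path) with the search
# operator an attacker would use to find the same thing through Google.
SIGNATURES = [
    ("database dump",
     re.compile(r"\.(sql|sql\.gz|dump)$", re.I),
     "site:{d} filetype:sql"),
    ("backup of source or config",
     re.compile(r"(\.(bak|old|orig|swp)|~)$", re.I),
     "site:{d} ext:bak OR ext:old"),
    ("credential or config file",
     re.compile(r"(^|/)(\.env|\.htpasswd|wp-config\.php|web\.config)$", re.I),
     "site:{d} inurl:.env OR inurl:wp-config"),
    ("version-control metadata",
     re.compile(r"(^|/)\.(git|svn)(/|$)", re.I),
     "site:{d} inurl:.git"),
    ("server diagnostics page",
     re.compile(r"(^|/)(phpinfo|server-status|server-info)(\.php)?$", re.I),
     'site:{d} intitle:"phpinfo()" OR inurl:server-status'),
    ("spreadsheet or CSV export",
     re.compile(r"\.(xls|xlsx|csv)$", re.I),
     "site:{d} filetype:xls OR filetype:csv"),
]

# Constructed crawl of a fictional site: what a sitemap or a search engine's
# index of the site would list.
CRAWL = """
https://www.example.com/index.html
https://www.example.com/about/team.html
https://www.example.com/backup/site-2008-02.sql
https://www.example.com/wp-config.php.bak
https://www.example.com/.git/config
https://www.example.com/admin/phpinfo.php
https://www.example.com/exports/customers.csv
https://cdn.example.com/img/logo.png
"""

# Constructed robots.txt for the same fictional site.
ROBOTS = """User-agent: *
Disallow: /admin/phpinfo.php
Disallow: /.git/
Disallow: /exports/customers.csv
Disallow: /about/
"""


def classify(path):
    """Return (label, query_template) for the first matching signature, else None."""
    for label, pattern, query in SIGNATURES:
        if pattern.search(path):
            return label, query
    return None


def audit(urls):
    """Flag URLs that match an exposure signature.
    Returns [(url, label, search_query_for_that_host), ...] in input order."""
    hits = []
    for url in urls:
        parts = urlsplit(url)
        found = classify(parts.path)
        if found:
            label, query = found
            hits.append((url, label, query.format(d=parts.hostname)))
    return hits


def robots_roadmap(robots_txt):
    """Disallow entries that themselves match a signature.  robots.txt is public
    and only asks well-behaved crawlers to stay away, so a Disallow line for a
    sensitive path advertises it rather than protecting it."""
    leaks = []
    for line in robots_txt.splitlines():
        key, _, value = line.partition(":")
        path = value.strip()
        if key.strip().lower() == "disallow" and path:
            found = classify(path)
            if found:
                leaks.append((path, found[0]))
    return leaks


def queries_for(urls):
    """Deduplicated list of the search queries an attacker would run against the site."""
    return sorted({query for _, _, query in audit(urls)})


if __name__ == "__main__":
    for url, label, query in audit(CRAWL.split()):
        print(f"{label:28} {url}\n{'':28} -> {query}")
    for path, label in robots_roadmap(ROBOTS):
        print(f"robots.txt advertises {path} ({label})")
```

The fix for a hit is to remove the file or put it behind authentication, not to add it to robots.txt: the Disallow line is itself public and, as `robots_roadmap` shows, gives an attacker the path without needing the search engine at all. The same signature list can be fed to the site's own crawler output or access logs, which is cheaper and more complete than querying Google and does not depend on what the index currently holds.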
Experts say the new program, on the other hand, appears to work differently, tricking Google into believing a real person is typing the queries -- in other words, someone Google would be unlikely to block. Google declined to comment on Goolag, released by the hacker group Cult of the Dead Cow. From rforno at infowarrior.org Thu Feb 28 02:37:48 2008 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 27 Feb 2008 21:37:48 -0500 Subject: [Infowarrior] - Bank of America, HSBC Most Prone to I.D. Theft, Report Says Message-ID: Bank of America, HSBC Most Prone to I.D. Theft, Report Says - Updated By Ryan Singel, February 27, 2008 | 1:30:42 PM, Categories: Sunshine and Secrecy http://blog.wired.com/27bstroke6/2008/02/bank-of-america.html In a first ever study of which companies have the most identity theft incidents, Bank of America, HSBC, and Washington Mutual were named as the companies with the most incidents per billions of dollars of deposits, according to a study released Wednesday by Berkeley Law School fellow Chris Hoofnagle. Among the nation's largest banks, ING Bank looks to be the safest, with only 0.085 identity theft complaints per billion dollars of insured deposits. In terms of sheer numbers of complaints, Bank of America, AT&T and Sprint were named most often in the complaints, followed closely by Chase, Capital One and Citibank. The study, entitled Measuring Identity Theft at Top Banks (Version 1.0), looks to be the first-ever attempt to name-and-shame companies based on their identity theft protections, or lack thereof. Hoofnagle, who started as a privacy and consumer rights advocate at the Electronic Privacy Information Center, says he did the study because he wants people to be able to choose institutions based on identity theft statistics. He used an open-government request to get more than 88,000 complaints filed by individuals to the Federal Trade Commission in January, March and September 2006.
The FTC publishes statistical data about the complaints yearly, but does not publish the companies' names. "In order for the market to effectively address the ongoing identity theft epidemic, consumers need reliable information about incidence of the crime among institutions," Hoofnagle wrote in the study. "If data were available on this crime, consumers could choose safer institutions, regulators could focus attention on problem actors, and businesses themselves could compete to protect consumers from this crime." To get a rough tally of the number of incidents per customer, Hoofnagle compared the number of incidents against publicly available FDIC data on the institutions' insured deposits. No similar data existed for telecoms companies, making even rough ranking per customer impossible. Hoofnagle admits the data is rough, but hopes the study will force better data to come to light in the future. He also hopes the data could force lawmakers and regulators to mandate public disclosure of identity theft statistics from banks (.pdf). While the FTC data is currently the best source of data on identity theft, it relies on individuals to complain to them. It does not count police reports filed or incidents reported to banks, cell phone companies or credit bureaus. For instance, the FTC data does not distinguish between fraud cases where an impostor establishes new accounts in a person's name from more common cases where a person uses a stolen credit card to make purchases. The data also does not distinguish between identity theft committed online such as through phishing emails and identity theft done without the help of the internet. UPDATE: Bank of America spokeswoman Betty Riess says the company hasn't seen the study yet, but says BoA takes security seriously.
"Keep in mind that if we have a customer who reports they are a victim of identity theft that doesn't correlate to security at BoA," Riess said, referring to the fact that a BoA customer experiencing identity theft could have had their mail stolen or fallen prey to a phishing attack. "Protecting customer information is a top priority at BoA and we have multiple layers of security." Riess added that BoA uses online security offerings from RSA and lets customers use one-time credit card numbers for purchases from unfamiliar online retailers. From rforno at infowarrior.org Thu Feb 28 02:38:43 2008 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 27 Feb 2008 21:38:43 -0500 Subject: [Infowarrior] - Air Force Blocks Access to Many Blogs Message-ID: Air Force Blocks Access to Many Blogs By Noah Shachtman, February 27, 2008 | 2:28:02 PM, Categories: Info War http://blog.wired.com/defense/2008/02/air-force-banni.html The Air Force is tightening restrictions on which blogs its troops can read, cutting off access to just about any independent site with the word "blog" in its web address. It's the latest move in a larger struggle within the military over the value -- and hazards -- of the sites. At least one senior Air Force official calls the squeeze so "utterly stupid, it makes me want to scream." Until recently, each major command of the Air Force had some control over what sites their troops could visit, the Air Force Times reports. Then the Air Force Network Operations Center, under the service's new "Cyber Command," took over. AFNOC has imposed bans on all sites with "blog" in their URLs, thus cutting off any sites hosted by Blogspot. Other blogs, and sites in general, are blocked based on content reviews performed at the base, command and AFNOC level ... The idea isn't to keep airmen in the dark -- they can still access news sources that are "primary, official-use sources," said Maj. Henry Schott, A5 for Air Force Network Operations.
"Basically ... if it's a place like The New York Times, an established, reputable media outlet, then it's fairly cut and dry that that's a good source, an authorized source," he said ... AFNOC blocks sites by using Blue Coat software, which categorizes sites based on their content and allows users to block sub-categories as they choose. "Often, we block first and then review exceptions," said Tech. Sgt. Christopher DeWitt, a Cyber Command spokesman. As a result, airmen posting online have cited instances of seemingly innocuous sites -- such as educational databases and some work-related sites -- getting wrapped up in broad proxy filters. "A couple of years back, I fought this issue concerning the Counterterrorism Blog," one Air Force officer tells Danger Room. "An AF [Air Force] professional education course website recommended it as a great source for daily worldwide CT [counterterrorism] news. However it had been banned, because it called itself a blog. And as we all know, all blogs are bad!" He's joking, of course. But blogs and social networking sites have faced all sorts of restrictions on military networks, for all sorts of reasons. MySpace and YouTube are officially banned, for eating up too much bandwidth. Stringent regulations, read literally, require Army officers to review each and every item one of his soldiers puts online, in case they leak secrets. And in televised commercials, screensavers and fliers, troops are told that blogging is a major security risk -- even though official sites have proven to leak many, many more secrets. Now there's the Air Force's argument, that blogs aren't legitimate media outlets -- and therefore, shouldn't be read at work. But this view isn't universally held in the military. Many believe blogs to be a valuable source of information -- and a way for ordinary troops to shape opinions, at home and abroad. Gen. David Petraeus, who heads the U.S. effort in Iraq, has commended military bloggers. Lt. Gen. William B. 
Caldwell IV, who replaced Petraeus as the head of the Combined Arms Center and Fort Leavenworth, recently wrote (in a blog post, no less) that soldiers should be encouraged to "get onto blogs and [s]end their YouTube videos to their friends and family." Within the Air Force, there's also a strong contingent that wants to see open access to the sites -- and is mortified by the AFNOC's restrictions. "When I hear stuff this utterly stupid, it makes me want to scream.... Piles of torn out hair are accumulating around my desk as we speak," one senior Air Force official writes in an e-mail. "I'm certain that by blocking blogs for official use, our airmen will never, ever be able to read them on their own home computers, so we have indeed saved them from a contaminating influence. Sorry, didn't mean to drip sarcasm on your rug." One of the blogs banned is In From the Cold, which examines military, intelligence and political affairs from a largely right-of-center perspective. It's written by "Nathan Hale," the pseudonym for a former journalist and Air Force intelligence officer, who spent more than two decades in the service. He tells Danger Room, "If knowledge and information are power -- and no one disputes that -- then why not trust your people and empower them to explore all sides of issues affecting the service, air power and national security?" Obviously, DoD [Department of Defense] can decide what internet content should be filtered -- they spent billions on the IT architecture and billions more to maintain it. But if it's a matter of "ensuring worker productivity" and deterring "wasteful surfing of the internet," does it really make sense to block relatively small blogs (that just happen to focus on military and security issues), while allowing everyone to access ESPN or FoxSports? Wonder how much work time will be lost on filling out "March Madness" brackets, versus reading a military or intelligence blog? 
In short, there doesn't seem to be any consistency in the current DoD policy. And that's no surprise. A few months ago, a senior Pentagon P.A. [public affairs] official told me that his service had no plans to engage the blogosphere, because their studies showed that "people don't rely on blogs for news and information." And he said it with a straight face. The Air Force recently launched an $81 million marketing campaign to convince lawmakers and average citizens of its relevance in today's fights. By making it harder for troops to blog, an Air Force officer says, the service had undermined "some of their most credible advocates." "The Air Force isn't getting the planes that they want because they are incapable of communicating their usefulness and applicability in this new war. Because Air Force officers talk more like corporate bureaucrats than cocky war fighters, no one is inspired or convinced of their pressing (and quite legitimate) need to modernize the force," he adds. "Air Force bloggers spoke the lingo of someone heavily invested in the fight, because they operate outside the survival-minded careerist world of public affairs, with many of them penning blog posts from theater." Perhaps, says retired Air Force Col. Tom Ehrhard, who's now a Senior Fellow at the Center for Strategic and Budgetary Assessments. But there are legitimate security reasons why blogs need to be restricted. Adversaries may be using blogs to take advantage of airmen, he notes. It is increasingly clear that active exploitation could take advantage of airmen and civilians who want to inform and correct the often outrageous, false assertions on these blogs. In doing so, it is easy for well-meaning insiders to violate operational security (OPSEC) tenets, either directly or tangentially. We are in a different world today when it comes to sensitive military information, and foreign intelligence operatives surely understand this and will exploit it. 
As a former member of Strategic Air Command, where OPSEC was (rightly) an obsession, this has been obvious to me for some time in reading aerospace-oriented blogs. This policy strikes me as a timely reminder to Air Force professionals that they should be on guard when blogging, because someone is watching.

UPDATE: I'm getting a lot of conflicting data about exactly which blogs are blocked, and which ones aren't. Shoot me a note if you're currently in the Air Force, and would like to help set me straight. All off-the-record, naturally.

From rforno at infowarrior.org Fri Feb 29 02:26:53 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 28 Feb 2008 21:26:53 -0500
Subject: [Infowarrior] - RIPE NCC publishes case study of youtube.com hijack
Message-ID:

From: Daniel Karrenberg
Date: February 28, 2008 8:01:37 AM PST
To: ripe-list at ripe.net

Dear Colleagues,

As you may be aware from recent news reports, traffic to the youtube.com website was 'hijacked' on a global scale on Sunday, 24 February 2008. The incident was a result of the unauthorised announcement of the prefix 208.65.153.0/24 and caused the popular video sharing website to become unreachable from most, if not all, of the Internet.

The RIPE NCC conducted an analysis into how this incident was seen and tracked by the RIPE NCC's Routing Information Service (RIS) and has published a case study at:

http://www.ripe.net/news/study-youtube-hijacking.html

The RIPE NCC RIS is a service that collects Border Gateway Protocol (BGP) routing information from roughly 600 peers at 16 Internet Exchange Points (IXPs) across the world. Data is stored in near real-time and can be instantly queried by anyone to provide multiple views of routing activity for any point in time. The RIS forms part of the RIPE NCC's suite of Information Services, which together provide a deeper insight into the workings of the Internet.
The RIPE NCC is a neutral and impartial organisation, and commercial interests therefore do not influence the data collected. The RIPE NCC Information Services suite also includes the Test Traffic Measurement (TTM) service, the DNS Monitoring (DNSMON) service and Hostcount. All of these services are available to anyone, and most of them are offered free of charge.

More information about RIPE NCC Information Services can be found at:

http://is-portal.ripe.net

Regards,

Daniel Karrenberg
Chief Scientist, RIPE NCC

From rforno at infowarrior.org Fri Feb 29 13:52:51 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 29 Feb 2008 08:52:51 -0500
Subject: [Infowarrior] - Microsoft Altered Vista Requirements to Help Intel, E-Mail Says
Message-ID:

Microsoft Altered Vista Requirements to Help Intel, E-Mail Says
http://www.bloomberg.com/apps/news?pid=conewsstory&refer=conews&tkr=MSFT:US&sid=at_BclYjo7Og

By Dina Bass and Ian King

Feb. 29 (Bloomberg) -- Microsoft Corp. caved in to pressure from partner Intel Corp. to certify some chips as capable of running the Windows Vista operating system to help Intel meet earnings estimates, a Microsoft executive said.

The decision was made over the objection of some Microsoft officials, who expressed concern that Intel's 915 chipset wasn't capable of properly displaying Vista's graphics features, according to e-mails released Feb. 27 that were introduced as evidence in a case in Seattle.

"We lowered the requirements to help Intel make their quarterly earnings, so they could continue to sell motherboards with 915 graphics embedded," John Kalkman, a Microsoft general manager who handles relations with personal-computer makers, wrote in one message.
Microsoft's Mike Ybarra complained in another e-mail to Windows division co-President Jim Allchin that Microsoft was "caving to Intel" and "allowing Intel to drive our consumer experience." Microsoft made the decision after Intel complaints that the chipmaker was "losing orders," Microsoft Senior Vice President Will Poole said in another e-mail.

Microsoft was sued by consumers who claim the world's biggest software maker labeled some PCs as "Vista Capable" that weren't able to properly run the new operating system. Microsoft used the labels to encourage consumers to buy PCs before Vista reached stores. The software, which had been delayed, went on sale broadly in January 2007.

Intel's Denial

Intel, the biggest maker of computer processors, denied the contents of the e-mail.

"With respect to the statement in the e-mail from one John Kalkman, we have no idea who he is and we are absolutely certain he would have zero visibility into Intel's financials, Intel's financial forecasts or anything to do with any particular quarter at any time," said Chuck Mulloy, a spokesman for Santa Clara, California-based Intel.

Microsoft, based in Redmond, Washington, confirmed the authenticity of the e-mails and said in a statement that the comments "reflect part of an active discussion about how best to implement the Windows Vista Capable program." Employees "raised concerns and addressed issues with the intent to make this program better for our business partners and valuable for customers," Microsoft said.

Vista Capable

At issue in the case, filed March 29, 2007, is whether Microsoft permitted labeling PCs "Vista Capable" even if they could only run the Vista Basic version, the low-end variety that doesn't include the new graphics system. Some consumers bought PCs and tried to run more intensive versions of Vista, expecting it to work based on the labels. District Court Judge Marsha Pechman gave the case class-action status on Feb. 22.
Vista's Aero graphics system, which included 3-D and transparent effects, is a key feature in most versions of Vista. It requires more advanced graphics chips.

An e-mail to Microsoft Chief Executive Officer Steve Ballmer just weeks after Vista reached stores indicated Intel was having difficulty because its chipsets weren't working well with Vista.

"Intel has the biggest challenge," wrote Steven Sinofsky, a senior vice president tasked with leading Windows development after Vista was largely completed. "Their 945 chipset, which is the baseline Vista set, 'barely' works right now and is very broadly used. The 915 chipset, which is not Aero capable, is in a huge number of laptops."

'Got Burned'

Windows Product Management Vice President Mike Nash, in another e-mail released in the case, said he was confused by the labels too. He bought a laptop with the 915 chips and found it wouldn't run Vista's new graphics system.

"I personally got burned by the Intel 915 chipset issue on a laptop," Nash said in an e-mail to other Windows and PC relations executives. "I chose my laptop because it had the Vista logo and was pretty disappointed. I now have a $2,100 e-mail machine."

Microsoft fell 33 cents to $27.93 yesterday in Nasdaq Stock Market trading. Intel dropped 28 cents to $20.49.

In the fourth quarter of 2006, Intel reported a 39 percent drop in net income, to $1.5 billion, on a 5 percent decline in sales. Net income rose 21 percent to $1.64 billion in the first quarter of 2007 as revenue declines slowed.

Intel's chipsets are packages of semiconductors that work with its processors to control functions in the computer, including graphics and sound. Most corporate PCs rely on such chips for their graphics, rather than dedicated chips made by companies such as Nvidia Corp., which are more powerful.
To contact the reporter on this story: Dina Bass in Seattle at dbass2 at bloomberg.net; Ian King in San Francisco at ianking at bloomberg.net

From rforno at infowarrior.org Fri Feb 29 13:56:39 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 29 Feb 2008 08:56:39 -0500
Subject: [Infowarrior] - MS cuts Vista prices on horrible retail sales
Message-ID:

Microsoft cuts Vista prices to urge upgrades
Friday February 29, 2:43 am ET
http://biz.yahoo.com/rb/080229/microsoft_vista.html?.v=3

SEATTLE (Reuters) - Microsoft Corp (NasdaqGS:MSFT - News) said on Thursday it plans to cut prices of its Windows Vista operating system sold at retail outlets in a move aimed at pushing customers to switch to the newest version of Windows.

The world's largest software maker said it plans to lower retail prices for Vista in 70 countries later this year in tandem with the shipment of the first major update to Vista, known as Service Pack 1 (SP1).

Packaged versions of Windows Vista sold at stores and on the Web account for less than 10 percent of all licenses of the dominant Windows operating system that sits on more than 90 percent of the world's personal computers. Most consumers opt to buy a new PC, which comes preloaded with the latest version of Windows.

"We anticipate these changes will provide greater opportunities ... to sell more stand-alone copies of Windows," said Brad Brooks, a Microsoft corporate vice president.

In the United States, Microsoft will reduce prices for Windows Vista Ultimate, the company's top-end operating system, to $319 from $399 for the full version and cut the price for an "upgrade" version to $219 from $259 for consumers who already run Windows XP or another edition of Vista. It also cut prices for upgrade versions of Vista Home Premium, its mainstream product, to $129 from $159. The price cuts vary by country.
In emerging markets, Microsoft will stop selling "upgrade" versions of Vista, because, for many customers, it will be the first purchase of a genuine copy of Windows. The company will instead sell Vista Home Premium and Home Basic, a stripped-down version, at the upgrade prices.

Microsoft has sold more than 100 million licenses of Vista since its January 2007 release and its adoption has underpinned strong earnings results at the company in recent quarters. Nonetheless, some consumers have raised issues with Vista's performance, stringent hardware requirements and lack of support for other software and devices like printers. Microsoft said it would continue to sell Windows XP until June 2008, delaying a scheduled transition to Vista.

Brooks, who oversees consumer marketing of Vista, said he is confident the company can bring in enough new customers to offset the revenue declines from lowering prices after seeing the results of a recent three-month promotional trial of lower Vista prices.

The announcement comes on the heels of sales data that showed a 30 percent drop in money spent for software at U.S. retailers in January, according to market research firm NPD. Microsoft said the announcement is unrelated to the sales data, which the company said could be a result of inventory build-up after the holiday shopping season.

(Reporting by Daisuke Wakabayashi, editing by Leslie Gevirtz)

From rforno at infowarrior.org Fri Feb 29 17:19:17 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 29 Feb 2008 12:19:17 -0500
Subject: [Infowarrior] - OT: Internet Crash Video
Message-ID:

Some Friday humor for you. Enjoy!
http://www.youtube.com/watch?v=z4vDClhnJjs

From rforno at infowarrior.org Fri Feb 29 21:50:12 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 29 Feb 2008 16:50:12 -0500
Subject: [Infowarrior] - US says military hotline with China likely within weeks
Message-ID:

US says military hotline with China likely within weeks
Feb 29 11:39 AM US/Eastern
http://www.breitbart.com/article.php?id=080229153930.2mavsec7&show_article=1

The United States and China aim to set up a telephone hotline between their militaries within a month following an agreement signed Friday, the US defence department said.

The deal was signed in Shanghai alongside another one giving the United States access to China's military archives to search for missing servicemen from the Korean War and other conflicts, the official said.

"We welcome this important step forward in enhancing communication between our militaries," the US defence department said in a statement. "The (hotline) will be a useful tool to make contact quickly, clarify issues, and avoid miscalculations."

It added that the agreement allowed the two sides to move forward on installing the equipment over the next few weeks, meaning the hotline would probably become operational within a month.

A US defence department official told AFP the signing ceremonies took place at noon. The official could not comment further, but more details were expected at a briefing in Shanghai on Saturday.

The military hotline was first floated by the United States in 2003, and US President George W. Bush reached agreement on the link when meeting his Chinese counterpart Hu Jintao at a regional forum in Sydney in September. The two nations discussed the issue further in November last year when US Defence Secretary Robert Gates visited Beijing.

In November, the two sides agreed to expand educational exchanges and military cooperation through a number of other methods, including joint naval exercises.
The line will be China's first direct military telephone link with another country. US and Chinese heads of state have been able to communicate over a similar hotline since the late 1990s. In 2004, a direct telephone link was set up between the US secretary of state and the Chinese foreign minister.

In the other agreement on Friday, US officials will be allowed access to some of China's military archives to help in the search for thousands of servicemen who went missing in conflicts since World War II.

The United States believes that those records could help determine the fate of American servicemen who died in captivity, said Charles Ray, deputy assistant secretary of defence for POW/Missing Personnel Affairs. The Korean War is especially important because China entered the conflict on North Korea's side in 1950 and ran many POW camps.

"The two militaries, through friendly consultation, have reached the following arrangement to develop military archives cooperation to search for information relating to US military personnel missing in action before, during, and after the Korean War," he said.

More than 33,000 US troops were killed during the Korean War while about 8,100 are still listed as missing in action.

Copyright AFP 2008, AFP stories and photos shall not be published, broadcast, rewritten for broadcast or publication or redistributed directly or indirectly in any medium
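Returning to the RIPE NCC message earlier in this digest: the youtube.com outage was a more-specific prefix hijack. An unauthorised party announced 208.65.153.0/24, a /24 inside the block the site was actually reachable through, and because BGP forwards on the longest matching prefix, every network that accepted the /24 sent YouTube-bound traffic to the hijacker regardless of the legitimate covering route. The block below is an added example of the two checks a collector-side monitor (the kind of thing one would run over RIS data) performs against that pattern; it is not RIPE NCC or RIS code. The update records, collector peer names, timestamps and all AS numbers (the legitimate origin and the hijacking AS alike) are assumed values constructed for illustration, not data from the message or the case study; only the hijacked prefix 208.65.153.0/24 comes from the note.

```python
"""Flag a more-specific prefix hijack in a stream of BGP announcements.

Added example for the RIPE NCC youtube.com note; not RIPE NCC or RIS code.
The announcements are constructed to resemble what route collectors see;
AS numbers, peer names and timestamps are assumed values for illustration.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set, Tuple


@dataclass(frozen=True)
class Update:
    ts: str                   # time the collector peer reported the announcement
    peer: str                 # collector / peer that saw it
    prefix: str               # announced prefix, e.g. "208.65.153.0/24"
    as_path: Tuple[int, ...]  # AS_PATH as received; the last element is the origin

    @property
    def origin(self) -> int:
        return self.as_path[-1]


# Prefix -> set of AS numbers allowed to originate it. An operator would fill this
# from RPKI ROAs today, or from IRR data / local knowledge in 2008.
# Assumption (constructed): AS36561 is the legitimate origin of the covering /22.
EXPECTED_ORIGINS: Dict[ipaddress.IPv4Network, Set[int]] = {
    ipaddress.ip_network("208.65.152.0/22"): {36561},
}


def classify(u: Update, expected=EXPECTED_ORIGINS) -> Optional[str]:
    """Return an alert kind for a suspicious announcement, or None if benign.

    An exact-prefix announcement from an unexpected AS is an origin mismatch.
    A more-specific from an unexpected AS is the youtube.com pattern: longest-
    prefix match makes it win over the legitimate covering route wherever it
    propagates. A more-specific from the legitimate origin (e.g. traffic
    engineering) is left alone.
    """
    net = ipaddress.ip_network(u.prefix)
    for covering, asns in expected.items():
        if net == covering:
            return None if u.origin in asns else "origin-mismatch"
        if net.subnet_of(covering):
            return None if u.origin in asns else "more-specific-hijack"
    return None


def analyse(updates: Iterable[Update],
            expected=EXPECTED_ORIGINS) -> Dict[Tuple[str, str, int], Set[str]]:
    """Group suspicious announcements by (kind, prefix, origin) -> peers that saw them.

    The count of distinct peers is the severity signal: one peer suggests a
    local leak, many peers across exchanges means global propagation.
    """
    seen: Dict[Tuple[str, str, int], Set[str]] = defaultdict(set)
    for u in updates:
        kind = classify(u, expected)
        if kind is not None:
            seen[(kind, u.prefix, u.origin)].add(u.peer)
    return dict(seen)


def best_origin(rib: Iterable[Update], addr: str) -> Optional[int]:
    """Longest-prefix match: which origin AS receives traffic for addr."""
    ip = ipaddress.ip_address(addr)
    best: Optional[Update] = None
    best_len = -1
    for u in rib:
        net = ipaddress.ip_network(u.prefix)
        if ip in net and net.prefixlen > best_len:
            best, best_len = u, net.prefixlen
    return best.origin if best else None


# Constructed sample: the legitimate /22 seen by two peers, then a /24 inside it
# announced by an unrelated origin (AS17557, an assumed value) and seen by three peers.
SAMPLE = [
    Update("2008-02-24T18:00:00Z", "rrc00-peerA", "208.65.152.0/22", (3333, 36561)),
    Update("2008-02-24T18:00:00Z", "rrc03-peerB", "208.65.152.0/22", (3356, 36561)),
    Update("2008-02-24T18:47:45Z", "rrc00-peerA", "208.65.153.0/24", (3333, 3491, 17557)),
    Update("2008-02-24T18:47:46Z", "rrc03-peerB", "208.65.153.0/24", (3356, 3491, 17557)),
    Update("2008-02-24T18:47:47Z", "rrc12-peerC", "208.65.153.0/24", (6939, 3491, 17557)),
]

if __name__ == "__main__":
    for (kind, prefix, origin), peers in analyse(SAMPLE).items():
        print(f"{kind}: {prefix} from AS{origin}, seen by {len(peers)} peer(s)")
    print("208.65.153.238 before the /24:", best_origin(SAMPLE[:2], "208.65.153.238"))
    print("208.65.153.238 after the /24: ", best_origin(SAMPLE, "208.65.153.238"))
```

The `best_origin` check is the part worth internalising: with only the /22 in the table every address in the block resolves to the legitimate origin, and as soon as the /24 is accepted the addresses inside it flip to the hijacker while the rest of the /22 is untouched, which is exactly why a single unauthorised /24 could take a site off most of the Internet without anyone withdrawing the real route. The `analyse` grouping by distinct peers is what turns a single collector's view into a propagation estimate; a real monitor would also track withdrawals so that it can report when the bogus route disappears.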