From rforno at infowarrior.org Tue Jan 1 03:02:30 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 31 Dec 2007 22:02:30 -0500
Subject: [Infowarrior] - FW: Feds Release Pass Card details
In-Reply-To: <49318DDC-7829-4B63-A613-E26AA3E09F6E@cs.cmu.edu>
Message-ID:

------ Forwarded Message
From: "Brock N. Meeks"
Date: December 31, 2007 4:13:01 PM EST
Subject: Feds Release Pass Card details

The government has dragged its feet in releasing the final details about this Pass Card technology, and now they dump it into the Federal Register on the last day of the year. The government has decided to go with a technology that is more suited to tracking inventory and can be read from up to 20 feet away. Govt. officials counter by saying privacy protections will be built into the cards.

The AP filed this story today:

Passport card technology criticized
By EILEEN SULLIVAN
Associated Press Writer

WASHINGTON -- Passport cards for Americans who travel to Canada, Mexico, Bermuda and the Caribbean will be equipped with technology that allows information on the card to be read from a distance.

The technology was approved Monday by the State Department and privacy advocates were quick to criticize the department for not doing more to protect information on the card, which can be used by U.S. citizens instead of a passport when traveling to other countries in the western hemisphere.

The technology would allow the cards to be read from up to 20 feet away. This process only takes one or two seconds, said Ann Barrett, deputy assistant secretary for passport services at the State Department. The card would not have to be physically swiped through a reader, as is the current process with passports.

The technology is "inherently insecure and poses threats to personal privacy, including identity theft," Ari Schwartz, of the Center for Democracy and Technology, said in a statement.

Schwartz said this specific technology, called "vicinity read," is better suited for tracking inventory, not people.

The State Department said privacy protections will be built into the card. The chip on the card will not contain biographical information, Barrett said.

[snip]

As seen in the Ft. Worth Star-Telegram
http://www.star-telegram.com/464/story/384245.html

From rforno at infowarrior.org Tue Jan 1 03:10:50 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 31 Dec 2007 22:10:50 -0500
Subject: [Infowarrior] - Redacted Air-Traffic Safety Survey Released
Message-ID:

Redacted Air-Traffic Safety Survey Released
NASA Downplays Pilots' Complaints About Fatigue, Security

By Del Quentin Wilber
Washington Post Staff Writer
Tuesday, January 1, 2008; D01
http://www.washingtonpost.com/wp-dyn/content/article/2007/12/31/AR2007123101689_pf.html

NASA yesterday released partial results of a massive air-safety survey of airline pilots who repeatedly complained about fatigue, problems with air-traffic controllers, airport security, and the layouts of runways and taxiways.

Reacting to criticism about its initial decision to withhold the database for fear of harming airlines' bottom lines, NASA released a heavily redacted version of the survey on its Web site yesterday afternoon. But the space and aeronautics agency published the information in a way that made it difficult to analyze.

NASA Administrator Michael Griffin told reporters in a conference call that the agency had no plans to study the database for trends. He said NASA conducted the survey only to determine whether gathering information from pilots in such a way was worthwhile.

Despite the lack of analysis by NASA scientists, Griffin said there was nothing in the database that should concern air travelers.

"It's hard for me to see any data the traveling public would care about or ought to care about," he said. "We were asked to release the data, and we did."
The NASA database, which included more than 10,000 pages of information, was based on extensive telephone polling of airline and general aviation pilots about incidents ranging from engine failures and bird strikes to fires onboard planes and encounters with severe turbulence. The survey cost about $11 million and was conducted from 2001 to 2004.

The survey included narrative responses by pilots, but NASA released the information in such a way as to make it impossible to determine details of what the pilots were describing.

The narratives sometimes included terse answers such as "fatigue" and "crew rest." Others were slightly more extensive. "Pilots asleep on flight deck is a problem," one pilot said. Another suggested that survey workers ask pilots how often they fall asleep in the cockpit.

The reports included discussions of pilots' difficulties in talking to controllers in busy airspace. Air traffic control "capacity inadequate to handle traffic load," one pilot reported. "There are too many people on the frequency, and they are causing a safety problem," another pilot responded.

NASA had refused to release the data several months ago in response to a request by the Associated Press, saying publication might affect the public's confidence in the airlines. NASA was roundly criticized by members of Congress and aviation safety experts for refusing to publish the survey.

Rep. Bart Gordon (D-Tenn.), chairman of the House Science and Technology Committee, said yesterday that the agency should not have redacted so much of the data nor released it in a format that made it difficult to analyze. He promised more hearings into the matter.

"It was just an effort to get something out the door rather than a serious effort to provide transparency," Gordon said. "It was heavily redacted, and there is not much usefulness to the data until we get more information."

Jim Hall, a former chairman of the National Transportation Safety Board, also criticized the way NASA released its database.

"When a government agency is not transparent with the American people, particularly on an issue like safety, they are not fulfilling their responsibilities and earning their pay," Hall said.

The debate over the database comes as U.S. commercial aviation is enjoying its safest period in history, according to Federal Aviation Administration officials. The last major fatal U.S. air crash occurred in August 2006.

FAA officials said they had no plans to launch an independent study of the survey. But the FAA is looking at ways to "integrate the data with the existing data we have," said Laura Brown, an FAA spokeswoman.

Outside safety experts said analyzing the database could provide helpful clues that might prevent a crash.

"I hope that somebody will have the initiative to crunch the data and be able to put together trends," said John Cox, a former investigator with the Air Line Pilots Association, a major pilots union.

From rforno at infowarrior.org Tue Jan 1 03:12:02 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 31 Dec 2007 22:12:02 -0500
Subject: [Infowarrior] - Electronic Passports Raise Privacy Issues
Message-ID:

Electronic Passports Raise Privacy Issues

By Ellen Nakashima
Washington Post Staff Writer
Tuesday, January 1, 2008; A06
http://www.washingtonpost.com/wp-dyn/content/article/2007/12/31/AR2007123101922_pf.html

The federal government will soon offer passport cards equipped with electronic data chips to U.S. citizens who travel frequently between the United States and Canada, Mexico or the Caribbean. The cards can be read wirelessly from 20 feet, offering convenience to travelers but raising security and privacy concerns about the possibility of data being intercepted.
The goal of the passport card, an alternative to the traditional passport, is to reduce the wait at land and sea border checkpoints by using an electronic device that can simultaneously read multiple cards' radio frequency identification (RFID) signals from a distance, checking travelers against terrorist and criminal watchlists while they wait.

"As people are approaching a port of inspection, they can show the card to the reader, and by the time they get to the inspector, all the information will have been verified and they can be waved on through," said Ann Barrett, deputy assistant secretary of state for passport services, commenting on the final rule on passport cards published yesterday in the Federal Register.

The $45 card will be optional and cannot be used for air travel. Travelers can opt for a more secure, if more costly, e-passport that costs $97 and contains a radio frequency chip that can be read at a distance of only three inches.

Privacy and security experts said the new passport cards that transmit information over longer distances are much less secure.

"The government is fundamentally weakening border security and privacy for passport holders in order to get people through the lines faster," said Ari Schwartz, deputy director of the Center for Democracy and Technology, which submitted comments in opposition to the proposed rule, along with 4,000 others, the vast majority in opposition.

The problem with the card, Schwartz said, is that it uses a standard that wasn't meant to track people. "It's not made as an identity document," he said. "The technology they're using was designed to track goods -- pallets of toilet paper at Wal-Mart," he said.

The government said that to protect the data against copying or theft, the chip will contain a unique identifying number linked to information in a secure government database but not to names, Social Security numbers or other personal information.

It will also come with a protective sleeve to guard against hackers trying to skim data wirelessly, Barrett said.

The card is part of the Western Hemisphere Travel Initiative, aimed at strengthening border security while easing entry for citizens and legitimate visitors with standard identity documents.

Although the chip is passive and can be read only when a reader pings it, a reader with a strong battery can detect the chip's signal from as far as 40 feet away, Schwartz said. It can easily be cloned, posing the risk that a hacker could make a duplicate card to fool a border agent, he said.

Avi Rubin, a professor at Johns Hopkins University, said that two years ago, he duplicated an RFID chip in his "speedpass" used for buying gas, copied the information onto a laptop and, after extending a radio antenna from the laptop out the car door, was able to buy gas with the cloned RFID chip.

Randy Vanderhoof, executive director of the Smart Card Alliance, represents technology firms that make another kind of RFID chip, one that can only be read up close, and he is critical of the passport card's technology. It offers no way to check whether the card is valid or a duplicate, he said, so a hacker could alter the number on the chip using the same techniques used in cloning.

"Because there's no security in the numbering system, a person who obtains a passport card and is later placed on a watchlist could easily alter the number on the passport card to someone else's who's not on the watchlist," Vanderhoof said.

Last year, the Government Accountability Office reviewed technology similar to that used in the passport cards. The report found low read rates and said the technology should be used only to track goods, not to identify people.

The State Department hopes to begin issuing the cards in the spring.
For more information, go to http://www.travel.state.gov

From rforno at infowarrior.org Tue Jan 1 03:14:35 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 31 Dec 2007 22:14:35 -0500
Subject: [Infowarrior] - USAF Cyber Command launches its Web site
Message-ID:

Cyber Command launches its Web site

By Erik Holmes - Staff writer
Posted : Monday Dec 31, 2007 8:16:38 EST
http://www.airforcetimes.com/news/2007/12/airforce_cyber_web_071228w/

The new Air Force command that is dedicated to winning the information war in cyberspace now has a presence -- where else? -- on the Web.

Air Force Cyber Command launched its Web site last week, said command spokesman Capt. Rob Goza.

The site uses the same template and therefore has the same look and structure as all Air Force Web sites, he said. It has the command logo -- an armored hand holding three red lightning bolts and an olive branch -- above the words "freedom of action," "decision superiority" and "network domination."

The site features Cyberspace 101, a primer defining cyberspace and the command's mission, as well as videos about the Air Force's newest domain.

Cyber Command, commanded by Maj. Gen. William T. Lord, stood up on a provisional basis Sept. 18. It is located at Barksdale Air Force Base, La., at least for the time being. It is scheduled to stand up as a permanent major command in October 2008.

From rforno at infowarrior.org Tue Jan 1 14:49:57 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 01 Jan 2008 09:49:57 -0500
Subject: [Infowarrior] - Australia announces mandatory Net filters
Message-ID:

Conroy announces mandatory internet filters to protect children
http://www.abc.net.au/news/stories/2007/12/31/2129471.htm

Posted Mon Dec 31, 2007 2:45pm AEDT
Updated Mon Dec 31, 2007 8:33pm AEDT

Senator Conroy says the Government will work with the industry to ensure the filters do not affect the speed of the internet [File photo]. (AAP: Alan Porritt)

Telecommunications Minister Stephen Conroy says new measures are being put in place to provide greater protection to children from online pornography and violent websites.

Senator Conroy says it will be mandatory for all internet service providers to provide clean feeds, or ISP filtering, to houses and schools that are free of pornography and inappropriate material.

Online civil libertarians have warned the freedom of the internet is at stake, but Senator Conroy says that is nonsense.

He says the scheme will better protect children from pornography and violent websites.

"Labor makes no apologies to those that argue that any regulation of the internet is like going down the Chinese road," he said.

"If people equate freedom of speech with watching child pornography, then the Rudd-Labor Government is going to disagree."

Senator Conroy says anyone wanting uncensored access to the internet will have to opt out of the service.

He says the Government will work with the industry to ensure the filters do not affect the speed of the internet.

"There are people who are going to make all sorts of statements about the impact on the [internet] speed," he said.

"The internet hasn't ground to a halt in the UK, it hasn't ground to a halt in Scandinavian countries and it's not grinding the internet to a halt in Europe.

"But that is why we are engaged constructively with the sector, engaging in trials to find a way to implement this in the best possible way and to work with the sector."
From rforno at infowarrior.org Tue Jan 1 16:48:45 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 01 Jan 2008 11:48:45 -0500
Subject: [Infowarrior] - DTV converter coupons from the USG available
In-Reply-To:
Message-ID:

Feds share coupons to help TV transition

By JOHN DUNBAR, Associated Press Writer
Mon Dec 31, 6:18 PM ET

Millions of $40 government coupons become available Tuesday to help low-tech television owners buy special converter boxes for older TVs that might not work after the switch to digital broadcasting.

Beginning Feb. 18, 2009, anyone who does not own a digital set and still gets their programming via over-the-air antennas will no longer receive a picture. That's the day the television industry completes its transition from old-style analog broadcasting to digital.

The converter boxes are expected to cost between $50 and $70 and will be available at most major electronics retail stores.

Starting Tuesday, the National Telecommunications and Information Administration will begin accepting requests for two $40 coupons per household to be used toward the purchase of the boxes. Viewers who have satellite or cable service will not need a box.

To request a coupon, consumers can apply online at http://www.dtv2009.gov starting Tuesday. The government also has set up a 24-hour hotline to take requests, 1-888-DTV-2009 (1-888-388-2009).

< - >

From rforno at infowarrior.org Tue Jan 1 22:58:37 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 01 Jan 2008 17:58:37 -0500
Subject: [Infowarrior] - Microsoft offers peek into "juicy" flaw details
Message-ID:

Microsoft offers peek into "juicy" flaw details

Published: 2007-12-28
http://www.securityfocus.com/brief/651?ref=rss

Microsoft launched a blog on Thursday, promising to use the online bulletin board to keep its customers abreast of the "juicy spill-over technical stuff" found by the company's vulnerability researchers.

The blog, titled "Security Vulnerability Research and Defense," will host a variety of technical elements -- such as complicated workarounds, debugging techniques and information on vulnerability triage -- that do not regularly make it into Microsoft's security bulletins, the company stated. The software giant posted two analyses of vulnerabilities patched earlier this month.

"During our vulnerability research, we discover a lot of interesting technical information," a Microsoft researcher stated on the blog. "We're going to share as much of that information as possible here because we believe that helping you understand vulnerabilities, workarounds, and mitigations will help you more effectively secure your organization."

The blog is the latest change in the way that Microsoft informs its users about security flaws and patches. In May, the software titan modified the layout of its bulletins and started giving more information about upcoming advisories through its Advanced Notification Service. Microsoft has found that the number of high severity vulnerabilities slightly decreased in the first six months of 2007.

Earlier this month, Microsoft published its final regularly scheduled patches for the year, bringing the total number of bulletins published by the company to 69 in 2007.
From rforno at infowarrior.org Wed Jan 2 01:04:39 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 01 Jan 2008 20:04:39 -0500
Subject: [Infowarrior] - Enough with the "my" moniker...
Message-ID:

For better or worse, the local FOX station here in DC is doing a full-court press to offer all things digital to everyone. While it's a common thing for local news stations to undertake such ventures, FOX seems stuck in the mid-1990s. Specifically, their main website is "myfoxdc.com" and their various subordinate 'sites' (really linked/hosted services) like "mydctrafficcameras" or "myweatherphotos" are offered as well.

For no reason in particular I sat through an hour of their local news tonight and was amazed at how much they hyped the "MY-(whatever)" services they offer both during their newscast and commercial breaks. Is it just me, or is the "my" moniker so Windows 95-ish? "My Documents", "My Computer", "My Network Places", and now "My Traffic Cameras", "My Fox DC", and "My Weather Photos"?? Enough! Like the i-prefix, it's an outdated term meant to convey a sense of hipness and webification.

Given the station's HUGE push toward user-generated content such as blogs and videos, I was curious what their Terms of Service relating to these services says. To my surprise, they're taking the same view that GeoCities, Yahoo, and others did years ago with regard to blogs and website hosting. To wit:

"You agree that any content you post becomes the property of FIM. You understand and agree that FIM and its parent and affiliated companies may use, publish, copy, sublicense, adapt, edit, distribute, publicly perform, display and delete the content you post as they see fit. This right will terminate at the time you remove such content from the Site. Notwithstanding the foregoing, a back-up or residual copy of the content posted by you to the Site may remain on the FIM servers after you have removed such content from the Site, and FIM retains the rights to those copies."

(Source: http://community.myfoxdc.com/blogs/blogrules.aspx)

Translation: "Anything you post or send to us, we own and can use as we see fit forever and owe you nothing for it."

IMHO companies (news or whomever) engaging in such practices under the guise of the current user-content-is-king philosophy (ie, Web2.0) are simply applying Web1.0 (if not outdated industrial age) policies to such ventures.....and still don't understand the nature of the Internet age.

Bleh.

-rick

From rforno at infowarrior.org Wed Jan 2 01:14:12 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 01 Jan 2008 20:14:12 -0500
Subject: [Infowarrior] - Some China firms avoid U.S. technology transfer licenses
Message-ID:

Some China firms avoid U.S. technology transfer licenses

By Steven R. Weisman
Tuesday, January 1, 2008
http://www.iht.com/bin/printfriendly.php?id=8978324

WASHINGTON: Six months ago, the U.S. government quietly eased some restrictions on the export of sensitive technologies to China. The new approach was intended to help U.S. companies increase sales of high-technology equipment to China despite tight curbs on sharing technology that might have military applications.

But now the administration is facing questions from weapons experts about whether some equipment - newly authorized for export to Chinese companies deemed trustworthy by Washington - could instead end up helping China modernize its military. Equally worrisome, the weapons experts say, is the possibility that China could share the technology with Iran or Syria.

The technologies include advanced aircraft engine parts, navigation systems, telecommunications equipment and sophisticated composite materials.

The questions raised about the new policy are in a report to be released soon, possibly this week, by the Wisconsin Project on Nuclear Arms Control, an independent research foundation that opposes the spread of arms technologies.
The government's new approach is part of an overall drive to require licenses for the export of an expanded list of technologies in aircraft engines, lasers, telecommunications, aircraft materials and other fields of interest to China's military.

But while imposing license requirements for the transfer of these technologies, the administration is also validating certain Chinese companies so that they can import these technologies without licenses. Five such companies were designated in October, but as many as a dozen others are in the pipeline for possible future designation.

Mario Mancuso, the under secretary of commerce for security and industry, said the new system was resulting in more effective protections.

"We believe that the system we have set up ensures that we are protecting our national security consistent with our goal of promoting legitimate exports for civilian use," he said during an interview. "We have adopted a consistent, broad-based approach to hedging against helping China's military modernization."

But the Wisconsin Project report, made available to The New York Times, asserts that two nonmilitary Chinese companies designated as trustworthy are in fact high risk because of links to the Chinese government, the Peoples Liberation Army and other Chinese entities accused in the past of ties to Syria and Iran.

One of the Chinese companies, BHA Aerocomposite Parts, is partly owned by two U.S. companies: the aircraft manufacturer Boeing and the aerospace materials maker Hexcel, with each holding a 40 percent stake. The remaining 20 percent is owned by a Chinese government-owned company, AVIC I, or China Aviation Industry Corp. I.

"In principle you could find companies that would be above suspicion, but in this case they haven't done it," said Gary Milholin, the Washington director of the Wisconsin Project. "If you just look at the relations these companies have, rather than be above suspicion, they are highly suspicious."

The Wisconsin Project report also asserts that both Boeing and Hexcel have been cited for past lapses in obtaining proper licenses for exports.

Spokesmen for both Boeing and Hexcel said during interviews that they were fully confident that BHA had no ties to the Chinese military and that its use of aircraft parts and materials were strictly for commercial and civilian ends.

Milholin said that research by his staff had uncovered several links with the Chinese military establishment involving both BHA and another of the five companies, Shanghai Hua Hong NEC Electronics.

AVIC I, the Chinese government entity that owns a minority share of BHA, also produces fighters, nuclear-capable bombers and aviation weapons systems for the People's Liberation Army, the report says. The U.S. State Department has cited another AVIC I subsidiary, China National Aero-Technology Import & Export, for links to arms sales to Iran and Syria.

The report also says that Shanghai Hua Hong NEC Electronics is majority owned "through a corporate chain" by China Electronics, which the report says is a government conglomerate that produces military equipment along with consumer electronics. It has a subsidiary, the report says, that procures arms for the military.

Milholin said that the new administration policy granting companies the right to import some technologies without prior licenses was adopted quietly as "a stealth attack on export controls."

But Mancuso, the Commerce Department official who oversees the program, noted that the department proposed it publicly in mid-2006 and adopted it a year later after lengthy public comment by interested parties and members of Congress.

In addition, he said, no Chinese company can receive sensitive technologies - as part of a category known as "validated end users" - without a review of its record by the State, Energy and Defense departments and by relevant intelligence agencies.

The five companies designated in October, he said, were approved without dissent by these units of the government.

"China is a huge market for our commercial technology exports," Mancuso said. "Yet there are real security risks we are mindful of. We take that concern very, very seriously."

Only those companies that have "a demonstrable record of using sensitive technologies responsibly" are approved, he said. Beyond that, he said that companies for which licensing requirements had been lifted were subject to additional disclosure obligations, including on-site visits by U.S. government personnel.

Business groups that advocate greater technology-sharing with China in civilian aeronautics and other areas say that the administration has been cautious in its new policy, in particular choosing Chinese companies with U.S. partners or owners.

The three other Chinese companies announced as "validated end users" in October are Applied Materials China, a subsidiary of Applied Materials USA, a maker of semiconductors; Chinese facilities operated by National Semiconductor, an American company; and Semiconductor Manufacturing International.

From rforno at infowarrior.org Wed Jan 2 01:16:35 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 01 Jan 2008 20:16:35 -0500
Subject: [Infowarrior] - Lessig refutes ASCAP FUD over Creative Commons
Message-ID:

ASCAP's essay, "Common Understanding: 10 Things Every Music Creator Should Know About Creative Commons Licensing" nicely highlights some important considerations that any musician should review before using a CC license. Unfortunately, however, it also continues some common misunderstandings about Creative Commons. I've reprinted, and responded, to these in the extended entry below.
But before the details, there is one important fact of agreement to keep in view, and one important disagreement:

We certainly agree with ASCAP that "music creators should fully understand the terms to which they are agreeing and the implications down the line." That applies to CC licenses as much as to a recording contract. And we're as keen as anyone to make sure that understanding is there.

But it is not the case that CC asserts that "artists should give up all or some of their rights" -- if by that ASCAP means either that we believe giving up "all or some of their rights" always benefits an author or artists, or that, benefit notwithstanding, an artist should sacrifice his or her rights for the common good. Neither is correct. We know that sometimes, freer access helps. We provide tools to make it easier for artists to enable freer access. We also believe that when making creative work freely available doesn't hurt, and sometimes helps, the culture is benefited by choosing freedom rather than licensing lawyers. And finally, we believe that some forms of creative work -- e.g., the work of scientists, or governments -- should be freely available. But that normative claim is far from the work we do with the authors or artists that ASCAP deals with. Our business with respect to them is not to exhort them to charity. Artists and authors have it bad enough without a bunch of nerdy lawyer-types trying to pile on more guilt.

< - BIG SNIP - >

http://lessig.org/blog/2007/12/commons_misunderstandings_asca.html

From rforno at infowarrior.org Wed Jan 2 03:39:06 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 01 Jan 2008 22:39:06 -0500
Subject: [Infowarrior] - High school homeland security studies get noticed
Message-ID:

School's homeland security studies get noticed

By Mimi Hall, USA TODAY

JOPPA, Md. -- Call it vocational education for the 9/11 generation.

The nation's first comprehensive high school homeland security program, a three-year course to help kids land jobs in the growing anti-terrorism industry, is in its infancy in Maryland. But it's recently been attracting the attention of educators and school districts from as far away as California and Florida.

The program, started at Maryland's Joppatowne High School with 61 sophomores, provides "an opportunity for kids to see relevance to being in school," says Frank Mezzanotte of the Harford (Md.) County Public Schools. "It gives kids additional options."

Students have toured a Coast Guard command center, visited a county detection center, practiced emergency response in a fictional town called "Joppaville" and heard an Iraqi-born speaker explain cultural differences between Americans and Middle Easterners.

"We're trying to set high expectations," says student Megan Bell, 15. "We don't want to be known as just the school with the good football team. Now we have homeland security."

Other school districts are taking notice. Mezzanotte says he's been contacted by individual schools and education departments in more than a half-dozen states.

"Joppatowne broke the ground for all of us," says Lise Foran of Anne Arundel County Public Schools in Maryland. Next fall, Meade High School will begin a Homeland Security program. "We're following in Joppatowne's footsteps."

And on Wednesday, Mezzanotte will be in Las Vegas, where he has been asked to give a presentation on the program to the Association for Career and Technical Education annual conference.

Some question whether the program will teach students to be open-minded about the government's national security policies, given its goal of getting kids jobs with defense and homeland security contractors and the military. The liberal magazine Mother Jones dubbed Joppatowne "the academy of military-industrial-complex studies."

Jonathan Zimmerman, a New York University history of education professor, says "the devil lies in whether this is going to be a school for education or indoctrination."

Other educators applaud the school for taking steps to prepare kids for one of the nation's expanding job markets and for connecting what they learn in school to what's happening in the real world.

"This sounds to me like it has all the earmarks of what keeps young people in school," says former West Virginia governor Bob Wise, now head of the Alliance for Excellent Education. "It gives them the skills necessary for the modern workplace."

Find this article at:
http://www.usatoday.com/news/nation/2007-12-10-homeland_N.htm

From rforno at infowarrior.org Wed Jan 2 20:41:29 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 02 Jan 2008 15:41:29 -0500
Subject: [Infowarrior] - MS Office Drops Support For Older File Formats
Message-ID:

Microsoft Office Drops Support For Older File Formats

By Scott Gilbertson
January 02, 2008 | 9:44:23 AM
http://blog.wired.com/monkeybites/2008/01/microsoft-offic.html

You might not have noticed it yet, but the recent service pack 3 release for Microsoft Office 2003 contains a hidden "feature" -- it disables support for older Microsoft Office formats. If you've got any old Word, Excel, 1-2-3, Quattro, or Corel Draw documents hanging around your hard drive you'll need to delve into the Windows Registry to open them.

A note posted to the Microsoft Support Center says that "by default, these file formats are blocked because they are less secure," and goes on to warn that "they may pose a risk to you."

Which files are blocked depends a bit on your environment since network administrators can add whatever file formats they want to the registry, but by default it appears most files in formats which existed prior to Office 97 won't open.

The particularly annoying part of the change is that there's no easy workaround.
To get Office 2003 SP3 to open older files you'll need to hack the Windows registry. While it's easy for the casual user to dismiss this sort of break in backwards compatibility since it's unlikely they have many key documents in older formats, there are some understandably upset folks who have to maintain legacy documents in large corporate and academic networks. As one commenter points out in the Slashdot thread, the situation for large customers is quite complicated: * There is no easy way to identify the files that need conversion. Microsoft gives you no tool or flag to quickly identify old files, which share the same filename conventions as current files. Except of course to open them in Office 2K3SP3 and watch them fail. * Although bulk conversion tools exist, they cost money and they won't reach files that are secured in such a way that IT support staff can't get at them (e.g., on a CD-ROM in a locked filing cabinet). * Because a ridiculously complicated registry hack is required to enable the converters for the old documents, there's no easy way to apply it, for example as an Active Directory group policy. We're left with error-prone methods like push tools & login scripts. To add insult to injury, Microsoft's explanation for the changes doesn't wash: file formats are not insecure and cannot by themselves allow something like a buffer overflow exploit. The security vulnerability is in the program that opens the files and allows the exploits to execute. The issue then is not the older documents but that Microsoft has decided that, rather than address the insecure code in Office, it will simply disable support for the formats which could exploit those insecurities. If you're affected by the changes and want to open your documents, have a look at the registry hack; according to Microsoft it's your only option. Naturally, there's an alternative which is somewhat easier (and free): just grab a copy of OpenOffice which can handle the older file formats.
Once you've got them open, now might be a good time to convert them to ODF documents lest Office 2017 decide to again disable support for older file formats. From rforno at infowarrior.org Wed Jan 2 21:02:34 2008 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 02 Jan 2008 16:02:34 -0500 Subject: [Infowarrior] - Video: Mifare RFID vulnerabilities demonstrated Message-ID: (Note: I understand that Mifare RFID chips are what's being used for the E-Passport scheme in the US and elsewhere.......video is from a presentation at the 24th CCC event that was held in Berlin this past week.......rf) < - snip - > Mifare are the most widely deployed brand of secure RFID chips, but their security relies on proprietary and secret cryptographic primitives. We analyzed the hardware of the Mifare tags and found weaknesses in several parts of the ciphers. http://video.google.com/videoplay?docid=4252367680974396650 ....the link is on Google for now, but I'm sure there will be any number of entities trying to get it removed, so for those curious, grab it now. From rforno at infowarrior.org Wed Jan 2 21:21:09 2008 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 02 Jan 2008 16:21:09 -0500 Subject: [Infowarrior] - The Dogs of Web War In-Reply-To: Message-ID: January 2008, Vol. 91, No. 1 US armed forces face "peer" adversaries in only one area: military cyberspace. The Dogs of Web War By Rebecca Grant After years of claims and counterclaims concerning the severity of national security threats in cyberspace, the picture is at last starting to become clear. Recent jousting within cyberspace has provided clues about what to expect from combat in this new domain. For example, China has been positively identified as a source of "campaign-style" cyber attacks on Department of Defense systems. Russia, moreover, is the prime suspect in last spring's notorious cyber assault on Estonia.
Outside the military realm, too, cyber attacks are forming a persistent threat to aerospace enterprises and other parts of the US industrial base. More than ever before, cyberspace is on the minds of America's top leaders. Air Force Gen. Kevin P. Chilton, the new head of US Strategic Command, said during his confirmation hearing that "attacks impacting our freedom to operate in space and cyberspace pose serious strategic threats." Defending the nation from cyberspace attacks is STRATCOM's mission, but one of the big challenges is assessing the strategic threat and demarcating lines of response. It all begins with knowing the adversary. China is at the top of most lists of nations with advanced cyber capability, and the will to use it. Because of the overall tenor of military competition with China, every report of Chinese activity raises hackles. In fact, there's been a steady level of reported skirmishing in cyberspace this decade. < - > http://afa.org/magazine/jan2008/0108dogs.html From rforno at infowarrior.org Thu Jan 3 00:14:16 2008 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 02 Jan 2008 19:14:16 -0500 Subject: [Infowarrior] - The New Cyber General Message-ID: DefenseTech The New Cyber General http://www.defensetech.org/archives/003930.html During a media conference on November 2, 2007, Secretary of the Air Force Michael W. Wynne said the 8th Air Force would become the new Air Force Cyber Command. Now this statement has become reality. A three-star general, Lt. Gen. Robert Elder Jr. is the commander and will lead the Air Force's (AFCYBER) Cyber Command. AFCYBER will have over 20,000 personnel, and the Air Force is recruiting officers and airmen from all over for careers in Cyber War. Thousands of existing air force electronic warfare specialists will be assigned, or offered, jobs in AFCYBER.
This will include units operating in the full spectrum of electronics and the electromagnetic spectrum to store, modify, and exchange data via networked systems and associated physical infrastructures. The complement of high tech equipment includes the following: U2 strategic reconnaissance aircraft; EC-135 electronic-eavesdropping aircraft; EC-130E Commando Solo radio/TV broadcasting aircraft; EC-130H Compass Call radio-jamming aircraft. A cyber attack can be launched from anywhere and at anytime. A cyber weapon attack requires no physical access (land or air) to the target or targets or significant skill. Basic cyber weapons are openly shared via the internet today. Technolytics conducted analysis of the evolution of cyber weapons and determined we are currently moving from basic weapons like vulnerability exploits and traditional viruses to more advanced classes of weapons such as self-morphing malicious code. The U.S. Air Force is currently training 40,000 Cyber Warriors that make up this unique force. The cyber war training program will take from six to 15 months to complete. The first Undergraduate Network Warfare Training Class graduated Dec. 7, 2007. They are representing the Air Force's expansion into the lead role in cyberspace threat management. It is estimated that it will take over seven years to get the full complement of staff trained. The training coupled with experience will combine to give them what they need to perform their critical mission. Not all of the people trained as Cyber Warriors will be in the 8th Air Force. Many will be assigned throughout the Air Force to take care of Cyber War needs of their units. We are developing a new breed of soldier: cyber soldiers are ones who engage in cyber conflicts, wars, or espionage. They are armed with hackers' skill and knowledge and newly developed cyber weapons and stand ready to defend our nation against cyber threats.
Construction of a Cyber Innovation Center (CIC), which would serve as the civilian counterpart to the AFCYBER, began in the fourth quarter of 2007. The CIC will be built on a 58-acre site, near Barksdale Air Force Base. Bossier City, LA has allotted $50 million USD for the construction, while the state of Louisiana has matched the financing and approved another $50 million. While many believe that Barksdale Air Force Base will be the HQ for AFCYBER, others are not so sure. Officials from six states are competing over the headquarters location of the Air Force's Cyberspace Command, which promises thousands of jobs and millions in revenue. Lobby efforts have turned into an all out war between several Air Force towns in recent weeks. This is coupled with rumors that Capitol Hill is discussing establishing a new department or agency to deal with cyber threats. The final decision about the location of AFCYBER should be made by the end of February 2008. The new command is expected to reach initial operational capability late in 2008 and become fully operational by October 2009. While the location of and reporting responsibility for AFCYBER seem a bit uncertain, what is certain is that the threat we face from the build up of cyber weapons by more than 120 countries is very real. -- Kevin Coleman January 2, 2008 09:08 AM | From rforno at infowarrior.org Thu Jan 3 03:08:31 2008 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 02 Jan 2008 22:08:31 -0500 Subject: [Infowarrior] - Regulating the Japanese cyberspace, one step at a time Message-ID: Regulating the Japanese cyberspace, one step at a time Thursday, December 27, 2007 by shioyama With little fanfare from local or foreign media, the Japanese government made major moves this month toward legislating extensive regulation over online communication and information exchange within its national borders.
In a series of little-publicized meetings attracting minimal mainstream coverage, two distinct government ministries, that of Internal Affairs and Communications (Somusho) and that of Education, Culture, Sports, Science and Technology (Monbukagakusho), pushed ahead with regulation in three major areas of online communication: web content, mobile phone access, and file sharing. < - BIG SNIP - > http://gyaku.jp/en/index.php?cmd=contentview&pid=000320 From rforno at infowarrior.org Thu Jan 3 03:36:21 2008 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 02 Jan 2008 22:36:21 -0500 Subject: [Infowarrior] - A note (plea) for the indie music community Message-ID: (c/o Anonymous) The following is part of a well-written farewell note penned by the owner of an indie music store (Strangeland) in the DC area that's closing down later this spring. His heartfelt comments present a disturbing picture of the current state (and likely future) of the indie music scene and I thought them worthy enough to repost to the list.....sadly, it's not the first such note I've seen like this in recent years, either. :( --rick < - > The independent music scene is dying a very painful death right now and it's dying at the hands of its alleged fans. Downloading/piracy from major labels may strike a blow against "the man", but doing the same for independent/underground music is KILLING those that make and make available that type of music, from the bands to the labels, the promoters to the shop & venue owners. Right now downloading is at the "fall of Rome" stage, with people ravenously downloading anything they can get their hands on, downloading stuff that they don't even get around to listening to just so that they can brag about how many songs they have. At the same time fewer people are pulling themselves away from their computers (Tivos, Nintendo Wiis, online gaming, etc.) to see, support and buy merch from bands who are struggling to tour at all before going back to their day jobs.
The effects of this detrimental behavior won't be truly felt until a couple years from now. As the support structure for underground music continues to erode at an exponential rate, indie labels/shops/magazines will continue to fold. As show attendance continues to decline, fewer bands will tour and venues will shut down. As club attendance continues to decline, once popular club events will cease to be. And certainly the effects will be TRULY FELT when all that remains on the desolate musical landscape is local level MySpace band demos and major label pop fodder, with nothing in between, thus robbing us of the next generation VNV Nation, Jesu, Rancid, Dimmu Borgir, etc. You can only rape independent music for so long before nothing is left. Without support, art ceases to exist. So I urge you from the bottom of my heart, please support the bands you like. Buy their albums. See them live. Buy merch at their shows (very often this means dinner and gas money to them). In the end this is a very small price to pay in order to keep good independent music going. (NOTE: The store owner's complete letter is at: http://strangelandrecs.livejournal.com/11979.html -- please note that while his letter includes notice of upcoming events and sales, I receive no compensation by mentioning them here......--rf) From rforno at infowarrior.org Thu Jan 3 13:21:16 2008 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 03 Jan 2008 08:21:16 -0500 Subject: [Infowarrior] - China Limits Providers of Internet Video Message-ID: China Limits Providers of Internet Video Thursday January 3, 7:54 am ET By Min Lee, AP Entertainment Writer http://biz.yahoo.com/ap/080103/china_internet_video.html?.v=7 HONG KONG (AP) -- China has decided to restrict the broadcasting of Internet videos -- including those posted on video-sharing Web sites -- to sites run by state-controlled companies and require providers to report questionable content to the government.
It wasn't immediately clear how the new rules would affect YouTube and other providers of Internet video that host Web sites available in China but are based in other countries. The new regulations, which take effect Jan. 31, were approved by both the State Administration of Radio, Film and Television and the Ministry of Information Industry and were described on their Web sites Thursday. Under the new policy, Web sites that provide video programming or allow users to upload video must obtain government permits and applicants must be either state-owned or state-controlled companies. The majority of Internet video providers in China are private, according to an explanation of the regulations posted on Chinafilm.com, which is run by the state-run China Film Group. The policy will ban providers from broadcasting video that involves national secrets, hurts the reputation of China, disrupts social stability or promotes pornography. Providers will be required to delete and report such content. "Those who provide Internet video services should insist on serving the people, serve socialism ... and abide by the moral code of socialism," the rules say. The permits are subject to renewal every three years and operators who commit "major" violations may be banned from providing online video programming for five years. The status of sites such as YouTube, a popular video-sharing site, remains in question. San Bruno, Calif.-based YouTube is available in China and runs a Chinese-language Web site, but it wasn't immediately clear if any of its computer servers are located in China. YouTube LLC, a subsidiary of Google Inc., didn't immediately respond to an e-mail from The Associated Press seeking comment. Tudou.com, which claims to be China's largest video sharing Web site, also didn't immediately respond to an e-mail requesting comment.
The effect of Chinese laws on American Internet companies operating in the country recently came under the spotlight as two Chinese journalists were jailed after Yahoo Inc. provided Chinese authorities with information about their online activities. Both journalists are serving 10-year prison sentences. In November, Yahoo settled a lawsuit, agreeing to pay the attorneys' fees of the journalists. Yahoo also said it would "provide financial, humanitarian and legal support to these families." No other details of the settlement were disclosed. From rforno at infowarrior.org Thu Jan 3 13:27:23 2008 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 03 Jan 2008 08:27:23 -0500 Subject: [Infowarrior] - Netflix, DRM, and problems Message-ID: Yet another detailed posting about why DRM is more problematic than it's worth to everyone involved along the food chain: http://davisfreeberg.com/2008/01/03/bad-copp-no-netflix/ From rforno at infowarrior.org Thu Jan 3 13:32:08 2008 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 03 Jan 2008 08:32:08 -0500 Subject: [Infowarrior] - Privately-held Weather Channel up for sale Message-ID: Chain Said to Seek Bids for Weather Channel By ANDREW ROSS SORKIN http://www.nytimes.com/2008/01/03/business/media/03weather.html?_r=1&oref=slogin&pagewanted=print The Weather Channel, one of the last privately owned cable channels, is being put up for sale and could fetch more than $5 billion, according to people briefed on the auction. The channel and its rapidly growing Web site, weather.com, are already attracting interest from some of the biggest names in media, including NBC, a unit of General Electric; the News Corporation; and Comcast, these people said. The sale of the Weather Channel, these people said, is part of a larger breakup of its parent, Landmark Communications, a privately held company controlled by the Batten family of Norfolk, Va., which also owns daily newspapers and other media properties.
Landmark's newspaper holdings include The Virginian-Pilot in Norfolk, The News & Record of Greensboro, N.C., and The Roanoke Times in Virginia, as well as 50 other community newspapers. The company, which does not release its earnings, generated $1.75 billion in revenue in 2006 and has 12,000 employees, according to Hoover's. JPMorgan Chase is advising Landmark on the sale of the Weather Channel, and Lehman Brothers is advising the company on the sale of its other media assets, people briefed on the process said. A spokesman for Landmark could not be reached. The sale of the Weather Channel, once written off as a dull network for weather buffs, could become especially heated as it is one of the few remaining basic cable channels available for sale. One potential suitor approached by Landmark described the Weather Channel as "beachfront property." Its audience has mushroomed as the channel has expanded its coverage of hurricanes and other storms around the world and created programming about climate change, taking an aggressive and sometimes controversial role in the global warming debate. The channel is also a godsend for advertisers. Like live sports, it is largely immune from TiVos and other digital video recorders. The channel has 800 employees; 125 are meteorologists. Perhaps more appealing for some big media companies may be the Weather Channel's Web business, which was started in 1995. Weather.com ranks as the nation's 18th-largest media site by traffic, with more than 32 million unique users in November, according to Nielsen/NetRatings. That is bigger than CNN and Facebook. Weather.com has partnerships with dozens of big media companies. In October, the site struck a deal to provide forecasts to MySpace, a unit of the News Corporation. The company also has deals with Yahoo and AOL. Among the Weather Channel's suitors, NBC is expected to compete aggressively, people involved in the auction said.
NBC has a weather-related unit called NBC Weather Plus, a joint project of NBC News and NBC affiliates, but the venture has never taken off. NBC Weather Plus includes a cable channel, frequently available only on digital cable platforms and high on the dial, along with a Web site, weatherplus.com. Fox, a unit of the News Corporation, has also expressed interest in the Weather Channel, which it could link with its Fox News cable channel and its hundreds of affiliates. Other big media companies like Comcast, which is increasingly looking to add content, may participate in the auction as well. Time Warner and perhaps even Yahoo could also jump in. Media companies have expressed interest in the Weather Channel before. In an interview last June, Debora J. Wilson, the Weather Channel's chief executive, said: "Every media conglomeration has approached Landmark, and there's never been a yes. We actually think that we're stronger being independent." Ms. Wilson added that she was glad to avoid the "distractions" that would come with being part of a larger company. "We like focusing on what we do." The breakup and sale of Landmark Communications would spell the end of a small but storied fixture in the media landscape. The company was formed at the turn of the 20th century when Samuel L. Slover acquired The Newport News Times-Herald in Virginia. Mr. Slover's nephew, Frank Batten, the former chairman, took over the company in 1954. Over the years, Mr. Batten bought and sold newspapers and television affiliates in the South and Midwest. It is unclear how big the appetite will be for the company's remaining newspaper assets, though community newspapers have fared much better than large dailies in recent years. Of course, Mr. Batten's best investment was the creation of the Weather Channel in 1982. In his memoir, "The Weather Channel: The Improbable Rise of a Media Phenomenon," Mr. Batten wrote: "Our first year was full of crises and a full-fledged near-death experience,"
but eventually "narrowcasting, the long-delayed potential of cable television, has become a reality." From rforno at infowarrior.org Thu Jan 3 13:40:00 2008 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 03 Jan 2008 08:40:00 -0500 Subject: [Infowarrior] - 2007 International Privacy Ranking (PI.Org) Message-ID: Leading surveillance societies in the EU and the World 2007 28/12/2007 The 2007 International Privacy Ranking http://tinyurl.com/ywpp9y Summary of key findings (Please note that "worst ranking" and "lowest ranking" denote countries that exhibit poor privacy performance and high levels of surveillance.) * The 2007 rankings indicate an overall worsening of privacy protection across the world, reflecting an increase in surveillance and a declining performance of privacy safeguards. * Concern over immigration and border control dominated the world agenda in 2007. Countries have moved swiftly to implement database, identity and fingerprinting systems, often without regard to the privacy implications for their own citizens. * The 2007 rankings show an increasing trend amongst governments to archive data on the geographic, communications and financial records of all their citizens and residents. This trend leads to the conclusion that all citizens, regardless of legal status, are under suspicion. * The privacy trends have been fueled by the emergence of a profitable surveillance industry dominated by global IT companies and the creation of numerous international treaties that frequently operate outside judicial or democratic processes. * Despite political shifts in the US Congress, surveillance initiatives in the US continue to expand, affecting visitors and citizens alike. * Surveillance initiatives initiated by Brussels have caused a substantial decline in privacy across Europe, eroding protections even in those countries that have shown a traditionally high regard for privacy.
* The privacy performance of older democracies in Europe is generally failing, while the performance of newer democracies is becoming generally stronger. * The lowest ranking countries in the survey continue to be Malaysia, Russia and China. The highest-ranking countries in 2007 are Greece, Romania and Canada. * The 2006 leader, Germany, slipped significantly in the 2007 rankings, dropping from 1st to 7th place behind Portugal and Slovenia. * In terms of statutory protections and privacy enforcement, the US is the worst ranking country in the democratic world. In terms of overall privacy protection the United States has performed very poorly, being out-ranked by both India and the Philippines and falling into the "black" category, denoting endemic surveillance. * The worst ranking EU country is the United Kingdom, which again fell into the "black" category along with Russia and Singapore. However for the first time Scotland has been given its own ranking score and performed significantly better than England & Wales. * Argentina scored higher than 18 of the 27 EU countries. * Australia ranks higher than Slovakia but lower than South Africa and New Zealand. From rforno at infowarrior.org Thu Jan 3 13:45:22 2008 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 03 Jan 2008 08:45:22 -0500 Subject: [Infowarrior] - MIT Journal Article about US News Coverage Message-ID: "You Don't Understand Our Audience" What I learned about network television at Dateline NBC. By John Hockenberry < - > http://www.technologyreview.com/printer_friendly_article.aspx?id=19845 From rforno at infowarrior.org Thu Jan 3 13:47:21 2008 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 03 Jan 2008 08:47:21 -0500 Subject: [Infowarrior] - AU Study: Recut, Reframe, Recycle Message-ID: Recut, Reframe, Recycle http://www.centerforsocialmedia.org/resources/publications/recut_reframe_recycle/ When college kids make mashups of Hollywood movies, are they violating the law?
Not necessarily, according to the latest study on copyright and creativity from the Center and American University's Washington College of Law. The study, Recut, Reframe, Recycle: Quoting Copyrighted Material in User-Generated Video, by Center director Pat Aufderheide and Peter Jaszi, co-director of the law school's Program on Information Justice and Intellectual Property, shows that many uses of copyrighted material in today's online videos are eligible for fair use consideration. The study points to a wide variety of practices: satire, parody, negative and positive commentary, discussion-triggers, illustration, diaries, archiving and of course, pastiche or collage (remixes and mashups). All of these could be legal in some circumstances. Fair use is the part of copyright law that permits new makers, in some situations, to quote copyrighted material without asking permission or paying the owners. The courts tell us that fair use should be "transformative", adding value to what they take and using it for a purpose different from the original work. So when makers mash up several works (say, The Ten Commandments, Ben-Hur and 10 Things I Hate about You, making Ten Things I Hate about Commandments), they aren't necessarily stealing. They are quoting in order to make a new commentary on popular culture, and creating a new piece of popular culture. Unfortunately, this emerging, participatory media culture is at risk, with new industry practices to control piracy. Large content holders such as NBC Universal and Viacom, and online platforms such as MySpace and Veoh are already crafting agreements on removing copyrighted material from the online sites. Legal as well as illegal copying could all too easily disappear. Worse still, a new generation of media makers could grow up with a deformed and truncated notion of their rights as creators. The study recommends the development of a blue-ribbon committee of scholars, makers and lawyers to develop best-practices principles.
Such principles, similar to ones documentary filmmakers developed in the Documentary Filmmakers' Statement of Best Practices in Fair Use, can help new creators and online providers decide what's legal, and assure that the Internet remains a safe space for new forms of self-expression. The study is part of a larger Participatory Media project, funded by the Ford Foundation as part of the Center for Social Media's Future of Public Media Project. < - > http://www.centerforsocialmedia.org/resources/publications/recut_reframe_recycle/ From rforno at infowarrior.org Thu Jan 3 17:40:53 2008 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 03 Jan 2008 12:40:53 -0500 Subject: [Infowarrior] - Citibank 'hack' limits ATM cash in NYC Message-ID: Citibank limits ATM cash in city http://www.nydailynews.com/money/2008/01/03/2008-01-03_citibank_limits_atm_cash_in_city-2.html BY KERRY BURKE and LARRY McSHANE DAILY NEWS STAFF WRITERS Thursday, January 3rd 2008, 4:00 AM A jump in ATM fraud led Citibank to slash the maximum amount of cash available to customers from their accounts - a security move greeted warily Wednesday by its patrons. The new cap on cash kicked out by the company's ATMs began in mid-December after what Citibank called "isolated fraudulent activity" around the city. The bank, with 134 branches around town, would not say how many customers were affected or how much money was involved. One Brooklyn woman said she went to her bank branch on Christmas Eve and was unable to take out her normal cash limit, so she called customer assistance. "She told me customer accounts had been hacked into through cash machines around the city," the woman said. "As a result, the bank had decided to slash how much customers could withdraw from their own accounts. They cut my amount in half. "She said most New York customers were affected and she suggested I change my password."
The bank insisted the problem was not national in scope, although it would not provide any other information. Citibank declined to specify the amount of the new withdrawal cap. "Though we can't provide details of ongoing security investigations, we are working closely with law enforcement on this matter," the bank said in a two-paragraph statement. Citibank customers were divided over the new policy. "It's your account and your money," said Mari Lopez, 22, a Manhattan student. Manhattan truck driver Hamadou Boureima favored the move. "It's a good idea. In case someone steals your card and identity, you'll have some money left," Boureima said at a Manhattan Citibank branch. "Otherwise, someone can take everything." Customers caught short of cash when making ATM withdrawals can call customer service and get instant access to more money, Citibank said. The bank said customers were not responsible for fraudulent activity in their accounts. That didn't pacify Pam Tinney, 43, of the Bronx, who felt the new limit was an overreaction. "If they made the ATMs more secure, we wouldn't have to worry," she said. "It's our money. We should be able to take out any amount we want, when we want." lmcshane at nydailynews.com From rforno at infowarrior.org Thu Jan 3 17:55:17 2008 From: rforno at infowarrior.org (Richard Forno) Date: Thu, 03 Jan 2008 12:55:17 -0500 Subject: [Infowarrior] - Plaxo reportedly for sale Message-ID: January 3, 2008 Social Net Site Is Said to Be for Sale By ANDREW ROSS SORKIN http://www.nytimes.com/2008/01/03/technology/03plaxo.html?pagewanted=print Plaxo, an early social networking site that helps people keep their address books updated, is up for auction, people briefed on the offering said Wednesday night. The company, which has not made a profit, is seeking as much as $100 million, these people said. 
Plaxo, which has been overtaken by rivals like LinkedIn and Facebook, has tried to reinvent itself as an aggregate of information from other social networking sites. In October, the company started Plaxo Pulse, a service that collects information from Facebook, MySpace, Twitter, Digg and others, moving away from Plaxo's original mission simply to keep electronic address books up-to-date. Indeed, Plaxo's core business stirred some controversy because it sent out millions of e-mail messages on behalf of its users, creating the impression that the company was distributing spam. The site then faced additional difficulties because some service providers stopped allowing Plaxo to use their services. Plaxo says it has 15 million registered users. Plaxo was founded in 2001 by Todd Masonis along with a fellow Stanford engineering student, Cameron Ring, and Sean Parker, who was also a founder of Napster, the music downloading site. The company has received more than $20 million in financing from venture capital firms like Sequoia Capital, an early investor in Google, as well as Globespan Capital Partners, Harbinger Venture Management and Cisco Systems. Some individual investors, like Ram Shriram, a member of Google's board, and Timothy A. Koogle, a former vice chairman of Yahoo, have also provided financing. Plaxo has hired Revolution Partners, a specialty investment bank, to handle the auction, these people said Wednesday.
From rforno at infowarrior.org Thu Jan 3 18:51:53 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 03 Jan 2008 13:51:53 -0500
Subject: [Infowarrior] - UK couple banned from mall, called 'terrorists' for taking photo of grandkids
Message-ID:

Couple banned for life from shopping centre and branded 'terrorists' - for taking photos of their grandchildren
Last updated at 17:57pm on 2nd January 2008
http://www.dailymail.co.uk/pages/live/articles/news/news.html?in_article_id=505649&in_page_id=1770

A couple were banned for life from a shopping centre - because they were taking photos of their beloved grandchildren. Kim and Trevor Sparshott were ordered to stop taking photos because they were causing a security threat. They were thrown out of the centre after they took out a camera to snap the look on the youngsters' faces when they turned up unexpectedly.

The couple were on a four-day break from their home in Spain and wanted to surprise their family by arriving at the centre, in Fareham, Hants, while they were shopping. But when they went to take a photo, a security guard pounced and ordered them out. The guard then insisted that cameras were banned because of the risk of a terrorist attack - and barred the bemused couple for life.

Speaking from her home in Malaga, Spain, Mrs Sparshott, 51, said: "I couldn't believe it. I was so shocked. "He said we had committed an act of terrorism. "At first I wanted the ground to swallow me up whole because it was so embarrassing - but then I got really angry."

Mr Sparshott, 52, added: "Instead of being a nice surprise for our family it turned into a nightmare. I was furious. "In these worrying times we understand the need for caution, but surely a quiet word when he first saw us would have stopped all this unpleasantness."

The couple, who had been visiting their daughter, who lives in Gosport, Hants, with her husband and children, returned to Spain in shock.
They wrote a letter of complaint to the centre, and received a reply from manager Pam Gillard who said taking photos was a security risk. In the reply to the Sparshotts, Ms Gillard said: "By the sounds of it my officers/duty manager didn't explain the position very clearly and for that I apologise."

Speaking after the incident, she added: "Fareham Shopping Centre is private property and has a policy to support the security of the shops, where the taking of photographs needs prior permission. "The Sparshotts are welcome back to the centre."

Ms Gillard refused to comment further on the centre's security policies, but added that the camera ban was not because of a terrorist threat. The situation has amazed civil rights campaigners, who say the centre's reaction was 'completely over the top'. Roger Smith, director of civil liberties group Justice, said: "The key is proportionality - it is quite reasonable to have restrictions on what people can do, but this is just daft. "It seems completely over the top."

From rforno at infowarrior.org Thu Jan 3 18:53:12 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 03 Jan 2008 13:53:12 -0500
Subject: [Infowarrior] - CD Liner Notes of the Distant Present
Message-ID:

CD Liner Notes of the Distant Present
http://www.somethingawful.com/d/news/riaa-liner-notes.php

From rforno at infowarrior.org Fri Jan 4 04:03:56 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 03 Jan 2008 23:03:56 -0500
Subject: [Infowarrior] - UK gov sets rules for hacker tool ban
Message-ID:

UK gov sets rules for hacker tool ban
Consultants in frame? Definitely Maybe
By John Leyden
Published Wednesday 2nd January 2008 15:54 GMT
http://www.theregister.co.uk/2008/01/02/hacker_toll_ban_guidance/

The UK government has published guidelines for the application of a law that makes it illegal to create or distribute so-called "hacking tools".
The controversial measure is among amendments to the Computer Misuse Act included in the Police and Justice Act 2006. However, the ban along with measures to increase the maximum penalty for hacking offences to ten years and make denial of service offences clearly illegal, are still not in force and probably won't be until May 2008 in order not to create overlap with the Serious Crime Bill, currently making its way through the House of Commons.

A revamp of the UK's outdated computer crime laws is long overdue. However, provisions to ban the development, ownership and distribution of so-called "hacker tools" draw sharp criticism from industry. Critics point out that many of these tools are used by system administrators and security consultants quite legitimately to probe for vulnerabilities in corporate systems. The distinctions between, for example, a password cracker and a password recovery tool, or a utility designed to run denial of service attacks and one designed to stress-test a network, are subtle. The problem is that anything from nmap through wireshark to perl can be used for both legitimate and illicit purposes, in much the same way that a hammer can be used for putting up shelving or breaking into a car.

Following industry lobbying the government has come through with guidelines that address some, but not all, of these concerns about "dual-use" tools. The guidelines establish that to successfully prosecute the author of a tool it needs to be shown that they intended it to be used to commit computer crime. But the Home Office, despite lobbying, refused to withdraw the distribution offence. This leaves the door open to prosecute people who distribute a tool, such as nmap, that's subsequently abused by hackers.

The Crown Prosecution Service guidance, published after a long delay on Monday, also asks prosecutors to consider if an article is "available on a wide scale commercial basis and sold through legitimate channels".
Critics argue this test fails to factor in the widespread use of open source tools or rapid product innovation. IT and the law are never easy bedfellows. While the guidelines probably make it less likely the security consultants will be prosecuted by over-zealous lawyers for actions they don't understand are legitimate, they are still a bit of a mess. Richard Clayton, a security researcher at Cambridge University and long-time contributor to UK security policy working groups, has a useful analysis of the proposals here.

From rforno at infowarrior.org Fri Jan 4 04:05:19 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 03 Jan 2008 23:05:19 -0500
Subject: [Infowarrior] - 4 root servers going to IPv6
Message-ID:

IPv6: coming to a root server near you
By Iljitsch van Beijnum | Published: January 02, 2008 - 11:43PM CT
http://arstechnica.com/news.ars/post/20080102-icann-to-add-ipv6-addresses-for-root-dns-servers.html

Just before year's end, ICANN/IANA sent out a short message saying that "on 4 February 2008, IANA will add AAAA records for the IPv6 addresses of the four root servers whose operators have requested it." The Internet Corporation for Assigned Names and Numbers (ICANN) is mostly responsible for the global Domain Name System; the Internet Assigned Numbers Authority (IANA) is part of ICANN. That means that as of February 4, 2008, it will (theoretically) be possible for two IPv6 hosts to communicate across the IPv6 Internet without having to rely on any IPv4 infrastructure.

It's been a long journey to get to this point. Although there were some false starts (see this book chapter about IPv6 and the DNS), putting IPv6 information in the DNS has been routine for many years. For instance, Dutch ISP BIT at www.bit.nl is reachable over IPv6, and the root servers know the IPv6 addresses of the .nl servers, which in turn know the IPv6 addresses of the BIT DNS servers.
So the only thing that prevents IPv6-users from reaching BIT, should anyone be careless enough to unplug the IPv4 Internet, is the fact that the root DNS servers are only listed by their IPv4 address.

When a DNS server starts up, it has to find the root servers that sit at the top of the name delegation chain. For this purpose, a DNS server keeps a local hints file, named.root, (or named.cache or named.ca, found in /var/named/ on many systems) that has the names and addresses for all the root servers. However, system administrators don't always keep this file up to date, so the first thing that a DNS server does upon startup is ask for an up-to-date list of root servers. So as long as there is still a single correct root server address in that named.root file, everything will work.

The trouble is that the original Domain Name System specification only allows for 512-byte packets in the DNS protocol. With 13 root servers, we're already well over 400 bytes. Any useful number of IPv6 addresses for root servers would push this beyond the 512-byte limit. So for a long time, the parties involved have considered the possibilities of ill effects when IPv6 addresses for the root DNS servers are added to "the dot." (A dot signifies the end of a DNS name. A dot without a name is therefore the root of the DNS hierarchy.) The message from IANA links to a lengthy report, written by ICANN's Security and Stability Advisory and Root Server System Advisory Committees, detailing all the possible issues that could come up.

The majority of modern DNS software is capable of sending and receiving packets larger than 512 bytes, so anyone running these should be fine. If a DNS server doesn't indicate this capability in its request, the root server will fit as much as it can within a 512-byte packet and mark the answer as "truncated," which is the requester's cue to retry the request over TCP rather than the usual UDP.
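The byte arithmetic and the truncation behaviour described above, worked through in wire format as an added example (this is not code from the Ars Technica article, IANA or ICANN): it builds the priming response a root server returns, counts the 13 NS and 13 A records, adds AAAA glue, and shows the TC bit that a non-EDNS0 client gets. The root server addresses are constructed documentation-range placeholders, not the real ones.

```python
"""Root priming response in DNS wire format (added example, not from the
article or IANA): shows why 13 NS + 13 A records already exceed 400 bytes,
why AAAA glue crosses the classic 512-byte UDP limit, and how a client that
sent no EDNS0 OPT record is told to retry over TCP via the TC bit. The root
server addresses are constructed documentation-range placeholders."""
import ipaddress
import struct

ROOT_LETTERS = "abcdefghijklm"     # a.root-servers.net ... m.root-servers.net
# Constructed placeholder glue (RFC 5737 / RFC 3849 documentation prefixes).
SAMPLE_V4 = {c: f"192.0.2.{i + 1}" for i, c in enumerate(ROOT_LETTERS)}
SAMPLE_V6 = {c: f"2001:db8::{i + 1}" for i, c in enumerate(ROOT_LETTERS)}

TYPE_A, TYPE_NS, TYPE_AAAA, TYPE_OPT, CLASS_IN = 1, 2, 28, 41, 1
FLAG_QR_AA = 0x8400                # response + authoritative answer
FLAG_TC = 0x0200                   # "truncated" bit in the header flags
OPT_RR_LEN = 11                    # empty OPT pseudo-record: name(1) + 10 fixed


def put_name(buf, name, table):
    """Append a dotted absolute name, replacing any suffix already present in
    the packet by a 2-byte compression pointer (RFC 1035 4.1.4). This is why
    b..m cost 4 bytes of rdata each after the first 20-byte NS target."""
    labels = [] if name == "." else name.rstrip(".").split(".")
    while labels:
        suffix = ".".join(labels)
        if suffix in table:
            buf += struct.pack("!H", 0xC000 | table[suffix])
            return
        table[suffix] = len(buf)
        buf += bytes([len(labels[0])]) + labels[0].encode("ascii")
        labels.pop(0)
    buf += b"\x00"                 # zero-length root label ends the name


def put_rr(buf, name, rtype, rdata, table, ttl=518400):
    """Append one resource record. rdata is raw bytes or a callable that
    writes compressible rdata (an NS target name) into the buffer."""
    put_name(buf, name, table)
    buf += struct.pack("!HHIH", rtype, CLASS_IN, ttl, 0)
    rdlen_at, start = len(buf) - 2, len(buf)
    if callable(rdata):
        rdata(buf, table)
    else:
        buf += rdata
    struct.pack_into("!H", buf, rdlen_at, len(buf) - start)  # patch RDLENGTH


def priming_reply(v6_letters="", client_bufsize=None, txid=0x1234):
    """Reply to the priming query 'NS . IN'. client_bufsize=None models a
    query without EDNS0, so the answer must fit in 512 bytes: glue is cut
    from the first record that no longer fits and TC is set. An EDNS0 client
    gets up to its advertised size plus an echoed OPT record."""
    limit = client_bufsize - OPT_RR_LEN if client_bufsize else 512
    table = {}
    buf = bytearray(struct.pack("!HHHHHH", txid, FLAG_QR_AA,
                                1, len(ROOT_LETTERS), 0, 0))
    put_name(buf, ".", table)                       # question: NS for "."
    buf += struct.pack("!HH", TYPE_NS, CLASS_IN)
    for c in ROOT_LETTERS:                          # answer: 13 NS records
        host = f"{c}.root-servers.net."
        put_rr(buf, ".", TYPE_NS, lambda b, t, h=host: put_name(b, h, t), table)
    glue = [(f"{c}.root-servers.net.", TYPE_A,
             ipaddress.IPv4Address(SAMPLE_V4[c]).packed) for c in ROOT_LETTERS]
    glue += [(f"{c}.root-servers.net.", TYPE_AAAA,
              ipaddress.IPv6Address(SAMPLE_V6[c]).packed)
             for c in ROOT_LETTERS if c in v6_letters]
    arcount = 0
    for name, rtype, rdata in glue:                 # additional: glue records
        mark = len(buf)
        put_rr(buf, name, rtype, rdata, table)
        if len(buf) > limit:
            del buf[mark:]                          # does not fit: drop it
            struct.pack_into("!H", buf, 2, FLAG_QR_AA | FLAG_TC)  # and flag TC
            break
        arcount += 1
    if client_bufsize:
        buf += b"\x00" + struct.pack("!HHIH", TYPE_OPT, client_bufsize, 0, 0)
        arcount += 1
    struct.pack_into("!H", buf, 10, arcount)         # patch ARCOUNT
    return bytes(buf)


def parse_header(reply):
    """Decode the 12-byte header; 'tc' True means the UDP answer is
    incomplete and the resolver must repeat the query over TCP."""
    txid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", reply, 0)
    return {"id": txid, "tc": bool(flags & FLAG_TC), "qdcount": qd,
            "ancount": an, "nscount": ns, "arcount": ar, "size": len(reply)}


if __name__ == "__main__":
    cases = [("13 A glue, no EDNS0", {}),
             ("4 AAAA added, no EDNS0", {"v6_letters": "afhj"}),
             ("4 AAAA added, EDNS0 4096", {"v6_letters": "afhj",
                                            "client_bufsize": 4096})]
    for label, kwargs in cases:
        h = parse_header(priming_reply(**kwargs))
        print(f"{label:26s} {h['size']:4d} bytes  glue={h['arcount']:2d}  TC={h['tc']}")
```

With IPv4 glue only the reply is 436 bytes; four AAAA records take it to 548, so a non-EDNS0 client receives a 492-byte truncated answer with TC set, while a client advertising a 4096-byte buffer gets the whole thing.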
So older DNS software shouldn't have any problems, either, so long as firewalls don't block DNS packets larger than 512 bytes or DNS requests over TCP. If you run a resolving DNS server (that doesn't include a DNS server in a home router), this is something you may want to check with your firewall administrator/vendor before February 4.

If you run really old DNS software, this might be a good time to upgrade. However, if it's well-behaved, you shouldn't have any problems as long as you don't download the new named.root file with IPv6 addresses in it that will no doubt show up on the IANA web site in the next few weeks. In the binary DNS protocol, the unknown information is of a known size and can be ignored by older software, but IPv6 addresses in a text file can only be parsed by software that is IPv6-aware.

From rforno at infowarrior.org Fri Jan 4 18:58:35 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 04 Jan 2008 13:58:35 -0500
Subject: [Infowarrior] - Sears exposes customer information via its web site
In-Reply-To: <20080104182655.GA21114@gsp.org>
Message-ID:

------ Forwarded Message
From: Rich

Summary: if you know someone's name, address and phone number, you can retrieve their purchase history from Sears' web site.
http://www.benedelman.org/news/010408-1.html

This is an interesting follow-on to the recent discovery that Sears is pushing spyware:

http://community.ca.com/blogs/securityadvisor/archive/2007/12/20/sears-com-join-the-community-get-spyware.aspx
http://www.benedelman.org/news/010108-1.html

From rforno at infowarrior.org Sat Jan 5 17:03:48 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 05 Jan 2008 12:03:48 -0500
Subject: [Infowarrior] - FAA: Boeing's New 787 May Be Vulnerable to Hacker Attack
Message-ID:

FAA: Boeing's New 787 May Be Vulnerable to Hacker Attack
By Kim Zetter
01.04.08 | 7:30 PM
http://www.wired.com/politics/security/news/2008/01/dreamliner_security

Boeing's new 787 Dreamliner passenger jet may have a serious security vulnerability in its onboard computer networks that could allow passengers to access the plane's control systems, according to the U.S. Federal Aviation Administration.

The computer network in the Dreamliner's passenger compartment, designed to give passengers in-flight internet access, is connected to the plane's control, navigation and communication systems, an FAA report reveals. The revelation is causing concern in security circles because the physical connection of the networks makes the plane's control systems vulnerable to hackers. A more secure design would physically separate the two computer networks. Boeing said it's aware of the issue and has designed a solution it will test shortly.

"This is serious," said Mark Loveless, a network security analyst with Autonomic Networks, a company in stealth mode, who presented a conference talk last year on Hacking the Friendly Skies (PowerPoint). "This isn't a desktop computer. It's controlling the systems that are keeping people from plunging to their deaths. So I hope they are really thinking about how to get this right."
Currently in the final stages of production, the 787 Dreamliner is Boeing's new mid-sized jet, which will seat between 210 and 330 passengers, depending on configuration. Boeing says it has taken more than 800 advance orders for the new plane, which is due to enter service in November 2008. But the FAA is requiring Boeing to demonstrate that it has addressed the computer-network issue before the planes begin service.

According to the FAA document published in the Federal Register (mirrored at Cryptome.org), the vulnerability exists because the plane's computer systems connect the passenger network with the flight-safety, control and navigation network. It also connects to the airline's business and administrative-support network, which communicates maintenance issues to ground crews. The design "allows new kinds of passenger connectivity to previously isolated data networks connected to systems that perform functions required for the safe operation of the airplane," says the FAA document. "Because of this new passenger connectivity, the proposed data-network design and integration may result in security vulnerabilities from intentional or unintentional corruption of data and systems critical to the safety and maintenance of the airplane."

The information is published in a "special conditions" document that the FAA produces when it encounters new aircraft designs and technologies that aren't addressed by existing regulations and standards. An FAA spokesman said he would not be able to comment on the issue until next week.

Boeing spokeswoman Lori Gunter said the wording of the FAA document is misleading, and that the plane's networks don't completely connect. Gunter wouldn't go into detail about how Boeing is tackling the issue but says it is employing a combination of solutions that involves some physical separation of the networks, known as "air gaps," and software firewalls.
Gunter also mentioned other technical solutions, which she said are proprietary and didn't want to discuss in public. "There are places where the networks are not touching, and there are places where they are," she said. Gunter added that although data can pass between the networks, "there are protections in place" to ensure that the passenger internet service doesn't access the maintenance data or the navigation system "under any circumstance." She said the safeguards protect the critical networks from unauthorized access, but the company still needs to conduct lab and in-flight testing to ensure that they work. This will occur in March when the first Dreamliner is ready for a test flight.

Gunter said Boeing has been working on the issue with the FAA for a number of years already and was aware that the agency was planning to publish a "special conditions" document regarding the Dreamliner. Gunter said the FAA and Boeing have already agreed on the tests that the plane manufacturer will have to do to demonstrate that it has addressed the FAA's security concerns. "It will all be done before the first airplane is delivered," she said.

Loveless said he's glad the FAA and Boeing are addressing the issue, but without knowing specifically what Boeing is doing, it is impossible to say whether the proposed solution will work as intended. Loveless said software firewalls offer some protection, but are not bulletproof, and he noted that the FAA has previously overlooked serious onboard-security issues. "The fact that they are not sharing information about it is a concern," he said. "I'd be happier if a credible auditing firm took a look at it."

Special conditions are not unusual. The FAA publishes them whenever it encounters unusual issues regarding a plane's design or performance in order to communicate on record that it expects the manufacturer to address the issue. It's then up to the manufacturer to demonstrate to the FAA that it has solved the problem.
Gunter said the FAA has issued eight special conditions on the Boeing 787, but that not all of them pertain to the plane's computer systems.

From rforno at infowarrior.org Sat Jan 5 17:13:05 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 05 Jan 2008 12:13:05 -0500
Subject: [Infowarrior] - Germany: collect ISP data for terrorist, not music investigations
Message-ID:

Zypries: Retained data cannot be used in civil cases
http://www.heise.de/english/newsticker/news/101210

Retained telephone and Internet data may be used only by the police and the public prosecutor's office, says German Justice Minister Brigitte Zypries. "Connection information can assist in the prosecution of terrorists and organized criminals but cannot be used to help the music industry pursue its rights under civil law," said the SPD party politician in an interview with Focus, the German news magazine. "Any government that tries to broaden its scope will lose all credibility."

The new law on data retention requires telecommunication companies to store all telephone and Internet connection information for six months starting on 1 January, and to make this data available to the prosecutor's office upon request. The music industry, backed by a number of political figures, had demanded access to this data to help pursue its claims for compensation against pirates. Zypries rejected their demands. "The demarcation lines here are quite clear," she told Focus.
For further information on the monitoring of telecommunications and the retention of data, see:

* Neue Regeln zur Überwachung der Telekommunikation (New rules on the surveillance of telecommunications), German article

For up-to-date information about the debate on the extended anti-terror legislation, the "Anti-Terror-Datei" database and online searching, see:

* Von Datenschutz und Schäuble-Katalog: Terrorbekämpfung, TK-Überwachung, Online-Durchsuchung (On data protection and the Schäuble catalogue: counter-terrorism, telecommunications surveillance, online searches), German article

From rforno at infowarrior.org Sun Jan 6 20:12:22 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 06 Jan 2008 15:12:22 -0500
Subject: [Infowarrior] - Camouflaged code threatens security apps
Message-ID:

Camouflaged code threatens security apps
Evil twin hash bash
By John Leyden
Published Friday 4th January 2008 20:01 GMT
http://www.theregister.co.uk/2008/01/04/code_camouflage/

Antivirus firms are concerned about the emergence of techniques that could render meaningless the use of checksums to mark applications as safe.

The issue concerns hash functions - one way mathematical functions that produce a small fixed length checksum or message digest from a much longer batch of code or email message. When two different input values produce the same output value this is called a collision. Weaknesses in hashing algorithms, such as MD5, that allowed the discovery of collisions much more quickly than would be possible using brute-force attacks have been known about by cryptographic researchers for more than three years.

Previous techniques meant one type of junk message might be mistaken for another junk message, a weakness of interest to cryptographers but that carried little sting in practice. In addition, high speed computers were needed to discover collisions. But a recent post on a full disclosure list explains a method to append a few thousand bytes to two arbitrary files such that both files have the same MD5 value. One of the arbitrary files might be malicious.
Not only that but the researchers - Marc Stevens, Arjen K. Lenstra, and Benne de Weger - produced their proof-of-concept files using a single PC in less than two days.

Symantec reports that the approach threatens to undermine the use of hash functions to identify applications as safe (whitelisting). Malware authors might get harmless code, which generates the same MD5 output as a companion (malicious) app, whitelisted by submitting it to a classification server. Such a technique would clear the way to later distribute a companion malicious application that generates a MD5 result previously flagged as safe. The approach is far from trivial but creates a means to smuggle malicious apps past whitelisting tools. Both the malicious and harmless apps might be digitally signed to make the malware look even more harmless.

"While what they have achieved is not the same as producing an identical MD5 for an existing file, it's still not a good thing. In particular it causes serious trouble for application white-listing implementations," Symantec notes.

Looking for extra bytes might be a common sense means of detecting the trick. But the extra bytes may look like compressed data in an installer application, or some kind of signature, so that approach to solving the problem is unreliable.

MD5 is not the only hashing function known to have cryptographic weaknesses. SHA-1 is also known to produce collisions and is thus potentially subject to the same kinds of trickery. The solution might be to move towards more robust hashing algorithms such as SHA-2, Symantec researcher Peter Ferrie concludes.
From rforno at infowarrior.org Mon Jan 7 00:31:24 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 06 Jan 2008 19:31:24 -0500
Subject: [Infowarrior] - TSA Struggling with 'Stovepiped' Information Infrastructure
Message-ID:

http://www.nationaldefensemagazine.org/issues/2008/January/SecurityBeat.htm#TSA

TSA Struggling with 'Stovepiped' Information Infrastructure

Baggage Claim

Anyone who has followed the Defense Department's never-ending struggle to allow its disparate communications systems to link to each other knows what the term "stovepiped" means. Different systems used by different services built by different contractors are not able to share information.

The Transportation Security Administration, starting with a clean slate in 2001, could have avoided these pitfalls, but instead chose ad hoc technologies that resulted in a wasteful, inefficient information backbone, according to a Department of Homeland Security Inspector General report. Part of the blame falls on Congress and the tight deadlines it imposed in the wake of the 9/11 attacks, the report said. "Due to time constraints, TSA's technical environment evolved in a decentralized manner, leading to stovepiped systems with limited information sharing and technical standards," the report said.

For example, performance data on airport baggage screeners and metal detectors must be collected from every machine once per hour. Each system has its own way of collecting, storing and downloading data. A TSA staff member must take this data, write a daily report and e-mail or fax the information to TSA headquarters. The process is "cumbersome, time consuming and labor intensive," the report said.

TSA concurred with the report's findings and spelled out plans to address some of the issues. The report warned that TSA will have to beef up its hiring to effectively get a handle on the problem.
"The declining number of staff within the central IT division also impedes the [chief information officer's] ability to manage the IT infrastructure and support new technology requirements."

From rforno at infowarrior.org Mon Jan 7 04:07:26 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 06 Jan 2008 23:07:26 -0500
Subject: [Infowarrior] - If Your Hard Drive Could Testify ...
Message-ID:

Sidebar
If Your Hard Drive Could Testify ...
By ADAM LIPTAK
http://www.nytimes.com/2008/01/07/us/07bar.html?hp=&pagewanted=print

A couple of years ago, Michael T. Arnold landed at the Los Angeles International Airport after a 20-hour flight from the Philippines. He had his laptop with him, and a customs officer took a look at what was on his hard drive. Clicking on folders called "Kodak pictures" and "Kodak memories," the officer found child pornography.

The search was not unusual: the government contends that it is perfectly free to inspect every laptop that enters the country, whether or not there is anything suspicious about the computer or its owner. Rummaging through a computer's hard drive, the government says, is no different than looking through a suitcase. One federal appeals court has agreed, and a second seems ready to follow suit.

There is one lonely voice on the other side. In 2006, Judge Dean D. Pregerson of Federal District Court in Los Angeles suppressed the evidence against Mr. Arnold. "Electronic storage devices function as an extension of our own memory," Judge Pregerson wrote, in explaining why the government should not be allowed to inspect them without cause. "They are capable of storing our thoughts, ranging from the most whimsical to the most profound." Computer hard drives can include, Judge Pregerson continued, diaries, letters, medical information, financial records, trade secrets, attorney-client materials and, the clincher, of course, information about reporters' "confidential sources and story leads."
But Judge Pregerson's decision seems to be headed for reversal. The three judges who heard the arguments in October in the appeal of his decision seemed persuaded that a computer is just a container and deserves no special protection from searches at the border. The same information in hard-copy form, their questions suggested, would doubtless be subject to search.

The United States Court of Appeals for the Fourth Circuit, in Richmond, Va., took that position in a 2005 decision. It upheld the conviction of John W. Ickes Jr., who crossed the Canadian border with a computer containing child pornography. A customs agent's suspicions were raised, the court's decision said, "after discovering a video camera containing a tape of a tennis match which focused excessively on a young ball boy."

It is true that the government should have great leeway in searching physical objects at the border. But the law requires a little more, a "reasonable suspicion," when the search is especially invasive, as when the human body is involved. Searching a computer, said Jennifer M. Chacón, a law professor at the University of California, Davis, "is fairly intrusive." Like searches of the body, she said, such "an invasive search should require reasonable suspicion."

An interesting supporting brief filed in the Arnold case by the Association of Corporate Travel Executives and the Electronic Frontier Foundation said there have to be some limits on the government's ability to acquire information. "Under the government's reasoning," the brief said, "border authorities could systematically collect all of the information contained on every laptop computer, BlackBerry and other electronic device carried across our national borders by every traveler, American or foreign." That is, the brief said, "simply electronic surveillance after the fact."

The government went even further in the case of Sebastien Boucher, a Canadian who lives in New Hampshire. Mr.
Boucher crossed the Canadian border by car about a year ago, and a customs agent noticed a laptop in the back seat. Asked whether he had child pornography on his laptop, Mr. Boucher said he was not sure. He said he downloaded a lot of pornography but deleted child pornography when he found it.

Some of the files on Mr. Boucher's computer were encrypted using a program called Pretty Good Privacy, and Mr. Boucher helped the agent look at them, apparently by entering an encryption code. The agent said he saw lots of revolting pornography involving children. The government seized the laptop. But when it tried to open the encrypted files again, it could not. A grand jury instructed Mr. Boucher to provide the password. But a federal magistrate judge quashed that subpoena in November, saying that requiring Mr. Boucher to provide it would violate his Fifth Amendment right against self-incrimination. Last week, the government appealed.

The magistrate judge, Jerome J. Niedermeier of Federal District Court in Burlington, Vt., used an analogy from Supreme Court precedent. It is one thing to require a defendant to surrender a key to a safe and another to make him reveal its combination. The government can make you provide samples of your blood, handwriting and the sound of your voice. It can make you put on a shirt or stand in a lineup. But it cannot make you testify about facts or beliefs that may incriminate you, Judge Niedermeier said.

"The core value of the Fifth Amendment is that you can't be made to speak in ways that indicate your guilt," Michael Froomkin, a law professor at the University of Miami, wrote about the Boucher case on his Discourse.net blog.

But Orin S. Kerr, a law professor at the George Washington University, said Judge Niedermeier had probably gotten it wrong. "In a normal case," Professor Kerr said in an interview, "there would be a privilege." But given what Mr.
Boucher had already done at the border, he said, making him provide the password again would probably not violate the Fifth Amendment.

There are all sorts of lessons in these cases. One is that the border seems to be a privacy-free zone. A second is that encryption programs work. A third is that you should keep your password to yourself. And the most important, as my wife keeps telling me, is that you should leave your laptop at home.

From rforno at infowarrior.org Mon Jan 7 04:09:50 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 06 Jan 2008 23:09:50 -0500
Subject: [Infowarrior] - In Response to M.T.A.'s 'Say Something' Ads, a Glimpse of Modern Fears
Message-ID:

In Response to M.T.A.'s "Say Something" Ads, a Glimpse of Modern Fears
By WILLIAM NEUMAN
http://www.nytimes.com/2008/01/07/nyregion/07see.html?pagewanted=print

After 9/11, the Metropolitan Transportation Authority coined the slogan, "If you see something, say something," and put it on posters encouraging subway and bus riders to call a police counterterrorism hot line if they encountered anything suspicious. Then, last July, the authority trumpeted results on new posters and in television ads: "Last year, 1,944 New Yorkers saw something and said something."

But the new posters, also placed in the commuter railroad trains, left out two things: What, exactly, did those 1,944 New Yorkers see, and what did they say? Presumably, no active terror plots were interrupted, or that would have been announced at the time by the authorities.

Now, an overview of police data relating to calls to the hot line over the past two years reveals the answer and provides a unique snapshot of post-9/11 New York, part paranoia and part well-founded caution. Indeed, no terrorists were arrested, but a wide spectrum of other activity was reported. Suspicious people were seen in subway tunnels, subway yards and bus garages.
Some callers saw people suspiciously photographing subway facilities. The vast majority of calls had nothing to do with the transit system, including reports of people believed to be selling phony ID cards. Or stockpiling weapons. Or attempting to buy explosives on the Internet (those turned out to be fireworks).

Some callers tried to turn the authority's slogan on its head. These people saw nothing but said something anyway, calling in phony bomb threats or terror tips. At least five people were arrested in the past two years and charged with making false reports.

Eleven calls were about people seen counting in the subway, a seemingly innocuous act that was interpreted as ominous by at least some who witnessed it.

One thing the overview did not clear up: just where did the number 1,944 come from? Police and transit officials could not say exactly.

All together, calls to the hot line, 1-888-NYC-SAFE, have resulted in 18 arrests by the New York police over the past two years; none have turned out to reveal a direct connection to terrorism. "It's just one small part of the initiative the Police Department has to capture any information that might prevent another 9/11 or another catastrophic attack on the city," said Paul J. Browne, a police spokesman. "One call one day may be the one that stops an attempt to destroy the Brooklyn Bridge." He said that some cases related to hot line calls were still being investigated.

It is impossible to tell how many people called the counterterrorism hot line because of the posters. In all, the hot line received 8,999 calls in 2006, including calls that were transferred from 911 and the 311 help line, Mr. Browne said. They included a significant number of calls about suspicious packages, many in the transit system. Most involved backpacks, briefcases or other items accidentally left behind by their owners. None of them, Mr. Browne said, were bombs.
There were, however, 816 calls to the hot line in 2006 that were deemed serious enough to require investigation by the department?s intelligence division or its joint terrorism task force with the F.B.I. Mr. Browne said that 109 of those calls had a connection to the transit system and included reports of suspicious people in tunnels and yards, and of people taking pictures of the tracks. The hot line received many more calls in 2007, possibly because of the authority?s advertising campaign, Mr. Browne said. Through early December, the counterterrorism hot line received 13,473 calls, with 644 of those meriting investigation. Of that group, 45 calls were transit related. Then there were the 11 calls about people counting. Mr. Browne said several callers reported seeing men clicking hand-held counting devices while riding on subway trains or waiting on platforms. The callers said that the men appeared to be Muslims and that they seemed to be counting the number of people boarding subway trains or the number of trains passing through a station. They feared the men might be collecting data to maximize the casualties in a terror attack. ?They saw someone clicking this device and gave different interpretations to that and saw a possible threat,? Mr. Browne said. But when the police looked into the claims, they determined that the men were counting prayers with the devices, essentially a modern version of rosary beads. The counters are similar to those used by baseball coaches to keep track of the number of pitches thrown in a game or by stores conducting inventory. They are a common item in the Islamic shops on Atlantic Avenue in Downtown Brooklyn, where they sell for $5 to $8. Ali Mohammed, 44, a Brooklyn grocery owner who was shopping on Atlantic Avenue recently, said that many Muslims use a tally counter as they repeat the many names of God. ?Anybody?s dress, anybody?s behavior or outlook, it can be suspicious to anybody,? Mr. Mohammed said. 
?But especially if they?re Muslim, somebody is going to be suspicious.? None of those calls led to arrests, but several others did, although they had nothing to do with the subway or buses. At least three calls resulted in arrests for trying to sell false identification, including driver?s licenses and Social Security cards. One informer told the police about a Staten Island man who was later found to have a cache of firearms. A Queens man was charged with having an illegal gun and with unlawful dealing in fireworks. A Brooklyn man was charged with making anti-Semitic threats against his landlord and threatening to use sarin gas on him. At least two men arrested on tips from the hot line were turned over to immigration officials for deportation, Mr. Browne said. And then there were the phony tipsters. A Brooklyn jeweler, Rimon Alkatri, was convicted last month of making a false report and faces up to seven years in prison. Mr. Browne said that in May 2006, Mr. Alkatri told a hot line operator that terrorists were planning a subway bomb attack. But Mr. Alkatri was charged with falsely reporting an incident and accused of making up the story to get back at some former business associates. On Sept. 3, 2007, a man called the police and said there would be an attack on Pennsylvania Station the next day. The police traced the call, and in October they arrested a Long Island resident, Yvan Peralta, and charged him with making a false report, Mr. Browne said. He said Mr. Peralta told the police he had been drinking when he made the call. Other apparently phony tipsters included a man who said that Police Headquarters in Lower Manhattan would be hit with a rocket attack, a man who said he was going to use plastic explosives to blow up a Queens hospice and a man who called in a bomb threat against a Pepsi-Cola building in the Bronx. The current version of the ?See Something, Say Something? ads began running in July, said Christopher P. 
Boylan, a deputy executive director of the authority. The television and newspaper ads ended late last year, but posters remain on some trains. The campaign cost $3 million. But despite the ad?s specific mention of 1,944 New Yorkers, there was some mystery surrounding the number. Mr. Browne and Mr. Boylan said that it included the police hot line calls that were followed up by counterterrorism investigators and similar calls to the New York State Police, the F.B.I. and the Port Authority Police Department. Mr. Browne, however, provided figures showing that a total of 2,096 terror tips to the four agencies were investigated in 2006. Mr. Boylan said he did not know exactly how the authority had come up with the number. ?I don?t want to say that the accuracy of the number is secondary to the message,? Mr. Boylan said, ?but the message that we wanted to get across is that those calls are, in fact, having an impact.? From rforno at infowarrior.org Mon Jan 7 12:48:23 2008 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 07 Jan 2008 07:48:23 -0500 Subject: [Infowarrior] - Pentagon revising computer-snooping policy Message-ID: Monday, January 7, 2008 Last modified Monday, January 7, 2008 4:08 AM PST http://www.nctimes.com/articles/2008/01/07/news/top_stories/15_50_901_6_08.t xt Pentagon revising computer-snooping policy By: TERI FIGUEROA - Staff Writer Search-and-seizure warnings prompted outcry from military attorneys obligated to protect client communications. A warning to users of military computers that government agents could seize -- without cause or a warrant -- anything found on the machines is now under revision, the top legal adviser in the Marine Corps said this week. "The key aspect of the revision is to make certain that we maintain the protections of privileged communications" within the Marine Corps and the Department of Defense, staff Judge Advocate Brig. Gen. James Walker said this week in a telephone interview from his Pentagon office. 
"It is a problem, and I honestly think it is going to be fixed." The warning, which appeared on all military computers as the user booted up the machine, raised eyebrows shortly after it was posted on all Marine Corps computers in early December. For a few weeks, the first words on the screens of military computer users when they started the machines stated that law enforcement agents could search and seize whatever they desire ---- for any reason or none at all. Marine Corps lawyers representing defendants in the military justice system, including Marines facing war crimes trials in the deaths of Iraqis, said a policy that allowed the government to read their correspondence and see their work jeopardized the attorney-client privilege central to a providing a full defense. A November memo from the Pentagon detailing the new policy stated that privileged communications remain protected from search and seizure. That piece of information, however, did not appear on the warnings that showed up on the computer screens. The policy "is not intended to negate any privilege recognized by law," Maj. Patrick Ryder, a spokesman for the office of the secretary of defense, wrote in an e-mail Thursday to the North County Times. Ryder also noted that the proposed policy "does not seek to broaden" the Pentagon's authority over searching and seizing any information found on military computers. Instead, Ryder wrote, the purpose of the new policy was twofold: to clarify the old policy that allowed for search and some authorized seizures, and to make the warning language standard throughout all military branches. "In general terms, the main difference in the two user consent banners is that the updated version seeks to make it clearer to users what they are consenting to when they use a DoD (Department of Defense) computer," Ryder wrote. But there remains a problem with the revised banner warnings that appeared on the computers last month. 
Ryder said one of the services brought up a concern with the banner warning and it was pulled until that concern -- which Ryder declined to define -- could be resolved.

On Wednesday, Walker said the banner on computer screens came down late last week.

That was welcome news to David Blair-Loy, the legal director of the American Civil Liberties Union of San Diego and Imperial Counties.

"I think that's entirely appropriate," Blair-Loy said of the decision to pull the warning and revise the policy. "In criminal cases, it impacts the constitutional right to counsel. We are very glad they are going to revise the policy."

The November change in the banner warning policy came in response to a ruling from the Court of Appeals of the Armed Forces -- the military equivalent to the Supreme Court -- after the military high court overturned the conviction of a lance corporal on drug charges. The lance corporal had allegedly sent e-mails from her military computer detailing her drug use.

The military high court, however, found the junior service member had an expectation of privacy regarding e-mails sent using the military computer, because the military had not adequately notified her that her computer could be searched and the communications could be used against her.

Contact staff writer Teri Figueroa at (760) 631-6624 or tfigueroa at nctimes.com.

From rforno at infowarrior.org Mon Jan 7 13:19:03 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 07 Jan 2008 08:19:03 -0500
Subject: [Infowarrior] - What This Gadget Can Do Is Up to You
Message-ID:

(c/o MontyS)

What This Gadget Can Do Is Up to You
Neuros Technology International
http://www.nytimes.com/2008/01/06/business/06novel.html?ex=1357275600&en=592b7920b10cf008&ei=5090
By ANNE EISENBERG
Published: January 6, 2008

"HACKERS, welcome! Here are detailed circuit diagrams of our products; modify them as you wish."
That's not an announcement you'll find on the Web sites of most consumer electronics manufacturers, who tend to keep information on the innards of their machines as private as possible. But Neuros Technology International, creator of a new video recorder, has decided to go in a different direction.

The company, based in Chicago, is providing full documentation of the hardware platform for its recorder, the Neuros OSD (for open source device), so that skilled users can customize or "hack" the device, and then pass along the improvements to others.

The OSD is a versatile recorder. Using a memory card or a U.S.B. storage device, it saves copies of DVDs, VHS tapes and television programs from satellite receivers, cable boxes, TVs and any other device with standard video output. Because the OSD saves the recordings in the popular compressed video format MPEG-4 (pronounced EM-peg), the programs can be watched on a host of devices, including iPods and smartphones.

The OSD is for sale at Fry's, Micro Center, J&R Electronics and other locations for about $230.

The OSD's capabilities will grow to suit changing times, said Joe Born, founder and chief executive of the company. "Digital video is a fast-moving space," he said, and many consumers don't want to buy a new piece of hardware every time a media company comes out with a new way to watch its shows. "The best way to address this problem was to make the product open source, allowing our smartest developers and users to modify it."

The OSD has not only open hardware, but also open software: it is based on the Linux operating system. Neuros Technology encourages hacking of the device; it has contests with cash rewards for new applications for the OSD. One winner, for instance, designed a program that lets people use it to watch YouTube on their televisions.

Using the OSD for daily video recording demands no special technical background, and no PC is required. Setup is easy: Plug a U.S.B. hard drive or other memory device into one side of this lightweight unit, and plug the TV and, for example, the DVD player into the other side. I recorded a show from a DVD this way and, to my delight, I was soon watching it on my iPod. Thank you, hackers!

The OSD does not have a display screen. Its menu is viewed on the television screen and navigated by using the remote control that comes with it. The device can also be connected to a computer or to a home network of computers.

People who are tired of stacks of DVDs and VHS tapes in the living room may find the Neuros an inexpensive way to tidy up: an entire library can be archived on a U.S.B. hard drive. Then you can stroll through your own personal video shop from the living room couch or, when traveling, plug the drive into a laptop to watch programs recorded from satellite or cable service at home.

But these are just the daily functions, designed for duffers like me. Gamers at their consoles can record their online contests, edit the videos and share them with friends. Brett Manners, a mechanical engineer and wind-surfing instructor in Perth, Australia, had another innovative use for the device. He rigged up a combination of the OSD and a video camera and used it to record his wind-surfing adventures directly to MPEG-4 format. (To watch some excerpts, see "Windsurfing With the Neuros OSD" on YouTube.)

Products like the OSD are a good example of a small but growing trend toward openness, said Jimmy Guterman, editor of Release 2.0, a technology and business newsletter published by O'Reilly Media of Sebastopol, Calif. "The open source hardware movement parallels the earlier open source software movement that started off as a renegade thing 15 years ago," he said. "Now it's the center of I.T. at many major Web sites like Google."

He hopes for the same openness in hardware, although he said that the issue was more complicated. "Companies may keep some aspects of their hardware closed, while opening others," he said.

Paul Saffo, a Silicon Valley forecaster, said openness was likely to apply to new products like the OSD, rather than to existing proprietary products. "It's a lot easier to design future products with openness built into them," he said, "than to open a closed product."

E-mail: novelties at nytimes.com.

From rforno at infowarrior.org Tue Jan 8 13:11:29 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 08 Jan 2008 08:11:29 -0500
Subject: [Infowarrior] - eBay Strikes Back, Sues For Frivolous DMCA Takedowns
Message-ID:

eBay Strikes Back, Sues For Frivolous DMCA Takedowns
http://techdirt.com/articles/20080106/220433.shtml

For quite some time we've seen companies try to make bogus intellectual property claims against people reselling their products on eBay. For example, a company making shampoo once claimed that you couldn't resell its bottles online -- even when legally purchased. The companies always claim that only "authorized" resellers are allowed to sell their products, and they must do so at a specific price. Last year, when the Supreme Court changed rules about whether manufacturers could demand retailers abide by a specific price, it kicked off speculation that we'd see more such cases. In fact, that's exactly what happened. In one case, a company named Innovate! Technology claimed that someone selling their products on eBay violated their intellectual property (including patents, trademarks and copyright!). The real complaint, of course, had nothing to do with intellectual property, but that this seller was selling below the company's official pricing. This seemed pretty ridiculous already, but these types of cases are designed to scare off small time sellers who don't have big legal guns to back them up. However, Innovate appears to have made a huge strategic error that has brought some big legal guns into the case, and they're clearly pointed at shooting Innovate's use of the DMCA down.
Greg Beck writes in to note that while the case was directly between Innovate and the eBay seller, Innovate made the mistake of pushing to get eBay involved in the case. Normally, eBay just does what's required of it in DMCA cases and gets out of the way. However, now that eBay is involved, it got involved in a big way. It's fighting back against Innovate, claiming that Innovate has been filing bogus DMCA requests and so now eBay is seeking damages, attorney's fees and an injunction preventing Innovate from filing any more DMCA notices to eBay. In other words, it's trying to make an example of Innovate. Hopefully it works, and others pursuing this same strategy of trying to stop legitimate competition through bogus DMCA notices will think twice before continuing.

From rforno at infowarrior.org Tue Jan 8 13:12:24 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 08 Jan 2008 08:12:24 -0500
Subject: [Infowarrior] - A Privacy Manifesto for the Web 2.0 Era
Message-ID:

A Privacy Manifesto for the Web 2.0 Era
Guest Column, Tuesday, January 8, 2008 at 12:00 AM PT
http://gigaom.com/2008/01/08/a-privacy-manifesto-for-the-web-20-era/

Written by Alec Saunders, co-founder and CEO of iotum, creators of the first conference calling service for Facebook. Alec's personal blog is about VoIP and web products, technologies and businesses.

* In October, Verizon revealed that it would share customers' calling records, including numbers of incoming and outgoing calls and time spent on each call, with third parties. Customers were informed that they could opt out of the new practice by telephoning a 1-800 number within 30 days of having received notification from Verizon; failure to object was deemed by the company to be consent.

* An ongoing practice of credit agencies is to charge consumers to see their own credit scores. Transunion, for example, charges a whopping $14.95 for a basic credit report.

* In early January, Robert Scoble attempted to liberate his social graph from Facebook via the use of a prohibited automated script provided by Plaxo, prompting the social networking site to ban him. He was reinstated after the ban provoked a blogstorm. Scoble's explanation boiled down to "What? I was just trying to migrate my social graph to another network; shouldn't that be allowed?"

These three points highlight the disregard many corporations have for customers' privacy. Corporations collect vast amounts of data, assert ownership over the data they collect, restrict access by customers to their own data, and cavalierly exchange that data with third parties. The misunderstanding of the basic guarantees corporations should offer is profound, and as consumers we all suffer.

Let's start by defining what we mean by personal information. Personal information includes any factual or subjective information, recorded or not, in any form, about an individual. For example: name, address, telephone number, gender, identification numbers, income, blood type, credit records, loan records, existence of a dispute between a consumer and a merchant, even intentions to acquire particular goods or services. And let's not forget health, medical history, political opinions, religious beliefs, trade union membership, financial information and sexual preferences!

Now, what rights should you have? Here are four principles that form a Privacy Manifesto for the Web 2.0 Era.

1. Every customer has the right to know what private information is being collected. That rules out any secret data collection schemes, as well as monitoring regimes that the customer hasn't agreed to in advance. It also rules out any advertising scheme that relies on leaving cookies on a customer's hard disk without the customer's consent.

2. Every customer has the right to know the purpose for which the data is being collected, in advance. Corporations must spell out their intent, in advance, and not deviate from that intent. Reasonable limits must be imposed on the collection of personal information that are consistent with the purpose for which it is being collected. Furthermore, the common practice of inserting language into privacy policies stating that the terms may be modified without notice should be banned. If the corporation collecting data wishes to change its policy then it's incumbent upon the corporation to obtain the consent of customers in advance.

3. Each customer owns his or her personal information. Corporations may not sell that information to others without the customer's consent. Customers may ask, at any time, to review the personal information collected; to have the information corrected, if that information is in error; and to have the information removed from the corporation's database.

4. Customers have a right to expect that those collecting their personal information will store it securely. Employees and other individuals who have access to that data must treat it with the same level of care as the organization collecting it is expected to.

Viewed through the lens of these four principles:

* Verizon should have asked customers' permission before sharing their information, and should have assumed that permission was denied until informed otherwise.

* Credit agencies should, upon request, share an individual's information with them; should require consent from the individual before sharing their information with a third party; and should allow an individual to opt out of the credit reporting processes altogether.

* Facebook comes up smelling like a rose. The guarantee that they made to their users was that they wouldn't share personal information with third parties. Facebook banned the use of automated scripts to prevent that information from being taken from the site. And Facebook explicitly recognizes in their terms of service that a user's personal information is owned by the user, not Facebook, and the company is merely a licensee. Facebook's privacy policy, however, contains a paragraph allowing them to unilaterally change the promises they make to their customers. Facebook should remove these weasel words.

Plaxo's role in the Scoble incident is both surprising and disappointing. The company has one of the best privacy policies on the web today. However, it's also seeking to advance an agenda that would create an open social graph with CTO Joseph Smarr's Bill of Rights for Users of the Social Web, which is the source of the conflict. Surely the Plaxo team can see how Facebook couldn't permit such a flagrant abuse of its terms and conditions. While one can make a good case that the social graph should be open, given Facebook's current terms, opening that social graph should only be done with the consent of the owners of that data: Facebook's users.

In many parts of the world, governments are now creating legislation embodying the four principles of this Privacy Manifesto. Citizens of those countries have responded favorably, rewarding businesses that assure their privacy, and penalizing those that don't. In Canada, for example, personal information is protected by something known as the Personal Information Protection and Electronic Documents Act (PIPEDA) and as a result, it's not unheard of for customers to patronize businesses that store their data locally. Many Europeans are equally sensitive.

Not only are the four principles of the Privacy Manifesto good for individuals, they're good for business.
From rforno at infowarrior.org Wed Jan 9 02:07:15 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 08 Jan 2008 21:07:15 -0500
Subject: [Infowarrior] - NSI hijacking domains via whois queries
Message-ID:

Domain Registrar Network Solutions Front Running On Whois Searches
by Adam Strong in Categories: Featured
http://www.domainnamenews.com/featured/domain-registrar-network-solutions-front-running-on-whois-searches/1359

A story is developing regarding domain name registrar Network Solutions front running domains. According to multiple sources on DomainState.com, it appears that domains searched via NSI are being purchased by the registrar thereby preventing a registrant from purchasing it at any other registrar other than NSI.

As an example, a random domain which DNN searches such as HowDoesThisDomainTasteTaste.com can be seen in this whois search to now be unavailable to register at other registrars but at NSI it can be purchased. The whois contact now says:

Registrant:
Make this info private
This Domain is available at NetworkSolutions.com
13681 Sunrise Valley Drive, Suite 300
HERNDON, VA 20171
US

The domains are likely being purchased and held in NSI ownership until the potential registrant comes back to purchase the name through NSI. If the purchase is not made at NSI within 5 days, NSI uses the same 5 day grace period that domain tasting operations use and they delete the domain. Once a search for a domain is conducted at NSI the domain name is registered and only available to be purchased by a registrant at NSI. It is not clear if NSI has increased prices on domains that have received multiple whois searches and that they are front running.

NSI also apparently has no problem taking over control of trademark domains using this practice as well. Searches for names such as microsoft-dell.com and ibm-microsoft-dell.com all appear as registered now by NSI and only available for purchase at NSI.

Front running domain names is a bold move by any registrar as it breaks a certain level of trust that the general public places in using a whois search. ICANN SSAC has conducted a "study" on front running recently in which they wrote "ICANN's Registrar Accreditation Agreement and Registry Agreements do not expressly prohibit registrars and registries from monitoring and collecting WHOIS query of domain name availability query data and either selling this information or using it directly." Warehousing domains in order to sell them to "potentially interested parties" isn't specifically forbidden in the registrar contract with ICANN but is addressed in points 3.7.9 and 4.2.5 of the contract in which they leave room for new rules or revisions to the contract.

In a quick look search it appears that other registries have addressed this issue. SGNIC, for example, has a contract that expressly addresses this issue:

"it shall not engage in and shall prohibit bulk access to Registrant's data, warehousing of or speculation in Domain Names, and shall implement any policies SGNIC may from time to time prescribe to prohibit or restrict such activities. Without limiting the generality of the foregoing, Registrar shall not (i) submit any application for the registration, renewal, transfer, modification or cancellation of a Domain Name registration or any other request or transaction relating thereto purportedly on behalf of any Person when it is not in fact so authorized, or on behalf of a non-existent Person; (ii) accumulate or warehouse Domain Name registrations with which Registrar or such Person has no reasonable connection, for the purpose of removing them from availability for others, transferring them for immediate or deferred direct or indirect gain or profit or for any other reason whatsoever, nor shall it knowingly participate in any such undertaking."
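The check a practitioner would want after reading the above, as an added example that is not part of the original post or of any registrar's code: ask the registry's own whois server over TCP port 43 (the RFC 3912 protocol) instead of typing the name into a registrar's web search form, classify what comes back, and compare a reading taken before a registrar search with one taken after it. The registry host name, the "No match for" wording and the "Creation Date: 08-jan-2008" format are assumptions based on VeriSign's thin .com whois output of the time; the registrant marker string and the 5-day add grace period are taken from the post; both sample responses are constructed for this example, not captured from any registry.

```python
import re
import socket
from datetime import date

# Registry (not registrar) whois server for .com/.net. Assumption: the VeriSign
# host name in use at the time; other TLDs have their own registry servers.
REGISTRY_WHOIS = "whois.verisign-grs.com"

# Registrant text the post reports on names that NSI has front-run.
FRONT_RUN_MARKER = "This Domain is available at NetworkSolutions.com"

# Add grace period the post describes: a registrar can delete a fresh
# registration inside this window at no cost.
ADD_GRACE_DAYS = 5

MONTHS = {m: i for i, m in enumerate(
    "jan feb mar apr may jun jul aug sep oct nov dec".split(), 1)}


def whois_query(domain, server=REGISTRY_WHOIS, port=43, timeout=10):
    """Raw RFC 3912 exchange with the registry whois server: send the name
    followed by CRLF and read until the server closes the connection. Nothing
    here passes through a registrar's web search form. (Live network call;
    the offline classification below works on captured text instead.)"""
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(domain.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("latin-1", errors="replace")


def classify_whois(response):
    """Classify a whois response as 'available', 'front_run', 'registered'
    or 'unknown'. Assumption: the registry answers an unregistered .com with
    a line beginning "No match for"."""
    if re.search(r"^\s*No match for", response, re.IGNORECASE | re.MULTILINE):
        return "available"
    if FRONT_RUN_MARKER.lower() in response.lower():
        return "front_run"
    if re.search(r"^\s*(Domain Name|Registrar):", response,
                 re.IGNORECASE | re.MULTILINE):
        return "registered"
    return "unknown"


def front_running_evidence(before, after):
    """True when a name the registry reported as available before a registrar
    search shows up registered (or explicitly NSI-held) afterwards."""
    return (classify_whois(before) == "available"
            and classify_whois(after) in ("front_run", "registered"))


def parse_creation_date(response):
    """Pull the creation date out of a 'Creation Date: 08-jan-2008' line;
    returns a datetime.date, or None if no such line is present."""
    m = re.search(r"Creation Date:\s*(\d{1,2})-([A-Za-z]{3})-(\d{4})", response)
    if not m:
        return None
    mon = MONTHS.get(m.group(2).lower())
    if mon is None:
        return None
    return date(int(m.group(3)), mon, int(m.group(1)))


def still_in_add_grace(response, today_iso):
    """True if the registration is young enough that the registrar could still
    drop it for free under the 5-day add grace period (today given as ISO date)."""
    created = parse_creation_date(response)
    if created is None:
        return False
    age = (date.fromisoformat(today_iso) - created).days
    return 0 <= age < ADD_GRACE_DAYS


# Constructed sample responses (not captured from any registry).
SAMPLE_AVAILABLE = """\
Whois Server Version 2.0

No match for "HOWDOESTHISDOMAINTASTETASTE.COM".

>>> Last update of whois database: Tue, 08 Jan 2008 20:00:00 UTC <<<
"""

SAMPLE_FRONT_RUN = """\
Registrant:
   Make this info private
   This Domain is available at NetworkSolutions.com
   13681 Sunrise Valley Drive, Suite 300
   HERNDON, VA 20171
   US

   Domain Name: HOWDOESTHISDOMAINTASTETASTE.COM
   Registrar: NETWORK SOLUTIONS, LLC.
   Creation Date: 08-jan-2008
   Expiration Date: 08-jan-2009
"""

if __name__ == "__main__":
    print(classify_whois(SAMPLE_AVAILABLE), classify_whois(SAMPLE_FRONT_RUN))
    print(front_running_evidence(SAMPLE_AVAILABLE, SAMPLE_FRONT_RUN))
    print(still_in_add_grace(SAMPLE_FRONT_RUN, "2008-01-10"))
```

The point of going to the registry directly is that the registry answers availability without being a party that can register the name for itself; a registrar's search box is both the oracle and a competitor for the name. The grace-period check matters for the post's second claim: a front-run name whose creation date is less than five days old can still be dropped silently, so a reading taken inside that window says nothing about whether the registrant ever intended to keep it.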
From rforno at infowarrior.org Wed Jan 9 02:08:26 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 08 Jan 2008 21:08:26 -0500
Subject: [Infowarrior] - FCC to Probe Comcast Data Discrimination
Message-ID:

FCC to Probe Comcast Data Discrimination
By PETER SVENSSON - 4 hours ago
http://ap.google.com/article/ALeqM5gyYIyHWl3sEg1ZktvVRLdlmQ5hpwD8U1UOFO0

LAS VEGAS (AP) - The Federal Communications Commission will investigate complaints that Comcast Corp. actively interferes with Internet traffic as its subscribers try to share files online, FCC Chairman Kevin Martin said Tuesday.

A coalition of consumer groups and legal scholars asked the agency in November to stop Comcast from discriminating against certain types of data. Two groups also asked the FCC to fine the nation's No. 2 Internet provider $195,000 for every affected subscriber.

"Sure, we're going to investigate and make sure that no consumer is going to be blocked," Martin told an audience at the International Consumer Electronics Show.

In an investigation last year, The Associated Press found that Comcast in some cases hindered file sharing by subscribers who used BitTorrent, a popular file-sharing program. The findings, first reported Oct. 19, confirmed claims by users who also noticed interference with other file-sharing applications.

Comcast denies that it blocks file sharing, but acknowledged after the AP story that it was "delaying" some of the traffic between computers that share files. The company said the intervention was necessary to improve the surfing experience for the majority of its subscribers.

Peer-to-peer file sharing is a common way to illegally exchange copyright files, but companies are also rushing to utilize it for legal distribution of video and game content. If ISPs hinder or control that traffic, it makes them important gatekeepers of Internet content.

The FCC's response will be an important test of its willingness to enforce "Net Neutrality," the principle that Internet traffic be treated equally by carriers. The agency has a broadly stated policy supporting the concept, but its position hasn't been tested in a real-world case.

The FCC's policy statement makes an exception for "reasonable traffic management." Comcast has said its practices fall under that exception.

"The question is going to arise: Are they reasonable network practices?" Martin said Tuesday. "When they have reasonable network practices, they should disclose those and make those public."

Comcast subscribers who asked the company about interference on their connections before the AP story ran were met with flat denials.

A Comcast spokesman did not have an immediate comment.

Martin also said the commission was looking at complaints that wireless carriers denied text-messaging "short codes" to some applicants. The five-digit numbers are a popular way to sign up for updates on everything from sports to politics to entertainment news.

Verizon Wireless in late September denied a request by Naral Pro-Choice America, an abortion rights group, to use its mobile network for a sign-up text messaging program. The company reversed course just a day later, calling it a mistake and an "isolated incident."

Verizon Wireless has also denied a short code to a Swedish company, Rebtel Networks AB, that operates a service similar to a virtual calling card, allowing users to avoid paying the carrier's international rates on their cell-phone calls. Verizon Wireless has stuck to that denial, saying it does want to provide an advertising venue to a competitor.

"I tell the staff that they should act on all of those complaints and investigate all of them," Martin said.
From rforno at infowarrior.org Wed Jan 9 02:09:55 2008 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 08 Jan 2008 21:09:55 -0500 Subject: [Infowarrior] - Microsoft Patches Critical Windows TCP Flaw Message-ID: Microsoft Patches Critical Windows TCP Flaw Tuesday, January 8th 2008 @ 11:50 AM PST Microsoft has published a security bulletin warning of a critical vulnerability in Windows 2000/XP/Vista that could enable attackers to control - or destroy - a system. Microsoft has issued a new security bulletin warning users of a critical vulnerability in the TCP software built into Windows 2000, Windows Server 2003, Windows XP, and Windows Vista that could enable attackers to take over or destroy the computers. The TCP/IP protocol is one of the fundamental building blocks of Internet services; the vulnerability has to do with the way Windows processes ICMP and multicast requests. The vulnerabilities were discovered and reported privately to Microsoft from Alex Wheeler and Ryan Smith of the IBM Internet Security Systems X-Force. Microsoft has released a patch via Microsoft Update that changes the way the Windows kernel processes TCP multicast and ICMP requests. Due to the enormous number of systems worldwide exposed to this vulnerability and the potential threat it brings, Microsoft is recommending Windows users apply the patch as soon as possible. 
http://news.digitaltrends.com/news/story/15368/printer_friendly/microsoft_pa tches_critical_windows_tcp_flaw From rforno at infowarrior.org Wed Jan 9 03:33:37 2008 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 08 Jan 2008 22:33:37 -0500 Subject: [Infowarrior] - AT&T and Other ISPs May Be Getting Ready to Filter Message-ID: AT&T and Other ISPs May Be Getting Ready to Filter By Brad Stone http://bits.blogs.nytimes.com/2008/01/08/att-and-other-isps-may-be-getting-r eady-to-filter/index.html For the past fifteen years, Internet service providers have acted - to use an old cliche - as wide-open information super-highways, letting data flow uninterrupted and unimpeded between users and the Internet. But ISPs may be about to embrace a new metaphor: traffic cop. At a small panel discussion about digital piracy here at NBC?s booth on the Consumer Electronics Show floor, representatives from NBC, Microsoft, several digital filtering companies and telecom giant AT&T said the time was right to start filtering for copyrighted content at the network level. Such filtering for pirated material already occurs on sites like YouTube and Microsoft?s Soapbox, and on some university networks. Network-level filtering means your Internet service provider ? Comcast, AT&T, EarthLink, or whoever you send that monthly check to ? could soon start sniffing your digital packets, looking for material that infringes on someone?s copyright. ?What we are already doing to address piracy hasn?t been working. There?s no secret there,? said James Cicconi, senior vice president, external & legal affairs for AT&T. Mr. Cicconi said that AT&T has been talking to technology companies, and members of the MPAA and RIAA, for the last six months about implementing digital fingerprinting techniques on the network level. ?We are very interested in a technology based solution and we think a network-based solution is the optimal way to approach this,? he said. 
"We recognize we are not there yet but there are a lot of promising technologies. But we are having an open discussion with a number of content companies, including NBC Universal, to try to explore various technologies that are out there."

Internet civil rights organizations oppose network-level filtering, arguing that it amounts to Big Brother monitoring of free speech, and that such filtering could block the use of material that may fall under fair-use legal provisions - uses like parody, which enrich our culture.

Rick Cotton, the general counsel of NBC Universal, who has led the company's fights against companies like YouTube for the last three years, clearly doesn't have much tolerance for that line of thinking.

"The volume of peer-to-peer traffic online, dominated by copyrighted materials, is overwhelming. That clearly should not be an acceptable, continuing status," he said. "The question is how we collectively collaborate to address this."

I asked the panelists how they would respond to objections from their customers over network level filtering - for example, the kind of angry outcry Comcast saw last year, when it was accused of clamping down on BitTorrent traffic on its network.

"Whatever we do has to pass muster with consumers and with policy standards. There is going to be a spotlight on it," said Mr. Cicconi of AT&T.

After the session, he told me that ISPs like AT&T would have to handle such network filtering delicately, and do more than just stop an upload dead in its tracks, or send a legalistic cease and desist form letter to a customer.

"We've got to figure out a friendly way to do it, there's no doubt about it," he said.
From rforno at infowarrior.org Thu Jan 10 01:26:46 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 09 Jan 2008 20:26:46 -0500
Subject: [Infowarrior] - TSA searches, detains 5 year old because his name was on no-fly list
In-Reply-To: <20080109231856.GA4130@gsp.org>
Message-ID:

(c/o RSK)

TSA searches, detains 5 year old because his name was on no-fly list
http://www.boingboing.net/2008/01/09/tsa-searches-detains.html

A five-year-old boy was taken into custody and thoroughly searched at Sea-Tac because his name is similar to a possible terrorist alias. As the Consumerist reports, "When his mother went to pick him up and hug him and comfort him during the proceedings, she was told not to touch him because he was a national security risk. They also had to frisk her again to make sure the little Dillinger hadn't passed anything dangerous weapons or materials to his mother when she hugged him."

It's a case of a mistaken identity for a 5-year-old boy from Normandy Park. He had trouble boarding a plane because someone with the same name is wanted by the federal government. Mimi Jung reports from Sea-Tac Airport.

You know, if you wanted to systematically discredit the idea of a Department of Homeland Security, if you wanted to make an utter mockery of aviation safety, you could not do a better job than this.

From rforno at infowarrior.org Thu Jan 10 01:29:48 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 09 Jan 2008 20:29:48 -0500
Subject: [Infowarrior] - $500K prize offered to speed airport security lines
Message-ID:

$500,000 prize offered to speed airport security lines
http://www.networkworld.com/community/node/23682

A security company is willing to fork over $500,000 in prize money to the person or company that comes up with an innovative technology to speed airport security lines.
The company making the offer, Clear, says the winning technology must meet the following criteria:

* Achieves acceptance by the Transportation Security Administration (TSA) for deployment at Clear lanes as providing the same or better security than the current Registered Traveler checkpoint process.
* Reduces inconvenience by, for example, allowing for no divesting of shoes, outer garments, or any other item approved for carry-on aboard a US commercial flight, and thereby achieves an increase in throughput of 15% or more.
* Is compact enough to be deployed at security checkpoints in at least three Clear airports.
* Can be operated at a cost (including capital costs amortized over five years) of less than 25 cents per passenger screened when working at full capacity.

In addition to the $500,000 prize, Clear will commit to a contract for the capital investment and operating costs necessary to deploy the winning checkpoint at every Clear checkpoint where the solution is accepted for installation by the airport and the TSA, the company stated.

Clear offers its members pre-screening and provides them with a swipe-card that lets them pass through designated airport security fast lanes at 13 US airports.

From rforno at infowarrior.org Thu Jan 10 14:03:46 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 10 Jan 2008 09:03:46 -0500
Subject: [Infowarrior] - State Dept opens up passport data to spies/cops
Message-ID:

http://cryptome.org/dos010908.htm

Summary: Passport Services has prepared an update of its system of records notice (SORN) as required by the Privacy Act 5 U.S.C. 552a and Appendix I to OMB Circular A-130 (``Federal Agency Responsibilities for Maintaining Records About Individuals''). Publication in the Federal Register of the updated SORN will establish a number of new ``routine uses'' for sharing passport records outside the Department of State.
The purpose in granting access to other entities varies, but principally encompasses the following functions.......

From rforno at infowarrior.org Thu Jan 10 16:49:32 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 10 Jan 2008 11:49:32 -0500
Subject: [Infowarrior] - OT: The US Fed finally wakes up?
Message-ID:

(more than a day late, and WAY more than a dollar short!!! --rf)

Truth in Lending
AGENCY: Board of Governors of the Federal Reserve System.
ACTION: Proposed rule; request for public comment.
http://cryptome.org/frs010908.htm

SUMMARY: The Board proposes to amend Regulation Z, which implements the Truth in Lending Act and Home Ownership and Equity Protection Act. The goals of the amendments are to protect consumers in the mortgage market from unfair, abusive, or deceptive lending and servicing practices while preserving responsible lending and sustainable homeownership; ensure that advertisements for mortgage loans provide accurate and balanced information and do not contain misleading or deceptive representations; and provide consumers transaction-specific disclosures early enough to use while shopping for a mortgage.

The proposed revisions would apply four protections to a newly-defined category of higher-priced mortgage loans secured by a consumer's principal dwelling, including a prohibition on a pattern or practice of lending based on the collateral without regard to consumers' ability to repay their obligations from income, or from other sources besides the collateral. The proposed revisions would apply three new protections to mortgage loans secured by a consumer's principal dwelling regardless of loan price, including a prohibition on a creditor paying a mortgage broker more than the consumer had agreed the broker would receive.
The Board also proposes to require that advertisements provide accurate and balanced information, in a clear and conspicuous manner, about rates, monthly payments, and other loan features; and to ban several deceptive or misleading advertising practices, including representations that a rate or payment is ``fixed'' when it can change. Finally, the proposal would require creditors to provide consumers with transaction-specific mortgage loan disclosures before they pay any fee except a reasonable fee for reviewing credit history.

DATES: Comments must be received on or before April 8, 2008.

From rforno at infowarrior.org Thu Jan 10 17:02:59 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 10 Jan 2008 12:02:59 -0500
Subject: [Infowarrior] - FBI wiretaps dropped due to unpaid bills
In-Reply-To: <10421C60-D874-446B-A70F-3A53E84F07AF@pacbell.net>
Message-ID:

http://news.yahoo.com/s/ap/20080110/ap_on_go_ca_st_pe/fbi_unpaid_phone_bills

FBI wiretaps dropped due to unpaid bills
By LARA JAKES JORDAN, Associated Press Writer

Telephone companies cut off FBI wiretaps used to eavesdrop on suspected criminals because of the bureau's repeated failures to pay phone bills on time, according to a Justice Department audit released Thursday.

The faulty bookkeeping is part of what the audit, by the Justice Department's inspector general, described as the FBI's lax oversight of money used in undercover investigations. Poor supervision of the program also allowed one agent to steal $25,000, the audit said.

More than half of 990 bills to pay for telecommunication surveillance in five unidentified FBI field offices were not paid on time, the report shows. In one office alone, unpaid costs for wiretaps from one phone company totaled $66,000.

And at least once, a wiretap used in a Foreign Intelligence Surveillance Act investigation - the highly secretive and sensitive cases that allow eavesdropping on suspected terrorists or spies - "was halted due to untimely payment."
"We also found that late payments have resulted in telecommunications carriers actually disconnecting phone lines established to deliver surveillance results to the FBI, resulting in lost evidence," according to the audit by Inspector General Glenn A. Fine.

From rforno at infowarrior.org Fri Jan 11 14:20:16 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 11 Jan 2008 09:20:16 -0500
Subject: [Infowarrior] - China DDOS for Satellites?
Message-ID:

(talk about an interesting way to DDOS space-based assets, eh? Or at least deny them safe orbital passage without constant adjustments......rf)

Washington Times
January 11, 2008
http://washingtontimes.com/article/20080111/NATION/444629685/1002

U.S. Satellites Dodge Chinese Missile Debris
'07 space weaponry test a continuing problem
By Bill Gertz, Washington Times

Two orbiting U.S. spacecraft were forced to change course to avoid being damaged by the thousands of pieces of space debris produced after China carried out an anti-satellite weapon test one year ago today.

The maneuvering, ordered by ground controllers and conducted several months after the test, is an example of lingering problems caused by China's Jan. 11, 2007, missile firing in a bold demonstration of space weaponry against a weather satellite, said Air Force Brig. Gen. Ted Kresge, director of air, space and information operations at the Air Force Space Command in Colorado.

< - >

Beijing also is asserting national sovereignty over all space above Chinese territory, setting up the potential for a future confrontation with the U.S., which operates intelligence and other satellites that pass over China.

< - >

The broad area of wreckage in space is called the "Feng Yun-1C debris" and threatens about 800 satellites in space, 400 of which are American.
According to the Joint Space Operations Center at Vandenberg Air Force Base in California, the commercial communication satellite Orbcomm FM 36 maneuvered to avoid passing within about 123 feet of the debris field on April 6. The NASA Earth observation satellite Terra was moved June 22 to avoid coming within about 90 feet of the debris.

Gen. Kresge said the Chinese ASAT weapon test, after two misses, "made a mess" in space. There are no indications China is preparing more tests but doing so would create a "huge" problem, he said.

"Essentially what it did was increase the amount of space debris orbiting the Earth by about 20 percent," he said. The debris threatens spacecraft for up to 100 years, he estimated.

From rforno at infowarrior.org Fri Jan 11 14:24:21 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 11 Jan 2008 09:24:21 -0500
Subject: [Infowarrior] - REAL ID: States Will Get More Time for Secure ID Plan
Message-ID:

States Will Get More Time for Secure ID Plan
By Spencer S. Hsu
Washington Post Staff Writer
Friday, January 11, 2008; A03
http://www.washingtonpost.com/wp-dyn/content/article/2008/01/10/AR2008011003971_pf.html

The Bush administration will announce today that states will have more than five additional years to comply with its controversial nationwide Real ID program, the second such delay in a year, people briefed on the plan said yesterday.

By May 2011, the program to tighten national standards for driver's licenses would require motorists born after Dec. 1, 1964, to submit a digital photograph upon application, a birth certificate or similar proof of identity, and a statement on penalty of perjury that information provided on applications was true, they said. Other changes would take effect in 2014. Drivers older than 50 would have until 2018 to meet the new license requirements, according to sources who spoke on the condition of anonymity before today's announcement by the Department of Homeland Security.
DHS revised its ID plan after states and civil libertarians criticized draft regulations, issued last March and setting a 2013 deadline, as unworkable and threatening to Americans' privacy by creating a de facto national ID for 245 million U.S. drivers. Seventeen states have passed legislation opposing or opting out of the program. The 2005 law authorizing Real ID set a May 2008 deadline for its implementation.

The delay will allow state motor vehicle departments to avoid a surge of applications and instead to phase in more secure licenses as motorists reach their scheduled license renewal dates, sources said. The change will lower the projected $14.6 billion state cost of the program to no more than $3.9 billion, officials said.

"We have worked very closely with the states in terms of developing a plan that I think will be quite inexpensive, reasonable to implement and produce the results," recommended by the 9/11 Commission and mandated by Congress, namely more secure identification, Homeland Security Secretary Michael Chertoff said. He did not detail the plan.

The announcement comes two months after New York Gov. Eliot L. Spitzer (D) withdrew a proposal to provide driver's licenses for illegal immigrants, and Bush administration officials and Real ID advocates have tied the national program to the debate over illegal immigration. As Chertoff, speaking to a department advisory board, put it yesterday, "False identification facilitates illegal immigration, which I'm hearing again and again is a very big concern for the American people."

Elements of Real ID, such as the photograph requirement, could support efforts now being piloted by DHS to help employers verify the identity of prospective hires, said C. Stewart Verdery Jr., a consultant and former DHS assistant secretary for policy. By cutting costs and with Congress approving a $50 million down payment for states' Real ID costs in 2008, Verdery said, DHS is "on a glide path now to having this thing done."
The American Civil Liberties Union, which has called Real ID a "real nightmare," called such claims a political spin, especially if costs were being shifted to the federal government or to individuals. "The devil is always in the details with DHS, and we'll have to look very closely" at the program, ACLU legislative counsel Timothy D. Sparapani said.

David Quam, director of federal relations for the National Governors Association, cautioned that the final regulations "put us at the beginning of the process, not the end."

From rforno at infowarrior.org Sat Jan 12 02:59:44 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 11 Jan 2008 21:59:44 -0500
Subject: [Infowarrior] - New ID Rules May Complicate Air Travel
Message-ID:

New ID Rules May Complicate Air Travel
http://apnews.myway.com/article/20080111/D8U3VK8O0.html
Jan 11, 6:19 PM (ET)
By DEVLIN BARRETT

WASHINGTON (AP) - Millions of air travelers may find going through airport security much more complicated this spring, as the Bush administration heads toward a showdown with state governments over post-Sept. 11 rules for new driver's licenses.

By May, the dispute could leave millions of people unable to use their licenses to board planes, but privacy advocates called that a hollow threat by federal officials.

Homeland Security Secretary Michael Chertoff, who was unveiling final details of the REAL ID Act's rules on Friday, said that if states want their licenses to remain valid for air travel after May 2008, those states must seek a waiver indicating they want more time to comply with the legislation.

Chertoff said that for any state which doesn't seek such a waiver by May, residents of that state will have to use a passport or certain types of federal border-crossing cards if they want to avoid a vigorous secondary screening at airport security.

[AP photo caption: A woman has her photo taken by an unidentified DMV technician at the California Department of Motor...]
"The last thing I want to do is punish citizens of a state who would love to have a REAL ID license but can't get one," Chertoff said. "But in the end, the rule is the rule as passed by Congress."

The plan's chief critic, the American Civil Liberties Union, called Chertoff's deadline a bluff - and urged state governments to call him on it.

"Are they really prepared to shut those airports down? Which is what effectively would happen if the residents of those states are going to have to go through secondary scrutiny," said Barry Steinhardt, director of the ACLU's technology and liberty program. "This is a scare tactic."

So far, 17 states have passed legislation or resolutions objecting to the REAL ID Act's provisions, many due to concerns it will cost them too much to comply. The 17, according to the ACLU, are Arkansas, Colorado, Georgia, Hawaii, Idaho, Illinois, Maine, Missouri, Montana, Nebraska, Nevada, New Hampshire, North Dakota, Oklahoma, South Carolina, Tennessee and Washington.

Maine officials said Friday they were unsure if their own state law even allows them to ask for a waiver.

[AP photo caption: Homeland Security Secretary Michael Chertoff speaks at a news conference on REAL ID at the National...]

"It certainly seems to be an effort by the federal government to create compliance with REAL ID whether states have an interest in doing so or not," said Don Cookson, spokesman for the Maine secretary of state's office.

The Sept. 11 attacks were the main motivation for the changes: The hijacker-pilot who flew into the Pentagon, Hani Hanjour, had four driver's licenses and ID cards from three states.

The Homeland Security Department and other officials say the only way to ensure an ID is safe is to check it against secure government data; critics such as the ACLU say that creates a system that is more likely to be infiltrated and have its personal data pilfered.
Congress passed the REAL ID law in 2005, but the effort has been delayed by opposition from states worried about the cost and civil libertarians upset about what they believe are invasions of privacy.

Under the rules announced Friday, Americans born after Dec. 1, 1964, will have to get more secure driver's licenses in the next six years, over which time the new requirements would gradually be phased in. A key deadline would come in 2011, when federal authorities hope all states will be in compliance, and the regulations would not take full effect for all Americans until 2017.

To make the plan more appealing to cost-conscious states, federal authorities drastically reduced the expected cost from $14.6 billion to $3.9 billion, a 73 percent decline, said Homeland Security officials familiar with the plan.

By 2014, anyone seeking to board an airplane or enter a federal building would have to present a REAL ID-compliant card, with the notable exception of those older than 50, Homeland Security officials said. The over-50 exemption was created to give states more time to get everyone new licenses, and officials say the risk of someone in that age group being a terrorist, illegal immigrant or con artist is much less. By 2017, even those over 50 must have a REAL ID-compliant card to board a plane.

Among other details of the REAL ID plan:

* The traditional driver's license photograph would be taken at the beginning of the application instead of the end so that if someone is rejected for failure to prove identity and citizenship, the applicant's photo would be kept on file and checked if that person tried to con the system again.
* The cards will have three layers of security measures but will not contain microchips as some had expected. States will be able to choose from a menu which security measures they will put in their cards.
* After Social Security and immigration status checks become nationwide practice, officials plan to move on to more expansive security checks.
State DMV offices would be required to verify birth certificates; check with other states to ensure an applicant doesn't have more than one license; and check with the State Department to verify applicants who use passports to get a driver's license.

---

On the Net:
Homeland Security Department: http://www.dhs.gov/
ACLU Web site opposing REAL ID: http://www.realnightmare.org

From rforno at infowarrior.org Sat Jan 12 03:47:27 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 11 Jan 2008 22:47:27 -0500
Subject: [Infowarrior] - OT: Bill Gates' Last Day of Work
Message-ID:

Bill Gates' Last Day of Work
January 7, 2008 - 5:00 pm, By COED Staff

This is a video spoof shown during the CES 2008 keynote by Bill Gates describing what his last day at Microsoft will be like. Quite a few impressive cameos for a little video spoof.

< - >

http://www.coedmagazine.com/tech/4679

From rforno at infowarrior.org Sat Jan 12 14:05:35 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 12 Jan 2008 09:05:35 -0500
Subject: [Infowarrior] - FBI Agent Goes Public With Counterterror Critique
Message-ID:

Spytalk: FBI Agent Goes Public With Counterterror Critique
By Jeff Stein, CQ National Security Editor
http://public.cq.com/docs/hs/hsnews110-000002654526.html

Breaking silence and defying warnings from his FBI bosses, the agent whose internal protests revealed the bureau's illegal use of secret national security letters was scheduled to go public this weekend at an American Library Association conference.

Bassem Youssef, once the FBI's top Arab-American Middle East expert, "is expected to discuss a number of critical failures within the FBI's counterterrorism program . . . " the ALA said in a press release.

FBI officials last week demanded that Youssef clear any prepared remarks for the association's conclave in Philadelphia early Saturday morning, Jan. 12.
In response, Youssef, whom the CIA honored with a National Intelligence Medal for his undercover work against Islamic terrorists in the early 1990s, scrapped plans for a speech in favor of responding to questions from the audience.

"I had nothing to do with the press release," Youssef told me, before referring more questions on his remarks to his attorney. "It was something that the ALA put out, and I think the one sentence that caught their attention was that 'Mr. Youssef will be speaking out on failures of the FBI's counterterrorism division.'"

His supervisor "didn't like that and basically said that you need to have that pre-cleared and that speech needs to be pre-approved," Youssef said.

His lawyer, Stephen M Kohn, characterized the FBI's actions as a threat.

"They essentially have threatened Bassem. At first they granted the permission and then they turned around and threatened him with what he's going to talk about," Kohn said. "So he is making no presentation whatsoever. It's only going to be extemporaneous questions and answers that are all unprepared. The audience people can ask him a question and he'll do his best to answer it, and that's it. So there is no presentation anymore because the FBI has blocked that," Kohn said.

An FBI spokesman confirmed that Youssef had been warned not to give a speech without clearance. That process can take days, if not weeks.

Saturday's event marks the first time Youssef has talked publicly about FBI counterterrorism programs outside of remarks at closed law enforcement conferences and an interview with NBC News when he filed a discrimination suit against the bureau in 2003.

He said he was nervous about facing such an audience. "I am. It's not something I look forward to," he said. "There are people that are public speakers - that's not where I'm coming from."

Victim of Retaliation

The son of immigrant Christian Egyptians, Youssef grew up in Los Angeles and joined the FBI in 1982.
At one point he coordinated the bureau's investigation into the Islamic terrorists who carried out the first, 1993 bombing of the World Trade Center. Later he was put in charge of the FBI's liaison with seven Middle East countries from the U.S. Embassy in Saudi Arabia, where his work also won lavish praise from his bosses.

But on the eve of the Sept. 11 attacks, in what appears to be a bizarre case of mistaken identity, his superiors evidently confused him with one or more other Arab-American FBI agents who had received poor job performance evaluations and put him on the shelf.

Youssef complained to his congressman, Rep. Frank R. Wolf, R-Va., who abruptly summoned FBI Director Robert S. Mueller III to his office to meet with Youssef. Mueller's aides were incensed at Youssef's temerity, they later admitted in depositions. Eventually the FBI's Office of Professional Responsibility, which is responsible for reviewing misconduct allegations, found "sufficient circumstantial evidence" that they had retaliated against him.

But in the meantime, Youssef was relegated to jobs where his counterterrorism expertise, Arabic fluency and undercover experience went unused. At the same time, the FBI was struggling to find such skills to defend against new al Qaeda attacks. In 2005, Kohn got several high FBI officials to admit in his now infamous videotaped depositions that they didn't know the most basic facts about Islamic terrorism, including the difference between Sunnis and Shiites. Youssef's discrimination case is pending in U.S. District Court.

Youssef was eventually assigned to the FBI Headquarters' Communications Analysis Unit, which also boomeranged. He quickly discovered that supervisors were routinely, and falsely, claiming "emergencies" to obtain the telephone, financial, Internet and even library records of thousands of U.S. citizens via National Security Letters, or office warrants that supervisors could write for themselves without court approval.
The Justice Department's Inspector General would later find that the letters "contained factual misstatements," such as claims that the FBI had submitted subpoena requests to a U.S. attorney's office when, in fact, it hadn't. The IG also found the letters were often issued when there was no emergency.

Youssef promptly complained to the FBI General Counsel's office, according to a letter his lawyer, Kohn, sent to Sen. Charles E. Grassley, R-Iowa, a longtime critic of the FBI on the Judiciary Committee.

"At all times, the [National Security Law Branch] and the FBI [Office of the General Counsel] knew that the field offices and operational units were non-compliant in obtaining the legal documentation," Kohn wrote.

ALA vs. FBI

National security letters, or NSLs, had long nettled the American Library Association, which in 2003 passed a resolution condemning their use. Librarians were forbidden to tell patrons that their records had been reviewed by the FBI.

Kohn suggested that Youssef would draw a direct line on Saturday between the NSL excesses and a lack of terrorism expertise in the ranks of the FBI, for his audience of librarians.

"They're a strong civil liberties group, so what they need to understand is that the incompetence and lack of subject matter expertise in counterterrorism not only hurts the terrorism investigations but also impacts civil liberties," Kohn said. "For example, if a case agent can't understand the nature of a threat and classifies a benign incident as an emergency and gets a wiretap of some sort, or does an NSL search [of personal records] when there was no real reason to do it, you're violating privacy."

The FBI takes strenuous exception to charges that it lacks terrorism expertise and language capabilities.
"The FBI uses a combination of Special Agents, Language Analysts, and Contract Linguists to address its foreign language translation requirements, all with tested foreign language proficiency as determined by the Interagency Language Roundtable," FBI spokesman Richard Kolko said.

The number of FBI Special Agents who could speak at least some Arabic had increased from 29 to 46 since Sept. 11, 2001, he said. The number of Contract Linguists and Language Analysts "who meet FBI Arabic language test standards" has ballooned from 70 to 285 in the same period.

"The FBI also has access to the National Virtual Translation Center, which serves as the clearinghouse to provide timely and accurate translation of foreign intelligence for Intelligence Community agencies," Kolko added. "Although we always look to increase the numbers through our recruiting efforts, we have the tools available to do our job."

BACKCHANNEL CHATTER

My Dec. 20 column warning that "Libya is close to getting off the hook" for millions of dollars due families who suffered the loss of loved ones in the PanAm 103 and LaBelle discotheque bombings drew plenty of heat.

Some suggested that I had somehow taken Libya's side by merely reporting on the conclusion of a Scottish criminal commission that a "miscarriage of justice" might have occurred in the Pan Am trial. Critics who support that view point to the early suspicions of U.S. intelligence that an Iranian-backed terrorist group, the Popular Front for the Liberation of Palestine-General Command, had really downed the airliner (in response to the accidental downing of an Iranian passenger jet by a U.S. Navy ship six months earlier).

Critics also denounced my reporting that at least two informants had received million-dollar rewards for providing evidence against the Libyans.

One of those who wrote me was the FBI agent in charge of the U.S. side of the PanAm 103 case, retired Special Agent Richard Marquise.
After several e-mail exchanges, I invited him to write a critique for publication here. It is reproduced in its entirety below:

"We initially speculated it was the PFLP-GC based on events which had occurred in Germany in late 1988. We went with that premise until the painstaking evidence collection in Scotland (done by police officers not having any political agenda) turned the investigation in a different direction.

"By this time, we had reached an agreement with the CIA and other intelligence agencies to completely share information. With their assistance and the meticulous police investigation, this led to the eventual indictments.

"You quote several sources but Vince Cannistraro [the CIA official in charge of the agency's investigation of PanAm 103] retired before the evidence began to lead to Libya.

"Your quote 'more sinister factors were at work in the investigation' which was attributed to Professor Black and other 'authoritative sources close to the case' is taken from people who only know what they believe but have no inside information.

"I can promise you as a 31-year FBI veteran who was proud of my service to America; no sinister forces were ever involved. If you (or anyone) were to speak with Stuart Henderson (the Scottish Senior Investigating Officer) or myself, we would tell you we followed the evidence, the way we were trained and no political or sinister forces were involved. Libya was implicated because of the evidence, not because we wanted to blame someone other than Syrian-backed terrorists.

"Edwin Bollier, the Swiss businessman who made the timer which blew up Pan Am Flight 103, seems to forget he went to a US Embassy in January 1989 after reading in the news that the 'evidence' pointed to the PFLP-GC cell in Germany (and therefore to Syria). He left an unsigned note implicating Libya - long before we knew anything about the timer, MEBO or Bollier, as that evidence was not developed until nearly two years would pass.
"Since 1992, Bollier's story has changed. I would prefer to believe what he told a Swiss magistrate, the FBI and Scottish investigators in 1990 and 1991, not what he is now saying. I was the FBI official who met with Mr. Bollier in Washington, and I can assure you no one offered him (or any other witness for that matter) anything to implicate the Libyan Government."

Source: CQ Homeland Security
© 2008 Congressional Quarterly Inc. All Rights Reserved.

From rforno at infowarrior.org Sat Jan 12 14:09:41 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 12 Jan 2008 09:09:41 -0500
Subject: [Infowarrior] - Bipartisan REALID Objections Cite Security, Costs and Privacy
Message-ID:

ID Plan Is Broadly Criticized
Bipartisan Objections Cite Security, Costs and Privacy
http://www.washingtonpost.com/wp-dyn/content/article/2008/01/11/AR2008011103410_pf.html

By Dafna Linzer
Washington Post Staff Writer
Saturday, January 12, 2008; A02

A new Bush administration plan to create national standards for driver's licenses drew heavy criticism yesterday from civil liberties groups, some Republican and Democratic lawmakers, governors, and the travel industry.

The critics said the new licenses anticipated under the plan, which is aimed at screening out potential terrorists and uncovering illegal immigrants, could still be forged. They also complained that the program, known as Real ID, would be costly for states to implement, potentially restrict summer travel, and allow private companies access to the personal data of most U.S. citizens.

But they also welcomed yesterday's official announcement that states have until May 2011 before they need to begin issuing licenses that meet the department's new guidelines, and until December 2014 to begin replacing current licenses. Drivers over the age of 50 will not have to obtain new licenses until the end of 2017.
The deadline extensions give both Congress and future presidents time to reconsider what opponents have depicted as a national identification system that will infringe on privacy rights and leave room for large-scale identity theft.

"DHS has kicked the can down the road to the next administration, and conceivably the next two or three administrations," said Barry Steinhardt, a lawyer with the American Civil Liberties Union.

Already, 17 states have said they would either refuse to issue the new licenses or have asked Congress to repeal a 2005 law that required states to collect and store additional data on driver's license applicants, such as birth certificates, Social Security numbers and home addresses. Under Real ID, all new licenses would be machine-readable and contain personal information that could be scanned by governments and potentially by corporations.

At a news conference yesterday, Homeland Security Secretary Michael Chertoff said the guidelines represent a balance between security and privacy in accordance with the Real ID Act. He warned that residents in states such as Georgia and Washington, which have refused to comply with the program, may be subject to additional security checks or prevented from boarding flights once the program begins this spring. He urged those states to seek waivers to allow their residents to continue flying as of May 11, when the regulations begin to take effect.

The ACLU called Chertoff's warning an empty threat designed to pressure states to join the program. "The airline industry is not going to allow the federal government to prevent citizens of noncompliant states from getting on airplanes," said Timothy Sparapani, the group's senior legislative counsel, who added that "1.8 million people fly everyday and a sizable number leave from airports like Atlanta's Hartsfield Airport, which is one of the busiest in the country."
The Travel Industry Association of America welcomed "flexibility" from DHS on the program's implementation schedule but said "no American should be denied the right to travel because of disagreements between federal and state lawmakers."

State and local officials also expressed concerns. In a joint statement, the National Governors Association, the National Conference of State Legislatures and the American Association of Motor Vehicle Administrators said they need time "to determine whether the act can be implemented in a cost-effective and feasible manner."

DHS estimated that the program will cost states $3.9 billion to implement, a significant decrease from earlier estimates as high as $14 billion. But many state officials have said the financial burden is still too great.

Sen. Olympia J. Snowe (R-Maine), whose state is among those resisting the program, said it is "unrealistic to expect our state to conform" when "the federal government has only provided a mere 3 percent of the funds needed for implementation."

Rep. F. James Sensenbrenner Jr. (R-Wis.), who originally sponsored the Real ID Act, said he, too, is disappointed, saying the program was conceived as a way to prevent potential terrorists from obtaining driver's licenses, as some of the Sept. 11, 2001, hijackers did.

"While this phased-in enrollment of the law may save states some operational funds, it is important to realize that by pushing back the original 3-year deadline till 2017, a full 12 years after the law was enacted, DHS is weakening the intent of the law," Sensenbrenner said in a statement. "A lot can happen in the next 9 years, and I hope our nation does not encounter a situation in that time that will cause us to regret this delay."
From rforno at infowarrior.org Sat Jan 12 14:14:01 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 12 Jan 2008 09:14:01 -0500
Subject: [Infowarrior] - Windows Vista, Office 2007 Expelled From British Schools
Message-ID:

Windows Vista, Office 2007 Expelled From British Schools
A British educational report suggests the upgrade would increase costs and create software compatibility problems while providing little benefit.

By Paul McDougall, InformationWeek
Jan. 11, 2008
URL: http://www.informationweek.com/story/showArticle.jhtml?articleID=205602879

The agency that governs educational technology in the United Kingdom has advised schools in the country to keep Microsoft's Windows Vista operating system and its Office 2007 software out of the classroom and administrative offices.

"Upgrading existing ICT systems to Microsoft Vista or Office 2007 is not recommended," said the British Educational Communications and Technology Agency, also known as Becta, in a report issued this week.

Becta officials said a study the group commissioned found that upgrading school systems from Windows XP to Vista and Office 2007 would increase costs and create software compatibility problems while providing little benefit.

"Our advice is to be sure there is a strong business case for upgrading to these products as the costs are significant and the benefits remain unclear," said Stephen Lucy, Becta's executive director of strategic technologies, in a statement.

Becta also singled out for criticism Microsoft's failure to support the Open Document Format -- which is recognized by the International Organization for Standardization -- in Office 2007. Instead, the software uses a new Microsoft format called Office Open XML. "Microsoft should provide native support for the ODF file format increasingly used in competitor products and those that are free to use," Becta said in its report.

The agency said U.K. schools can consider using Vista or Office 2007 software only when they are buying new batches of PCs. Even then, however, they're advised to take a long look at alternatives based on Linux and other open source products, such as the OpenOffice.org desktop package.

"Schools and colleges should make pupils, teachers and parents aware of the range of free-to-use products (such as office productivity suites) that are available, and how to use them," Becta said.

The report's conclusions could end up costing Microsoft millions of dollars in lost sales in the U.K. public-sector market.

Becta's advisory mirrors similar moves taken by public agencies in the United States. Last year, the Department of Transportation placed a ban on the use of Windows Vista, Office 2007, and Internet Explorer 7 because of cost and compatibility concerns.

Copyright © 2007 CMP Media LLC

From rforno at infowarrior.org Sat Jan 12 14:15:31 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 12 Jan 2008 09:15:31 -0500
Subject: [Infowarrior] - Open-source security moves to next step
Message-ID:

Open-source security moves to next step
By Peter Judge
http://www.news.com/Open-source-security-moves-to-next-step/2100-1002_3-6225700.html
Story last modified Fri Jan 11 09:35:10 PST 2008

Source code analysis expert Coverity has found and helped fix more than 7,500 security flaws in open-source software, and published a list of the 11 open-source projects working fastest to sort them out. The work is part of a U.S. government-backed project to harden open-source code.

"We applaud the developers responsible for the 11 open-source projects that have advanced to the second rung of code security and quality," said David Maxwell, open-source strategist for Coverity.

The Open Source Hardening Project, sponsored by the U.S. Department of Homeland Security, uses Coverity's Scan, which grades projects on a "ladder" according to their progress at fixing and preventing flaws.
Eleven projects have been awarded the newly announced status of Rung 2, including those known as Amanda, NTP, OpenPAM, OpenVPN, Overdose, Perl, PHP, Postfix, Python, Samba, and TCL. According to Coverity, this new development means users will be able to "select these open-source applications with even greater confidence." Several other projects are expected to advance to Rung 2 over the next few months.

The Open Source Hardening Project began in January 2006 and was expanded early in 2007 to cover a list of 150 projects. Coverity uses static source-code analysis to spot errors in code, such as open brackets.

Projects on Rung 2 will move on to use the company's "satisfiability" techniques, which use a bit-accurate representation of a software system, translating every relevant software operation into Boolean values (true and false) and Boolean operators (such as and, not, or). Coverity claims this type of analysis is a first in commercial programming and is able to spot hundreds more bugs than the tools available on Rung 1.

Although the project is clearly improving the security of open-source software, some have expressed concern that coverage of its results may produce bad publicity in the form of headlines about security flaws in open-source software.

Peter Judge of ZDNet UK reported from London.

Copyright © 1995-2008 CNET Networks, Inc. All rights reserved.

From rforno at infowarrior.org Sat Jan 12 15:12:55 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 12 Jan 2008 10:12:55 -0500
Subject: [Infowarrior] - FW: mifare insecurity
In-Reply-To: <200801121121.10334.starbug@berlin.ccc.de>
Message-ID:

For those following RFID security issues, this has the potential to undermine many enterprise and national-level initiatives (ie, RFID passports) that mandate proven-vulnerable RFID implementations.....yet I doubt such revelations will do anything to force a revisit of the underlying architecture -- no, that'd make too much sense, right?
--rf

------ Forwarded Message
From: Jan Krissler
Organization: Chaos Computer Club
Date: Sat, 12 Jan 2008 11:20:45 +0100

Hi.

Maybe some of you are using Mifare based RFID systems for payment or access control. You should start to migrate soon. As shown on the 24th Chaos Communication Congress

http://berlin.ccc.de/~24c3_torrents/24c3-2378-en-mifare_security.mkv.torrent

the proprietary crypto algorithm used in Mifare is not a secret anymore. We haven't disclosed it yet but we will as soon as a practical implementation is done.

Bye

You should also have a look at the other talk from the 24c3
http://berlin.ccc.de/~24c3_torrents/

From rforno at infowarrior.org Sun Jan 13 04:28:46 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 12 Jan 2008 23:28:46 -0500
Subject: [Infowarrior] - Report: Infosec at TSA's Traveller Redress website
Message-ID:

Friday, January 11, 2008
Defense and Security
Chairman Waxman Releases Report on Information Security Breach at TSA's Traveler Redress Website
http://oversight.house.gov/story.asp?ID=1680

In October 2006, the Transportation Security Administration launched a website to help travelers whose names were erroneously listed on airline watch lists. This redress website had multiple security vulnerabilities: it was not hosted on a government domain; its homepage was not encrypted; one of its data submission pages was not encrypted; and its encrypted pages were not properly certified. These deficiencies exposed thousands of American travelers to potential identity theft.

After an internet blogger identified these security vulnerabilities in February 2007, the website was taken offline and replaced by a website hosted on a Department of Homeland Security domain. At the request of Chairman Henry Waxman, Committee staff have been investigating how TSA could have launched a website that violated basic operating standards of web security and failed to protect travelers' sensitive personal information.
As this report describes, these security breaches can be traced to TSA's poor acquisition practices, conflicts of interest, and inadequate oversight. The report finds:

o TSA awarded the website contract without competition. TSA gave a small, Virginia-based contractor called Desyne Web Services a no-bid contract to design and operate the redress website. According to an internal TSA investigation, the "Statement of Work" for the contract was "written such that Desyne Web was the only vendor that could meet program requirements."

o The TSA official in charge of the project was a former employee of the contractor. The TSA official who was the "Technical Lead" on the website project and acted as the point of contact with the contractor had an apparent conflict of interest. He was a former employee of Desyne Web Services and regularly socialized with Desyne's owner.

o TSA did not detect the website's security weaknesses for months. The redress website was launched on October 6, 2006, and was not taken down until after February 13, 2007, when an internet blogger exposed the security vulnerabilities. During this period, TSA Administrator Hawley testified before Congress that the agency had assured "the privacy of users and the security of the system" before its launch. Thousands of individuals used the insecure website, including at least 247 travelers who submitted large amounts of personal information through an insecure webpage.

o TSA did not provide sufficient oversight of the website and the contractor. The internal TSA investigation found that there were problems with the "planning, development, and operation" of the website and that the program managers were "overly reliant on contractors for information technology expertise" and had failed to properly oversee the contractor, which as a result, "made TSA vulnerable to non-performance and poor quality work by the contractor."
Neither Desyne nor the Technical Lead on the traveler redress website has been sanctioned by TSA for their roles in the deployment of an insecure website. TSA continues to pay Desyne to host and maintain two major web-based information systems: TSA's claims management system and a governmentwide traveler redress program. TSA has taken no steps to discipline the Technical Lead, who still holds a senior program management position at TSA.

From rforno at infowarrior.org Sun Jan 13 20:38:53 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 13 Jan 2008 15:38:53 -0500
Subject: [Infowarrior] - Drug Ads Raise Legislators' Blood Pressure
Message-ID:

I'm all for investigation and the hopeful reduction of such ads that are solely designed to get people to ask their doctor if DRUG$ "is right for you" -- watching TV these days it's absurd the number of drug ads you see, and the number of times you hear the litany of side-effects they rattle off........besides it's amusing how a drug to cure one male problem suddenly gets marketed as a curative if you've got a ton of other common conditions as well.....I say enough! -- rf

Drug Ads Raise Legislators' Blood Pressure
http://www.prwatch.org/node/6886

The U.S. Congress is investigating "the pharmaceutical industry's use of celebrity endorsements in direct-to-consumer (DTC) advertisements." First up are ads for Pfizer's cholesterol drug Lipitor, which feature the inventor of the artificial heart, Dr. Robert Jarvik. In the ads, Jarvik says, "Just because I'm a doctor doesn't mean I don't worry about my cholesterol." Representative John Dingell noted, "Dr. Jarvik appears to be giving medical advice, but apparently, he has never obtained a license to practice or prescribe medicine." Dingell is leading the investigation, along with Representative Bart Stupak.
The lawmakers are asking Pfizer for "all of its records -- including contracts, e-mails and correspondence -- related to the advertising campaign, as well as all records related to Jarvik's financial association with the firm" and "materials detailing Jarvik's professional qualifications, his own use of Lipitor, and Pfizer's rationale for featuring him in the campaign." Other celebrity drug endorsers include former Senator Bob Dole and athletes Magic Johnson and Cal Ripken.

From rforno at infowarrior.org Sun Jan 13 20:50:05 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 13 Jan 2008 15:50:05 -0500
Subject: [Infowarrior] - Army looking for "Celebrity Rock Band"
Message-ID:

Professional Celebrity Rock Music Band, group not to exceed seven people for tour of FOB's in Kuwait and Afghanistan for February 4-13 2008. The band should be an active rock band, with a music genre consisting of Southern Rock, Pop Rock, Post-Grunge and Hard Rock. At least one member of the band should be recognizable as a professional celebrity. Protective military equipment, such as kevlar, body armour, eye and ear protection will be provided when the group is travelling on military rotary or fixed wing aircraft.

< - >

http://www1.fbo.gov/spg/USA/DABN/DABN03/W912PE08T0064/SynopsisP.html

From rforno at infowarrior.org Mon Jan 14 18:34:52 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 14 Jan 2008 13:34:52 -0500
Subject: [Infowarrior] - "DYSFUNCTIONAL" INFORMATION RESTRICTIONS
Message-ID:

(c/o SecrecyNews)

AN INSIDE VIEW OF "DYSFUNCTIONAL" INFORMATION RESTRICTIONS

Much of the criticism directed at government secrecy is predicated on the idea that secrecy impedes government accountability and degrades public participation in the deliberative process. But the secrecy system is also subject to growing internal criticism on altogether different grounds: namely, that it "has become dysfunctional in the face of current needs of national security."
"The philosophy behind the policies for secrecy needs to move into the 21st Century and away from the WWII model which was deny to the enemy, grant to as few as possible," said M.E. Bowman, a former FBI intelligence official who returned to government last year in a senior counterintelligence capacity.

"Today, in an information sharing environment USG [U.S. Government] personnel are just about always going to be in violation of one executive order (classification or access) or another (sharing). I truly believe that the USG would be better served with a different philosophy behind classification and access," he told Secrecy News.

"I have never lost a court case on protecting secrecy, but that is because the criteria permitted me to win. In fact, a lot of the seminal FOIA law is argument that I developed in litigation. [But] I think the time is long past when we need to amend the criteria."

Mr. Bowman elaborated his critique of the existing information security regime in an article that appeared last year in Intelligencer, the journal of the Association of Former Intelligence Officers.

See "Dysfunctional Information Restrictions" by M.E. Bowman, Intelligencer, Fall/Winter 2006-2007, posted with the permission of the Association of Former Intelligence Officers (www.afio.com):
http://www.fas.org/sgp/eprint/bowman.pdf

"Despite the obvious difficulties, the need is real and of such a magnitude that changes to our heritage of information restrictions simply cannot be placed in the 'too hard' box," he wrote. "We must update our philosophies of access and control, [and] change the guidelines that proceed from those philosophies."
From rforno at infowarrior.org Tue Jan 15 03:57:13 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 14 Jan 2008 22:57:13 -0500
Subject: [Infowarrior] - New US plan for Internet surveillance in the works
Message-ID:

(I'll have more salient comments later this week as I learn more, but from what I've seen here and been briefed on elsewhere, this is a disaster for all involved on a variety of issues from privacy to implementation to network survivability...........rf)

US drafting plan to allow government access to any email or Web search
RAW STORY
Published: Monday January 14, 2008
http://rawstory.com/news/2007/US_drafting_plan_to_allow_government_0114.html

National Intelligence Director Mike McConnell is drawing up plans for cyberspace spying that would make the current debate on warrantless wiretaps look like a "walk in the park," according to an interview published in the New Yorker's print edition today.

Debate on the Foreign Intelligence Surveillance Act "will be a walk in the park compared to this," McConnell said. "This is going to be a goat rope on the Hill. My prediction is that we're going to screw around with this until something horrendous happens."

The article, which profiles the 65-year-old former admiral appointed by President George W. Bush in January 2007 to oversee all of America's intelligence agencies, was not published on the New Yorker's Web site.

McConnell is developing a Cyber-Security Policy, still in the draft stage, which will closely police Internet activity.

"Ed Giorgio, who is working with McConnell on the plan, said that would mean giving the government the authority to examine the content of any e-mail, file transfer or Web search," author Lawrence Wright pens.

"Google has records that could help in a cyber-investigation, he said," Wright adds.
"Giorgio warned me, 'We have a saying in this business: "Privacy and security are a zero-sum game."'"

A zero-sum game is one in which gains by one side come at the expense of the other. In other words -- McConnell's aide believes greater security can only come at privacy's expense.

McConnell has been an advocate for computer-network defense, which has previously not been the province of any intelligence agency.

According to a 2007 conversation in the Oval Office, McConnell told President Bush, "If the 9/11 perpetrators had focused on a single US bank through cyber-attack and it had been successful, it would have an order of magnitude greater impact on the US economy." Bush turned to Treasury Secretary Henry Paulson, asking him if it was true; Paulson said that it was. Bush then asked McConnell to come up with a network security strategy.

"One proposal of McConnell's Cyber-Security Policy, which is still in the draft stage, is to reduce the access points between government computers and the Internet from two thousand to fifty," Wright notes. "He claimed that cyber-theft accounts for as much as a hundred billion dollars in annual losses to the American economy. 'The real problem is the perpetrator who doesn't care about stealing -- he just wants to destroy.'"

The infrastructure to tap into Americans' email and web search history may already be in place. In November, a former technician at AT&T alleged that the telecom forwarded virtually all of its Internet traffic into a "secret room" to facilitate government spying.

Whistleblower Mark Klein said that a copy of all Internet traffic passing over AT&T lines was copied into a locked room at the company's San Francisco office -- to which only employees with National Security Agency clearance had access -- via a cable splitting device.

"My job was to connect circuits into the splitter device which was hard-wired to the secret room," Klein said. "And effectively, the splitter copied the entire data stream of those Internet cables into the secret room -- and we're talking about phone conversations, email, web browsing, everything that goes across the Internet."

"As a technician, I had the engineering wiring documents, which told me how the splitter was wired to the secret room," Klein continued. "And so I know that whatever went across those cables was copied and the entire data stream was copied."

According to Klein, that information included Internet activity about Americans. "We're talking about domestic traffic as well as international traffic," Klein said. Previous Bush administration claims that only international communications were being intercepted aren't accurate, he added.

"I know the physical equipment, and I know that statement is not true," he added. "It involves millions of communications, a lot of it domestic communications that they're copying wholesale."

From rforno at infowarrior.org Tue Jan 15 03:58:54 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 14 Jan 2008 22:58:54 -0500
Subject: [Infowarrior] - FBI wants instant access to British identity data
Message-ID:

FBI wants instant access to British identity data
Americans seek international database to carry iris, palm and finger prints

Owen Bowcott
Tuesday January 15, 2008
The Guardian
http://www.guardian.co.uk/humanrights/story/0,,2241005,00.html

Senior British police officials are talking to the FBI about an international database to hunt for major criminals and terrorists.

The US-initiated programme, "Server in the Sky", would take cooperation between the police forces way beyond the current faxing of fingerprints across the Atlantic. Allies in the "war against terror" - the US, UK, Australia, Canada and New Zealand - have formed a working group, the International Information Consortium, to plan their strategy.
Biometric measurements, irises or palm prints as well as fingerprints, and other personal information are likely to be exchanged across the network. One section will feature the world's most wanted suspects. The database could hold details of millions of criminals and suspects.

The FBI is keen for the police forces of American allies to sign up to improve international security. The Home Office yesterday confirmed it was aware of Server in the Sky, as did the Metropolitan police.

The plan will make groups anxious to safeguard personal privacy question how much access to UK databases is granted to foreign law enforcement agencies. There will also be concern over security, particularly after embarrassing data losses within the UK, and accuracy: in one case, an arrest for a terror offence by US investigators used what turned out to be misidentified fingerprint matches.

Britain's National Policing Improvement Agency has been the lead body for the FBI project because it is responsible for IDENT1, the UK database holding 7m sets of fingerprints and other biometric details used by police forces to search for matches from scenes of crimes. Many of the prints are either from a person with no criminal record, or have yet to be matched to a named individual.

IDENT1 was built by the computer technology arm of the US defence company Northrop Grumman. In future it is expected to hold palm prints, facial images and video sequences. A company spokeswoman confirmed that Northrop Grumman had spoken to the FBI about Server in the Sky. "It can run independently but if existing systems are connected up to it then the intelligence agencies would have to approve," she said.

The FBI told the Guardian: "Server in the Sky is an FBI initiative designed to foster the advanced search and exchange of biometric information on a global scale.
While it is currently in the concept and design stages, once complete it will provide a technical forum for member nations to submit biometric search requests to other nations. It will maintain a core holding of the world's 'worst of the worst' individuals. Any identifications of these people will be sent as a priority message to the requesting nation."

In London, the NPIA confirmed it was aware of Server in the Sky but said it was "too early to comment on what our active participation might be".

The FBI is proposing to establish three categories of suspects in the shared system: "internationally recognised terrorists and felons", those who are "major felons and suspected terrorists", and finally those who are the subjects of terrorist investigations or criminals with international links.

Tom Bush, assistant director at the FBI's criminal justice information service, has said he hopes to see a pilot project for the programme up and running by the middle of the year.

Although each participating country would manage and secure its own data, the sharing of personal data between countries is becoming an increasingly controversial area of police practice. There is political concern at Westminster about the public transparency of such cooperation.

A similar proposal has emerged from the EU for closer security cooperation between the security services and police forces of member states, including allowing countries to search each other's databases. Under what is known as the Prum treaty, there are plans to open up access to DNA profiles, fingerprints and vehicle registration numbers.
From rforno at infowarrior.org Tue Jan 15 03:59:58 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 14 Jan 2008 22:59:58 -0500
Subject: [Infowarrior] - Google can bid in wireless auction: regulators
Message-ID:

Google can bid in wireless auction: regulators
Mon Jan 14, 2008 6:36pm EST
By Peter Kaplan
http://www.reuters.com/article/businessNews/idUSN1447941620080114?feedType=RSS&feedName=businessNews&rpc=23&sp=true

WASHINGTON (Reuters) - Communications regulators have cleared Google Inc (GOOG.O) to bid in an upcoming auction of coveted wireless airwaves, according to auction documents released by the Federal Communications Commission on Monday.

Google was among a list of potential bidders released by the FCC that have made a required up-front payment and have been cleared to take part in the high-stakes 700 megahertz wireless auction.

The auction is scheduled to begin on January 24 and expected to raise at least $10 billion for the U.S. government from airwaves being returned by television broadcasters as they move to digital from analog signals in early 2009.

As expected, the list of qualified bidders also included U.S. wireless providers AT&T Inc (T.N) and Verizon Wireless, a joint venture of Verizon Communications Inc (VZ.N) and Vodafone Group Plc (VOD.L), as well as ventures involving EchoStar Communications Corp (DISH.O), Cablevision Systems Corp (CVC.N), Qualcomm Inc (QCOM.O) and Microsoft Corp (MSFT.O) co-founder Paul Allen.

On a separate list of potential bidders that did not qualify for the auction was a venture affiliated with Frontline Wireless, a start-up that had proposed to build a national network using a block of spectrum to be shared with public safety agencies.
A Frontline official said last week that Frontline was "closed at this time" and declined further comment.

The 700-megahertz signals are valuable because they can go long distances and penetrate thick walls. The spectrum is to be auctioned off in several different blocks, ranging from smaller regional blocks to large, nationwide ones.

Up-front payments for the spectrum licenses can range from several thousand dollars to more than $100 million, depending on the size of the license a company is seeking.

The auction is seen as a last opportunity for a new player to enter the wireless market. Google and other Silicon Valley leaders see the wireless spectrum as a way to create more open competition for mobile services and devices than those available on existing networks.

(Editing by Andre Grenon)

© Reuters 2008 All rights reserved

From rforno at infowarrior.org Tue Jan 15 04:02:58 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 14 Jan 2008 23:02:58 -0500
Subject: [Infowarrior] - More on US Internet spy plan (PDF link)
Message-ID:

The PDF of the full New Yorker article mentioned in my earlier post.....

http://shining.celebi.googlepages.com/WashWire.pdf

From rforno at infowarrior.org Tue Jan 15 04:35:50 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 14 Jan 2008 23:35:50 -0500
Subject: [Infowarrior] - CO's First Responder PKI Initiative raises questions
Message-ID:

Here's some information regarding what is described to me as Colorado "backdooring" the REAL ID Act while it moves to develop a PKI system for the issuance of identifying credentials for its many first responders. While I have included a few of the more salient issues below, you can find the full documents and referenced State policies at the following location: http://www.infowarrior.org/stuff/RFID/.
Of those documents - many of which are background references - perhaps the most important one is "Questions for State of CO for First Responder Identity Credentials (COFRAC v.3 Standard) and RFP PVR-00012-08." IMHO there are some pretty serious allegations on a wide range of items presented that should be responded to quickly and publicly given the many political, technical, and privacy issues associated with such programs. That said, I wonder how many other states' activities with ramifications for REAL ID are being run in a similar fashion? -rick

< - >

Source: Anonymous

CO HJR 1047 specifically opposes any portion of the REAL ID Act that violates the rights and liberties guaranteed under the Colorado Constitution or the US Constitution, including the Bill of Rights, yet the Identity Management Director in Governor Ritter's OIT is ramrodding this so called Best Practice Standard through with an RFP posted on the COBIDS system (state Procurement). Under the auspices of preparing the Colorado First Responders for the Democratic National Convention to be held in Denver in August, the standards and the RFP are being promoted in an extremely short timeframe.

Why were meetings to develop Best Practice Standards held in secret? Also these meetings appear to be in direct violation of the CO Sunshine Law?

Why was there no public comment period before this policy was released to RFP?

Who will be doing the State of Colorado Independent Verification and Validation process to insure the citizens' and first responders' identities will be safe in this planned database of identities, to ensure the security, confidentiality, and integrity of their Personal Identifying Information?

...

And most importantly from a pure privacy view....

This policy has serious privacy implications, especially since the implementing system would be classified as a "system of record".

a) Privacy Impact Assessment (PIA) is mentioned in the acronyms section, and is a "lofty principle" that is "more responsive to privacy needs" on Page 10, but HOW to achieve this is not spelled out anywhere.
i) No provisions for user notification on usage of the information
ii) No choice for opt-in or ability to opt-out
iii) Usage policy not specified and how data can be utilized
iv) Ability to correct errors by data owner or redress mechanism not in place
v) Security of the backend database not specified
b) The barcode technology was turned down according to Gov. Ritter as being insecure and Colorado Law was put in place against the Real ID Act, yet this proposed policy has those same technologies in it. Are our First Responders' Identities LESS IMPORTANT??

From rforno at infowarrior.org Tue Jan 15 04:44:51 2008 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 14 Jan 2008 23:44:51 -0500 Subject: [Infowarrior] - EFF's 17th birthday bash: Jan 15 Message-ID: EFF's 17th birthday bash: Jan 15, San Francisco http://www.boingboing.net/2008/01/07/effs-17th-birthday-b.html If you find yourself anywhere near San Francisco next Tuesday, hit the Electronic Frontier Foundation's birthday bash: The birthday bash will be on January 15, 7-11 PM, at 111 Minna Gallery in San Francisco. Headliners Adrian & the Mysterious D (A+D), the DJ duo that founded the seminal mashup party "Bootie," will be dropping a shameless, genre-smashing blend of tracks, backed up by DJ sets from Bay Area copyfighters Ripley, Kid Kameleon and EFF's own J Tones and Qubitsu. The EFF party will also feature an exclusive chocolate sampling with TCHO, "a new chocolate company for a new generation of chocolate enthusiasts." Founded by Wired co-founder Louis Rossetto and legendary chocolatier Timothy Childs, himself a former technologist, TCHO will be bringing a "beta release" of its best dark chocolate to the party table. Attendees are invited to vote for their favorite TCHO beta chocolate flavors at the party -- feedback that will help define TCHO's next steps as they gear up for a national release.
January 15, 7-10 PM 111 Minna Gallery 111 Minna Street San Francisco, CA From rforno at infowarrior.org Tue Jan 15 13:04:43 2008 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 15 Jan 2008 08:04:43 -0500 Subject: [Infowarrior] - Myspace Safety & Security Statement Message-ID: From: http://online.wsj.com/article/SB120032570019988591.html?mod=googlenews_wsj Text of MySpace Statement January 14, 2008 10:57 a.m. Attorneys General Praise MySpace Safety Efforts and Call for Broad Adoption; Endeavor to Include New Protections for Teens and Tools for Parents NEW YORK---January 14, 2008-- In a joint effort to increase the safety of teens online, MySpace and Attorneys General in the Multi-State Working Group on Social Networking representing 49 states and the District of Columbia today unveiled a Joint Statement on Key Principles of Social Networking Sites Safety designed for industry-wide adoption. This common set of Principles relates to online safety tools, technology, education and law enforcement cooperation. The Attorneys General praised MySpace for its efforts to date, the progress it has made in improving online safety and its continued efforts to make specific improvements over the coming months. The Joint Statement on Key Principles of Social Networking Sites Safety recognizes that an ongoing industry effort is required to keep up with the latest technological developments and to find additional ways to protect teens. The Attorneys General called on other social networking sites and Internet providers with community features to adopt the Principles and bring their sites up to par with MySpace in terms of safety. The Joint Statement on Key Principles of Social Networking Sites Safety was announced in New York City by Attorneys General Richard Blumenthal of Connecticut, Roy Cooper of North Carolina and Hemanshu Nigam, Chief Security Officer for MySpace and Fox Interactive Media. 
They were joined by Attorneys General Marc Dann of Ohio and Tom Corbett of Pennsylvania, members of the Executive Committee of the Multi-State who participated in the development and adoption of the Principles. Attorney General Anne Milgram of New Jersey and a representative of New York Attorney General Andrew Cuomo were also present to endorse the Principles. On behalf of MySpace, Chief Security Officer Hemanshu Nigam said, "We thank the Attorneys General for a thoughtful and constructive conversation on Internet safety. This is an industry-wide challenge and we must all work together to create a safer Internet. The Principles we have adopted set forth what the industry needs to strive towards to provide a safer online experience for teens and we look forward to sharing our ongoing safety innovations with other companies." The Principles of Social Networking fall into four categories: -- Site Design and Functionality. The Principles incorporate safety initiatives that MySpace has already implemented (Appendix A attached) and initiatives it will work to implement in the coming months (Appendix B attached). Examples of safety features MySpace has in place include reviewing every image and video uploaded to the site, reviewing the content of Groups, making the profiles of 14 and 15 year old users automatically private and protecting them from being contacted by adults that they don't already know in the physical world, and deleting registered sex offenders from MySpace. Examples of improvements MySpace will make include defaulting 16 and 17 year old users' profiles to private and strengthening the technology that enforces the site's minimum age of 14. -- Education and Tools for Parents, Educators and Children. The Principles acknowledge that MySpace has already been devoting meaningful resources to Internet safety education including a new online safety public service announcement targeted at parents and free parental software that is under development. 
MySpace will explore the establishment of a children's email registry that will empower parents to prevent their children from having access to MySpace or any other social networking site. In addition, under the Principles MySpace will increase its communications with consumers who report a complaint about inappropriate content or activity on the site. -- Law Enforcement Cooperation. The Attorneys General view MySpace's cooperation with law enforcement, which includes a 24-hour hotline, to be a model for the industry. The parties will continue to work together to enhance the ability of law enforcement officials to investigate and prosecute Internet crimes. -- Online Safety Task Force. As part of the Principles, MySpace will organize, with the support of the Attorneys General, an industry-wide Internet Safety Technical Task Force to develop online safety tools, including a review of identity authentication tools. While existing age verification and identity products are not an effective safety tool for social networking sites, the Task Force will explore all new technologies that can help make users more safe and secure including age verification. The Task Force will include Internet businesses, identity authentication experts, non-profit organizations, academics and technology companies. Ernie Allen, President and Chief Executive of the National Center for Missing and Exploited Children, has agreed that his organization will serve on the new Internet Safety Technical Task Force. Said Allen, "Today millions of teens use social networking sites. MySpace has taken significant steps to be more secure and private and to identify those who attempt to do harm on their site. The collaborative effort between MySpace and the Attorneys General is a major step that will make using social networking sites much safer for teens."
About MySpace MySpace, a unit of Fox Interactive Media Inc., is the premier lifestyle portal for connecting with friends, discovering popular culture, and making a positive impact on the world. By integrating web profiles, blogs, instant messaging, e-mail, music streaming, music videos, photo galleries, classified listings, events, groups, college communities, and member forums, MySpace has created a connected community. As the first ranked web domain in terms of page views(1), MySpace is the most widely-used and highly regarded site of its kind and is committed to providing the highest quality member experience. MySpace will continue to innovate with new features that allow its members to express their creativity and share their lives, both online and off. MySpace's international network includes more than 20 localized community sites in the United States, Canada, Latin America, Mexico, Australia, Finland, Germany, Italy, Norway, Sweden, Switzerland, UK, Denmark, France, Ireland, Netherlands, Spain, Austria, Japan, New Zealand and Brazil. Fox Interactive Media is a division of News Corp. (NYSE:NWS) (NYSE:NWS.A) (ASX:NWS) (ASX:NWSLV). (1) Among the top 2000 domains comScore Media Metrix, November 2007. For more information on comScore Networks, please go to http://www.comscore.com. From rforno at infowarrior.org Wed Jan 16 03:15:25 2008 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 15 Jan 2008 22:15:25 -0500 Subject: [Infowarrior] - Microsoft seeks patent for office 'spy' software Message-ID: From The Times January 15, 2008 Microsoft seeks patent for office 'spy' software Alexi Mostrous and David Brown http://technology.timesonline.co.uk/tol/news/tech_and_web/article3193480.ece Microsoft is developing Big Brother-style software capable of remotely monitoring a worker's productivity, physical wellbeing and competence.
The Times has seen a patent application filed by the company for a computer system that links workers to their computers via wireless sensors that measure their metabolism. The system would allow managers to monitor employees' performance by measuring their heart rate, body temperature, movement, facial expression and blood pressure. Unions said they fear that employees could be dismissed on the basis of a computer's assessment of their physiological state. Technology allowing constant monitoring of workers was previously limited to pilots, firefighters and Nasa astronauts. This is believed to be the first time a company has proposed developing such software for mainstream workplaces. Microsoft submitted a patent application in the US for a "unique monitoring system" that could link workers to their computers. Wireless sensors could read "heart rate, galvanic skin response, EMG, brain signals, respiration rate, body temperature, movement facial movements, facial expressions and blood pressure", the application states. The system could also "automatically detect frustration or stress in the user" and "offer and provide assistance accordingly". Physical changes to an employee would be matched to an individual psychological profile based on a worker's weight, age and health. If the system picked up an increase in heart rate or facial expressions suggestive of stress or frustration, it would tell management that he needed help. The Information Commissioner, civil liberties groups and privacy lawyers strongly criticised the potential of the system for "taking the idea of monitoring people at work to a new level". Hugh Tomlinson, QC, an expert on data protection law at Matrix Chambers, told The Times: "This system involves intrusion into every single aspect of the lives of the employees.
It raises very serious privacy issues." Peter Skyte, a national officer for the union Unite, said: "This system takes the idea of monitoring people at work to a new level with a new level of invasiveness but in a very old-fashioned way because it monitors what is going in rather than the results." The Information Commissioner's Office said: "Imposing this level of intrusion on employees could only be justified in exceptional circumstances." The US Patent Office confirmed last night that the application was published last month, 18 months after being filed. Patent lawyers said that it could be granted within a year. Microsoft last night refused to comment on the application, but said: "We have over 7,000 patents worldwide and we are proud of the quality of these patents and the innovations they represent. As a general practice, we do not typically comment on pending patent applications because claims made in the application may be modified through the approval process." From rforno at infowarrior.org Wed Jan 16 13:17:36 2008 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 16 Jan 2008 08:17:36 -0500 Subject: [Infowarrior] - Booz Allen in Talks to Sell Government Unit to Carlyle Message-ID: Booz Allen Is in Talks to Sell Government Unit to Carlyle Defense Consultant Expected to Draw Price of $2 Billion By MATTHEW KARNITSCHNIG and AUGUST COLE January 16, 2008; Page C5 http://online.wsj.com/article/SB120044699286092979.html?mod=googlenews_wsj Booz Allen Hamilton Inc. is in discussions to sell its government-consulting business to private-equity firm Carlyle Group, according to people familiar with the situation. The deal would be centered on Booz Allen's influence in defense and intelligence contracting. If an agreement is reached, the sale price will likely be around $2 billion, the people say. Booz Allen has held talks with other private-equity firms as part of a debate about the McLean, Va., company's future.
For Carlyle, a deal would complement the Washington firm's extensive holdings in aerospace and defense. Any deal would be significant for the Pentagon, the intelligence community and lawmakers, as well as the biggest firms in the defense sector. Booz Allen, once primarily a management consultant to corporations, now plays a major role in some of the costliest and most complex defense projects. The company has extensive government contracts -- totaling more than $2 billion a year -- with the Pentagon, intelligence services and various civilian agencies, including the Department of Homeland Security. Booz Allen's executives have debated how to take advantage of the booming growth in its defense-consulting business. The government business now accounts for more than 50% of the company's $4 billion in revenue. The firm's past three chief executive officers have come from the government side of the firm. Booz Allen has more than 300 senior executives and 20,000 employees world-wide. A Booz spokeswoman yesterday declined to comment about possible buyers for the government-services group. The size and influence of Booz Allen's government-consulting practice has been on the rise since the Sept. 11, 2001, terrorist attacks, as the government has sought more outside help for projects such as setting up the Department of Homeland Security's management to engineering and integration work for advanced Air Force satellites. Booz Allen employs numerous retired military officers and former intelligence-agency chiefs. Retired Navy Admiral J. Michael McConnell, former head of the National Security Agency, was a Booz Allen executive until President Bush named him director of national intelligence in 2007. James Woolsey, former head of the Central Intelligence Agency, is another high-profile executive. The move comes at a time when the defense industry has been under fire for having too much control of government contracts. Lockheed Martin Corp., Northrop Grumman Corp. and Boeing Co. 
have taken the lead overseeing development of big military programs. That has alarmed critics in Congress and watchdogs worried about government ceding too much authority. Legislation in the 2008 Defense Authorization Act will end the practice of awarding contractors such overarching roles within a few years. The industry contends that the government lacks the expertise to handle complex projects. --Joann S. Lublin contributed to this article. Write to Matthew Karnitschnig at matthew.karnitschnig at wsj.com and August Cole at august.cole at dowjones.com From rforno at infowarrior.org Wed Jan 16 13:37:44 2008 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 16 Jan 2008 08:37:44 -0500 Subject: [Infowarrior] - US Seeks to Force Suspect to Reveal Password to Computer Files Message-ID: In Child Porn Case, a Digital Dilemma U.S. Seeks to Force Suspect to Reveal Password to Computer Files By Ellen Nakashima Washington Post Staff Writer Wednesday, January 16, 2008; A01 http://www.washingtonpost.com/wp-dyn/content/article/2008/01/15/AR2008011503663_pf.html The federal government is asking a U.S. District Court in Vermont to order a man to type a password that would unlock files on his computer, despite his claim that doing so would constitute self-incrimination. The case, believed to be the first of its kind to reach this level, raises a uniquely digital-age question about how to balance privacy and civil liberties against the government's responsibility to protect the public. The case, which involves suspected possession of child pornography, comes as more Americans turn to encryption to protect the privacy and security of files on their laptops and thumb drives. FBI and Justice Department officials, meanwhile, have said that encryption is allowing terrorists and criminals to communicate their plots covertly.
Criminals and terrorists are using "relatively inexpensive, off-the-shelf encryption products," said John Miller, the FBI's assistant director of public affairs. "When the intent . . . is purely to hide evidence of a crime . . . there needs to be a logical and constitutionally sound way for the courts" to allow law enforcement access to the evidence, he said. On Nov. 29, Magistrate Judge Jerome J. Niedermeier ruled that compelling Sebastien Boucher, a 30-year-old drywall installer who lives in Vermont, to enter his password into his laptop would violate his Fifth Amendment right against self-incrimination. "If Boucher does know the password, he would be faced with the forbidden trilemma: incriminate himself, lie under oath, or find himself in contempt of court," the judge said. The government has appealed, and the case is being investigated by a grand jury, said Boucher's attorney, James Boudreau of Boston. He said it would be "inappropriate" to comment while the case is pending. Justice Department officials also declined to comment. But the ruling has caused controversy. "The consequence of this decision being upheld is that the government would have to find other methods to get this information," said Marc Rotenberg, executive director of the Electronic Privacy Information Center. "But that's as it should be. That's what the Fifth Amendment is intended to protect." Mark D. Rasch, a privacy and technology expert with FTI Consulting and a former federal prosecutor, said the ruling was "dangerous" for law enforcement. "If it stands, it means that if you encrypt your documents, the government cannot force you to decrypt them," he said. "So you're going to see drug dealers and pedophiles encrypting their documents, secure in the knowledge that the police can't get at them." The case began Dec. 17, 2006, when Boucher, a Canadian citizen with legal residency in the United States, was driving from Canada into Vermont when he was stopped at the border by a U.S. 
Customs and Border Protection inspector. The inspector searched Boucher's car and found a laptop in the back seat, according to an affidavit filed with the court by Mark Curtis, a special agent with Immigration and Customs Enforcement who was called in by the inspector. Boucher said the laptop was his, according to the affidavit. When the inspector saw files with titles such as "Two-year-old being raped during diaper change," he asked Boucher if the laptop contained child pornography. Boucher said he did not know because he was not able to check his temporary Internet files, according to the affidavit. Curtis asked Boucher "to use the computer" to show him the files he downloads. Curtis reviewed the video files, observing one that appeared to be a preteen undressing and performing a sexual act, among other graphic images, the affidavit says. Boucher was arrested and charged with transportation of child pornography in interstate or foreign commerce, which can carry a sentence of up to 20 years in prison for a first offense. The agents seized the laptop, and a Vermont Department of Corrections investigator copied its contents. But the investigator could not get access to the drive Z content because it was protected by Pretty Good Privacy, a form of encryption software used by intelligence agencies in the United States and around the world that is widely available online. PGP, like all encryption algorithms, requires a password for decryption. For more than a year, the government has been unable to view drive Z. A government computer forensics expert testified that it is "nearly impossible" to access the files without the password, the judge wrote. "There are no 'back doors' or secret entrances to access the files," he wrote. "The only way to get access without the password is to use an automated system which repeatedly guesses passwords. According to the government, the process to unlock drive Z could take years . . ."
In his ruling, Niedermeier said forcing Boucher to enter his password would be like asking him to reveal the combination to a safe. The government can force a person to give up the key to a safe because a key is physical, not in a person's mind. But a person cannot be compelled to give up a safe combination because that would "convey the contents of one's mind," which is a "testimonial" act protected by the Fifth Amendment, Niedermeier said. In a phone interview, Boucher said that he likes to download Japanese cartoons and occasionally adult pornography, but that he does not seek to view child porn. He sometimes inadvertently receives images of child pornography when he downloads the other material, but reviews what he downloads to "clean out" the child porn, he said. It is not illegal to possess animated child porn. He said that he agreed to show the agents where he downloaded his files "because I was sure that there was nothing bad in those files." He also said that he felt coerced: "I felt like they really want to force me to do it, like I have no choice." Asked whether he typed in a password to unlock the drive so the agents could view it, he replied: "I prefer not to answer that one." Boucher added the encryption software to protect the rest of his computer from viruses that might accompany the downloaded files, he said. Orin S. Kerr, an expert in computer crime law at George Washington University, said that Boucher lost his Fifth Amendment privilege when he admitted that it was his computer and that he stored images in the encrypted part of the hard drive. "If you admit something to the government, you give up the right against self-incrimination later on," said Kerr, a former federal prosecutor. Lee Tien, senior staff attorney at the Electronic Frontier Foundation, a civil liberties group, said encryption is one of the few ways people can protect what they write, read and watch online.
"The last line of defense really is you holding your own password," he said. "That's what's at stake here." Staff researcher Magda Jean-Louis contributed to this report. From rforno at infowarrior.org Wed Jan 16 14:46:28 2008 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 16 Jan 2008 09:46:28 -0500 Subject: [Infowarrior] - IO: How the Pentagon Planted a False Story In-Reply-To: Message-ID: http://ipsnews.net/news.asp?idnews=40801 January 16, 2008 How the Pentagon Planted a False Story by Gareth Porter Senior Pentagon officials, evidently reflecting a broader administration policy decision, used an off-the-record Pentagon briefing to turn the January 6 U.S.-Iranian incident in the Strait of Hormuz into a sensational story demonstrating Iran's military aggressiveness, a reconstruction of the events following the incident shows. The initial press stories on the incident, all of which can be traced to a briefing by deputy assistant secretary of defense for public affairs in charge of media operations Bryan Whitman, contained similar information that has since been repudiated by the Navy itself. Then the Navy disseminated a short video into which was spliced the audio of a phone call warning that U.S. warships would "explode" in "a few seconds." Although it was ostensibly a Navy production, IPS has learned that the ultimate decision on its content was made by top officials of the Defense Department. The encounter between five small and apparently unarmed speedboats, each carrying a crew of two to four men, and the three U.S. warships occurred very early on Saturday January 6, Washington time. But no information was released to the public about the incident for more than 24 hours, indicating that it was not viewed initially as being very urgent. The reason for that absence of public information on the incident for more than a full day is that it was not that different from many others in the Gulf over more than a decade. 
A Pentagon consultant who asked not to be identified told IPS that he had spoken with officers who had experienced similar encounters with small Iranian boats throughout the 1990s, and that such incidents are "just not a major threat to the U.S. Navy by any stretch of the imagination." Just two weeks earlier, on December 19, the USS Whidbey Island, an amphibious warship, had fired warning shots after a small Iranian boat allegedly approached it at high speed. But that incident had gone without public notice. With the reports from 5th Fleet commander Vice-Adm. Kevin Cosgriff in hand early that morning, top Pentagon officials had all day Sunday, January 6, to discuss what to do about the encounter in the Strait of Hormuz. The result was a decision to play it up as a major incident. The decision came just as President George W. Bush was about to leave on a Middle East trip aimed in part at rallying Arab states to join the United States in an anti-Iran coalition. That decision in Washington was followed by a news release by the commander of the 5th Fleet on the incident at about 4:00 a.m. Washington time Jan. 7. It was the first time the 5th Fleet had ever issued a news release on an incident with small Iranian boats. The release reported that the Iranian "small boats" had "maneuvered aggressively in close proximity of [sic] the Hopper [the lead ship of the three-ship convoy]." But it did not suggest that the Iranian boats had threatened the boats or that it had nearly resulted in firing on the Iranian boats. On the contrary, the release made the U.S. warships handling of the incident sound almost routine. "Following standard procedures," the release said, "Hopper issued warnings, attempted to establish communications with the small boats, and conducted evasive maneuvering." The release did not refer to a U.S. ship being close to firing on the Iranian boats, or to a call threatening that U.S. 
ships would "explode in a few minutes," as later stories would report, or to the dropping of objects into the path of a U.S. ship as a potential danger. That press release was ignored by the news media, however, because later that Monday morning, the Pentagon provided correspondents with a very different account of the episode. At 9 a.m., Barbara Starr of CNN reported that "military officials" had told her that the Iranian boats had not only carried out "threatening maneuvers," but had transmitted a message by radio that "I am coming at you" and "you will explode." She reported the dramatic news that the commander of one boat was "in the process of giving the order to shoot when they moved away." CBS News broadcast a similar story, adding the detail that the Iranian boats "dropped boxes that could have been filled with explosives into the water." Other news outlets carried almost identical accounts of the incident. The source of this spate of stories can now be identified as Bryan Whitman, the top Pentagon official in charge of media relations, who gave a press briefing for Pentagon correspondents that morning. Although Whitman did offer a few remarks on the record, most of the Whitman briefing was off the record, meaning that he could not be cited as the source. In an apparent slip-up, however, an Associated Press story that morning cited Whitman as the source for the statement that U.S. ships were about to fire when the Iranian boats turned and moved away -- a part of the story that other correspondents had attributed to an unnamed Pentagon official. On Jan. 9, the U.S. Navy released excerpts of a video of the incident in which a strange voice -- one that was clearly very different from the voice of the Iranian officer who calls the U.S. ship in the Iranian video -- appears to threaten the U.S. warships.
A separate audio recording of that voice, which came across the VHF channel open to anyone with access to it, was spliced into a video on which the voice apparently could not be heard. That was a political decision, and Lt. Col. Mark Ballesteros of the Pentagon's Public Affairs Office told IPS the decision on what to include in the video was "a collaborative effort of leadership here, the Central Command, and Navy leadership in the field." "Leadership here," of course, refers to the secretary of defense and other top policymakers at the department. An official in the U.S. Navy Office of Information in Washington, who asked not to be identified because of the sensitivity of the issue, said that decision was made in the office of the secretary of defense. That decision involved a high risk of getting caught in an obvious attempt to mislead. As an official at 5th Fleet headquarters in Bahrain told IPS, it is common knowledge among officers there that hecklers -- often referred to as "Filipino Monkey" -- frequently intervene on the VHF ship-to-ship channel to make threats or rude comments. One of the popular threats made by such hecklers, according to British journalist Lewis Page, who had transited the Strait with the Royal Navy, is, "Look out, I am going to hit [collide with] you." By Jan. 11, Pentagon spokesman Geoff Morrell was already disavowing the story that Whitman had been instrumental in creating only four days earlier. "No one in the military has said that the transmission emanated from those boats," said Morrell. The other elements of the story given to Pentagon correspondents were also discredited. The commanding officer of the guided missile cruiser Port Royal, Capt. David Adler, dismissed the Pentagon's story that he had felt threatened by the dropping of white boxes in the water. Meeting with reporters on Monday, Adler said, "I saw them float by. They didn't look threatening to me."
The naval commanders seemed most determined, however, to scotch the idea that they had been close to firing on the Iranians. Vice-Adm. Kevin Cosgriff, the commander of the 5th Fleet, denied the story in a press briefing on Jan. 7. A week later, Cmdr. Jeffery James, commander of the destroyer Hopper, told reporters that the Iranians had moved away "before we got to the point where we needed to open fire."

The decision to treat the Jan. 6 incident as evidence of an Iranian threat reveals a chasm between the interests of political officials in Washington and Navy officials in the Gulf. Asked whether the Navy's reporting of the episode was distorted by Pentagon officials, Cmdr. Robertson of 5th Fleet Public Affairs would not comment directly. But she said, "There is a different perspective over there."

From rforno at infowarrior.org Thu Jan 17 13:58:50 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 17 Jan 2008 08:58:50 -0500
Subject: [Infowarrior] - TW Cable Links Broadband Prices With Usage
Message-ID:

Time Warner Links Web Prices With Usage
Thursday January 17, 7:42 am ET
Time Warner Cable Will Do Trial on Setting High-Speed Internet Charges Based on Usage
http://biz.yahoo.com/ap/080117/time_warner_cable_internet.html?.v=2

NEW YORK (AP) -- Time Warner Cable will experiment with a new pricing structure for high-speed Internet access later this year, charging customers based on how much data they download, a company spokesman said Wednesday.

The company, the second-largest cable provider in the United States, will start a trial in Beaumont, Texas, in which it will sell new Internet customers tiered levels of service based on how much data they download per month, rather than the usual fixed-price packages with unlimited downloads.

Company spokesman Alex Dudley said the trial was aimed at improving the network performance by making it more costly for heavy users of large downloads.
Dudley said that a small group of super-heavy users of downloads, around 5 percent of the customer base, can account for up to 50 percent of network capacity. Dudley said he did not know what the pricing tiers would be nor the download limits. He said the heavy users were likely using the network to download large amounts of video, most likely in high definition.

It was not clear when exactly the trial would begin, but Dudley said it would likely be around the second quarter. The tiered pricing would only affect new customers in Beaumont, not existing ones.

Time Warner Cable is a subsidiary of Time Warner Inc., the world's largest media company.

From rforno at infowarrior.org Thu Jan 17 14:01:42 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 17 Jan 2008 09:01:42 -0500
Subject: [Infowarrior] - Has AT&T Lost Its Mind?
Message-ID:

Has AT&T Lost Its Mind?
A baffling proposal to filter the Internet.
By Tim Wu
Posted Wednesday, Jan. 16, 2008, at 10:15 AM ET
http://www.slate.com/id/2182152/

Chances are that as you read this article, it is passing over part of AT&T's network. That matters, because last week AT&T announced that it is seriously considering plans to examine all the traffic it carries for potential violations of U.S. intellectual property laws. The prospect of AT&T, already accused of spying on our telephone calls, now scanning every e-mail and download for outlawed content is way too totalitarian for my tastes. But the bizarre twist is that the proposal is such a bad idea that it would be not just a disservice to the public but probably a disaster for AT&T itself. If I were a shareholder, I'd want to know one thing: Has AT&T, after 122 years in business, simply lost its mind?

No one knows exactly what AT&T is proposing to build. But if the company means what it says, we're looking at the beginnings of a private police state.
That may sound like hyperbole, but what else do you call a system designed to monitor millions of people's Internet consumption? That's not just Orwellian; that's Orwell. The puzzle is how AT&T thinks that its proposal is anything other than corporate seppuku.

First, should these proposals be adopted, my heart goes out to AT&T's customer relations staff. Exactly what counts as copyright infringement can be a tough question for a Supreme Court justice, let alone whatever program AT&T writes to detect copyright infringement. Inevitably, AT&T will block legitimate materials (say, home videos it mistakes for Hollywood) and let some piracy through. Its filters will also inescapably degrade network performance. The filter AT&T will really need will be the one that blocks the giant flood of complaints and termination-of-service notices coming its way.

But the most serious problems for AT&T may be legal. Since the beginnings of the phone system, carriers have always wanted to avoid liability for what happens on their lines, be it a bank robbery or someone's divorce. Hence the grand bargain of common carriage: The Bell company carried all conversations equally, and in exchange bore no liability for what people used the phone for. Fair deal.

AT&T's new strategy reverses that position and exposes it to so much potential liability that adopting it would arguably violate AT&T's fiduciary duty to its shareholders. Today, in its daily Internet operations, AT&T is shielded by a federal law that provides a powerful immunity to copyright infringement. The Bells know the law well: They wrote and pushed it through Congress in 1998, collectively spending six years and millions of dollars in lobbying fees to make sure there would be no liability for "Transitory Digital Network Communications" -- content AT&T carries over the Internet. And that's why the recording industry sued Napster and Grokster, not AT&T or Verizon, when the great music wars began in the early 2000s.
Here's the kicker: To maintain that immunity, AT&T must transmit data "without selection of the material by the service provider" and "without modification of its content." Once AT&T gets in the business of picking and choosing what content travels over its network, while the law is not entirely clear, it runs a serious risk of losing its all-important immunity. An Internet provider voluntarily giving up copyright immunity is like an astronaut on the moon taking off his space suit. As the world's largest gatekeeper, AT&T would immediately become the world's largest target for copyright infringement lawsuits.

On the technical side, if I were an AT&T engineer asked to implement this plan, I would resign immediately and look for work at Verizon. AT&T's engineers are already trying to manage the feat of getting trillions of packets around the world at light speed. To begin examining those packets for illegal pictures of Britney Spears would be a nuisance, at best, and a threat to the whole Internet, at worst. Imagine if FedEx were forced to examine every parcel for drug paraphernalia: Next-day delivery would soon go up in smoke. Even China's Internet, whose performance suffers greatly from its filtering, doesn't go as far as what AT&T is proposing.

If this idea looks amazingly bad for AT&T, does the firm have an ingenious rationale for blocking content? "It's about," said AT&T last week, "making more content available to more people in more ways going forward." Huh? That's like saying that the goal of a mousetrap is producing more mice. If the quote makes any sense at all, perhaps it means that AT&T, the phone company, has aspirations to itself provide Internet content. Could it really be that AT&T's master strategy is to try and become more like AOL circa 1996?

A different theory is that AT&T hopes that filtering out infringing material will help free up bandwidth on its network.
What is so strange about this argument is that it suggests that AT&T wants people to use its product less. That's like Exxon-Mobil complaining that SUVs are just buying up too much gas. It suggests that perhaps AT&T should try to improve its network to handle and charge for consumer demand, rather than spending money trying to control its consumers.

I just don't get the business aspect, so perhaps the only explanation that makes any sense is a political one. It may be that AT&T so hates being under the current network neutrality mandate that it sees fighting piracy as a way to begin treating some content differently than others -- discriminating -- in a politically acceptable way. Or maybe AT&T thinks its new friends in the content industry will let them into Hollywood parties if they help fight piracy.

Whatever the explanation, AT&T is choosing a scary, expensive, and risky way to make a point. It is also, so far, alone on this one among Internet service providers; the cable industry is probably licking its chops in anticipation of new customers. That's why if this plan goes any further, and I were an AT&T shareholder, I'd have just one thought: SELL.

From rforno at infowarrior.org Fri Jan 18 01:49:08 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 17 Jan 2008 20:49:08 -0500
Subject: [Infowarrior] - DOD tackles controls on unclassified info
Message-ID:

(c/o SecrecyNews)

PENTAGON TACKLES CONTROLS ON UNCLASSIFIED INFORMATION

In a small step that could nevertheless have far-reaching consequences for government information policy, the Department of Defense is preparing to eliminate various markings such as "For Official Use Only" and "Limited Distribution" that regulate disclosure of unclassified documents and will replace them with a new standardized marking.
The DoD move anticipates near-term Presidential approval of a new government-wide policy on so-called Sensitive But Unclassified information that would streamline and rationalize controls on unclassified information. It could also potentially lead to the public release of a vast amount of currently controlled information.

President Bush called for development of the new policy in a December 16, 2005 memorandum intended to promote information sharing. In response to the Presidential memorandum, officials soon discovered that "there are at least 107 unique markings" for unclassified information "and more than 131 different labeling or handling processes," according to testimony last April by Amb. Thomas E. McNamara, Program Manager of the ODNI Information Sharing Environment.

http://www.fas.org/irp/congress/2007_hr/042607mcnamara.pdf

In some cases the very same markings are used to refer to different control systems, Mr. McNamara explained. Thus, SSI usually means "Sensitive Security Information," but sometimes it stands for "Source Selection Information." Likewise, some agencies use ECI to designate "Export Controlled Information," while others use it to mean "Enforcement Confidential Information," each of which entail "very different safeguarding and dissemination controls."

In short, the handling of unclassified information within government has become chaotic and counterproductive.

More than two years after the President's directive, a new policy that replaces many of the existing information control categories with a new "Controlled Unclassified Information" (CUI) category is said to be close to final approval.

Last month, the Department of Defense established a CUI Task Force to oversee implementation of the impending new policy, according to a memo from the DoD Deputy Chief Information Officer.

"The new policy will replace all of the markings currently used for CUI within DoD (e.g. FOUO, FOUO-LES, LIMITED DISTRIBUTION) with [the] new standardized marking," the memo stated. "We anticipate White House approval of the new policy shortly."

The DoD memo was first reported this week by Sebastian Sprenger in InsideDefense.com.

See "Transition to New Markings for Controlled Unclassified Information (CUI)," memorandum from David M. Wennergren, December 28, 2007:
http://www.fas.org/sgp/othergov/dod/cui122807.pdf

At a minimum, the new policy should facilitate information sharing within the government. But it might possibly do much more than that.

While many existing control categories are expected to merely be consolidated and replaced by the new CUI marking, other controls may be eliminated outright, according to Amb. McNamara, the Information Sharing Environment Program Manager who led development of the CUI policy.

"The great majority of the information which is now controlled can be put in a simple unclassified, uncontrolled category, it seems to me," he told Congress in 2006.

If controls on "the great majority" of unclassified but restricted information are truly going to be removed, that would imply an unprecedented avalanche of disclosure of controlled government records. The recent DoD memo contains no hint of such an outcome.

Yet "that is the system that we are trying to put together," Amb. McNamara said, "a rational limited set of categories that... can be applied to controllable information, but leave most of it as fully unclassified."

See "Building the Information Sharing Environment," hearing before the House Homeland Security Committee, May 10, 2006 (at p. 17):
http://www.fas.org/irp/congress/2006_hr/ise.pdf

From rforno at infowarrior.org Fri Jan 18 20:26:18 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 18 Jan 2008 15:26:18 -0500
Subject: [Infowarrior] - TSA Travellers' Redress website security breach report out
In-Reply-To: <0E6E608443A703489B63435E45E642711F1334BB57@EXVMBX016-3.exch016.msoutlookonline.net>
Message-ID:

(c/o IP list)

------ Forwarded Message
________________________________________
From: Paul

Waxman's report was just released -- the full report is mirrored at http://www.emergencyemail.org/20080111092648.pdf . And summary below.

http://www.emergencyemail.org/newsemergency/anmviewer.asp?a=278&z=1

Security Breach at TSA puts thousands of American travelers at risk
- Blogger points out breach to government
- Report on findings comes out a year later

Jan 08, Committee on Oversight and Government Reform Chairman Waxman Releases Report on Information Security Breach at TSA's Traveler Redress Website.

In October 2006, the Transportation Security Administration launched a website to help travelers whose names were erroneously listed on airline watch lists. This redress website had multiple security vulnerabilities: it was not hosted on a government domain; its homepage was not encrypted; one of its data submission pages was not encrypted; and its encrypted pages were not properly certified. These deficiencies exposed thousands of American travelers to potential identity theft. After an internet blogger identified these security vulnerabilities, the website was taken offline and replaced by a website hosted on a Department of Homeland Security domain.

At the request of Chairman Henry Waxman, Committee staff have been investigating how TSA could have launched a website that violated basic operating standards of web security and failed to protect travelers' sensitive personal information.
As this report describes, these security breaches can be traced to TSA's poor acquisition practices, conflicts of interest, and inadequate oversight.

Report findings...

* TSA did not detect the website's security weaknesses for months. The redress website was launched on October 6, 2006, and was not taken down until after February 13, 2007, when an internet blogger exposed the security vulnerabilities. During this period, TSA Administrator Hawley testified before Congress that the agency had assured "the privacy of users and the security of the system" before its launch. Thousands of individuals used the insecure website, including at least 247 travelers who submitted large amounts of personal information through an insecure webpage.

* TSA did not provide sufficient oversight of the website and the contractor. The internal TSA investigation found that there were problems with the "planning, development, and operation" of the website and that the program managers were "overly reliant on contractors for information technology expertise" and had failed to properly oversee the contractor, which as a result, "made TSA vulnerable to non-performance and poor quality work by the contractor."

* TSA awarded the website contract without competition. TSA gave a small, Virginia-based contractor called Desyne Web Services a no-bid contract to design and operate the redress website. According to an internal TSA investigation, the "Statement of Work" for the contract was "written such that Desyne Web was the only vendor that could meet program requirements."

* The TSA official in charge of the project was a former employee of the contractor. The TSA official who was the "Technical Lead" on the website project and acted as the point of contact with the contractor had an apparent conflict of interest. He was a former employee of Desyne Web Services and regularly socialized with Desyne's owner.
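The four deficiencies the committee summary lists (non-government hosting, an unencrypted homepage, an unencrypted submission page, and encrypted pages that were "not properly certified") are each checkable before launch. The following Python helper is an added example, not code from the report, TSA, or the contractor: it audits constructed page records for each deficiency, resolving relative form actions against the page so that an HTTPS page whose form still posts to a cleartext URL is caught, and it shows the client-side verification settings that give "properly certified" a concrete meaning. The hostnames redress.example.com and redress.example.gov, the form paths, and the choice of .gov/.mil as "government domain" are assumptions made for the example.

```python
import ssl
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urljoin, urlparse

# Suffixes treated as a government domain for this audit (an assumption for the
# example; the report only says the site was not on a government domain and
# was later moved to a DHS domain).
GOVERNMENT_SUFFIXES = (".gov", ".mil")


@dataclass
class PageObservation:
    """What a reviewer recorded about one page. All values are constructed."""
    url: str                       # address of the page as loaded
    form_actions: List[str]        # action URLs of forms that collect personal data
    cert_verified: Optional[bool]  # chain + hostname validation result; None if no TLS


def is_government_host(url: str) -> bool:
    """True when the URL's host ends in one of GOVERNMENT_SUFFIXES."""
    host = (urlparse(url).hostname or "").lower()
    return host.endswith(GOVERNMENT_SUFFIXES)


def audit_page(page: PageObservation) -> List[str]:
    """Return one finding per deficiency, mirroring the four named in the report."""
    findings = []
    parsed = urlparse(page.url)

    if not is_government_host(page.url):
        findings.append("not hosted on a government domain")

    if parsed.scheme != "https":
        findings.append("page not served over TLS")

    # A page can be HTTPS while its form still posts to a cleartext URL;
    # resolve relative actions against the page before deciding.
    for action in page.form_actions:
        target = urlparse(urljoin(page.url, action))
        if target.scheme != "https":
            findings.append(f"form posts over cleartext: {target.geturl()}")

    # "Properly certified" means the chain and hostname validated against a
    # trust store; a self-signed or mismatched certificate fails this check.
    if parsed.scheme == "https" and page.cert_verified is False:
        findings.append("TLS certificate failed validation")

    return findings


def strict_tls_context() -> ssl.SSLContext:
    """Client context that refuses unverified or hostname-mismatched certificates."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def verification_is_strict(ctx: ssl.SSLContext) -> bool:
    """True only if the context will reject an unverifiable server certificate."""
    return ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED


# Constructed observations: a cleartext page on a contractor host, an HTTPS
# page whose certificate did not validate, and a corrected deployment.
SAMPLE_PAGES = [
    PageObservation("http://redress.example.com/", ["submit.php"], None),
    PageObservation("https://redress.example.com/details", ["/submit"], False),
    PageObservation("https://redress.example.gov/", ["https://redress.example.gov/submit"], True),
]


if __name__ == "__main__":
    for page in SAMPLE_PAGES:
        print(page.url, audit_page(page) or ["no findings"])
```

The cert_verified field stands in for the result of a real handshake made with strict_tls_context(); the point of keeping it separate is that "the page loads over HTTPS" and "the certificate validated" are different checks, and the report faults the site on both.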
From rforno at infowarrior.org Sat Jan 19 00:02:58 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 18 Jan 2008 19:02:58 -0500
Subject: [Infowarrior] - CIA: Hackers to Blame for Power Outages
In-Reply-To: <1A80CDC44C7B6C428AB0959813EF546F03B75682@KTCXMB01.ap.org>
Message-ID:

CIA: Hackers to Blame for Power Outages
http://ap.google.com/article/ALeqM5jSw3W7MyNAF7rq8RTxcvoz76WIiwD8U8GN7O0

WASHINGTON (AP) - Hackers literally turned out the lights in multiple cities after breaking into electrical utilities and demanding extortion payments before disrupting the power, a senior CIA analyst told utility engineers at a trade conference.

All the break-ins occurred outside the United States, said senior CIA analyst Tom Donahue. The U.S. government believes some of the hackers had inside knowledge to cause the outages. Donahue did not specify what countries were affected, when the outages occurred or how long the outages lasted. He said they happened in "several regions outside the United States."

"In at least one case, the disruption caused a power outage affecting multiple cities," Donahue said in a statement. "We do not know who executed these attacks or why, but all involved intrusions through the Internet."

A CIA spokesman Friday declined to provide further details. "The information that could be shared in a public setting was shared," said spokesman George Little. "These comments were simply designed to highlight to the audience the challenges posed by potential cyber intrusions."

Donahue spoke earlier this week at the Process Control Security Summit in New Orleans, a gathering of engineers and security managers for energy and water utilities.

The Bush administration is increasingly worried about the little-understood risks from hackers to the specialized electronic equipment that operates power, water and chemical plants.
In a test last year, the Homeland Security Department produced a video showing commands quietly triggered by simulated hackers having such a violent reaction that an enormous generator shudders as it flies apart and belches black-and-white smoke.

The recorded demonstration, called the "Aurora Generator Test," was conducted in March by government researchers investigating a dangerous vulnerability in computers at U.S. utility companies known as supervisory control and data acquisition systems. The programming flaw was fixed, and equipment makers urged utilities to take protective measures.

From rforno at infowarrior.org Sat Jan 19 03:56:28 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 18 Jan 2008 22:56:28 -0500
Subject: [Infowarrior] - DHS to Replace 'Duplicative' Anti-Terrorism Data Network
Message-ID:

DHS to Replace 'Duplicative' Anti-Terrorism Data Network
$90 Million System Aimed to Aid State, Local Agencies
By Spencer S. Hsu and Robert O'Harrow Jr.
Washington Post Staff Writers
Friday, January 18, 2008; A03
http://www.washingtonpost.com/wp-dyn/content/article/2008/01/17/AR2008011703279_pf.html

The Homeland Security Department spent more than $90 million to create a network for sharing sensitive anti-terrorism information with state and local governments that it has decided to replace, according to an internal department document.

The decision was made late last year but was not announced. It was outlined in an Oct. 27 memorandum that listed the network's flaws and asserted that DHS's counterterrorism, immigration enforcement and disaster management missions were hampered by the proliferation of more than 100 Web "portals" that provide poorly coordinated information.

"Most are duplicative in capabilities" and lack innovation, noted the memo by DHS Undersecretary for Management Paul A. Schneider. He said that as a result, the department "will replace" the current system, known as the Homeland Security Information Network.
The decision underscores recurring criticism about the department's effectiveness at meeting the core need to better share information with government and private partners involved in counterterrorism efforts five years after it was formed, according to lawmakers and independent experts. The department also has repeatedly rushed crucial technology initiatives, leading to delays and millions of dollars in additional costs.

The network is the department's primary communications application for sensitive but unclassified information. It is a Web-based system designed to be used for chat and instant messaging, as well as a conduit for suspicious activity reports and analysis of terrorist threats.

But the department's information-sharing efforts, meant to fulfill a key security priority since the Sept. 11, 2001, terrorist attacks, have faltered from the beginning. Two years ago, the Government Accountability Office listed the network as a "high-risk area." The GAO gave the program the same designation last year. Among the key problems, according to an April 2007 review: The department rushed to deploy the system without consulting users.

Other government agencies have struggled with technology initiatives. Congressional auditors in 2006 said that the FBI had spent nearly $600 million over five years without successfully developing a new case-management system.

Developed by the Defense Intelligence Agency and transferred to DHS in 2003, the information network has been criticized by law enforcement users for being difficult to use, providing little added value, and duplicating existing law enforcement networks operated by the Justice Department. A June 2006 report by the department's inspector general found that only 2 to 6 percent of authorized users had signed on to the Web-based network daily during the previous December.

But DHS officials have said publicly that the system was rapidly improving.
That prompted Democratic and Republican leaders of the House Homeland Security Committee and its intelligence subcommittee to express anger in a letter to Schneider yesterday that they were not told in advance of the department's plan. They said that on Oct. 26, a day before Schneider's memo was dated, DHS officials told lawmakers that the department had made "significant progress" in upgrading the network.

"It is unacceptable that the Department would brief the Congress on the status of the program on one day and dramatically alter that program the next," wrote Chairman Bennie Thompson (D-Miss.) and Reps. Peter T. King (R-N.Y.), Jane Harman (D-Calif.) and Dave Reichert (R-Wash.).

The lawmakers gave Schneider until Feb. 14 to answer 18 questions about the possible impact on the system and its users, its projected cost savings, which contractors are involved, and whether DHS has consulted with states and the Office of the Director of National Intelligence, which is in charge of creating a nationwide information-sharing environment.

In his memo, Schneider ordered all DHS agency heads to "stop any new development or enhancements" to existing Web portal systems unless approved by DHS leadership.

DHS declined a request to interview Schneider, but department spokesman Russ Knocke said the network is being upgraded, not replaced. "We're not departing from or discontinuing" the network, he said in an e-mail reply to questions. "Those allegations could not be more false. We'll be upgrading our systems over the next year, the same way that Microsoft puts out a new software version each year."

Knocke later said that many of the network's features "are going to be integrated into a broader, more advanced platform."

Knocke said DHS briefers told the panel in October of desired upgrades and said then that they would update the committee in January. That meeting is scheduled for next week.

The current version of the network was developed by the Navy on behalf of DHS.
BAE Systems was selected as the lead vendor, Knocke said. BAE spokesman John Measell acknowledged that they are one of several contractors, and he said the company is working on the network's infrastructure, operations and maintenance. But he said officials have not seen the Schneider memo.

The system is split into dozens of Web portals used by DHS constituents, including state and local law enforcement, emergency management, counterterrorism agencies and critical private sector industries. Classified data-sharing systems that also are part of the network are not addressed by Schneider's memo, Knocke said.

A prime concern is whether the system is less useful than other, existing federal information-sharing networks, such as Law Enforcement Online (LEO) and the Regional Information Sharing Systems (Rissnet).

From rforno at infowarrior.org Sat Jan 19 15:16:27 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 19 Jan 2008 10:16:27 -0500
Subject: [Infowarrior] - Shareholders To Comcast: Fire The CEO
In-Reply-To: <49E681C7-C11A-4B49-90FB-D3A73634FE71@jessekornblum.com>
Message-ID:

(c/o KJ)

Great new term for the Comcast CEO -- a "Comcastrophe!"

http://consumerist.com/346708/shareholders-to-comcast-fire-the-ceo

From rforno at infowarrior.org Sat Jan 19 20:56:09 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 19 Jan 2008 15:56:09 -0500
Subject: [Infowarrior] - The hard side of Mister Softie
Message-ID:

The hard side of Mister Softie
By Josh Quittner
http://techland.blogs.fortune.cnn.com/2008/01/18/the-hard-side-of-mister-softie/

Ah, Microsoft. Nothing gets the knickers of Silicon Valley startup guys more twisted than signs that the world's largest software company is over-reaching again. The latest outrage? Some of my friends at the Valley's best-known social networks and Web 2.0 companies are privately grousing that emissaries from Redmond are trying to "strong-arm" (their term) startups into giving special treatment to Messenger, Microsoft's (MSFT) answer to AIM and other instant messaging programs.

The problem typically arises when a social network, say, offers its users the ability to import the list of contacts they've accumulated on Microsoft Hotmail. Since the summer, my friends tell me, Mister Softie has been sending cease-and-desist letters to startups that try to do this. These nastygrams are typically followed up by a meeting with Microsoft reps, who then try a couple different approaches to get the startup to integrate Messenger into their service.

If the company wants to offer other IM services (from Yahoo, Google or AOL, say), Messenger must get top billing. And if the startup wants to offer any other IM service, it must pay Microsoft 25 cents a user per year for a site license. If, however, the startup decides to use Messenger exclusively, the licensing "fee will be discounted 100 percent." Such a deal! Or not.

The standard Microsoft term sheet being shown around the Valley also instructs startups that if they want to offer search at any point in the future, they must agree "to negotiate in good faith for a period of sixty days exclusively with Microsoft on the terms under which Microsoft may provide such search service functionality..."

Naturally -- and no one is complaining this is unfair -- Microsoft also demands reciprocity of contacts. They say, in effect, we'll show you our Hotmail contacts, but you have to let your users share theirs when they sign up for Microsoft's Windows Live services.

None of the folks I spoke to agreed to talk on the record for fear of reprisals. So I will refrain from blind quoting some of their more incendiary remarks. Well, all but one: "This is a great example of why Google is the leader in the Net ecosystem and Microsoft is not," an angry entrepreneur (who does not work for Google) told me. "Microsoft is the anti-data-portability company."
Google (GOOG) and Yahoo (YHOO) routinely allow users to take their contacts with them when they join new social networks. So why doesn't Microsoft? Just who owns that data anyway?

We put the question to Brian Hall, general manager for Windows Live. "We want the user to be in control of their stuff," he told me. "We believe strongly that it's the user's data, it's the user's choice."

Hall said he was unaware of any Messenger tie-in being a part of a signed contract, but didn't rule out the possibility. "I don't know of any contract we've signed that has those terms," he said, pointing out that the term sheets that are being passed around merely represent what Microsoft wants -- not what it will ultimately get in each instance. Aside, that is, from the social network Bebo, which in August announced an alliance with Microsoft that would bring Messenger in house for its users. In exchange, Bebo and Windows Live users are now able to exchange contact information to invite their friends to their respective services. (Hmmm, will Facebook -- in which Microsoft is a minority investor -- be next to make Messenger its official IM client?)

Hall did say that in situations where Microsoft was dealing with a tiny company with few users, Redmond might be looking for a more favorable deal simply because the exchange of contact lists was so lopsided. "Let's say you are a startup and we offer to do a reciprocity deal where you can access contacts for our 410 million [Hotmail] users and I have access to your zero users," he said, noting that it took Microsoft 12 years to amass its enormous user database. Why should it simply allow that data to flow in one direction, without getting a little something back?

But wait a second. If I'm a Hotmail user, aren't all the contacts I amass mine? Can't I take my friends with me? Hall said that Microsoft's main concern, and the reason it sent out Big Foot letters in the first place, was security.
?If you look at what a number of sites are doing, they?re asking for your Hotmail login info, They?re storing your identity, which is not a best practices [approach] for anyone?s data from a security standpoint. We want to make sure our data is kept between our users and our servers.? The thrust of the term sheets, he said, was to create a process whereby Hotmail and other Windows Live data could be shared securely with third parties. Added Hall: ?There are models for federation where you can trust other services?and that?s what we?re trying to do with our partners.? Thats what doesn?t make sense to me. If this is such a security problem, why do Google and Yahoo let their users take their contacts with them? Disclosure: Time Warner (TWX) is the parent company of Fortune and AOL, which competes with Microsoft via its AIM messenger service and other services. From rforno at infowarrior.org Sat Jan 19 20:57:39 2008 From: rforno at infowarrior.org (Richard Forno) Date: Sat, 19 Jan 2008 15:57:39 -0500 Subject: [Infowarrior] - Idiot lawyer trademarks "cyberlaw" term, chases "infringers" Message-ID: Cyberlaw and cyberlawgs Posted by Corynne McSherry http://www.eff.org/deeplinks/2008/01/cyberlaw-and-cyberlawgs Eric Menhart may call himself a cyberlawyer, but we think he has a lot of learn about cyberlaw -- and common sense. Menhart is the author of a blog about cyberlaw issues called, logically if not innovatively, "Cyberlawg." (As he says in the top right corner, ?Cyberlawg = Cyberlaw + blog.?) And he is "principal attorney" in a firm called "CyberLaw P.C." OK, OK, we get it, he practices technology law. Based on this, he?s applied for a trademark on the use of the term ?cyberlaw? in connection with the practice of, um, cyberlaw. That's like a soda company claiming a trademark in the use of the word soda in connection with the sale of soda. Or an apple farmer claiming a trademark in the use of the term apple in connection with the sale of apples. Or ... 
well, you get the picture. What is worse, he's threatening other lawyers with legal action based on this silly "mark." Menhart has demanded that attorney Michael Grossman change the title of his blog about technology law, "CyberBlawg." Presumably Stanford's Center for Internet and Society, with its Cyberlaw Clinic, as well as the Berkman's Center for Internet and Society, and Elliot Zimmerman's blog, CyberLaw.info, are in Menhart's sights as well.

I wish I could say I was surprised by this one, but such overreaching invocations of IP rights are all too common -- even where, as in this case, there are no actual "rights" to speak of. But an IP lawyer should know that courts (and trademark examiners, and many tech companies that might be potential clients) don't look kindly on efforts to abuse trademark law to control everyday language. Here's hoping Menhart figures that out fast.

From rforno at infowarrior.org Sun Jan 20 04:16:13 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 19 Jan 2008 23:16:13 -0500
Subject: [Infowarrior] - Military industrial complex aims to revamp email
Message-ID:

Military industrial complex aims to revamp email
Trust but verify
By John Leyden
Published Tuesday 15th January 2008 11:34 GMT
http://www.theregister.co.uk/2008/01/15/secure_email_spec/

A consortium of British and US military agencies and defense and aerospace firms have agreed a new standard for secure email. Security experts are watching the developments closely, but are unsure how much of the specification will make it into public use or commercial email security products.

The secure email specification from the Transglobal Secure Collaboration Program (TSCP) aims to address email's inherent identity and data transmission security flaws. The specification covers a method for authenticating users that creates a Public Key Infrastructure system that could act as the backbone for other forms of electronic collaboration.
The requirements were defined and endorsed by the members of the TSCP: the US Department of Defense (DoD), UK Ministry of Defence (MoD), BAE Systems, Boeing, EADS, Lockheed Martin, Northrop Grumman, Raytheon, and Rolls-Royce. The US Defence Department intends to use the specification to protect "controlled but unclassified information". The MoD also expects to deploy the capability enterprise-wide in 2008 for classifications up to "UK Restricted".

The TSCP implementation is based on TSCP-defined publicly available specifications which organisations must follow to assign vetted identity information to all email senders and recipients. The current implementation was constructed with commercial-off-the-shelf (COTS) products, open source software, and a commercial trusted third-party service, CertiPath. The resulting digital certificate-based system ensures that information only travels to and from trusted parties. The framework plugs into either Lotus Notes or Outlook clients.

PKI has long been touted as the next big thing in information security. But the difficulty of putting in such systems and integrating them with other platforms has made the technology complicated and costly. Even though most aspects of the TSCP approach are public, it's unclear how much impact the approach will have in the wider world outside military organisations and their contractors.

"I don't know how much of this will end up public. Certainly I'm interested. And certainly email could use a major security overhaul," security guru Bruce Schneier told El Reg. "People are abandoning the medium in favour of others that are less spam-filled."
From rforno at infowarrior.org Sun Jan 20 16:29:17 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 20 Jan 2008 11:29:17 -0500
Subject: [Infowarrior] - Social Networks, from the 80s to the 00s
Message-ID:

Social Networks, from the 80s to the 00s
Guest Column, Sunday, January 20, 2008 at 12:00 AM PT
http://gigaom.com/2008/01/20/social-networks-from-the-80s-to-the-00s/
Written by Brian McConnell

As Facebook enjoys its moment in the sun, we should take a moment to step back and look at the history of computers and social communication. Some historical perspective is in order, both to assess the real value of social networks as businesses, and to anticipate how they are likely to evolve in the future. I've been using the Internet since 1988, and have been using various commercial online services such as CompuServe, Prodigy and GEnie since I had my first computer. A lot of things that could be described as social networks have come and gone in that time.

Bulletin Boards

People have been using computers for social communication since the very beginning of the personal computer industry. Long before the Internet became accessible to the general public, people were hosting BBS systems, many of them focused on an interest group or local community. One particularly prescient invention was FidoNet, a network for BBSes that allowed systems to transfer data (messages, files, etc.) in bucket-brigade fashion to sites around the world. It grew to, at one point, cover much of the world, and was an entirely community-based effort. Since not everyone had a computer, the communities that emerged in the BBS world largely revolved around computers in some way. Some BBSes focused on DIY computer projects, others on games, and more than a few were devoted to pirating commercial software.

Online Services

Commercial online services reached their peak in the 1990s, first as destinations in and of themselves, and later as a way to access the Internet.
These services provided access to a broad range of services that are now mirrored on the web. News, travel reservations, shopping and social hubs were all part of the package; much of what we see today on the web existed in some form on these sites. Social communication was one of the big draws for online services, as a major source of their revenue was derived from billing for usage on a per-minute basis. AOL in particular recognized this and allowed users to create communities about just about any topic.

Just as online services were reaching their peak, the web became accessible to ordinary users, turning the Internet into a mainstream phenomenon. Online services, in turn, gradually morphed from destinations to a means of accessing the Internet. Throughout this period, the population of computer users expanded rapidly. AOL, for all of its faults, deserves a lot of credit for introducing millions of people to the Internet. As the user community grew, online services began to build communities around more diverse interest groups, most having nothing to do with computers. The community focus shifted from computers to people who happened to use computers to do something.

Web 1.0

From the mid-90s to 2000, there was an explosion of activity as companies rushed to reproduce existing online services on the web. There were many social services created during this period, notably GeoCities and theGlobe.com. One thing the web did was to eliminate the walled garden problem that plagued AOL and their brethren. This promoted the development of niche communities, such as PlanetOut/Gay.com, that may have otherwise been stifled by corporate censorship in controlled environments. While none of these services advertised themselves as a social network per se, they had many of the same characteristics.

Friendster

Friendster deserves special mention because it was the first popular web site that contained all of the features we expect from social networks today --
especially the notion of using a social graph to track relationships. But it was an unfortunate example of being too early in a developing market. Everything I have seen since Friendster is highly influenced by it, and generally offers the same basic features, just in a different package.

The Future

While I think commercial social networks will continue to be popular, it is dangerous to project future growth from past trends. There are several important trends already underway that, while they are good for social networking as a whole, will undermine proprietary commercial services. Commercial social networks today are a lot like online services in the mid-90s -- they're popular because they make something easier to do (maintain a social graph, keep track of friends, search for new people). It was not that long ago when getting online was difficult for novice users. Large businesses (EarthLink, Netcom, AOL) were built around making the Internet easy to use. They became superfluous as broadband became standard and devices with built-in Net access were shipped. I think the same thing is likely to happen to social networks, so let's look at what a social network really does, and think about how that can be implemented on the open web.

Profiles

Social networks make it easy for people to create profiles using standard templates. This makes sense, but this is really no different than a web page. I like what Chris Messina and co. are doing with their distributed social networking project, which uses blogs as a basic building block, and microformats to embed metadata in pages. Separating profiles from other functions, like search and discovery, makes a lot of sense because then you can have one page or site that is visible via many different search tools.

Search (and the Social Graph)

The social graph is a function that can easily be added to search engines. Once web sites, blogs, etc.
are tagged to indicate that they are profiles, search engines can crawl them to pick up metadata, links to friends, etc. Search engines are already good at indexing the web, so adding a vertical search for people and social information is not a daunting task. Expect the search engines to add social/people search features. While the conventional wisdom holds that this task will naturally fall to Google, I think this is an area where AOL or Yahoo could score an unexpected win, as both companies are much more people- and community-focused.

Updates

One of the reasons Facebook is so addictive is because it is a convenient way to track the status of friends. This, too, is something that can be moved onto the open web. Anyone who wants to can publish updates, events, etc. via standard formats like RSS and iCal. Anyone who wants to monitor their friends' updates can do so, via a feed reader, or via custom applications that have yet to be built. If this becomes standard practice, there will be many opportunities for software developers to create new and better ways to track and display this information.

Follow The Money

To many, social networking is a winner-takes-all market. But I don't think that's the case. With the three pieces above, you can recreate what any social network does using open standards and the web. At the moment, this requires more effort, so people use commercial services, but in the long run, open standards usually win. I would bet on a company like WordPress or perhaps Tumblr to come out with a simple tool that makes publishing profiles and updates easy, and that is designed with social search in mind. Maybe this will be an open-source tool, maybe it will be a commercial service supported by monthly fees or advertising. My guess is that many companies will get into this category, and that -- just as there is diversity among blogging and personal publishing tools -- there will not be one clear winner.
Blog authoring and hosting companies are logical entrants, as they already do the majority of what's needed for an open social network. Search will be an important component of this, and I would expect that Google and other search vendors will play a dominant role here. There should also be opportunities for companies that specialize in people and social search. They'll make money, as they already do, by mixing targeted ads with their social search tools.

The good news for users is that this will be an open market, an ecosystem, with no lock in. Users will be able to choose among many profile and update publishing tools. They'll also be able to use whatever search tool they prefer. Most importantly, users (a.k.a. publishers) will own their data, and will be able to control how it is presented to the outside world.

The bad news for social networking companies is that this is not a winner-takes-all market, with winner-takes-all valuations. Blog authoring tools are a good comparison. This is certainly not a bad business to be in, but it is not a get-rich-quick business, either. The barriers to entry will also disappear as the network effect of having a large user community becomes irrelevant when every participant is equally searchable via multiple services. I also think that the general paranoia about big companies using personal data inappropriately will be an incentive for people to switch to other tools that provide more control over the use and presentation of their data.

If I had to pick a category to start a company in, I'd pick authoring tools. There's real long-term value there, as people tend to pick a publishing tool and stick with it -- and they'll pay more for higher-end tools. If I were Facebook, I'd be thinking about how to participate in this trend -- in other words, deal with change before it deals with you.
From rforno at infowarrior.org Sun Jan 20 17:50:48 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 20 Jan 2008 12:50:48 -0500
Subject: [Infowarrior] - SANS' Alan Paller tells a whopper
In-Reply-To:
Message-ID:

------ Forwarded Message
From: Rob Rosenberger
Date: Sun, 20 Jan 2008 12:38:30 -0500

Want to know how urban legends get started? Speaking breathlessly to the survivors of Hurricane Katrina, Alan Paller of the SANS Institute "confirmed" that (1) cities have suffered blackouts and (2) some people tried to profiteer from it. And he absolutely knows this for a fact because (3) the CIA told him absolutely nothing...

This whopper is truly ironic -- because just last October, Paller himself advised people to stop telling whoppers.

The Register hasn't yet chimed in. In the meantime, I dared to ask Paller the questions no reporter has yet asked...

http://Vmyths.com/column/1/2008/1/20

Rob

------ End of Forwarded Message

From rforno at infowarrior.org Mon Jan 21 02:12:29 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 20 Jan 2008 21:12:29 -0500
Subject: [Infowarrior] - RIAA web site hacked
In-Reply-To:
Message-ID:

(c/o Lyger)

Apparently the RIAA is so busy suing consumers that they forgot to hire a decent programmer. With a simple SQL injection, all their propaganda has been successfully wiped from the site.

http://torrentfreak.com/riaa-website-hacked-080120/

From rforno at infowarrior.org Mon Jan 21 14:49:55 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 21 Jan 2008 09:49:55 -0500
Subject: [Infowarrior] - Copyright Lobbies Threaten Federal College Funding
Message-ID:

Troubling "Digital Theft Prevention" Requirements Remain in Higher Education Bill

Last November, we reported on H.R. 4137, the College Opportunity and Affordability Act of 2007, which includes misguided anti-piracy requirements for universities. For the most part, the massive, nearly 800-page bill refreshes existing legislation about federal financial aid.
But the bill also includes a section with a title that sounds as if it were dreamt up by an entertainment industry lobbyist: "Campus-based Digital Theft Prevention."

< - >

http://www.eff.org/deeplinks/2008/01/digital-theft-prevention-requirements-remain-higher-education-bill

From rforno at infowarrior.org Tue Jan 22 15:37:20 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 22 Jan 2008 10:37:20 -0500
Subject: [Infowarrior] - Americans Abroad Can Now Vote Online
In-Reply-To: <47960699.908@inetassoc.com>
Message-ID:

From: Duane Schell

Has anyone reviewed the security of "Everyone Counts, Inc."?

------ Forwarded Message

http://apnews.myway.com/article/20080121/D8UA8VGG0.html

Jan 21, 7:25 AM (ET)
By JESSICA BERNSTEIN-WAX

MEXICO CITY (AP) - This year, for the first time, expatriate Democrats can cast their ballots on the Internet in a presidential primary for people living outside the United States. Democrats Abroad, an official branch of the party representing overseas voters, will hold its first global presidential preference primary from Feb. 5 to 12, with ex-pats selecting the candidate of their choice by Internet as well as fax, mail and in-person at polling places in more than 100 countries.

Democrats Abroad is particularly proud of the online voting option - which provides a new alternative to the usual process of voting from overseas, a system made difficult by complicated voter registration paperwork, early deadlines and unreliable foreign mail service. "The online system is incredibly secure: That was one of our biggest goals," said Lindsey Reynolds, executive director of Democrats Abroad. "And it does allow access to folks who ordinarily wouldn't get to participate."

U.S. citizens wanting to vote online must join Democrats Abroad before Feb. 1 and indicate their preference to vote by Internet instead of in the local primaries wherever they last lived in the United States.
They must promise not to vote twice for president, but can still participate in non-presidential local elections. Members get a personal identification number from Everyone Counts Inc., the San Diego-based company running the online election. They can then use the number to log in and cast their ballots.

Their votes will be represented at the August Democratic National Convention by 22 delegates, who according to party rules get half a vote each for a total of 11. That's more than U.S. territories get, but fewer than the least populous states, Wyoming and Alaska, which get 18 delegate votes each.

Everyone Counts has been building elections software for a decade, running the British Labor Party's online voting since 2000 and other British elections since 2003, chief executive officer Lori Steele said. Online voting may give absentee voters more assurance that their ballots are being counted, since confirmation is not available in some counties. The Everyone Counts software even lets voters print out a receipt, unlike most electronic voting machines now in use in many states.

"We've had no security breaches. We do constant monitoring," Steele said. Online voting "provides really a higher standard of security than is available in any other kind of system, including paper."

Steele said a number of U.S. states had contacted her company to inquire about online voting for the 2008 presidential election. "There are many, many states in the U.S. that would like to be offering this to their expatriate voters, their military voters and their disabled voters," Steele said. But online voting has been slowed by a lack of funding for pilot programs. In a floor speech this month, Sen. Evan Bayh, D-Ind., pushed for the distribution of money already approved under the Help America Vote Act so that states can improve ex-pat voting before the general election.

Some 6 million Americans living abroad are eligible to vote in U.S. elections, but only a fraction do so.
Until recently, the only option was to mail absentee ballot request forms to the last U.S. county of residence, then wait in hopes that shaky mail systems would deliver the ballots in time to vote. The system is so unreliable that of 992,034 ballots requested from overseas for the 2006 general election, only 330,000 were cast or counted, and 70 percent of those not counted were returned to elections officials as undeliverable, the U.S. Election Assistance Commission found.

In 2004, Juliet Lambert took her Oregon ballot to the U.S. Embassy in Mexico City, where drop service is available because of Mexico's notoriously undependable mail. "I had to go through security to drop off my ballot, and I remember thinking I really must want to vote," said Lambert, a 37-year-old caterer who works with Democrats Abroad in Mexico. "I think it can be really daunting for people." This year, Lambert is voting by Internet, "because it's easier, and I'm always online anyway."

Republicans Abroad has operated independently of the Republican Party since 2003, and therefore can't hold in-person or Internet votes abroad. But it is organizing to get more overseas Republicans registered back home before the primaries, Executive Director Cynthia Dillon said. Republican votes from overseas could be more decisive because even small margins can make a difference in their winner-take-all state primaries. The Democrats divide primary votes proportionally, assigning delegates according to each leading candidate's share.

"In the Republican primary, the overseas vote could actually have a bigger impact: That vote could be the tipping vote, so to speak, that decides an election in a close race," said Steven Hill, an elections expert who directs the New America Foundation's Political Reform Program. With so many states having moved up their primary dates, overseas voters should hurry up and register no matter how they plan on voting, Hill said. "These compressed timetables really make it difficult."
From rforno at infowarrior.org Tue Jan 22 18:00:28 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 22 Jan 2008 13:00:28 -0500
Subject: [Infowarrior] - Repress U
Message-ID:

This article can be found on the web at http://www.thenation.com/doc/20080128/gould-wartofsky

Repress U
by MICHAEL GOULD-WARTOFSKY
[from the January 28, 2008 issue]

Free-speech zones. Taser guns. Hidden cameras. Data mining. A new security curriculum. Private security contractors. Welcome to the homeland security campus.

From Harvard to UCLA, the ivory tower is fast becoming the latest watchtower in Fortress America. The terror warriors, having turned their attention to "violent radicalization and homegrown terrorism prevention"--as it was recently dubbed in a House of Representatives bill of the same name--have set out to reconquer that traditional hotbed of radicalization, the university. Building a homeland security campus and bringing the university to heel is a seven-step mission:

1. Target dissidents.

As the warfare state has triggered dissent, the campus has attracted increasing scrutiny--with student protesters in the cross hairs. The government's number-one target? Peace and justice organizations. From 2003 to 2007 an unknown number of them made it into the Pentagon's Threat and Local Observation Notice system (TALON), a secretive domestic spying program ostensibly designed to track direct "potential terrorist threats" to the Defense Department itself. In 2006 the ACLU uncovered, via Freedom of Information Act requests, at least 186 specific TALON reports on "anti-military protests" in the United States--some listed as "credible threats"--from student groups at the University of California, Santa Cruz; State University of New York, Albany; Georgia State University; and New Mexico State University, among other campuses.
At more than a dozen universities and colleges, police officers now double as full-time FBI agents, and according to the Campus Law Enforcement Journal, they serve on many of the nation's 100 Joint Terrorism Task Forces. These dual-purpose officer-agents have knocked on student activists' doors from North Carolina State to the University of Colorado and, in one case, interrogated an Iraqi-born professor at the University of Massachusetts about his antiwar views.

FBI agents, or their campus stand-ins, don't have to do all the work. Administrators often do it for them, setting up "free-speech zones," which actually constrain speech, and punishing those who step outside them. Protests were typically forced into "free-assembly areas" at the University of Central Florida and Clemson University, while students at Hampton and Pace universities faced expulsion for handing out antiwar fliers, aka "unauthorized materials."

2. Lock and load.

Many campus police departments are morphing into heavily armed garrisons, equipped with a wide array of weaponry, from Taser stun guns and pepper guns to shotguns and semiautomatic rifles. Lock-and-load policies that began in the 1990s under the rubric of the "war on crime" only escalated with the President's "war on terror." Each school shooting--most recently the massacre at Virginia Tech--adds fuel to the armament flames.

Two-thirds of universities arm their police, according to the Justice Department. Many of the guns being purchased were previously in the province of military units and SWAT teams: for instance, AR-15 rifles (similar to M-16s) are in the arsenals of the University of Texas campus police. Last April City University of New York bought dozens of semiautomatic handguns. Some states, like Nevada, are even considering plans to allow university staff to pack heat in a "special reserve officer corps."
Most of the force used on campuses these days, though, comes in less lethal form, such as the rubber bullets and pepper pellets increasingly used to contain student demonstrations. Then there is the ubiquitous Taser, the electroshock weapon recently ruled a "form of torture" by the United Nations. A Taser was used by UCLA police in November 2006 to deliver shock after shock to an Iranian-American student for failing to produce his ID at the Powell Library. A University of Florida student was Tased last September after asking pointed questions of Senator John Kerry at a public forum, his plea "Don't Tase me, bro!" becoming the stuff of pop folklore.

3. Keep an eye (or hundreds of them) focused on campus.

Surveillance has become a boom industry nationally--one that now reaches deep into the heart of campuses. In fact, universities have witnessed explosive growth since 2001 in the electronic surveillance of students, faculty and campus workers. On ever more campuses, closed-circuit security cameras can track people's every move, often from hidden or undisclosed locations, sometimes even into classrooms.

The International Association of Campus Law Enforcement Administrators reports that surveillance cameras have found their way onto at least half of all colleges, their numbers on any given campus doubling, tripling or, in a few cases, rising tenfold since September 11, 2001. Such cameras have proliferated by the hundreds on private campuses, in particular. The University of Pennsylvania, for instance, has more than 400 watching over it, while Harvard and Brown have about 200 each.

Often it can be tricky to find out where the cameras are and just what they're meant to be viewing. The University of Texas battled student journalists over disclosure and ultimately kept its cameras hidden. Sometimes, though, the cameras' purpose seems obvious. Take the case of Hussein Hussein, a professor in the department of animal biotechnology at the University of Nevada, Reno.
In January 2005 the widely respected professor found a hidden camera redirected to monitor his office.

4. Mine student records.

Student records have in recent years been opened up to all manner of data mining for purposes of investigation, recruitment or just all-purpose tracking. From 2001 to 2006, in an operation code-named Project Strike Back, the Education Department teamed up with the FBI to scour the records of the 14 million students who applied for federal financial aid each year. The objective? "To identify potential people of interest," explained an FBI spokesperson cryptically, especially those linked to "potential terrorist activity."

Strike Back was quietly discontinued in June 2006, days after students at Northwestern University blew its cover. But just one month later, the Education Department's Commission on the Future of Higher Education, in a much-criticized preliminary report, recommended the creation of a federal "unit records" database that would track the activities and studies of college students nationwide. The department's Institute of Education Sciences has developed a prototype for such a national database.

It's not a secret that the Pentagon, for its part, hopes to turn campuses into recruitment centers for its overstretched, overstressed forces. The Defense Department has built its own database for just this purpose. Known as Joint Advertising Market Research and Studies, this program tracks 30 million young people, ages 16 to 25. According to a Pentagon spokesperson, the department has partnered with private marketing and data-mining firms, which in turn sell the government reams of information on students and other potential recruits.

5. Track foreign-born students; keep the undocumented out.

Under the auspices of Immigration and Customs Enforcement (ICE), the Department of Homeland Security (DHS) has been keeping close tabs on foreign students and their dependents through the Student and Exchange Visitor Information System (SEVIS).
As of October 2007, ICE reported that it was actively following 713,000 internationals on campuses, while keeping more than 4.7 million names in the database. The database aims to amass and record information on foreign students throughout their stay inside the United States. SEVIS requires thick files on the students from the sponsoring schools, constantly updated with all academic, biographical and employment records--all of which will be shared with other government agencies. If students fall out of "status" at school--or if the database thinks they have--the Compliance Enforcement Unit of ICE goes into action.

ICE, of course, has done its part to keep the homeland security campus purified of those not born in the homeland. The American Immigration Law Foundation estimates that only one in twenty undocumented immigrants who graduate high school goes on to enroll in a college--many don't go because they cannot afford the tuition but also because they have good reason to be afraid: ICE has deported a number of those who did make it to college, some before they could graduate.

6. Take over the curriculum, the classroom and the laboratory.

Needless to say, not every student is considered a homeland security threat. Quite the opposite. Many students and faculty members are seen as potential assets. To exploit these assets, DHS has launched its own curriculum under its Office of University Programs (OUP), intended, it says, to "foster a homeland security culture within the academic community." The record so far is impressive: DHS has doled out 439 federal fellowships and scholarships since 2003, providing full tuition to students who fit "within the homeland security research enterprise." Two hundred twenty-seven schools now offer degree or certificate programs in "homeland security," a curriculum that encompasses more than 1,800 courses.
Along with OUP, some of the key players in creating the homeland security classroom are the US Northern Command and the Aerospace Defense Command, co-founders of the Homeland Security and Defense Education Consortium. OUP has also partnered with researchers and laboratories to "align scientific results with homeland security priorities." In fiscal year 2008 alone, $4.9 billion in federal funding will go to homeland-security-related research. Grants correspond to sixteen research topics selected by DHS, based on presidential directives, legislation and a smattering of scientific advice.

But wait, there's more: DHS has founded and funded six of its very own "Centers of Excellence," research facilities that span dozens of universities from coast to coast. The latest is a Center of Excellence for the Study of Violent Radicalization and Homegrown Terrorism, the funding for which cleared the House in October. The center is mandated to assist a national commission in combating those "adopting or promoting an extremist belief system...to advance political, religious or social change."

7. Privatize, privatize, privatize.

Of course, homeland security is not just a department, nor is it simply a new network of surveillance and data mining--it's big business. (According to USA Today, global homeland-security-style spending had already reached $59 billion a year in 2006, a sixfold increase over 2000.) Not surprisingly, then, universities have in recent years established unprecedented private-sector partnerships with the corporations that have the most to gain from their research. DHS's on-campus National Consortium for the Study of Terrorism and Responses to Terror (START), for instance, features Lockheed Martin on its advisory board. The Center for Food Protection and Defense relies on an industry working group that includes Wal-Mart and McDonald's offering "guidance and direction," according to its chair.
While vast sums of money are flowing in from corporate sponsors, huge payments are also flowing out to "strategic contracts" with private contractors, as universities permanently outsource security operations to big corporations like Securitas and AlliedBarton. Little of this money actually goes to those guarding the properties, who are often among the most underpaid workers in the universities. Instead, it fills the corporate coffers of those with little accountability for conditions on campus. Meanwhile, some universities have developed intimate relationships with private-security outfits like the notorious Blackwater. Last May, for example, the University of Illinois and its police training institute cut a deal with the firm to share its facilities and training programs with Blackwater operatives. Local journalists later revealed that the director of the campus program at the time was on the Blackwater payroll. In the age of hired education, such collaboration is apparently par for the course. Following these seven steps over the past six years, the homeland security state and its constituents have come a long way in their drive to remake the American campus in the image of a compound on lockdown. Somewhere inside the growing homeland security state that is our country, the next seven steps in the process are undoubtedly already being planned. Still, the rise of Repress U is not inevitable. The new homeland security campus has proven itself unable to shut out public scrutiny or stamp out resistance to its latest Orwellian advances. Sometimes such opposition even yields a free-speech zone dismantled, or the Pentagon's TALON declawed, or a Project Strike Back struck down. 
A rising tide of student protest, led by groups like the new Students for a Democratic Society, has won free-speech victories and reined in repression from Pace and Hampton, where the university dropped its threat of expulsion, to UCLA, where Tasers will no longer be wielded against passive resisters. Yet if the tightening grip of the homeland security complex isn't loosened, the latest towers of higher education will be built not of ivory but of Kevlar for the over-armored, over-armed campuses of America.

From rforno at infowarrior.org Wed Jan 23 00:35:10 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 22 Jan 2008 19:35:10 -0500
Subject: [Infowarrior] - More on... Americans Abroad Can Now Vote Online
In-Reply-To: <20080122204121.GA19620@gsp.org>
Message-ID:

------ Forwarded Message
From: Rich K

On Tue, Jan 22, 2008 at 10:37:20AM -0500, Richard Forno wrote:
> From: Duane
>
> Has anyone reviewed the security of "Everyone Counts, Inc."?

In one regard, it doesn't matter how secure "Everyone Counts, Inc." is. It matters how secure the systems being used to cast the votes are. And if they're running Windows, we know that they fall into two categories:

1. Those that have already been compromised
2. Those that are very likely going to be compromised

I won't rehash all over again the evidence which indicates that something on the order of 10e8 systems out there are known-compromised. (Vint Cerf, for example, has estimated 2.5 X 10e8.) Or why various assessments (including passive OS fingerprinting of spam-sending SMTP clients and botnet-participating systems) indicate that -- with rare exceptions -- they're all running Windows. Or why there is ample reason to conclude that the number which are actually compromised greatly exceeds the number which can be confirmed as compromised.

Instead, what I'll point out is that *nothing* a compromised system does can be trusted.
Whether it's sending mail or casting a ballot, whatever it does from the point it's compromised forward is done at the pleasure of its new owner(s). So even if we stipulated that Everyone Counts, Inc. had impenetrable security, the best of intentions, and bug-free software, its tabulations are only as valid as the data provided to it -- and that data can't be trusted at all.

From rforno at infowarrior.org Wed Jan 23 17:41:16 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 23 Jan 2008 12:41:16 -0500
Subject: [Infowarrior] - AT&T Looking at Internet Filtering
Message-ID:

AT&T Looking at Internet Filtering
Wednesday January 23, 10:18 am ET
http://biz.yahoo.com/ap/080123/world_forum_at_t.html?.v=2

AT&T Looking at How to Monitor Internet Traffic to Prevent Sharing of Copyrighted Content

DAVOS, Switzerland (AP) -- AT&T Inc. is still evaluating whether to examine traffic on its Internet lines to stop illegal sharing of copyright material, its chief executive said Wednesday.

CEO Randall Stephenson told a conference at the World Economic Forum that the company is looking at monitoring peer-to-peer file-sharing networks, one of the largest drivers of online traffic but also a common way to illegally exchange copyright files.

"It's like being in a store and watching someone steal a DVD. Do you act?" Stephenson asked.

AT&T has talked about such plans since last summer. They represent a break with the current practice of U.S. Internet service providers, who are shielded by law from liability if their subscribers trade copyright files like movies.

Stephenson said he still sees value in peer-to-peer networks despite some problems. The networks are increasingly used for legally distributed files like movie trailers and software.

Comcast Corp., the second largest U.S. Internet provider after AT&T, has chosen another way to deal with the congestion caused by file-sharers, by hampering some peer-to-peer traffic regardless of whether the content is legal. The U.S. Federal Communications Commission said earlier this month it would investigate complaints from consumer groups and legal scholars that Comcast's practice violates the open access principles of the Internet.

From rforno at infowarrior.org Thu Jan 24 02:56:43 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 23 Jan 2008 21:56:43 -0500
Subject: [Infowarrior] - Hackers v. Scientology
Message-ID:

War Breaks Out Between Hackers and Scientology -- There Can Be Only One
By Ryan Singel | January 23, 2008 | 2:16:38 PM | Categories: Hacks and Cracks

A loose confederation of online troublemakers who call themselves Anonymous have declared war on the Church of Scientology by flooding its servers with fake data requests, describing the attacks as punishment for the Church's alleged abuse of copyright laws and alleged brainwashing of its members.

Anonymous congregates on the net at various hangouts such as 711chan.org (NSFW) and partyvan.info and sundry IRC channels. The group usually amuses itself by stealing passwords to downloading sites and finding ways to harass online communities that its members disdain. They were last seen on THREAT LEVEL when a Los Angeles Fox News affiliate ran a story that hilariously implied the group's arsenal included exploding vans.

The attack on Scientology, which Anonymous has dubbed Project Chanology, started in recent days, set off by the Church's most recent attempt to censor the internet by forcing sites to remove a creepy Tom Cruise Scientology video. A wiki set up for the project directs Anonymous members to download and use denial of service software, make prank calls, host Scientology documents the Church considers proprietary, and fax endless loops of black pages to the Church's fax machines to waste ink.
< - >

http://blog.wired.com/27bstroke6/2008/01/anonymous-attac.html

From rforno at infowarrior.org Thu Jan 24 02:58:59 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 23 Jan 2008 21:58:59 -0500
Subject: [Infowarrior] - Rummy Resurfaces, Calls for U.S. Propaganda Agency
Message-ID:

Rummy Resurfaces, Calls for U.S. Propaganda Agency
By Sharon Weinberger | January 23, 2008 | 4:11:26 PM | Categories: Info War, Strategery

One of the many things I love about Donald Rumsfeld is that he's totally unrepentant. Back in 2001, the Pentagon under his leadership created the controversial Office of Strategic Influence, which was closed down just a few months later after its existence became public. Rightly or wrongly, the Pentagon was accused of creating a propaganda office.

Now, the former defense secretary has a bigger vision: he is advocating a "21st century agency for global communications." This was one of the major themes in one of Rumsfeld's first post-Pentagon public comments at a conference today on network centric warfare sponsored by the Institute for Defense and Government Advancement. According to Rumsfeld, the United States is losing the war of ideas in the Muslim world, and the answer to that, in part, is through the creation of this new government agency.

During the Q&A after the speech, I asked Rumsfeld what this new agency might entail (he was pretty clear it wouldn't be a resurrected U.S. Information Agency, which was merged into the State Department in 1999), and why, when there is an abundance of media available in the private sector, the government needs to get involved.
< - >

http://blog.wired.com/defense/2008/01/rummy-wants-pro.html

From rforno at infowarrior.org Thu Jan 24 14:13:42 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 24 Jan 2008 09:13:42 -0500
Subject: [Infowarrior] - Dodd again promises filibuster over telecom immunity
Message-ID:

Senator Dodd renews call against telecom immunity
Diane Sweet
Published: Wednesday January 23, 2008
http://rawstory.com/news/2007/Senator_Dodd_renews_call_against_Telecom_0123.html

Senator Dodd threatened to filibuster a bill that would give immunity to the Telecommunications companies that broke FISA wiretap laws.

Continuing his battle against retroactive immunity for telecommunication companies, Senator Dodd gave an impassioned speech against what he referred to as a "5-year concerted effort contrary to the law of the land."

Pointing out that not all telecoms complied with the request from the Bush administration to listen in on private conversations of American citizens unless they were given a court order to do so, Dodd also questioned where such violations would end, and warned the notion of Americans giving up rights in order to be safe was a "false dichotomy that is dangerous."

Senator Dodd also had high praise for the "brave whistleblower" who came forward with the wiretapping information, and said without that information the practice might have remained hidden.

Dodd ended the session calling for his colleagues to support him when he returns to the issue at 9:30am EST Thursday morning, when he promises to continue to fight against telcom immunity with every means at his disposal.

This video is from C-SPAN 2, broadcast January 23, 2008.

< - >

http://rawstory.com/news/2007/Senator_Dodd_renews_call_against_Telecom_0123.html

From rforno at infowarrior.org Thu Jan 24 17:17:35 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 24 Jan 2008 12:17:35 -0500
Subject: [Infowarrior] - VP Cheney makes strong pitch for telecom immunity
Message-ID:

VP Cheney makes strong pitch for telecom immunity
By Ryan Paul | Published: January 24, 2008 - 08:18AM CT
http://arstechnica.com/news.ars/post/20080124-vp-cheney-makes-strong-pitch-for-telecom-immunity.html

United States Vice President Dick Cheney gave a policy address yesterday to the Heritage Foundation, a prominent conservative think tank. During his speech, Cheney endorsed proposals to expand the scope of warrantless electronic surveillance, called for such programs to be made permanent, and advocated granting retroactive legal immunity to telecommunications service providers that were complicit in potentially illegal government wiretapping activities.

Cheney's speech articulated the Bush administration's position on surveillance issues in anticipation of the imminent expiration of the Protect America Act, a temporary surveillance bill that was enacted in response to a ruling from the secretive Foreign Intelligence Surveillance Court (FISC) that reportedly reined in intelligence-gathering activity. The Protect America Act broadly expanded federal surveillance power and eliminated many requirements for judicial oversight, making it possible for the executive branch and some of its direct subordinates to authorize warrantless interception of communications between people "reasonably believed to be outside the United States." Cheney framed this policy as an effort to modernize the FISA process and is calling for Congress to make permanent those provisions of the Protect America Act. Cheney also asserts that domestic telecommunications service providers who cooperate with government requests for information should be granted legal immunity for their potentially unlawful behavior.
"First, our administration feels strongly that an updated FISA law should be made permanent, not merely extended again with another sunset provision. We can always revisit a law that's on the books -- that's part of the job of the elected branches of government. But there is no sound reason to pass critical legislation like the Protect American Act and slap an expiration date on it. Fighting the war on terror is a long-term enterprise that requires long-term, institutional changes. The challenge to the country has not expired over the last six months. It won't expire any time soon -- and we should not write laws that pretend otherwise," said Cheney during his speech. "Second, the law should uphold an important principle: that those who assist the government in tracking terrorists should not be punished with lawsuits. We're asking Congress to update FISA and especially to extend this protection to communications providers alleged to have given such assistance any time after September 11th, 2001. This is an important consideration, because some providers are facing dozens of lawsuits right now. Why? Because they are believed to have aided the U.S. government in the effort to intercept international communications of al Qaeda-related individuals."

Critics of the government surveillance program note that telecom involvement in warrantless wiretapping likely violates section 222 of the Communications Act, which prohibits disclosure or provision of access to customer network information. The legality of the program, however, is in dispute because the FCC has declined to investigate, the telecom companies have refused to disclose information about the program to Congress, and the FISC ruling regarding the legality of the program is classified and remains a guarded secret. The Bush administration has demanded retroactive immunity grants for the telecom companies and has threatened to veto any surveillance bills that do not include said provisions.
The telecoms themselves have also been vigorously lobbying for immunity. There are allegations that the telecom companies have attempted to use political leverage to obtain the immunity grants, but the veracity of those allegations cannot be evaluated yet because the DoJ has -- in clear violation of the Freedom of Information Act -- been stonewalling the EFF's formal requests for information regarding interaction between telecoms and politicians.

Concerns have been expressed by critics that the kind of surveillance made possible by the Protect America Act is only the beginning and that basic privacy rights will be further eroded as the government continues to push the boundaries of law. Indeed, Cheney also passingly endorses a proposal made by intelligence chief Mick McConnell that reaches far beyond the current FISA dispute and would enable the government to intercept virtually all network traffic in the United States, an unprecedented level of surveillance. In light of consistent abuses of basic surveillance powers granted to federal law enforcement agencies, it's not a stretch to believe that more secretive surveillance programs would also be rife with abuse in the absence of more direct transparency and oversight.

From rforno at infowarrior.org Thu Jan 24 20:13:17 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 24 Jan 2008 15:13:17 -0500
Subject: [Infowarrior] - Afghan journo sentenced to death for downloading
Message-ID:

Afghan 'blasphemy' death sentence
http://news.bbc.co.uk/2/hi/south_asia/7204341.stm

An Afghan journalist has been sentenced to death by a provincial court for distributing "blasphemous" material.

Sayed Perwiz Kambakhsh, 23, was arrested in 2007 after downloading material from the internet relating to the role of women in Islamic societies.

A primary court in Balkh province said that Kambakhsh had confessed to blasphemy and had to be punished.
The court also threatened to arrest any reporters who protested against Kambakhsh's sentence. Kambakhsh, a student at Balkh University and a journalist for Jahan-e Naw (New World), was arrested in October 2007 after material he downloaded was deemed to be offensive to Islam. Shamsur Rahman, the head of the court, told Reuters news agency: "According to... the Islamic law, Sayed Perwiz is sentenced to death at the first court. "However, he will go through three more courts to declare his last punishment," he said. 'Deeply shocked' Balkh province's deputy attorney general, Hafizullah Khaliqyar, warned other journalists that they would be arrested if they attempted to support Kambakhsh. But Agence France-Presse reported that journalists were gathering outside the home of the condemned reporter. The sentence has been welcomed by conservative Islamic clerics in Afghanistan but criticised by international human rights groups. Global media watchdog Reporters Without Borders said it was "deeply shocked" by the trial and appealed to President Hamid Karzai to intervene "before it is too late". In a statement, the group said the trial was "carried out in haste and without any concern for the law or for free expression, which is protected by the constitution". "Kambakhsh did not do anything to justify his being detained or being given this sentence." Kambakhsh's brother, Sayed Yaqub Ibrahimi, said the verdict was "very unfair" and appealed for help from the international community, reported Reuters. 
Story from BBC NEWS:
http://news.bbc.co.uk/go/pr/fr/-/2/hi/south_asia/7204341.stm
Published: 2008/01/23 11:35:26 GMT

From rforno at infowarrior.org Fri Jan 25 00:47:57 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 24 Jan 2008 19:47:57 -0500
Subject: [Infowarrior] - Kafka-esque security decision
Message-ID:

Granted if you don't know you're carrying a loaded firearm somewhere you might have other issues, but besides that ---- think about it: on one hand, you forgot to declare that you had a loaded gun at the airport. Then when you voluntarily go back to declare it and remedy your forgetfulness, you're arrested. Sure speaks volumes about individuals trying to "do the right thing" post 9/11, eh?

-rf

Loaded gun slips through airport security

WASHINGTON (CNN) -- A passenger who went through an airport security checkpoint -- before remembering that he had a loaded gun -- is facing charges after going back to report his error, authorities said.

Gregory Scott Hinkle, 53, of Davis, West Virginia, went through a Transportation Security Administration checkpoint at Ronald Reagan Washington National Airport about 7:30 a.m. Sunday, an airport spokeswoman said.

After the traveler evidently recalled having the gun, he returned to the checkpoint and disclosed the weapon, authorities said.

The TSA contacted airport police, who charged the man with possessing or transporting a firearm into an air carrier terminal where prohibited, a misdemeanor, and released him. He is scheduled to appear April 2 in Arlington County, Virginia, General District Court.

Hinkle did not immediately return a phone call to his residence.

A TSA spokesman said the agency reviewed airport surveillance camera videos of the incident and removed the screener from security duties while an investigation is under way.

"Appropriate actions will be taken once the investigation is complete," spokesman Christopher White said.
White said that 14 guns were discovered at checkpoints around the country last week. On average, screeners find two guns a day, he said.

"We know this is not a systemic problem in that our testing indicates TSOs [Transportation Security Officers] have a very high success rate at finding firearms. Given the high degree of reliability that our TSOs can find even carefully concealed firearms, we are evaluating every aspect of this incident," White said.

CNN's Mike M. Ahlers contributed to this report.

Find this article at:
http://www.cnn.com/2008/US/01/23/airport.gun/index.html

From rforno at infowarrior.org Fri Jan 25 02:47:07 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 24 Jan 2008 21:47:07 -0500
Subject: [Infowarrior] - FISA Showdown immediately before SOTU Address
Message-ID:

Spying Showdown Pushed to Hours Before State of Union Address; No Civil Lib Amendments Allowed
By Ryan Singel | January 24, 2008 | 5:37:14 PM | Categories: NSA
http://blog.wired.com/27bstroke6/2008/01/spying-showdown.html

Republican leadership in the Senate made their move early Thursday evening, successfully blocking any votes on amendments to the intelligence bill and forcing the Senate to vote only on the Administration-approved bill worked out by the Senate Intelligence committee. That vote will come on Monday at 4:30 just hours before the President delivers the State of the Union address from the Senate floor.

The Intel committee bill expands the government's wiretapping authority and gives immunity to the telecoms that helped the government secretly spy on Americans without getting the warrants required by law.

Senate Majority Leader Harry Reid (D-Nevada) railed and whined about the tactic and said he would vote against 'cloture' -- which would have limited the debate time and the possible amendments. His comments prompted a postponement of the cloture vote until Monday at 4:30.
If the Republicans win that vote, the Senate will have until 6 pm Tuesday to debate the bill as it currently stands and then vote on it. In the meantime, the Senate will be open for business, but no amendments to the spying legislation will be voted on or introduced.

The move also places the vote just four and a half hours before President Bush delivers the State of the Union address on Monday night at 9 p.m., when he is expected to forcefully argue for Congress to give him the spying powers.

Reid castigated the Republicans for not allowing debate and discussion on amendments that would have required reports on the government's secret wiretapping program, re-affirmed that spying could only happen by following wiretap law, and strengthened bans on the government finding loopholes to target Americans for surveillance without getting warrants first.

"We offered an extension of the current law for a month, several months, a year, 18 months," Reid said. "But the Republican leadership don't want to extend the program."

"It is really not fair we be asked to accept this without being able to vote on a single amendment," Reid complained.

The current law, known as the Protect America Act, expires on February 1. The measure gives the intelligence community wide powers to unilaterally order domestic communication companies to help the government spy, a power the Administration says it needs to snoop on foreign terrorists.

Senate Minority Leader Mitch McConnell (R-Kentucky) countered that the Intelligence bill was the product of months of bipartisan work -- essentially a known quantity that could be ruined by amendments.

"We do know the pres will sign the Rockefeller-Bond proposal before us," McConnell said, referring to the Senate Intelligence Committee's top Democrat and Republican respectively.

Dick Durbin followed to second Reid's disappointment and to clarify that no amendments would be voted on in the meantime.
"They want the president's version of the bill -- take it or leave it," Durbin railed of the Republican leadership. "They would run the risk of shutting down the program."

The Center for Democracy and Technology's Greg Nojeim described the move for cloture as a way for the Administration to pass the measure without civil liberties amendments, many of which were being pulled piecemeal from the Judiciary committee version of the bill that was voted down earlier Thursday.

Even if the Senate passes the Intel committee bill on Tuesday, it will need to work out a compromise with the House, before sending the bill to the president for signature. The House version, known as the Restore Act, doesn't include immunity for telecoms and severely constrains when the government can spy in America without warrants -- essentially blocking bulk collection activities allowed in the Protect American Act and the Senate Intel bill.

One possible scenario: the House bows to pressure and quickly passes whatever the Senate passes, thus making a conference and re-votes on the compromise legislation unnecessary.

From rforno at infowarrior.org Fri Jan 25 02:48:17 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 24 Jan 2008 21:48:17 -0500
Subject: [Infowarrior] - 'We Traced the Cyberwar -- It's Coming From Inside the Country!'
Message-ID:

'We Traced the Cyberwar -- It's Coming From Inside the Country!'
By Kevin Poulsen | January 24, 2008 | 2:59:34 PM | Categories: Cybarmageddon!

A 20-year-old man named Dmitri Galushkevich is the first cyber soldier to face justice for launching one of the attacks in last year's "cyber war" against Estonia, AFP reports.

You'll recall that Estonia blamed the Russian government for last spring's DDoS attacks, and even considered invoking NATO Article 5 to marshal a multinational military counter attack against Russia -- a perfectly reasonable response to a bunch of websites being overloaded with unwanted traffic.
Wired magazine sent a reporter to Russia to try and track down the culprits, but Vladimir Putin's ruthless cyber brigade proved elusive.

And so it comes as quite a shock to THREAT LEVEL to learn that the attacker convicted today isn't a member of the Russian military, nor is he an embittered cyber warrior in Putin's secret service. He doesn't even live in Russia. He's an ethnic Russian who lives in Estonia, who was pissed off over that whole statue thing.

The court fined him 17,500 kroons, or $1,620 dollars, and sent him on his way.

http://blog.wired.com/27bstroke6/2008/01/we-traced-the-c.html

From rforno at infowarrior.org Fri Jan 25 12:38:56 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 25 Jan 2008 07:38:56 -0500
Subject: [Infowarrior] - USAF Cyber Command, explained
Message-ID:

Noah hits this dead-on correctly!!! --rf

Air Force's New Target: Phishing
By Noah Shachtman | January 25, 2008
http://blog.wired.com/defense/2008/01/air-forces-new.html

In an interview with Network World, Lt. Gen. Robert Elder reveals some of the areas of the Air Force's new cyber command:

> Phishing, for example, is a type of attack. We're arming airmen with the
> skills to recognize a phishing attack.
>
> and
>
> People need to be careful about clicking on links . . . .

Nothing like building a command around the need to defend against a decades-old problem and the laziness of end-users. Still, we should give credit where it is due: the first to the fight is usually the one who takes home the biggest purse of taxpayer funds.

What is usually left out of discussions like this is the fact that all kinds of military efforts to defend networks have been in place for years. What has always been lacking, however, is the will to enforce existing information security policy. When your author was helping defend Defense Department networks the compliance rate in response to warnings about network flaws and patching procedures was just south of dismal.
The solution has been not to hold people accountable and let the system work, but to build a larger bureaucracy and build more systems (surprise).

< - >

From rforno at infowarrior.org Fri Jan 25 12:40:33 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 25 Jan 2008 07:40:33 -0500
Subject: [Infowarrior] - The Last Cyber Threat Article You'll Ever Read
Message-ID:

(Disclaimer: I helped write this........rf)

The Last Cyber Threat Article You'll Ever Read
http://haftofthespear.com/2008/01/the-last-cyber-threat-article/#more

I'm tired of hearing about all the "new" things going on in the cyber-war, cyber-terrorism, cyber-insert-your-term-here business. Nothing I've read on these issues in the last few years is any different from anything I read fifteen years ago. Issues that make headlines today were actually new when the IBM XT was a hot piece of hardware. So as a public service your author provides you with five factors to evaluate when deciding on whether or not to buy the next book or magazine with an article that suggests iDeath or e-horror is imminent. Take a pass if you detect any two in a scan of the dust jacket or lede.

Nothing is New.

Any time someone talks about how new a given cyber issue is, watch out for wet paint. Winn Schwartau's 1994 book Information Warfare was essentially the tipping point for the cyberspace-is-a-dangerous-place genre. Years earlier Cliff Stoll's The Cuckoo's Egg laid out what evils were in store for the nascent Internet (contrary to popular opinion, Latvia is just the latest target upon which Russians have unleashed hackers). Phishing and man-in-the-middle attacks are just variations on a theme; Computer Capers (© 1978!) talks about how people were using computers to commit financial crimes back when a portable computer required a fork lift.

More Metaphors = More B.S.
Any story you read that has someone fusing a lot of physical-world terms with Internet-related terms should invoke one reaction: check your wallet. The military are particularly egregious abusers in this area. After years of studying the issues, the Pentagon still has few sound ideas about how to fight and win a battle in cyberspace. That hasn't stopped the Air Force from setting up new cyber warfighting command (watch for the other Services to follow the money). Among the many unanswered questions: If we are about to launch an attack, do we have to get fly-over rights from Verizon? If an apparent foreign source takes out a purely commercial concern in the US, do we attack said foreign nation's capital? Since accurately identifying the source of a cyber attack is near impossible, how do we minimize friendly-fire or collateral damage? Scratch beneath the surface and you find no solid answers.

Net-centricity is as dangerous as it is helpful.

Data is not knowledge and being able to process a lot of data does not provide wisdom. Careless application of technology -- particularly in a military context, though you find parallels in business as well -- threatens to send us into a retrograde spin to the days of the "squad leader in the sky." The phrase refers to the practice of some military commanders in Viet Nam who would fly above an operation and attempt to direct action on the ground (much to the dismay of those who were actually being shot at). Does having a lot of data on a dashboard fundamentally improve our ability to make decisions, or does it simply foster the illusion of situational awareness and operational control? More importantly, how wise is it to pursue such efforts given the fact that we can barely secure the networks we have now?

The "Expert" Probably Isn't.

Who do you see quoted in stories about cyber-Armageddon?
Sometimes they're white hat hackers, sometimes engineers, sometimes soldiers, but more often than not they're people who know a lot of buzz-words and not a lot of details. I belong to a professional organization that addresses issues related to conflict in cyberspace, but there is no one in this diverse and august group who knows it all - and more importantly they would never pretend to. Being able to crack passwords doesn't make you a digital soldier; an ex-pilot assigned to an INFOSEC job while awaiting retirement is no cyber-warrior; and a General who read Strategic Warfare in Cyberspace isn't the information age's Sun Tzu. The "expert" who sounds like an evangelist on this stuff isn't a holy man; he's a con man.

The World Doesn't End if the Internet Goes Dark.

Cyberwar breaks out tomorrow and then what? The sun will still come up and life will still go on. Everything will become more tedious and time-consuming, but for those raised in the analog age, life will seem very familiar indeed. This is not to say that there will not be economic and other implications that will hurt us as a nation, but we're not facing life in a new dark ages or a war against the CHUDs. Coloradans dealt with the snow storm of 2007; New Englanders dealt with the ice storm of 1998; levels of individual preparedness vary, but the country doesn't suddenly become one big post-Katrina New Orleans (especially since New Orleans post-Katrina wasn't as bad as some made it out to be) just because connectivity drops off.

Lector Caveo should be your watchwords every time you pick up a book or magazine that purports to tell you something you don't already know with regards to the hazards of cyberspace. Variations on well-worn themes are as multitudinous as there are bits stored on a 40 TB RAID. There is nothing revolutionary about coming up with a new way to waste money on an old idea dolled up in lipstick and pancake makeup.
Threats in cyberspace are real, but what is actually scary is the fact that we readily rush headlong to expose ourselves for convenience or merely for cachet. Done properly, technology should enable us to do things effectively and safely, but since security is hard, people are lazy, and hope is cheap, we usually end up hoping for the best. We're in our second decade of cyber threats being on the national security radar and we are still not dramatically better off today than we were when we started. For an issue that should be moving at Internet time, we are still clearly operating at the speed of government.

===

Thanks to Rick Forno, Bob Gourley, and Joel Harding for their help in putting this together. All the good parts are theirs; all the bad parts are mine.

From rforno at infowarrior.org Fri Jan 25 12:50:03 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 25 Jan 2008 07:50:03 -0500
Subject: [Infowarrior] - $7.8B "insider" fraud at Societe Generale
Message-ID:

Not sure if this is negligence, gross negligence, plain stupidity, or if this guy is really the 'smart hacker-rogue-trader' that he's being made out to be in the media. Then again, there are conspiracy theories floating in the financial world suggesting that this guy really is taking a fall for the bank's exposure to global CDOs and SIVs rather than the bank accepting responsibility for them. Who knows? Whatever the cause, just sheeeesh! Security controls and auditing? Surely you jest......

-rf

http://www.iht.com/articles/2008/01/24/business/socgen.php

Société Générale, one of the largest banks in Europe, was thrown into turmoil Thursday after it revealed that a rogue employee had executed a series of "elaborate, fictitious transactions" that cost the company more than $7 billion, the biggest loss ever recorded in the financial industry by a single trader.

< - >

Société Générale said it had no indication whatsoever that the trader - who joined the company in 2000 and worked for several years in the bank's French risk-management office before being moved to its Delta One trading desk in Paris - "had taken massive fraudulent directional positions in 2007 and 2008 far beyond his limited authority." The bank added: "Aided by his in-depth knowledge of the control procedures resulting from his former employment in the middle-office, he managed to conceal these positions through a scheme of elaborate fictitious transactions."

The trader - whom Noyer said "breached five levels of controls," and was "a computer genius" - continued the fraud until this past weekend, when auditors in the company's risk-management office detected a series of fictitious trades on its books, which it said was committed by an employee in charge of hedging the bank's trades in European stock index futures. When the fraud was unveiled, Bouton said, it was "imperative that the enormous position that he had built, and hidden, be closed out as rapidly as possible."

The timing could hardly have been worse. Société Générale was forced to begin unwinding the trades on Monday "under conditions of extreme market volatility," Bouton said, as global stock markets plunged amid mounting fears of an economic recession in the United States.

From rforno at infowarrior.org Fri Jan 25 13:44:38 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 25 Jan 2008 08:44:38 -0500
Subject: [Infowarrior] - Odyssey of State Capitols and State Suspicion
Message-ID:

Odyssey of State Capitols and State Suspicion
By KATHRYN SHATTUCK
http://www.nytimes.com/2008/01/20/arts/design/20shat.html?pagewanted=print

In a recent morning interview in a Midtown Manhattan office Ramak Fazel came across as the quintessential world citizen: tall, slim and elegant, his English tinged with an untraceable accent and peppered here and there with an Italian phrase.
He also exuded the weariness of a frequent flier, having arrived the afternoon before at Newark Liberty Airport, where he was delayed for nearly three hours while United States Customs and Border Protection agents questioned him about the purpose of his trip, searched his baggage and photocopied the pages of his personal agenda.

That routine is something that Mr. Fazel, a 42-year-old freelance photographer who lives in Milan, Italy, has come to know well, and he takes pains to come across as favorably as possible. For starters, he makes sure his face is always immaculately cleanshaven. "I have become the poster boy for Gillette," he said, somewhat ruefully.

Shaving was one of the last things on Mr. Fazel's mind when, on Aug. 7, 2006, he set out on a photographic and philatelic odyssey from his mother's home in Fort Wayne, Ind. His mission was to photograph each of the nation's 50 state capitol buildings and dispatch a postcard from each city, using postage stamps from a childhood collection. Each postcard would be mailed to the next state on his journey, where he would pick it up, continuing until he had gone full circle back to Indiana.

But there was a problem. On a flight from Sacramento, Calif., to Honolulu, Mr. Fazel described his project to a fellow passenger. He later discovered that she had reported him as suspicious -- perhaps to the pilot or the Transportation Security Administration -- and taken a picture of him as he slept. Maybe it was because he was vaguely foreign looking, he reasoned, and his photographic endeavor seemed menacing in a post-9/11 landscape. He also had a three-day growth of beard, he recalled. And, although Mr. Fazel grew up mostly in the United States and is an American citizen, there was his Iranian name.

In his view that woman's report began a chain reaction, turning him into a person of interest for officials from local law enforcement agencies on up to the F.B.I. On a stop in Annapolis, Md., for example, he was interrogated about his activities and read his Miranda rights. Today, he said, his name lingers on what he thinks of simply as "the list." (He doesn't know where it originated or who controls it.) He believes it has prevented him from receiving a visa to India and caused him to be questioned at the border of Poland, both of which he had visited in the past. He said he has been interrogated the last four times he has entered the United States.

That sense of stigmatization -- and the pursuit of life, liberty and art -- is a steady undercurrent in "49 State Capitols," an exhibition of postcards, photographs and ephemera from Mr. Fazel's 2006 trip that is to open on Wednesday at the Storefront for Art and Architecture in SoHo. (He ran out of money before he made it to Alaska.)

"I wanted to learn about America," Mr. Fazel said. "Visiting the capitols -- I don't want to say it's a dream, but we're led as children to believe that it's kind of an obligation, that you need to see up close the country you call home.

"I may live abroad, but my sense of being an American, of loving my country, has never changed."

Mr. Fazel, who moved to Italy in 1994, conceived of the trip in 2006 while visiting his mother in Fort Wayne, where she called his attention to his stamp collection in the attic. "'Do something with these,'" he remembered her saying. He went to a collector who offered him less than he believed his stamps were worth. "I thought, what a shame to just sell these for $1,000," Mr. Fazel said. "I felt they needed to be released from that static state, needed to be released for their original purpose to be postage."

What specifically inspired his trip was a page of stamps of the flags of the 50 states, in the order of their admission to the union, issued for the nation's bicentennial in 1976. That was the year he began collecting, shortly after moving to Fort Wayne, where the Fazels were the only Iranian family.

Mr. Fazel was born in Iran but moved to the United States when he was 2 months old. His father, who was then working on his doctorate in psychology, and his mother, who eventually became a potter, settled in Logan, Utah, and then in Fort Wayne. In 1970 the family briefly moved back to Iran, where his father taught in a satellite campus of Harvard Business School in Tehran; in 1976 they returned to Fort Wayne.

Mr. Fazel, feeling something of an outsider in a community divided into white and black, athletically gifted and not, turned to stamp collecting at his father's urging. "Through stamps I had the chance to learn about America and American culture," he said. He collected enthusiastically, using money he earned from mowing lawns and shoveling snow. But with a driver's license came adult freedom, and Mr. Fazel tucked his collection away.

He earned a degree in mechanical engineering at Purdue University, then went to New York to study graphic design and photography. In 1994 he moved to Milan -- "to enrich myself, invest in myself," he said -- and to overcome a sense of his cultural limitations. He feels that he succeeded, he said, yet he never stopped pondering what it meant for him to be American.

So in the spring of 2006, stamps in hand, he began to plot his road trip, researching the shortest distances from state capital to state capital and the locations of post offices and Y.M.C.A.'s (where he could shower and swim). He spent $1,500 on a used Chevy van in which he would live and another $2,000 to refurbish it. At night he would often seek out Wal-Mart parking lots, where security was tight, to park his van and sleep.

In each capital Mr. Fazel would research the state's history in a library and then design a 10-by-14-inch postcard on white stock, adorned with mosaics he concocted from stamps related to the state. The postcard he sent from Florida to Georgia honors space flight; the one from Hawaii to Arizona pays tribute to Pearl Harbor.
The postcard sent from New York to Pennsylvania bears 11-cent stamps from 1965 that Mr. Fazel arranged in the shape of the twin towers -- one toppling over, the other being pierced by a commercial aviation stamp -- and with fire truck and ambulance stamps and a commemorative stamp of St. Vincent's Hospital Manhattan.

Mr. Fazel drove 17,345 miles in 78 days, mailing a postcard from each city and picking it up in the next one, with the speed of the mail dictating the pace of his trip. "It was such a nice surprise to discover how reliable the postal system was," he said, adding that some of the cards arrived within 12 hours.

But in Jackson, Miss., his journey took its bizarre twist. One night, as he sat in his van, a beam of light pierced his reverie. He heard his name over a loudspeaker and a command to step out of the vehicle with his hands held high. Suddenly, Mr. Fazel said, he was forced to the ground, face to the concrete, and handcuffed by a city police officer. His vehicle was searched, and when the officers determined that nothing was amiss, Mr. Fazel was ordered to leave the parking lot and continue down the road. He said the officers told him that they had received a report that he was aiming an automatic weapon at passing traffic.

Lee D. Vance, assistant chief of the Jackson city police, said he could not confirm the incident because it had not resulted in an arrest and because Mr. Fazel has not filed a complaint.

As Mr. Fazel continued his travels, he slowly began to perceive that he was on some kind of watch list. In Atlanta he was prohibited from entering the Capitol, he said, even as others did. In Columbia, S.C., he was questioned on the grounds of the Capitol by a police officer who mentioned that he knew Mr. Fazel lived in Italy.

On the morning of Oct. 3, he entered the Maryland Capitol in Annapolis, where he presented identification and signed his name on a visitors' sheet. A guard asked him to wait. Suddenly, Mr. Fazel said, he was handcuffed and rushed through corridors into a police station, where a man he later learned was a member of the Maryland Joint Terrorism Task Force with the F.B.I. started speaking to him in Farsi.

As Mr. Fazel related it, the experience went as follows: "I'm American," Mr. Fazel said. "I speak English." Another officer asked, "Where are you really from?" Mr. Fazel produced his Indiana driver's license. "I can tell by looking at you that you're not from Fort Wayne," the officer replied.

After a four-hour encounter in which he was asked about a recent trip to Iran for an Italian design magazine and about who was financing his trip to state capitols, he was released without being charged. But he was also warned by an F.B.I. official that he was now in the system and would have troubles if he continued his trip.

Richard Wolf, a media coordinator with the F.B.I. in Baltimore, said he had no knowledge of the incident. He added, "We don't normally respond or comment on any sort of leads we've conducted with the Joint Terrorism Task Force." Asked whether Mr. Fazel was on the government's terrorist watch list, Bill Carter, an F.B.I. spokesman in Washington, said that as a matter of policy, "we can't verify whether an individual is on a watch list or not."

After the incident in Maryland Mr. Fazel called Brett R. Fleitz, a lawyer in Indianapolis and a childhood friend. Mr. Fleitz said he immediately sought to reassure him. "I implored him to continue because he was very, very doubtful about the prospects for going on and the dangers that might lie ahead," Mr. Fleitz said. "I said, 'Dude, you're an American.' And Ramak said, 'No, I'm a naturalized American.' And I said: 'It doesn't matter. There aren't two tiers of citizenship here. You have nothing to hide.'" He advised Mr. Fazel to greet law enforcement officers cheerfully and "lay it all out," as well as to ask for and photocopy the business cards of the authorities he encountered.

Mr. Fazel forged toward the last half of his destinations with his camera, a 1964 Rolleiflex. Despite being questioned at or denied entrance to the remaining capitols, he got every one of his pictures: sometimes an image of gilded rotundas or historic murals, other times pictures of the everyday, the mundane. He photographed visitors in House chambers; a funeral procession for Ann Richards, a onetime Texas governor; a portrait of Arnold Schwarzenegger and his wife, Maria Shriver, in the waiting room of the California governor's office. And as the mood of his trip changed from joy to disquiet, he photographed police officers at one capitol, and, at another, a "caution" tape blocking an entrance.

In Albany, Mr. Fazel was asked to wait at the entrance of the Capitol until investigators talked with him. One gave him a big slap on the back, Mr. Fazel recalled, and said, "I know everything about you, and I know you've been getting a lot of attention."

Thomas M. Peters, a senior investigator with the New York State Police, confirmed that Mr. Fazel's journey from capitol to capitol had raised suspicion. "We were notified in advance that he was making his way up the East Coast from his stops at other capitols, where he was challenged by law enforcement agents," he said. "They indicated that at some times he seemed agitated and seemed to be giving evasive answers to their questions, but we don't know for sure because we were basically getting this information thirdhand." Mr. Peters added: "He was fine with us. And if he was agitated, it was probably because he got tired of being questioned."

Looking back on his travels, Mr. Fazel said: "Notwithstanding the intense scrutiny, the trip was a positive experience. I'm neither rancorous, nor do I feel offended." Still, he said, he would like to see his name removed from "the list," or whatever it is that caused him to be repeatedly stopped and questioned.

The journey ultimately left him wondering what it means to be American -- and, more fundamentally, who he really was. "What I thought would be an exercise in self-betterment turned out to be something a little bigger," he said dryly.

From rforno at infowarrior.org Sat Jan 26 14:29:56 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 26 Jan 2008 09:29:56 -0500
Subject: [Infowarrior] - Bush Order Expands Network Monitoring
Message-ID:

Bush Order Expands Network Monitoring
Intelligence Agencies to Track Intrusions
http://www.washingtonpost.com/wp-dyn/content/article/2008/01/25/AR2008012503261_pf.html
By Ellen Nakashima
Washington Post Staff Writer
Saturday, January 26, 2008; A03

President Bush signed a directive this month that expands the intelligence community's role in monitoring Internet traffic to protect against a rising number of attacks on federal agencies' computer systems.

The directive, whose content is classified, authorizes the intelligence agencies, in particular the National Security Agency, to monitor the computer networks of all federal agencies -- including ones they have not previously monitored.

Until now, the government's efforts to protect itself from cyber-attacks -- which run the gamut from hackers to organized crime to foreign governments trying to steal sensitive data -- have been piecemeal. Under the new initiative, a task force headed by the Office of the Director of National Intelligence (ODNI) will coordinate efforts to identify the source of cyber-attacks against government computer systems. As part of that effort, the Department of Homeland Security will work to protect the systems and the Pentagon will devise strategies for counterattacks against the intruders.

There has been a string of attacks on networks at the State, Commerce, Defense and Homeland Security departments in the past year and a half. U.S.
officials and cyber-security experts have said Chinese Web sites were involved in several of the biggest attacks back to 2005, including some at the country's nuclear-energy labs and large defense contractors.

The NSA has particular expertise in monitoring a vast, complex array of communications systems -- traditionally overseas. The prospect of aiming that power at domestic networks is raising concerns, just as the NSA's role in the government's warrantless domestic-surveillance program has been controversial.

"Agencies designed to gather intelligence on foreign entities should not be in charge of monitoring our computer systems here at home," said Rep. Bennie Thompson (D-Miss.), chairman of the House Homeland Security Committee. Lawmakers with oversight of homeland security and intelligence matters say they have pressed the administration for months for details.

The classified joint directive, signed Jan. 8 and called the National Security Presidential Directive 54/Homeland Security Presidential Directive 23, has not been previously disclosed. Plans to expand the NSA's role in cyber-security were reported in the Baltimore Sun in September.

According to congressional aides and former White House officials with knowledge of the program, the directive outlines measures collectively referred to as the "cyber initiative," aimed at securing the government's computer systems against attacks by foreign adversaries and other intruders. It will cost billions of dollars, which the White House is expected to request in its fiscal 2009 budget.

"The president's directive represents a continuation of our efforts to secure government networks, protect against constant intrusion attempts, address vulnerabilities and anticipate future threats," said White House spokesman Scott Stanzel. He would not discuss the initiative's details.

The initiative foreshadows a policy debate over the proper role for government as the Internet becomes more dangerous. Supporters of cyber-security measures say the initiative falls short because it doesn't include the private sector -- power plants, refineries, banks -- where analysts say 90 percent of the threat exists.

"If you don't include industry in the mix, you're keeping one of your eyes closed because the hacking techniques are likely the same across government and commercial organizations," said Alan Paller, research director at the SANS Institute, a Bethesda-based cyber-security group that assists companies that face attacks. "If you're looking for needles in the haystack, you need as much data as you can get because these are really tiny needles, and bad guys are trying to hide the needles."

Under the initiative, the NSA, CIA and the FBI's Cyber Division will investigate intrusions by monitoring Internet activity and, in some cases, capturing data for analysis, sources said. The Pentagon can plan attacks on adversaries' networks if, for example, the NSA determines that a particular server in a foreign country needs to be taken down to disrupt an attack on an information system critical to the U.S. government. That could include responding to an attack against a private-sector network, such as the telecom industry's, sources said.

Also, as part of its attempt to defend government computer systems, the Department of Homeland Security will collect and monitor data on intrusions, deploy technologies for preventing attacks and encrypt data. It will also oversee the effort to reduce Internet portals across government to 50 from 2,000, to make it easier to detect attacks.

"The government has taken a solid step forward in trying to develop cyber-defenses," said Paul B. Kurtz, a security consultant and former special adviser to the president on critical infrastructure protection. Kurtz said the initiative's purpose is not to spy on Americans. "The thrust here is to protect networks."

One of the key questions is whether it is necessary to read communications to investigate an intrusion. Ed Giorgio, a former NSA analyst who is now a security consultant for ODNI, said, "If you're looking inside a DoD system and you see data flows going to China, that ought to set off a red flag. You don't need to scan the content to determine that."

But often, traffic analysis is not enough, some experts said. "Knowing the content -- that a communication is sensitive -- allows proof positive that something bad is going out of that computer," said one cyber-security expert who spoke on the condition of anonymity because of the initiative's sensitivity.

Allowing a spy agency to monitor domestic networks is worrisome, said James X. Dempsey, policy director of the Center for Democracy and Technology. "We're concerned that the NSA is claiming such a large role over the security of unclassified systems," he said. "They are a spy agency as well as a communications security agency. They operate in total secrecy. That's not necessary and not the most effective way to protect unclassified systems."

A proposal last year by the White House Homeland Security Council to put the Department of Homeland Security in charge of the initiative was resisted by national security agencies on the grounds that the department, established in 2003, lacked the necessary expertise and authority. The tug-of-war lasted weeks and was resolved only recently, several sources said.

Staff researcher Richard Drezen contributed to this report.
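The metadata-versus-content question that Giorgio and the anonymous expert argue over in the article above can be made concrete. The following Python is an added illustration, not code from the article or from any agency or program it names: it triages constructed NetFlow-style records (source, destination, port, byte count, no payload) from hosts tagged as sensitive, separating the flows that metadata alone can decide from those where only content inspection could say whether something sensitive left. The host addresses, the documentation-range geolocation table, the expected-country policy and the bulk-egress threshold are all assumptions.

```python
# Added example: flow-metadata triage illustrating the "traffic analysis vs.
# content" debate. Not code from the article or any agency; every host,
# prefix, country label and threshold below is a constructed assumption.
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    """One NetFlow-style record: who talked to whom and how much, no payload."""
    src: str
    dst: str
    dst_port: int
    bytes_out: int  # bytes sent from src to dst


# Constructed geolocation table built on RFC 5737 documentation prefixes.
# A real deployment would use a maintained IP-to-country database.
GEO = {
    ip_network("192.0.2.0/24"): "US",
    ip_network("198.51.100.0/24"): "CN",
    ip_network("203.0.113.0/24"): "DE",
}

# Policy assumptions: hosts holding sensitive data, the countries they are
# expected to talk to, and how much outbound data to one destination within
# the analysis window counts as bulk egress.
SENSITIVE_HOSTS = {"10.0.0.5", "10.0.0.7"}
EXPECTED_COUNTRIES = {"US"}
BULK_EGRESS_BYTES = 50 * 1024 * 1024


def country_of(addr: str) -> str:
    """Map an address to a country label; '??' when the table has no entry."""
    ip = ip_address(addr)
    for prefix, cc in GEO.items():
        if ip in prefix:
            return cc
    return "??"


def triage(flows):
    """Split flows into three buckets using metadata only.

    alerts    -> decidable without content: a sensitive host talking to an
                 unexpected country (the 'data flows going to China' case),
                 or bulk egress to any destination
    undecided -> plausible-looking traffic from a sensitive host; only the
                 content could show whether something sensitive left
    ignored   -> traffic from hosts the policy does not cover
    """
    alerts, undecided, ignored = [], [], []
    # Aggregate per (src, dst) first so many small flows cannot each stay
    # under a per-flow threshold ("low and slow" transfers).
    totals = defaultdict(int)
    for f in flows:
        totals[(f.src, f.dst)] += f.bytes_out

    for f in flows:
        if f.src not in SENSITIVE_HOSTS:
            ignored.append(f)
            continue
        cc = country_of(f.dst)
        pair_total = totals[(f.src, f.dst)]
        if cc not in EXPECTED_COUNTRIES:
            alerts.append((f, f"sensitive host {f.src} -> {cc} ({f.dst})"))
        elif pair_total >= BULK_EGRESS_BYTES:
            alerts.append((f, f"bulk egress {pair_total} bytes to {f.dst}"))
        else:
            undecided.append(f)
    return alerts, undecided, ignored


# Constructed sample records (not real traffic).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "198.51.100.20", 443, 4_000_000),      # sensitive -> CN
    Flow("10.0.0.5", "192.0.2.10", 443, 30 * 1024 * 1024),  # sensitive -> US
    Flow("10.0.0.5", "192.0.2.10", 443, 25 * 1024 * 1024),  # same pair; sum is bulk
    Flow("10.0.0.7", "192.0.2.40", 443, 120_000),           # small, expected geo
    Flow("10.0.0.9", "198.51.100.20", 80, 900_000),         # not a sensitive host
]


def summarize(flows=SAMPLE_FLOWS):
    """Return bucket sizes for the given flows."""
    alerts, undecided, ignored = triage(flows)
    return {"alerts": len(alerts), "undecided": len(undecided), "ignored": len(ignored)}


if __name__ == "__main__":
    alerts, undecided, ignored = triage(SAMPLE_FLOWS)
    for f, reason in alerts:
        print("ALERT          ", reason)
    for f in undecided:
        print("CONTENT NEEDED ", f.src, "->", f.dst, f.bytes_out, "bytes")
    print(summarize())
```

The fourth sample flow is the point of contention in the article: a modest transfer to an expected destination looks benign in the flow record, and only payload inspection could confirm or clear it.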
From rforno at infowarrior.org Sat Jan 26 17:08:29 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 26 Jan 2008 12:08:29 -0500
Subject: [Infowarrior] - Wikileaks: German Police Skype Trojan
Message-ID:

The pdf file obtained by Wikileaks, and also released by the political party Piraten, contains two scanned documents relating to activities of the Bavarian police, Ministry of Justice and the Prosecution office in intercepting encrypted data submitted via SSL or Skype via the internet. The first presents a communication on splitting costs between the Bavarian police and the prosecutors' offices; the second presents the related offer for the software by a German company called Digitask. The technology, explained at a high level in the Digitask offer, works via local installation of malware on the client's computer.

< - >

http://wikileaks.org/wiki/Skype_and_the_Bavarian_trojan_in_the_middle

From rforno at infowarrior.org Sat Jan 26 17:10:40 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 26 Jan 2008 12:10:40 -0500
Subject: [Infowarrior] - Court: You can copyright C&D notices
Message-ID:

http://www.prweb.com/releases/DozierInternetLaw/InternetLawyer/prweb650951.htm

US District Court decision threatens common practice, reports Dozier Internet Law.

Glen Allen, VA (PRWEB) January 24, 2008 -- The US District Court for the District of Idaho has found that copyright law protects a lawyer demand letter posted online by the recipient (Case No. MS-07-6236-EJL-MHW). The copyright decision, in pertinent part, has been made available by Dozier Internet Law, and is the first known court decision in the US to address the issue directly. The Final Judgment calls into serious question the practice of posting lawyer cease and desist letters online, a common tactic used and touted by First Amendment groups to attack legal efforts at resolving everything from defamation to intellectual property disputes.

In September 2007, Dozier Internet Law, a law firm specializing exclusively in representing business interests on the web, was targeted online by "free speech" and "public participation" interests for asserting copyright ownership rights in a confidential cease and desist letter sent to a "scam reporting site". The issue generated online buzz in the US with commentators such as Google's lead copyright counsel and Ralph Nader's Public Citizen attacking the practice as unlawful, and Dozier Internet Law responding. Bloggers from around the world soon joined the debate, reeling at the thought of losing a valuable counter-attack tool.

The Court, in its decision, found that a copyright had been adequately established in a lawyer's cease and desist letter. The unauthorized publication of the letter, therefore, can expose the publisher to liability. Statutory damages under the US Copyright Act can be as much as $150,000 per occurrence plus attorneys' fees that can average $750,000 through trial. The publisher of the letter raised First Amendment and "fair use" arguments without success.

John W. Dozier, Jr., Esq., President of Dozier Internet Law, PC, was not surprised by the decision. "In today's world, anticipating how the Courts will view 'new age' arguments is not easy. Dozier Internet Law has been using copyright protected cease and desist letters for years with great success in protecting our business clients and preventing an escalation of a situation. The publication of cease and desist letters is an easy way for scofflaws to generate online 'mobosphere' support for illegal activity and, until today, many businesses have been hesitant to take action to address some of the lawlessness online because of possible retaliation and attacks."

Dozier Internet Law specializes in protecting the intellectual property and reputations of online business. Mr. Dozier believes that the decision will return pre-litigation notices and negotiations to a state of normalcy and allow businesses to more effectively police their interests online. He noted that prior to the Internet, private legal disputes were handled between attorneys with a focus on avoiding costly legal battles and not burdening the judicial system with legal cases that should have been resolved without a lawsuit. Since the posting of cease and desist letters became a popular practice, fueled predominantly by guidance and legal advice from "free speech" organizations located in the US, businesses have either allowed theft and lawlessness to continue or immediately filed a lawsuit that can take many years to resolve. "It's a great day for businesses and a bad day for those conducting illegal activity online," Dozier said.

Dozier Internet Law, PC is an AV rated, pre-eminent law firm specializing exclusively in the law of the Internet with offices in Virginia, New York, and California. The firm protects the online reputations and intellectual property of businesses.

###

From rforno at infowarrior.org Sun Jan 27 04:12:09 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 26 Jan 2008 23:12:09 -0500
Subject: [Infowarrior] - Why traditional 'print' media is doomed
Message-ID:

Why traditional 'print' media is doomed
http://blogs.smugmug.com/don/2008/01/24/why-traditional-print-media-is-doomed/

It's their own fault.

Recently, I had the pleasure of being interviewed for a front page story at the LA Times and a feature spread in BusinessWeek. I have a huge amount of respect for both publications, and was honored to be interviewed. And the interviews themselves didn't disappoint - both reporters were extremely thorough, knowledgeable, and detailed.
There were lots of follow-up calls, and both stories were then exhaustively fact checked and reviewed by an army of editors. Everything top-notch publications are supposed to do, they did, and then some. Blogging has become my go-to resource for up-to-the-minute news, but both these interviews really brought home for me why traditional media continues to be so much better at well-researched pieces.

So great, right? They each have a business niche. Traditional media can focus on deeply researched articles and exposés while bloggers cover all the timely news and commentary. Traditional media can still thrive - it's not gonna die.

Wrong.

Where these august publications fell down was in their online presentation. Someone running these businesses hasn't figured out that their online business model is advertising. They've made it impossible to link to their articles directly (ie, drive money-making traffic to them).

On the LA Times' site, nearly every link you can find forces you to log in to view the content. Lots of people have told me, personally, that they couldn't read the article because they weren't going to sign in. Imagine how many people don't know me or simply didn't speak up and just walked away.

And BusinessWeek is far, far worse. BusinessWeek actually asked us specifically *not* to link to the article. Yes, that's right, an ad-driven publication doesn't want us to drive traffic to them. They were kind enough to point us to their User Agreement where, sure enough, they prohibit deep linking. Talk about stupid.

Ok, fine, so I'll link to Google (who's apparently allowed to deep-link?) and they'll link you to the article for me. Like so - this link behaves like a deep-link, but in reality I'm linking to Google, who's redirecting you to the article. (Ironically, this is nerfing BusinessWeek's PageRank so they show up lower in Google than other publications that allow deep-linking).

I can't imagine what must be going through the minds of the stellar reporters and editors they have at the LA Times and BusinessWeek, but I'll bet "frustration" is only the very tip of the iceberg. To spend all of this time and energy on their articles, only to have the crazy business people make it impossible for people to read their work, must be incredibly trying.

On a related note, try clicking the "Digg This" icon at the end of the LA Times story. You'd think this would be a smart way to drive traffic, no? It would be, except they're sending digg *Page 2* of the story - so even if it makes Digg's homepage, people clicking through will start in the middle of the story, instead of the beginning. I'll bet that makes the LA Times a lot of money. Not.

After doing these stories, I'm more likely than ever before to trust stories from publications like the LA Times and BusinessWeek - but less likely to link to them.

From rforno at infowarrior.org Mon Jan 28 03:35:37 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 27 Jan 2008 22:35:37 -0500
Subject: [Infowarrior] - French Bank Says Trader Hacked Computers
Message-ID:

French Bank Says Trader Hacked Computers
Jan 27, 4:59 PM (ET)
By JENNY BARCHFIELD and JOHN LEICESTER
http://apnews.myway.com/article/20080127/D8UEFUI00.html

PARIS (AP) - Societe Generale said Sunday that a trader who evaded all its controls to bet $73.5 billion - more than the French bank's market worth - on European markets hacked computers and "combined several fraudulent methods" to cover his tracks, causing billions in losses.

The bank says the trader, Jerome Kerviel, did not appear to have profited personally from the transactions and seemingly worked alone - a version reiterated Sunday by Jean-Pierre Mustier, chief executive of the bank's corporate and investment banking arm. But, in a conference call with reporters, Mustier added: "I cannot guarantee to you 100 percent that there was no complicity."

Kerviel's lawyer said the accusations of wrongdoing against his client were being used to hide bad investments by the bank related to subprime mortgages in the United States. "He didn't steal anything, take anything, he didn't take any profit for himself," the lawyer, Christian Charriere-Bournazel, told The Associated Press by telephone. "The suspicion on Kerviel allows the considerable losses that the bank made on subprimes to be hidden."

Officials said Kerviel was cooperating with police, who held him for a second day of questioning Sunday, seeking answers to what, if confirmed, would be the biggest-ever trading fraud by a single person. The questioning was "going very well and the investigation led by the specialists of the financial police is extremely fruitful," said Jean-Michel Aldebert, head of the financial section of the Paris prosecutor's office. Kerviel was giving "very interesting" explanations, Aldebert added. "From what he told me, he was fine psychologically." He refused to say whether Kerviel might face preliminary charges.

Kerviel, 31, has not been seen in public since the bank's bombshell revelation Thursday that his unauthorized trades resulted in 4.9 billion euros ($7.1 billion) in losses.

Even before his massive alleged fraud came to light, Kerviel had apparently triggered occasional alarms at Societe Generale - France's second-largest bank - with his trading, but not to a degree that led managers to investigate further. "Our controls basically identified from time to time problems with this trader's portfolio," Mustier said. But Kerviel explained away the red flags as trading mistakes, Mustier added. "The trade was canceled, there was no specific follow-up to do," he said. "From our understanding today, the number of mistakes was not higher than (for) any other trader, so from our understanding that was not a reason to ring a bell."

Kerviel's lawyer said the trader made money for the bank through 2007 and has since been "thrown to the wolves of public opinion." "He made profits for the bank until Dec. 31. From Jan. 1, he took risky positions like all traders," said Charriere-Bournazel, who is also president of the Paris bar association.

In a five-page statement Sunday, the bank said Kerviel used its money to build massive positions in futures contracts tied to the performance of baskets of stocks traded on exchanges in London, Paris, Frankfurt and other European markets. Since those bets greatly exceeded the amount of capital he was allowed to put at risk, Kerviel entered fictitious and offsetting trades in Societe Generale's computer system that appeared to minimize the odds of big losses, the bank said. The trades were purposely chosen to avoid detection because they did not require cash contributions and were not subject to margin calls, which would require putting up more money if the fictitious bet soured, it said.

The bank said he plowed 30 billion euros ($44.1 billion) into the Eurostoxx index, another 18 billion euros ($26.5 billion) on the DAX in Germany and 2 billion euros ($2.9 billion) on the FTSE in London. The combined value of those positions, 50 billion euros ($73.5 billion), is far more than the bank's market capitalization of 35.9 billion euros ($52.6 billion), and close to the annual GDP of countries such as Slovakia, Qatar or Libya.

Societe Generale took three days last week to sell or offset with hedges his contracts, which amounted to bets on whether market indexes would rise or fall. But the bank sought Sunday to counter suggestions that its sell-off had caused already falling markets to plummet further than they otherwise might have done. The bank said it unwound Kerviel's positions in "a controlled fashion." "Our impact on the market was quite minimal," Mustier said.
Societe Generale said Kerviel misappropriated other people's computer access codes, falsified documents and employed other methods to cover his tracks - helped by his previous years of experience when he worked in other offices at the bank that monitor traders. Acquaintances described Kerviel as reserved and considerate, a young man who once taught children judo and held the door for elderly neighbors. Kerviel's downfall started in the days before Friday, Jan. 18, when Societe Generale tightened lending restrictions on one of its customers, an unnamed large bank. He had apparently used that bank's name for one or more of his fictitious trades, and it led to what Societe Generale described as having "additional controls" put in place. Kerviel's superiors in Societe Generale's equity trading division reviewed an e-mail that day from the large bank supposedly confirming trades he had booked. But they were suspicious about where the e-mail came from and launched an emergency investigation. A day later, Kerviel was called to Societe Generale to explain. In the meantime, bank investigators confirmed that the large bank did not know about the trades. After first not providing a clear explanation, Kerviel eventually confirmed that he had entered fictitious trades, the bank said. It then took a bank team throughout the night and into Sunday, Jan. 20, to identify all the exposure. Societe Generale's chief executive, Daniel Bouton, notified the governor of the Bank of France that day, and a decision was made to unwind the trades as quickly and as quietly as possible. A complicating factor was that the bank was finishing work that Sunday on details of a separate announcement about the size of the multi-billion-dollar charge it would take for bad bets on mortgage-related investments in the U.S. News of that misstep was delayed until Thursday, when along with the fraud losses, the bank said it would take a 2.05 billion euro ($2.99 billion) write-down. 
Societe Generale traders began unwinding Kerviel's losing bets at the beginning of European trading on Monday, just as Asian markets were in a free-fall and European shares were poised to plummet after a big drop in U.S. markets on the previous Friday. It took until Wednesday to finally close the books on Kerviel's adventures, the bank said. Kerviel's lawyer cast suspicion on the way Societe Generale unwound the position, saying it did so in "totally unusual conditions." "This decision was driven by other motives," he claimed, without elaborating. Some experts have suggested Societe Generale may have exacerbated the fall and indirectly led to the U.S. Federal Reserve's subsequent decision to cut rates. But in its explanatory note released on Sunday, the bank defended itself by saying the trades represented no more than 8.1 percent of the volume in futures trading each day on the Eurostoxx, DAX and FTSE. Mustier said Kerviel's motivations were still unclear. "We don't know, we don't understand" what drove him to do it, he said. "This event is a massive shock for us," he said. The bank said Kerviel built up two portfolios of investments - but that one of them consisted of "fictional operations," leaving the bank hugely exposed. "In order to ensure that these fictitious operations were not immediately identified, the trader used his years of experience in processing and controlling market operations to successively circumvent all the controls which allow the bank to check the characteristics of the operations carried out by its traders," the bank's statement said. "He had a very good understanding of all of Societe Generale's processing and control procedures." It was the bank's most detailed explanation yet of the debacle that has further rattled the banking industry, already reeling from the subprime mortgage crisis in the U.S. Some observers have said the crisis could also leave the bank vulnerable to a takeover. 
An aide to French President Nicolas Sarkozy suggested the state could step in to prevent any possible hostile bids. "I think the state will not stand idly by if any predator attempts to take advantage of the situation," Henri Guaino told RTL radio on Sunday. The situation has prompted calls for tighter regulation - 13 years after trader Nick Leeson, whose illegal speculation bankrupted British bank Barings, first highlighted the potential risks from rogue traders operating without proper oversight.

---

Associated Press Writer Pierre-Antoine Souchard in Paris and AP Business Writer Chuck Hawkins in New York contributed to this report.

From rforno at infowarrior.org Mon Jan 28 12:47:05 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 28 Jan 2008 07:47:05 -0500
Subject: [Infowarrior] - Download another 25 million songs - legally
Message-ID:

From The Times
January 28, 2008

From today, feel free to download another 25 million songs - legally
Adam Sherwin, Media Correspondent, in Cannes
http://entertainment.timesonline.co.uk/tol/arts_and_entertainment/music/article3261591.ece

After a decade fighting to stop illegal file-sharing, the music industry will give fans today what they have always wanted: an unlimited supply of free and legal songs. With CD sales in free fall and legal downloads yet to fill the gap, the music industry has reluctantly embraced the file-sharing technology that threatened to destroy it. Qtrax, a digital service announced today, promises a catalogue of more than 25 million songs that users can download to keep, free and with no limit on the number of tracks. The service has been endorsed by the very same record companies - including EMI, Universal Music and Warner Music - that have chased file-sharers through the courts in a doomed attempt to prevent piracy.
The gamble is that fans will put up with a limited amount of advertising around the Qtrax website's jukebox in return for authorised use of almost every song available. The service will use the "peer-to-peer" network, which contains not just hit songs but rarities and live tracks from the world's leading artists.

Nor is a lack of compatibility with the iPod player expected to put fans off. Apple is unlikely to allow tracks downloaded from its rival to be compatible with iPods, but, while the iPod is the most popular music player, it has not succeeded in dominating the market: sales of the iPod account for 50 million out of 130 million total digital player sales. Qtrax has also spoken of an "iPod solution", to be announced in April.

Qtrax files contain Digital Rights Management software, allowing the company to see how many times a song has been downloaded and played. Artists, record companies and publishers will be paid in proportion to the popularity of their music, while also taking a cut of advertising revenues.

The Qtrax team, which spent five years working on the system, promised a "game-changing" intervention in the declining recorded music market when the service was presented at the Midem music industry convention in Cannes. The singer James Blunt gave Qtrax a cautious welcome. "I'm amazed that we now accept that people steal music," he said. "I was taught not to steal sweets from a sweet shop. But I want to learn how this service works, given the condition the music industry is in."

Qtrax, a subsidiary of Brilliant Technologies Corporation, has raised $30 million (£15 million) to set up the service, which is available in the US and Europe from today. Allan Klepfisz, president of Qtrax, said: "Customers now expect music to be free but they do not want to use illegal sites. We believe this . . . has the support of the music industry and allows artists to get paid."
Ford, McDonald's and Microsoft are among the advertisers signed up to support what is thought to be the world's largest legal music store. The service says that adverts will be nonintrusive and will not appear each time a song is played. As with iTunes, customers will have to download Qtrax software. They will own the songs permanently but will be encouraged to "dock" their player with the store every 30 days so it can gather information on which songs have been played.

Jean-Bernard Levy, chief executive of Vivendi Universal, said the crisis in the music industry had been overstated despite EMI's radical cost-cutting. He said: "Look at Universal - we have double-digit profit margins. But we would like strong competition from the other major record companies to help the industry grow." Universal has poached the Rolling Stones from EMI and Mr Levy said that others could follow as thousands of staff and artists are made redundant. On the appearance of Qtrax, Mr Levy gave warning that the lack of compatibility between competing digital music players was as big a problem as file-sharing. And Paul McGuinness, the manager of U2, said that the sound quality of MP3 downloads was becoming an issue for bands and fans. "There is a growing consumer revolt against online audio quality," he said.

From rforno at infowarrior.org Mon Jan 28 13:16:41 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 28 Jan 2008 08:16:41 -0500
Subject: [Infowarrior] - Metasploit 3.1 Released
In-Reply-To: <200801271608.11305.vorspam@digitaloffense.net>
Message-ID:

Contact: H D Moore
FOR IMMEDIATE RELEASE
Email: hdm[at]metasploit.com

METASPLOIT UNLEASHES VERSION 3.1 OF THE METASPLOIT FRAMEWORK
New Version of Attack Framework Ready to Pwn

Austin, Texas, January 28th, 2008 -- The Metasploit Project announced today the free, world-wide availability of version 3.1 of their exploit development and attack framework.
The latest version features a graphical user interface, full support for the Windows platform, and over 450 modules, including 265 remote exploits.

"Metasploit 3.1 consolidates a year of research and development, integrating ideas and code from some of the sharpest and most innovative folks in the security research community" said H D Moore, project manager. Moore is referring to the numerous research projects that have lent code to the framework. These projects include the METASM pure-ruby assembler developed by Yoann Guillot and Julien Tinnes, the "Hacking the iPhone" effort outlined in the Metasploit Blog, the Windows kernel-land payload staging system developed by Matt Miller, the heapLib browser exploitation library written by Alexander Sotirov, the Lorcon 802.11 raw transmit library created by Joshua Wright and Mike Kershaw, Scruby, the Ruby port of Philippe Biondi's Scapy project, developed by Sylvain Sarmejeanne, and a contextual encoding system for Metasploit payloads.

"Contextual encoding breaks most forms of shellcode analysis by encoding a payload with a target-specific key" said I)ruid, author of the Uninformed Journal (volume 9) article and developer of the contextual encoding system included with Metasploit 3.1.

The graphical user interface is a major step forward for Metasploit users on the Windows platform. Development of this interface was driven by Fabrice Mourron and provides a wizard-based exploitation system, a graphical file and process browser for the Meterpreter payloads, and a multi-tab console interface. "The Metasploit GUI puts Windows users on the same footing as those running Unix by giving them access to a console interface to the framework" said H D Moore, who worked with Fabrice on the GUI project.

The latest incarnation of the framework includes a bristling arsenal of exploit modules that are sure to put a smile on the face of every information warrior.
Notable exploits in the 3.1 release include a remote, unpatched kernel-land exploit for Novell Netware, written by toto, a series of 802.11 fuzzing modules that can spray the local airspace with malformed frames, taking out a wide swath of wireless-enabled devices, and a battery of exploits targeted at Borland's InterBase product line. "I found so many holes that I just gave up releasing all of them", said Ramon de Carvalho, founder of RISE Security, and Metasploit contributor.

The Metasploit Framework is used by network security professionals to perform penetration tests, system administrators to verify patch installations, product vendors to perform regression testing, and security researchers world-wide. The framework is written in the Ruby programming language and includes components written in C and assembler. Metasploit runs on all modern operating systems, including Linux, Windows, Mac OS X, and most flavors of BSD. Metasploit has been used on a wide range of hardware platforms, from massive Unix mainframes to the tiny Nokia n800 handheld. Users can access Metasploit using the tab-completing console interface, the Gtk GUI, the command line scripting interface, or the AJAX-enabled web interface. The Windows version of Metasploit includes all software dependencies and a selection of useful networking tools.

The latest version of the Metasploit Framework, as well as screen shots, video demonstrations, documentation and installation instructions for many platforms, can be found online at http://metasploit3.com/

If you'd like more information about this topic, or to schedule an interview with the developers, please email msfdev[at]metasploit.com

From rforno at infowarrior.org Mon Jan 28 14:11:46 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 28 Jan 2008 09:11:46 -0500
Subject: [Infowarrior] - MPAA - Oops, College Students Aren't So Bad After All!
Message-ID:

MPAA's Error -
Oops, College Students Aren't So Bad After All!
Posted by Hugh D'Andrade
http://www.eff.org/deeplinks/2008/01/mpaa-s-error-oops-college-students-aren-t-so-bad-after-all

When the MPAA began their campaign against piracy on college campuses, they waved a study that purported to show that 44% of the film industry's losses were the direct result of illegal downloading and filesharing by college students on US campuses. The MPAA (and others like IPI and PFF) used that number to ramp up the pressure on Congress to pass legislation that would force colleges to eavesdrop on their networks and crack down on filesharing on campus. 44% is a pretty high number, and many were justifiably skeptical.

Now, it seems the MPAA has been forced to admit that its numbers were not exactly, um, accurate. After diligently re-checking its math, it has admitted that the 44% figure was really more like 15%. But even that number doesn't tell the full story. Only 20% of college students live on campus, which means that if college students are responsible for 15% of the movie studios' piracy-related losses (a number we still find dubious), then campus networks are responsible for something like 3%.

So the MPAA is urging universities to install expensive, ubiquitous, and ultimately futile filters and surveillance equipment to solve 3% of their piracy problem. Makes you wonder if colleges and universities are really the best place to attack movie piracy, doesn't it?

These "restated" MPAA numbers suggest that the MPAA is targeting universities not because college kids are a serious threat to the movie industry's bottom line, but because the studios hope to set a precedent on campus that can be used to force filtering on larger commercial ISPs. It's bad enough that the government is eavesdropping on our Internet activities, without having Hollywood joining in.
From rforno at infowarrior.org Mon Jan 28 14:15:16 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 28 Jan 2008 09:15:16 -0500
Subject: [Infowarrior] - Democrats standing up to Bush on warrantless wiretap bill
Message-ID:

Democrats standing up to Bush on warrantless wiretap bill
Nick Juliano
Published: Monday January 28, 2008
http://rawstory.com/news/2007/Democrats_standing_up_to_Bush_on_0128.html

In the shadow of the president's final State of the Union address, Senate Democrats are preparing for an 11th-hour showdown with George W. Bush and his Republican allies in Congress over controversial surveillance legislation. The Senate will vote Monday at 4:30 p.m. on a GOP proposal that would cement an expansion of the president's authority to spy on Americans and free from legal jeopardy any telephone or Internet service provider who helped the country's intelligence agencies to collect vast amounts of data on US citizens without a warrant. Anti-immunity activists say they expect the GOP gambit to fail.

Sen. Chris Dodd (D-CT) successfully led an effort to block immunity in December, just before Congress' holiday recess, and the Senate returned to the issue last week, considering dual proposals from the Intelligence and Judiciary committees. Last Thursday, Republicans and a dozen Democrats blocked Judiciary's proposal to update FISA without immunity, but the GOP then refused an agreement that would have required a mere 51-vote majority to pass further amendments. Republicans filed for an immediate cloture vote on the Intelligence bill, which would preclude any amendments from being made. This angered Democrats, and Reid, who encouraged his caucus to support a filibuster of the bill. Reid also filed a 30-day extension of the Protect America Act, which expires Feb. 1.
Although the Judiciary proposal failed on a 60-34 vote, the Republicans' attempt to preclude any further amendments is expected to cost them support from some of the Democrats who joined them in that effort. Democratic presidential candidates Sens. Hillary Clinton (D-NY) and Barack Obama (D-IL) also have said they will vote against cloture. Assuming cloture fails, Reid is expected to move forward with a vote on a one-month extension to give the Senate more time to work out its differences. President Bush has promised to veto such a bill.

After they were cowed last August into passing a temporary expansion of the Foreign Intelligence Surveillance Act that critics said did too much to concentrate power in the hands of the executive, Congressional Democrats have decided to hit back against the president. Senate Majority Leader Harry Reid (D-NV) turned the tables on Bush over the weekend, saying that blame for any gaps in the ability to collect intelligence resides at the White House.

The Senate's debate over a long-term FISA expansion has come in fits and starts over the last few months, since passage of the Protect America Act. Several times the issue was scuttled after left-leaning Senators moved to block a proposal that would grant legal immunity to telecommunications companies that facilitated Bush's warrantless wiretapping program. Those companies, such as AT&T and Verizon, are plaintiffs in 40 or so lawsuits nationwide alleging they violated customers' privacy; administration critics say the lawsuits are the only means for oversight of the wiretapping scheme in the face of an ultra-secretive administration. Bush has promised to veto any temporary expansion of the PAA, and the administration hopes to use the pending deadline to force Congress into giving in to telecom immunity.
The House passed an immunity-free update months ago, and Reid has indicated he also will not budge, accusing Bush of "simply posturing" before his final State of the Union, according to the Politico. "There will be no terrorism intelligence collection gap," Reid said. "But if there is any problem, the blame will clearly and unequivocally fall where it belongs: on President Bush and his allies in Congress."

From rforno at infowarrior.org Mon Jan 28 14:17:31 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 28 Jan 2008 09:17:31 -0500
Subject: [Infowarrior] - Collateral Damage: Surveillance Aimed at Terrorists Can Easily Go Awry
Message-ID:

CQ HOMELAND SECURITY
Jan. 25, 2008 - 6:46 p.m.
Collateral Damage: Surveillance Aimed at Terrorists Can Easily Go Awry
By Jeff Stein, National Security Editor, CQ Staff
http://www.cqpolitics.com/wmspage.cfm?parm1=5&docID=hsnews-000002661145

U.S. intelligence tapped the telephone calls of Lawrence Wright, the Pulitzer Prize-winning author of The Looming Tower, starting in 2002. This may well be news to many people, even though Wright revealed the taps himself in a sprawling, 15,000-word article on electronic surveillance in the Jan. 21 edition of The New Yorker magazine. Perhaps because the article was not available online it lacked the link-juice to propel it into a frenzy over the "domestic spying" on the Web, the cable news shows and leading American newspapers. As far as I can tell, only Pam Hess of the Associated Press picked up on Wright's confrontation with spy chief Michael McConnell over the phone taps, and no major paper ran it. The version of her story that The Washington Post printed recounted McConnell's telling Wright that water boarding would be "torture" if it were done to him, but dropped the five paragraphs Hess wrote on the eavesdropping. The New York Times and Wall Street Journal skipped Wright's wiretap account altogether.
But The New Yorker's Web site did feature an audio interview with Wright in which he described the visit of FBI agents to his Texas home in 2002 to quiz him about the telephone calls intercepted by U.S. intelligence. The encounter came, mind you, amid the constant assurances from the Bush administration that the U.S. has not, and is not, "spying on Americans" or running a "warrantless domestic spying program."

"Totally untrue!" McConnell told Wright, insisting that the conversations of American citizens with no connections to terrorists would be immediately discarded. U.S. intelligence is after al Qaeda, McConnell and others have repeatedly pledged, not innocent Americans. "I'm telling you," the former Air Force general said, "if you're in the United States you have to have a warrant. Authorized by the court. Period!"

But Wright then told McConnell he had a more-than-professional interest in electronic surveillance. "Let me make a disclosure," he told the spy boss. "I have been monitored." One of his intelligence sources had revealed to him that he had "read a summary of a telephone conversation that I had from my home with a source in Egypt." McConnell said the eavesdropping must have been triggered by getting a call "from some telephone number that's associated with some known outfit." The journalist, however, had originated the call.

What happened next bears repeating, not just because it has gone largely unreported, but because it's the kind of encounter many more Americans can expect if they end up as a target of our distressingly sloppy - some would say incompetent - counterterrorism agencies, if Congress extends a law (PL 110-55) enacted last August, that expanded the government's electronic surveillance authority. The law, which expires on Feb. 4, in effect turned U.S.-based Internet servers into a mail drop for U.S. intelligence.
In 2002 Wright was visited by two FBI agents after placing calls in the course of researching The Looming Tower, his Pulitzer Prize-winning account of the rise of al Qaeda and U.S. responses to it, as well as an article on al Qaeda's number two leader, Ayman al-Zawahiri. "They were members of the Joint Terrorism Task Force," he recounted. "They wanted to know about phone calls made to a solicitor in England - who was upset that I was talking to some of her clients, who were jihadis, former members of Zawahiri's terror organization in Egypt, and they wanted to know what we were talking about."

What startled him, however, was that the visiting gumshoes thought that his daughter, Caroline, had made the calls. "Our understanding is that these calls were placed by Caroline Wright," they said. But Wright's daughter was off at college at the time. He now worries that "she's now on the link chart as an al Qaeda connection." Now that we have a seamless web of databases, it wouldn't be surprising if Caroline Wright finds herself blocked from getting on an airplane, entering the country or renewing her passport.

Wright confronted McConnell with the FBI visit. "Her name is not on any of our phones," he said, "so how did her name arise?" "I don't know," the spy boss said. "That troubles me," Wright responded. "It may be troublesome," McConnell said. "It may not be. You don't know."

Neither the FBI nor the Office of the Directorate of National Intelligence would comment on the incidents Wright described. "We don't talk about who we are investigating and not investigating," FBI spokesman Richard Kolko told me Friday. But U.S. intelligence officials insist they are not idly "spying" on innocent Americans. And I tend to agree. What would be the point?

No Substitute for Human Intelligence

On the other hand, the incidents Wright describes, and the open-ended electronic surveillance authority the administration wants, are cause for worry - just not for the reasons many people think.
Yes, it troubles me that U.S. intelligence could so cavalierly gather and store names and information that they're not supposed to have, without a warrant no less. There's no guarantee that this or any future administration won't use it.

James V. Bamford, the acclaimed author of two exhaustive histories of the National Security Agency, respects the codebreakers so much that a critic once dissed him as "the agency's hagiographer." But Bamford joined a class action suit last year against the NSA by the American Civil Liberties Union, with the explanation that the NSA, like teenagers, can get into mischief if they're home alone. "What greatly concerns me as someone who has written more about NSA than any other writer is that in the past, when NSA was allowed to operate in absolute secrecy, without oversight, it became a rogue agency," he said.

That's why the administration cannot be allowed to skirt the FISA court, created by a 1978 law (PL 95-511) to screen secret warrant requests by the spy agencies - and keep them honest. The fact is that, in the wake of the Patriot Act (PL 107-56, PL 109-177) and other procedural changes in the surveillance laws, there's no legal red tape holding up time-sensitive counterterror operations, despite incidents McConnell has cited - and which turned out to be completely unfounded, to put it politely. It's just not true, no matter how many times administration officials say it, that critical operations to find the kidnappers of American soldiers in Iraq and an al Qaeda cell in Germany were held up by FISA regulations. McConnell himself said he was mistaken.

But what really troubles me is that so many, many years after the first terrorist attack here (on the World Trade Center in 1993), our spying agencies apparently still haven't found an effective way to pursue the real bad guys. The huge electronic wires they want to wrap us in are no substitute for good human intelligence work out there - where the bad guys are.
As former counterterror agent Michael Tanji put it on Wired magazine's Danger Room blog: "It's bad enough that the Director of National Intelligence is trotting out a bogus threat so the government can snoop on all Internet traffic. What's worse is that this kind of mass surveillance is a pretty lame way to catch the honest-to-God bad guys." Tanji added, "The fact that we are essentially attempting to gill-net bad guys is a fairly strong indicator that the intelligence community has yet to come up with an effective strategy against information-age threats."

Out There

But hey, say the wiretapper wannabees, we can't wait until the college kids we've recruited turn into good spies. The threat is now. I say: That's an excuse. Hurry up. Every hour and dollar spent wiring up the home front is time, money and attention wasted on building real intelligence networks, the old-fashioned way - out there. "It is simply a case of, as the late Sam Kinison joked, going where the food is," Tanji blogged. "That our intelligence agencies can intercept adversary communications is largely a given. They just want to do it from the convenience of the homeland, not some remote switch in the darkest hinterlands."

America is a special place, if only for the restrictions we put on the snoopers' desire to intrude into our private conversations without warrants. You don't like that? Move to France. Or Pakistan. At a conference in Paris a few years ago, I asked a top counterterrorism official if he needed special legislation or judicial warrants to plant spies in mosques or wiretap citizens. "Mais non," he replied, looking mystified. What's the point of that? Is that the way we want to live?

BACKCHANNEL CHATTER

Last week's column about Russian spying operations here and in Canada drew an underwhelming response. One widely read blogger, Wired's Noah Shachtman, called my report on former Russian master spy Sergei Tretyakov's allegations "a great catch,"
but except for another dozen pick-ups on the Web, it was ignored.

Tretyakov's story is told in a new book by former Washington Post reporter Pete Earley, "Comrade J: The Untold Secrets of Russia's Master Spy in America After the End of the Cold War." Tretyakov relates in convincing detail how he and his comrades recruited and managed a dozen spies, including a Pakistani-born Canadian who, he writes, is today "a U.N. senior verification expert," who specializes in the clandestine weapons programs of Iran, Libya and his native Pakistan.

I identified the official as Tariq Rauf, chief of verification and security-policy coordination at the International Atomic Energy Agency (IAEA). As I reported, Rauf had every chance to completely deny the allegations during my conversation with him, but declined. Only later did he e-mail a more emphatic denial that he had worked for Russian intelligence.

The IAEA, which did not respond to my previous inquiries, apparently needed only an hour or so to thoroughly investigate my allegation and issue a denial. Whether the IAEA checked with Tretyakov -- or CIA and FBI officials, who vetted Tretyakov when he defected in 2001 -- could not be learned. But I doubt it.

Maybe other media were afraid that naming Rauf as a Russian agent would undermine his boss, IAEA chief Mohamed ElBaradei, who has long been at odds with the Bush administration, first over Iraq, then Iran. Or maybe there's just not enough hours in a day to chase down all the major national security stories breaking in any given news cycle. After all, there's a war or two on. Or maybe, as one wag put it to me, the big story would be finding a U.N. diplomat who's NOT on some spy agency's payroll.

Whatever, I find it mystifying that so few seem to be interested in whether a Russian agent is running nuclear inspections on Iran, which Russia wants to do business with. You, however, now can find more on this by listening to Tretyakov himself, interviewed on WNYC, New York, last week.
Jeff Stein can be reached at jstein at cq.com.

From rforno at infowarrior.org Mon Jan 28 18:13:24 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 28 Jan 2008 13:13:24 -0500
Subject: [Infowarrior] - OSVDB API and enhanced cross-referencing
In-Reply-To:
Message-ID:

---------- Forwarded message ----------
From: David Shettler
Date: Mon, 28 Jan 2008 12:05:44 -0500
Subject: [OSVDB-announce] OSVDB API and enhanced cross-referencing

We are pleased to announce the OSVDB API beta. Integration and cross-referencing with OSVDB just got a lot easier via the new application programming interface (API), which can provide multiple result formats to fit various needs. Queries can be run against any number of correlation factors, including CVE ID, Microsoft Bulletin ID, Bugtraq ID, and a host of other common reference points. The API is also under constant development, particularly during beta, and suggestions for improvements are quickly and easily implemented by the OSVDB development team.

Some technical details about the API include:

* It is a RESTful interface to the OSVDB database
* It returns your choice of XML or CSV
* Allows OSVDB ID correlation to a growing list of other references and integrators' products
* And importantly, it is free -- though donations are appreciated.
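The correlation the announcement describes, as an added example that is not OSVDB's own code and does not call the OSVDB API: a small Python index that ingests a CSV cross-reference export and answers lookups by CVE ID, Microsoft Bulletin ID or Bugtraq ID. The CSV column layout (osvdb_id, ref_type, ref_value), the identifier patterns and the sample rows are all constructed assumptions for illustration; the real API's result formats are documented at the links in the announcement. What it adds to the announcement is the integration hygiene an integrator wants: references are normalised before they become index keys, and rows that fail validation are reported rather than silently dropped, so a feed-format change shows up instead of quietly thinning the index.

```python
"""
Build a local cross-reference index from a vulnerability-database CSV export,
keyed on the reference types the announcement names (CVE ID, Microsoft
Bulletin ID, Bugtraq ID). The CSV layout used here is constructed for
illustration and is NOT the OSVDB API's real output format.
"""
import csv
import io
import re
from collections import defaultdict

# Identifier syntax per reference type. These canonical forms are assumed
# for the example, not taken from the OSVDB documentation.
_REF_PATTERNS = {
    "CVE": re.compile(r"^CVE-\d{4}-\d{4,}$"),
    "MS":  re.compile(r"^MS\d{2}-\d{3}$"),
    "BID": re.compile(r"^\d+$"),
}


def normalize_reference(ref_type, value):
    """Return the canonical (type, value) pair, or None if the reference is
    malformed. Normalising case and whitespace is what stops "cve-2007-0001"
    and "CVE-2007-0001 " from being indexed as two different references."""
    ref_type = ref_type.strip().upper()
    value = value.strip().upper()
    pattern = _REF_PATTERNS.get(ref_type)
    if pattern is None or not pattern.match(value):
        return None
    return ref_type, value


def build_index(csv_text):
    """Parse a CSV export with columns osvdb_id,ref_type,ref_value into
    {(ref_type, ref_value): {osvdb_id, ...}}. Rows that fail validation are
    collected in `rejected` instead of being silently dropped, so a feed
    change (a new ID format, a stray header) is visible to the operator."""
    index = defaultdict(set)
    rejected = []
    reader = csv.DictReader(io.StringIO(csv_text))
    for row in reader:
        osvdb_id = (row.get("osvdb_id") or "").strip()
        if not osvdb_id.isdigit():
            rejected.append((row, "bad osvdb_id"))
            continue
        key = normalize_reference(row.get("ref_type") or "",
                                  row.get("ref_value") or "")
        if key is None:
            rejected.append((row, "bad reference"))
            continue
        index[key].add(int(osvdb_id))
    return dict(index), rejected


def lookup(index, ref_type, value):
    """Find the OSVDB IDs correlated with one external reference."""
    key = normalize_reference(ref_type, value)
    if key is None:
        return set()
    return index.get(key, set())


# Constructed sample export: the IDs below are placeholders, not real entries.
# Row 3 has sloppy case and whitespace, row 5 a malformed bulletin ID, and
# row 6 a non-numeric OSVDB ID, to exercise the validation paths.
SAMPLE_CSV = """osvdb_id,ref_type,ref_value
10001,CVE,CVE-2007-0001
10001,BID,22222
10002,cve, cve-2007-0001
10003,MS,MS07-001
10004,MS,MS7-1
abc,CVE,CVE-2007-0002
"""

if __name__ == "__main__":
    idx, bad = build_index(SAMPLE_CSV)
    print(sorted(lookup(idx, "CVE", "cve-2007-0001")))  # [10001, 10002]
    print(len(bad))                                     # 2
```

Running the module prints the OSVDB IDs correlated with the sample CVE and the count of rejected rows; in practice `SAMPLE_CSV` would be the text of a downloaded CSV result, and `rejected` is worth logging on every refresh.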
See: http://osvdb.org/blog/?p=221 for full announcement, or http://osvdb.org/api/about for more information

From rforno at infowarrior.org Tue Jan 29 03:32:50 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 28 Jan 2008 22:32:50 -0500
Subject: [Infowarrior] - Free music downloads site in chaos as record giants pull out
Message-ID:

The latest twist in the goofy tale of the Recording Industry on the Net --- for those interested in their efforts in this space as put to music, please visit: http://www.youtube.com/watch?v=rVS3QqrXhD8& :) -----rf

Free music downloads site in chaos as record giants pull out
Last updated at 00:52am on 29.01.08
http://www.thisislondon.co.uk/news/article-23434386-details/Free+music+downloads+site+in+chaos+as+record+giants+pull+out/article.do

Music fans can download free songs without breaking the law

Music fans around the world faced confusion today as it was announced they would be able to download unlimited, free songs without breaking the law. A revamped online file-sharing service had vowed to offer a catalogue of 30million free songs that are compatible with iPods, but record labels have denied they had granted permission to share the songs.

Qtrax, which makes its debut today, is the latest online music venture counting on the lure of free songs to draw in music fans. The key to their revolutionary venture was thought to be advertising, which they hope will pay the bills, namely record company licensing fees.

The New York-based service was among several peer-to-peer file-sharing applications that emerged following the shutdown of Napster, the pioneer service that enabled millions to illegally copy songs stored in other computers. But Warner Music said it had not authorised the use of its tracks by Qtrax - and later Universal Music Group and EMI followed suit, saying they did not have licensing deals with Qtrax and discussions were continuing.
Justin Kazmark, a spokesman for New York-based Qtrax, has declined to comment.

To take advantage of the free but legal service, the user will need to download the Qtrax software which displays adverts while the user is searching and downloading songs. The site was expected to feature special sections including one called "Last Night" where users can search for newly added tracks from live concerts that were recorded the night before. It will also feature music videos, artist documentaries, interviews, album reviews and biographies among other features.

Qtrax is not the first service to offer free songs for download with advertising support. Last September, SpiralFrog launched an ad-supported free service with music from just one of the major record companies, Universal Music. It is still in talks with other labels.

The latest version of Qtrax still lets users tap into file-sharing networks to search for music, but downloads come with copy-protection technology known as digital-rights management, or DRM, to prevent users from burning copies to a CD and calculate how to share out advertising sales with labels. Qtrax downloads can be stored indefinitely on PCs and transferred on to portable music players, however.

The service, which boasts a selection of up to 30million tracks, also hopes that its music downloads will be playable on Apple's iPods and Macintosh computers as early as March. iPods only play back unrestricted MP3 files or tracks with Apple's proprietary version of DRM, dubbed FairPlay.

CD sales are falling and file-sharing companies are satisfying the demand for free music online

"We've had a technical breakthrough which enables us to put songs on an iPod without any interference from FairPlay," said Allen Klepfisz, Qtrax's president and chief executive.
Klepfisz declined to give specifics on how Qtrax will make its audio files compatible with Apple devices, but noted that "Apple has nothing to do with it".

Apple has been resistant in the past to license FairPlay to other online music retailers. That stance has effectively limited iPod users to loading up their players with tracks purchased from Apple's iTunes Music Store, or MP3s ripped from CDs or bought from vendors such as eMusic or Amazon.com.

Rob Enderle, technology analyst at the San Jose-based Enderle Group, said he expects Apple would take steps to block Qtrax files from working on iPods. It's thought Apple would be unlikely to allow tracks downloaded from its rival to be compatible with its players.
From rforno at infowarrior.org Tue Jan 29 12:06:09 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 29 Jan 2008 07:06:09 -0500
Subject: [Infowarrior] - Schneier: Security and Privacy Aren't Opposites
Message-ID:

What Our Top Spy Doesn't Get: Security and Privacy Aren't Opposites
Bruce Schneier
http://www.wired.com/politics/security/commentary/securitymatters/2008/01/securitymatters_0124?currentPage=all

If there's a debate that sums up post-9/11 politics, it's security versus privacy. Which is more important? How much privacy are you willing to give up for security? Can we even afford privacy in this age of insecurity? Security versus privacy: It's the battle of the century, or at least its first decade.

In a Jan. 21 New Yorker article, Director of National Intelligence Michael McConnell discusses a proposed plan to monitor all -- that's right, all -- internet communications for security purposes, an idea so extreme that the word "Orwellian" feels too mild. The article (not online) contains this passage:

In order for cyberspace to be policed, internet activity will have to be closely monitored.
Ed Giorgio, who is working with McConnell on the plan, said that would mean giving the government the authority to examine the content of any e-mail, file transfer or Web search. "Google has records that could help in a cyber-investigation," he said. Giorgio warned me, "We have a saying in this business: 'Privacy and security are a zero-sum game.'"

I'm sure they have that saying in their business. And it's precisely why, when people in their business are in charge of government, it becomes a police state. If privacy and security really were a zero-sum game, we would have seen mass immigration into the former East Germany and modern-day China. While it's true that police states like those have less street crime, no one argues that their citizens are fundamentally more secure.

We've been told we have to trade off security and privacy so often -- in debates on security versus privacy, writing contests, polls, reasoned essays and political rhetoric -- that most of us don't even question the fundamental dichotomy. But it's a false one.

Security and privacy are not opposite ends of a seesaw; you don't have to accept less of one to get more of the other. Think of a door lock, a burglar alarm and a tall fence. Think of guns, anti-counterfeiting measures on currency and that dumb liquid ban at airports. Security affects privacy only when it's based on identity, and there are limitations to that sort of approach.

Since 9/11, two -- or maybe three -- things have potentially improved airline security: reinforcing the cockpit doors, passengers realizing they have to fight back and -- possibly -- sky marshals. Everything else -- all the security measures that affect privacy -- is just security theater and a waste of effort.

By the same token, many of the anti-privacy "security" measures we're seeing -- national ID cards, warrantless eavesdropping, massive data mining and so on -- do little to improve, and in some cases harm, security.
And government claims of their success are either wrong, or against fake threats.

The debate isn't security versus privacy. It's liberty versus control. You can see it in comments by government officials: "Privacy no longer can mean anonymity," says Donald Kerr, principal deputy director of national intelligence. "Instead, it should mean that government and businesses properly safeguard people's private communications and financial information." Did you catch that? You're expected to give up control of your privacy to others, who -- presumably -- get to decide how much of it you deserve. That's what loss of liberty looks like.

It should be no surprise that people choose security over privacy: 51 to 29 percent in a recent poll. Even if you don't subscribe to Maslow's hierarchy of needs, it's obvious that security is more important. Security is vital to survival, not just of people but of every living thing. Privacy is unique to humans, but it's a social need. It's vital to personal dignity, to family life, to society -- to what makes us uniquely human -- but not to survival.

If you set up the false dichotomy, of course people will choose security over privacy -- especially if you scare them first. But it's still a false dichotomy. There is no security without privacy. And liberty requires both security and privacy. The famous quote attributed to Benjamin Franklin reads: "Those who would give up essential liberty to purchase a little temporary safety, deserve neither liberty nor safety." It's also true that those who would give up privacy for security are likely to end up with neither.

---

Bruce Schneier is CTO of BT Counterpane and author of Beyond Fear: Thinking Sensibly About Security in an Uncertain World. You can read more of his writings on his website.
From rforno at infowarrior.org Tue Jan 29 12:56:45 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 29 Jan 2008 07:56:45 -0500
Subject: [Infowarrior] - Air Force Trains Warriors To Defend Cyberspace From Terror
In-Reply-To:
Message-ID:

http://www.usatoday.com/tech/news/computersecurity/2008-01-28-cyber_N.htm

USA Today
January 29, 2008

Air Force Trains Warriors To Defend Cyberspace From Terror
By Tom Vanden Brook, USA Today

WASHINGTON-- Ready. Aim. Click.

The military relies on computers and electronic communication to launch precision weapons, spy on its enemies and communicate with troops in combat. The Air Force is revamping its training to prepare its 320,000 airmen to protect its front lines in cyberspace, Air Force Brig. Gen. Mark Schissler said. The battlefield includes the Internet, cellphone calls and signals that trigger roadside bombs.

"In cyber, the weapon of choice is going to be the computer that sits on your desk," said Schissler, the Air Force's director of cyberoperations.

Every enlisted man and officer will be taught about cyberwarfare in basic training, the Air Force Academy or officer candidate school, Schissler said. About 100 students per year will receive more advanced instruction at the Undergraduate Network Warfare Training course at Hurlburt Field in Florida. Graduates of the six-month program will be able to operate a computer like "a weapon system" and will be known as cyberwarriors or cyberoperators, Schissler said. The first class graduated last month.

The Air Force wants to build offensive and defensive capabilities in cyberspace. A presentation from the Center for Cyberspace Research at the Air Force Institute of Technology states the goal plainly: The Air Force "can drop a 2,000-pound bomb anywhere we want. ... We need to be able to do the same thing in cyberspace ... while denying that ability to any adversary!"
Air Force Secretary Michael Wynne noted last year that terrorists exploit the Internet and need to be fought there. "These adversaries can communicate globally with their agents, spread propaganda, mobilize support worldwide, conduct training, detonate improvised explosive devices and can empty or create bank accounts to fund their causes," Wynne told an Air Force conference.

Muslim extremists, Schissler said, run as many as 6,000 websites for recruiting. A cyberwarrior will monitor computers used by terrorists to learn of imminent attacks and help thwart them, Schissler said. Wynne wrote in an article in an Air Force professional journal that in cyberwarfare, airmen in Colorado can use satellites to program weapons on an F-16 to kill insurgents planting roadside bombs in Iraq.

The Pentagon acknowledges that its computers are attacked hundreds of times each day. Most of the intrusions are thwarted, but an attack last June disrupted an unclassified e-mail system in the Defense secretary's office.

Schissler said there's no ideal cyberwarrior. "You have to be quick to learn," he said. "That's the only real requirement."

John Pike, a defense analyst and director of GlobalSecurity.org, questioned whether the Air Force program would overlap with responsibilities of the National Security Agency (NSA), which gathers and analyzes foreign communication. Jamming enemy air-defense radar and protecting computers from hackers have been part of traditional electronic warfare for the Air Force. "This thing sounds like they've set up their own operation separate from the NSA," Pike said.

From rforno at infowarrior.org Tue Jan 29 13:03:11 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 29 Jan 2008 08:03:11 -0500
Subject: [Infowarrior] - Blogger censored, detained by the FBI
Message-ID:

(c/o Anonymous)

Yesterday, I mentioned the blog post I saw which was repeatedly censored by an IP address owned by the Department of Homeland security.
This morning, I got an email from Rob, the author, saying that he'd been taken on an involuntary trip to his local FBI building where he was held and interrogated for six hours

< - >

http://www.thenewfreedom.net/wp/2008/01/28/citizen-blogger-censored-detained-by-the-fbi/

From rforno at infowarrior.org Tue Jan 29 13:33:38 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 29 Jan 2008 08:33:38 -0500
Subject: [Infowarrior] - UK gov to 'coerce' Brits into national id card
Message-ID:

(PDF document at the article site)

http://www.boingboing.net/2008/01/29/leaked-uk-govt-doc-r.html

Phil from the UK anti-ID-register group NO2ID sends in this nugget -- note the call to action there. We've got a sensitive government document revealing the British government's plan to trick us into a database state and we need as many copies as possible, as quickly as possible! If you mirror this document, please add a link to it in the comments for the post.

UK campaigners NO2ID this morning enlisted the help of bloggers across the world to spread a leaked government document describing how the British government intends to go about "coercing" its citizens onto a National Identity Register. The 'ID card' is revealed as little more than a cover to create an official dossier and trackable ID for every UK resident - creating what NO2ID calls 'the database state'.

NO2ID's national coordinator, Phil Booth, exhorted bloggers, freedom lovers and anyone who gives a damn about personal privacy to mirror the annotated document on their site.

"The charade is over. While ministers try to bamboozle the British public with fairytales about fingerprints, officials are plotting how to dupe and bully the population into surrendering control of their own identities."

"Biometric ID cards are a sham; a magician's flourish to cover the biggest identity fraud there has ever been."
1.2MB PDF Link

From rforno at infowarrior.org Tue Jan 29 17:21:51 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 29 Jan 2008 12:21:51 -0500
Subject: [Infowarrior] - Fraud charge dismissed against SG 'rogue' trader
Message-ID:

SocGen in disarray as judges throw out fraud charge against trader
• Bank admits it was warned on more than one occasion
• Shareholders go to court over alleged insider dealing

* David Gow and Emilie Boyer King in Paris
* The Guardian, Tuesday January 29 2008
http://www.guardian.co.uk/business/2008/jan/29/europeanbanks.banking

The Société Générale affair descended deeper into the mire last night as investigating judges threw out the most serious accusation, attempted fraud, put forward by prosecutors against the trader behind the €4.9bn losses, Jérôme Kerviel. They released him under judicial supervision, or bail, after two days of police questioning, leading his lawyers to claim a substantial victory.

The surprise threatened to undermine the bank's increasingly fragile defence that he had used ingeniously fraudulent devices, including hacking into colleagues' internet codes, to hide his gambling on equity derivatives trading markets. Kerviel ran up an exposure of €50bn, costing France's second-largest bank a record loss in banking history as it unwound his positions last week.

The prosecutor's office, which wanted to charge him with fraud, said it would appeal against the release. He has been placed under formal investigation for lesser allegations of breach of trust, computer abuse, and falsification.

"There is no fraud," said Christian Charriere-Bournazel, one of Kerviel's two lawyers, accusing Daniel Bouton, SocGen's chief executive, of "throwing him to the dogs" and "holding him up for public vilification."

Earlier, a lawyer acting for 100 small shareholders sued the bank over insider trading and market manipulation, and minority investors accused it of issuing misleading information.
And Kerviel, depicted by the bank as a "lone" rogue trader, also increased SocGen's woes by accusing his colleagues of having similarly traded beyond their limits. Prosecutors said the bank had been alerted by the Eurex derivatives market to the scale of his positions as long ago as November last year.

Prosecutor Jean-Claude Marin said Kerviel had been able to fool his employer by producing a fake document to justify the risk cover - a comment seized upon by SocGen as it struggled to defend itself against charges its controls were so extraordinarily lax that Kerviel acted unapprehended for 15 months. Eurex said its controls "functioned correctly at all levels, also in this case", while Socgen admitted it had been warned by the Deutsche Boerse subsidiary more than once. "There were false trades picked up but he [Kerviel] explained them away, justified them, or fabricated covers."

An enraged Colette Neuville, head of Adam, a minority shareholders' lobby, disclosed she had asked the AMF, the French financial services authority, for a formal inquiry into alleged insider trading by a director and/or others at the bank. She also wants the AMF to investigate whether the bank deliberately misled investors over its sub-prime losses in November when it put them at €230m, only to announce a €2.05bn hit two months later. She told the Guardian: "There are strong possibilities that the information given to shareholders was incorrect - misleading."

The lawyer, Frederik-Karel Canoy, said he had begun legal action against SocGen over how it unwound billions of euros in allegedly fraudulent share deals last week. The bank said on Sunday it unwound Kerviel's positions, €50bn, "in particularly unfavourable market conditions" between Monday and Wednesday last week after discovering them on January 18. Canoy, a thorn in the flesh of French companies, told Reuters the bank should have told markets about its pending losses before its huge three-day selling spree.
SocGen says it unwound these positions in a controlled manner and within a volume limited to less than 10% to "respect the integrity of markets". It won support from Bank of France governor Christian Noyer: "The way Société Générale has handled its affairs to unwind positions in a very short space of time, and without moving the markets, contrary to what has been said, because they remained within normal trading limits ... was very professional."

Canoy also filed a complaint about the sale of 1m shares by SocGen director Robert Day on January 9 and 10, disclosed in AMF filings, shares worth €85.7m in his own name, and €8.63m and €959,066 from two foundations "linked" to him. The bank said the sale had come "well before" it knew of any fraud, while sources, dismissing Canoy's move as a stunt, insisted that only a few senior officials, excluding Day, could have known of pending losses when he sold his shares.

But Neuville, in a letter to the AMF, insisted that share sales had taken place just before Socgen shares started to slide on January 14 - or four days before Kerviel's fictitious and fraudulent dealings were first detected inside the bank on January 18. "There are people who had access to information that was not publicly known; there's a suspicion of insider trading, and there must be a formal inquiry."

Kerviel has admitted hiding his activities but accused colleagues of trading beyond their limits, Marin said earlier. Prosecutors had sought charges against Kerviel for offences of forgery and fraud, with a sentence of up to seven years. Marin said the 31-year-old, who gave himself up on Saturday, had told investigators that his and other irregular deals had taken place since the end of 2005, a dagger at the heart of Socgen's defence that he was a one-off fraudster of genius. Marin said the investigation had shown Kerviel did indeed act alone - to prove himself a star trader and earn a bonus of €300,000, rather than to harm the bank.
The bank has so far dismissed two managers over the scandal: Luc François, head of equity derivatives trading, and Jean-Pierre Lessage, Kerviel's direct manager.

From rforno at infowarrior.org Tue Jan 29 17:24:19 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 29 Jan 2008 12:24:19 -0500
Subject: [Infowarrior] - Bush Looks to Beef Up Protection Against Cyberattacks
Message-ID:

29 January 2008

The Wall Street Journal, January 28, 2008

Bush Looks to Beef Up Protection Against Cyberattacks
Estimated Cost Could Be $6 Billion; Democrats Are Wary
By SIOBHAN GORMAN
January 28, 2008; Page A8
http://cryptome.org/spy-beef.htm

WASHINGTON -- President Bush has promised a frugal budget proposal next month, but one big-ticket item is stirring controversy: an estimated $6 billion to build a secretive system protecting U.S. communication networks from attacks by terrorists, spies and hackers.

Administration officials and lawmakers say that the prospect of cyberterrorists hacking into a nuclear-power plant or paralyzing Wall Street is becoming possible, and that the U.S. isn't prepared. This is "one area where we have significant work to do," Homeland Security Secretary Michael Chertoff said in a recent interview.

The White House's proposal has already dismayed lawmakers concerned about civil-liberties violations. Democratic lawmakers are also frustrated by what they see as the White House's refusal to provide details of the program, and say that could threaten the fate of the initiative.

Protecting private computer systems would likely require the government to install sensors on private, company networks, officials familiar with the initiative said. Amid divisiveness about other government-surveillance programs, having the government monitor Internet traffic, even in the name of national security, will be a hard sell to Congress and the public.
Cybersecurity specialists say the threat ranges from terrorists hacking into nuclear-power control systems, banks or subways, to foreign governments secretly implanting software to siphon off Pentagon secrets from the government and military contractors. Last week, a Central Intelligence Agency analyst reported that cyberattacks have disrupted power equipment in unspecified regions outside the U.S. In at least one case, he said, the attack knocked out power in multiple cities. The outages were followed with extortion demands.

The U.S. government has been monitoring cyberattacks on U.S. systems under a program with the moniker Byzantine Hades. It has tracked, among other threats, continuing operations from China against U.S. computer systems, according to former intelligence officials. They say the program has discovered what appear to be efforts from China to collect information on specific types of U.S. military programs, such as "quiet drive" technology that helps submarines evade detection. Some U.S. officials believe such espionage is connected to the Chinese government.

Homeland Security counted 37,258 attacks on government and private networks last year, compared with 4,095 in 2005, the first year it started counting standardized data.

The administration's plan is to reduce points of access between the Internet and the government and to use sensors to detect intrusions displaying potentially nefarious patterns, said former top intelligence officials. The program would first be used on government networks and then adapted to private networks. Former officials said the final price tag is approaching an estimated $30 billion over seven years, including a 2009 infusion of around $6 billion, though those numbers could change significantly as the plan develops.

Access to private networks will be a major sticking point because intelligence agencies, including the National Security Agency, are to play prominent roles. "We need to be very careful," Mr. Chertoff said.
"There is a lot of thought being given to: How do you organize this in a way that protects an incredibly valuable asset in the United States but does it in a way that doesn't alarm reasonable people, and I underline reasonable people, in terms of civil liberties?" House Homeland Security Committee Chairman Bennie G. Thompson, a Mississippi Democrat, wants the administration to put the program on hold until it can answer congressional concerns. "We don't want to unconstitutionally infringe on the rights of private business under the guise of this new program," Mr. Thompson said. He said he was particularly irked to learn that Mr. Bush had signed a classified directive that outlines how the White House proposes to bolster security of government networks weeks ago but "has refused to share [the directive] with Congress." White House spokesman Scott Stanzel said the White House is giving "careful consideration" to Mr. Thompson's request for the Jan. 8 directive, which he described as "a continuation of our efforts to secure government networks, protect against constant intrusion attempts, address vulnerabilities and anticipate future threats." The structure of the initiative has also been under debate. Officials in Director of National Intelligence Mike McConnell's office argued for a centralized approach, according to a former senior government official. But they appear to have lost the fight in favor of a structure that would dole out responsibilities, and slices of the budget, to individual agencies, two former officials said. The CIA and the Pentagon didn't want other agencies mucking about in their computer networks; other agencies sought to maintain exclusive relationships with certain industries. Some security experts warn a dispersed structure will invite bureaucratic turf wars. Mr. McConnell's office declined repeated requests for an interview. Current and former officials said the effort could be scaled back to primarily protect government networks. 
They would then do what is possible to help the private sector improve its security. Mr. McConnell has said 95% of the problem lies with the private sector.

Write to Siobhan Gorman at siobhan.gorman[at]wsj.com

From rforno at infowarrior.org Tue Jan 29 17:24:54 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 29 Jan 2008 12:24:54 -0500
Subject: [Infowarrior] - Booz Allen Is in Talks to Sell Government Unit to Carlyle
Message-ID:

The Wall Street Journal, January 16, 2008

Booz Allen Is in Talks to Sell Government Unit to Carlyle
Defense Consultant Expected to Draw Price of $2 Billion
By MATTHEW KARNITSCHNIG and AUGUST COLE
January 16, 2008; Page C5
http://cryptome.org/spy-bah.htm

Booz Allen Hamilton Inc. is in discussions to sell its government-consulting business to private-equity firm Carlyle Group, according to people familiar with the situation. The deal would be centered on Booz Allen's influence in defense and intelligence contracting. If an agreement is reached, the sale price will likely be around $2 billion, the people say. Booz Allen has held talks with other private-equity firms as part of a debate about the McLean, Va., company's future.

For Carlyle, a deal would complement the Washington firm's extensive holdings in aerospace and defense. Any deal would be significant for the Pentagon, the intelligence community and lawmakers, as well as the biggest firms in the defense sector. Booz Allen, once primarily a management consultant to corporations, now plays a major role in some of the costliest and most complex defense projects. The company has extensive government contracts -- totaling more than $2 billion a year -- with the Pentagon, intelligence services and various civilian agencies, including the Department of Homeland Security.

Booz Allen's executives have debated how to take advantage of the booming growth in its defense-consulting business. The government business now accounts for more than 50% of the company's $4 billion in revenue.
The firm's past three chief executive officers have come from the government side of the firm. Booz Allen has more than 300 senior executives and 20,000 employees world-wide. A Booz spokeswoman yesterday declined to comment about possible buyers for the government-services group.

The size and influence of Booz Allen's government-consulting practice has been on the rise since the Sept. 11, 2001, terrorist attacks, as the government has sought more outside help for projects ranging from setting up the Department of Homeland Security's management to engineering and integration work for advanced Air Force satellites. Booz Allen employs numerous retired military officers and former intelligence-agency chiefs. Retired Navy Admiral J. Michael McConnell, former head of the National Security Agency, was a Booz Allen executive until President Bush named him director of national intelligence in 2007. James Woolsey, former head of the Central Intelligence Agency, is another high-profile executive.

The move comes at a time when the defense industry has been under fire for having too much control of government contracts. Lockheed Martin Corp., Northrop Grumman Corp. and Boeing Co. have taken the lead overseeing development of big military programs. That has alarmed critics in Congress and watchdogs worried about government ceding too much authority. Legislation in the 2008 Defense Authorization Act will end the practice of awarding contractors such overarching roles within a few years. The industry contends that the government lacks the expertise to handle complex projects.

--Joann S. Lublin contributed to this article.
Write to Matthew Karnitschnig at matthew.karnitschnig[at]wsj.com and August Cole at august.cole[at]dowjones.com

From rforno at infowarrior.org Wed Jan 30 13:18:51 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 30 Jan 2008 08:18:51 -0500
Subject: [Infowarrior] - Researchers say EEs have a 'terrorist mindset'
In-Reply-To:
Message-ID:

------ Forwarded Message
From: David Farber

Holy War! Researchers say EEs have a 'terrorist mindset'
Junko Yoshida (01/28/2008 10:07 AM EST)
URL:

MANHASSET, N.Y. -- Is there a thread that ties engineers to Islamic terrorism? There certainly is, according to Diego Gambetta and Steffen Hertog at Oxford University, who recently published a paper titled "Engineers of Jihad." The authors call the link to terrorism "the engineer's mindset."

The sociology paper published last November, which has been making the rounds over the Internet and was recently picked up by The Atlantic, uses illustrative statistics and qualitative data to conclude that there is a strong relationship between an engineering background and involvement in a variety of Islamic terrorist groups. The authors have found that graduates in subjects such as science, engineering, and medicine are strongly overrepresented among Islamist movements in the Muslim world. The authors also note that engineers, alone, are strongly over-represented among graduates who gravitate to violent groups.

However, contrary to popular speculation, it's not technical skills that make engineers attractive recruits to radical groups. Rather, the authors pose the hypothesis that "engineers have a 'mindset' that makes them a particularly good match for Islamism," which becomes explosive when fused with the repression and vigorous radicalization triggered by the social conditions they endured in Islamic countries.

But what is the engineer's mindset? The authors call it a mindset that inclines them to take more extreme conservative and religious positions.
A past survey in the United States has already shown that the proportion of engineers who declare themselves to be on the right of the political spectrum is greater than that of any other disciplinary group -- such as economists, doctors, scientists, and those in the humanities and social sciences.

The authors note that the mindset is universal. Whether American, Canadian or Islamic, they pointed out, a disproportionate share of engineers seem to have a mindset that makes them open to the quintessential right-wing features of "monism" (why argue where there is one best solution) and "simplism" (if only people were rational, remedies would be simple).

From rforno at infowarrior.org Wed Jan 30 22:32:56 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 30 Jan 2008 17:32:56 -0500
Subject: [Infowarrior] - Damaged Cables Cut Internet in Mideast
In-Reply-To:
Message-ID:

http://biz.yahoo.com/ap/080130/mideast_internet_outages.html?.v=5

AP
Damaged Cables Cut Internet in Mideast
Wednesday January 30, 4:09 pm ET
By Pakinam Amer, Associated Press Writer

Internet Outages From Damaged Undersea Cables Disrupt Businesses, Personal Use Across Mideast

CAIRO, Egypt (AP) -- Internet outages disrupted business and personal usage across a wide swathe of the Middle East on Wednesday after two undersea cables in the Mediterranean were damaged, government officials and Internet service providers said.

In Cairo, the Ministry of Communications and Information Technology said the cut of the international communications cables Flag and Seamewe 4 had led to a partial disruption of Internet services and other telecommunications across much of Egypt. Emergency teams were quickly trying to find alternative routes, including satellite connections, to end the disruptions, Minister Tariq Kamel said. A telecommunications expert at the Egyptian communications ministry, Rafaat Hindy, cautioned that "solving this could take days."

TeleGeography, a U.S. research group that tracks submarine cables around the world, said the severed lines account for 75 percent of the capacity connecting Egypt and other Middle Eastern countries to Europe. It would take "a few days up to one week before submarine cable operators deploy ships to bring the cables up and fix the fault," said Eric Schoonover, senior research analyst at TeleGeography.

It was not clear what caused the damage to the cable. Schoonover said there has been speculation by others that an illegally or improperly anchored ship caused the problem. Cables get damaged all the time, but Schoonover believes this was the first time two undersea cables near each other were cut at the same time.

Phone lines in Egypt still work, indicating "network operators in the area are rerouting traffic through emergency channels," Schoonover said. He said alternate paths include going "around India and back through Asia to the U.S."

Internet service also was disrupted in Dubai in the United Arab Emirates, which markets itself as a top Mideast business and luxury tourist hub. Both Internet service providers said international telephone service was also affected. One of the ISPs, DU, was completely down in the morning; browsing remained very slow even after DU restored Internet service by the afternoon.

An official who works in the customer care department of DU, who identified himself only as Hamed because he was not authorized to talk to the media, said the cable cut took place between Alexandria, Egypt, and Palermo, Italy. Although he was not in a position to describe the technical fault, Hamed said engineers contracted by DU were working to solve the problem. By early afternoon, the service was flooded with complaints and had found alternative routes, but Hamed said "there is slowness while browsing on the Internet."

There was no total outage in Kuwait, but service was interrupted Tuesday and Wednesday.
The Gulfnet International Company apologized in an e-mail Wednesday to its customers for the "degraded performance in Internet browsing." In Saudi Arabia, some users said the Internet was functioning fine but others said it was slow or totally down. Users in Bahrain and Qatar also complained of slow Internet.

Associated Press Writer Barbara Surk contributed to this report from Dubai, United Arab Emirates.

From rforno at infowarrior.org Thu Jan 31 02:25:48 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 30 Jan 2008 21:25:48 -0500
Subject: [Infowarrior] - Copy a CD, owe $1.5 million under "gluttonous" PRO-IP Act
Message-ID:

Copy a CD, owe $1.5 million under "gluttonous" PRO-IP Act
By Nate Anderson | Published: January 29, 2008 - 09:57PM CT
http://arstechnica.com/news.ars/post/20080129-statutory-damages-not-high-enough.html

Not content with the current (and already massive) statutory damages allowed under copyright law, the RIAA is pushing to expand the provision. The issue is compilations, which now are treated as a single work. In the RIAA's perfect world, each copied track would count as a separate act of infringement, meaning that copying a ten-song CD even one time could end up costing a defendant $1.5 million if done willfully. Sound fair? Proportional? Necessary? Not really, but that doesn't mean it won't become law.

The change to statutory damages is contained in the PRO-IP Act that is currently up for consideration in Congress. We've reported on the bill before, noting that Google's top copyright lawyer (and the man who wrote a seven-volume treatise on the subject of copyright law), William Patry, called the bill the most "outrageously gluttonous IP bill ever introduced in the US." The industries pushing it (music, especially) have an "unslakable lust for more and more rights, longer terms of protection, draconian criminal provisions, and civil damages that bear no resemblance to the damages suffered," he said.
Public Knowledge head Gigi Sohn testified before Congress last year that statutory damages are already "disproportionate penalties for infringement," pointing out that it hardly seems fair to bill someone like Jammie Thomas more than $9,000 per song when each track costs a buck. Even accounting for a punitive penalty, that seems absurdly high.

Both Patry and Sohn attended a Copyright Office roundtable on statutory damages a few days ago, and Public Knowledge's staff attorney Sherwin Siy has posted a fascinating writeup of the closed-door session. The meeting was a small affair, with only 30 or so stakeholders in attendance, and it quickly became clear that even content owners had different takes on the situation. The Magazine Publishers Association, for instance, argued for maintaining the current law. If the PRO-IP Act passes, anyone found guilty of copying a magazine could be liable for hundreds of separate acts of infringement (at the judge's discretion), but magazines accused of copyright violations would face similarly huge penalties. Patry wasn't pleased with the PRO-IP Act, nor was Public Knowledge.

On the other side, the argument seemed to be that people could take advantage of the law to copy "greatest hits" albums or other compilations but be liable for less in damages than if they had ripped the songs from ten individual albums. As Siy points out, no one in the room could offer any actual evidence of such "crafty defendants," and the change in law would likely do little to change the behavior of file-swappers.

Given the huge amounts already available to copyright holders (who can always collect actual damages if the statutory damages truly aren't large enough to cover their costs), an increase in statutory damages seems only useful when pursuing true "pirates" and large-scale infringers.
Unfortunately, the PRO-IP Act would make the damages an option in small-scale file-swapping cases, the kinds of cases that the European Court of Justice doesn't seem really worried about. When it comes to casual, non-commercial users, current awards are high enough already.

From rforno at infowarrior.org Thu Jan 31 02:28:13 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 30 Jan 2008 21:28:13 -0500
Subject: [Infowarrior] - Verizon: We don't want to play copyright cop on our network
Message-ID:

Verizon: We don't want to play copyright cop on our network
Posted by Anne Broache
http://www.news.com/8301-10784_3-9861402-7.html

WASHINGTON--AT&T may be flirting with filters designed to ferret out pirated material on its network, but Verizon Communications isn't interested.

That's the message that company Executive Vice President Tom Tauke delivered during a luncheon discussion at an Internet policy conference here Wednesday. It's not that Verizon doesn't believe that it's vitally important to protect intellectual property, said Tauke, who heads the company's public affairs, policy, and communications department. Rather, the company is concerned that inspecting individual packets, as rival AT&T is currently testing, poses potential dangers to consumer privacy and opens up a host of other potential watchdog duties that Verizon isn't keen on undertaking.

"From a business perspective, we really don't want to assume the role of being police on the Internet," Tauke, a former Iowa Republican congressman, said in response to a question from Rep. Bob Goodlatte (R-Va.), who moderated discussion with the executive. "We are leery of using these technologies on our networks."

The way Tauke sees it, if the expectation develops that Internet service providers will actively police their networks for pirated content, that could morph into other new responsibilities, such as rooting out online pornography or illegal gambling Web sites.
Instead, Verizon prefers the existing legal framework established by the Digital Millennium Copyright Act of 1998, whereby service providers generally respond to requests that they take down pirated content but aren't obligated to play copyright cop.

The idea of ISPs' filtering traffic, which appears to be growing in popularity in Europe, is controversial for a number of reasons. To some legal experts, it seems contrary to the set-up established by the DMCA, for which many prominent ISPs fought hard. And consumer activists have said it raises serious privacy concerns.

In defending its filter experiment, AT&T has said it's trying to stem the flow of peer-to-peer traffic that clogs its networks and degrades its customers' surfing experiences. And there's clear pressure from some content owners, such as NBC, which have suggested that ISPs that do such policing stand the chance of brokering more favorable deals.

Drawing a smattering of applause from the lunching crowd, Tauke said Verizon's not prepared to join those ranks. "We don't want to get into the business of inspecting the bits and figuring out what is and is not appropriate traffic," he said.

From rforno at infowarrior.org Thu Jan 31 02:29:06 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 30 Jan 2008 21:29:06 -0500
Subject: [Infowarrior] - Google leads, ICANN follows
Message-ID:

Google leads, ICANN follows: domain tasters can now eat dirt
By Nate Anderson | Published: January 30, 2008 - 01:53PM CT
http://arstechnica.com/news.ars/post/20080130-google-leads-icann-follows-domain-tasters-can-now-eat-dirt.html

Domain tasting might sound like a leisurely Sunday afternoon activity, but ICANN isn't amused, and it has just proposed a crackdown plan that could make "tasting" and "front running" of domains an unprofitable activity. Under current ICANN rules, anyone who registers a new domain name has a five-day grace period to back out and receive a total refund.
The policy is in place to prevent hassles if people mistype domain names during signup or simply have buyer's remorse at signing up for ilovespaminacan.com. But because a five-day registration is free, some users "taste" millions of domain names in order to see how well they perform as marketing vehicles. The sites that don't perform are then deleted and the cash refunded. It's a practice that thrives on mistyped and expired domain names, and it's no longer limited to small operations. ICANN's own numbers show that in January 2007 alone, the top 10 domain tasters requested refunds on 45,450,897 domains.

ICANN's simple solution? Charge the small ICANN registration fee even for these registrations. The goal is to make widespread tasting uneconomic while still allowing regular users to get nearly complete refunds for domains. "Charging the ICANN fee as soon as a domain name is registered would close the loophole used by tasters to test a domain name's profitability for free," said Dr. Paul Twomey, ICANN's CEO, in a statement.

The plan could also put a dent in "front-running," a practice where searched-for (but not purchased) domains are snapped up with the goal of selling them to the searcher at a later date and for a higher price. Network Solutions was recently accused of the practice after it became public that the company was holding onto searched domains for four days before releasing them. During that four-day period, the domain could only be purchased from Network Solutions.

The ICANN change still needs to be approved as part of the organization's annual budget. Google has also moved to make tasting less economic and will refuse to offer AdSense revenue to sites until they have been registered for more than four days. The crackdown begins in February and is expected to cost Google millions in lost ad revenue.